Srika asked Srika commented

MDATP doesn't constantly detect a ransomware-type mass encryption

Hello,

As a part of security testing, to see the efficacy level of MDATP, we are running a PowerShell script (encrypt_ransomware.ps1) found on GitHub (leomatias/Ransomware-Simulator) that encrypts a bulk number of files and behaves like ransomware.

The workstations used are Windows 10 Enterprise enrolled in Intune with similar policies & settings. The user accounts used to execute the scripts are administrators, but we only run the scripts in standard PowerShell sessions (meaning not 'run as administrator'). We rely on MDATP protection to detect this event and we confirm the alert after seeing it in Security Center, but the alerts/detections in the MDATP Security Center are not consistent. On some of the test machines it gets detected as "ransomware behaviour" by MDATP and an alert is generated; doing the same test on another machine has a different result: no alert is raised in the MDATP console. This is not consistent across the devices we run the script on.

There is no real difference in configuration between the machines, as all policies and settings are pushed to all devices/all users. The tests are identical: the same encryption script, the same number of files, the same total size.

I appreciate any advice or suggestions on how to troubleshoot this and find what's generating the different detection behavior. Why is the massive file change not detected consistently across machines?

I'll continue to see if it stays the same with a standard user (no admin rights by default).


windows-10-security
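A troubleshooting check of the kind the question asks for, added here as an example (not part of the original thread): it snapshots the Defender / Defender for Endpoint state that most often differs between nominally identical machines (onboarding, running mode, cloud protection, controlled folder access, ASR rules, exclusions, engine and signature versions) and the recent Defender operational events, so the snapshots can be diffed. The output directory `$OutDir` is an assumption; it must be run elevated on each test workstation.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell on each test machine.
param([string]$OutDir = "$env:TEMP\mde-snapshot")   # assumed output location

$status = Get-MpComputerStatus
$pref   = Get-MpPreference
# Sense (EDR) onboarding state: 1 = onboarded. Key is absent on machines never onboarded.
$onboard = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
            -ErrorAction SilentlyContinue).OnboardingState

$snapshot = [ordered]@{
    Computer               = $env:COMPUTERNAME
    SenseService           = (Get-Service Sense -ErrorAction SilentlyContinue).Status
    OnboardingState        = $onboard
    AMRunningMode          = $status.AMRunningMode          # Normal vs Passive / EDR Block Mode
    EngineVersion          = $status.AMEngineVersion
    SignatureVersion       = $status.AntivirusSignatureVersion
    RealTimeProtection     = $status.RealTimeProtectionEnabled
    BehaviorMonitoring     = $status.BehaviorMonitorEnabled  # behaviour-based ransomware detection needs this
    TamperProtected        = $status.IsTamperProtected
    CloudProtection        = $pref.MAPSReporting             # Disabled means no cloud verdicts
    CloudBlockLevel        = $pref.CloudBlockLevel
    CloudExtendedTimeout   = $pref.CloudExtendedTimeout
    ControlledFolderAccess = $pref.EnableControlledFolderAccess  # 0 = off, 1 = block, 2 = audit
    ASRRuleIds             = @($pref.AttackSurfaceReductionRules_Ids)
    ASRRuleActions         = @($pref.AttackSurfaceReductionRules_Actions)
    PathExclusions         = @($pref.ExclusionPath)          # an exclusion covering the test folder hides the test
    ProcessExclusions      = @($pref.ExclusionProcess)
}

# Defender operational log: 1116/1117 detection, 1121/1122 ASR block/audit, 1123/1124 CFA block/audit.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117, 1121, 1122, 1123, 1124
    StartTime = (Get-Date).AddHours(-2)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$snapshot | ConvertTo-Json -Depth 3 | Set-Content "$OutDir\$env:COMPUTERNAME-settings.json"
$events   | ConvertTo-Json -Depth 3 | Set-Content "$OutDir\$env:COMPUTERNAME-events.json"
$snapshot   # print the summary for a quick eyeball comparison
```

Diff the two settings files with `Compare-Object (Get-Content A-settings.json) (Get-Content B-settings.json)`; a machine with no 1116/1117 events at all is usually not onboarded, running in passive mode, or has the test path excluded.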

1 Answer

TeemoTang-MSFT answered Srika commented

Hello,
Due to limited conditions, we can reproduce your scenario for testing. For MDATP questions, you'd better ask for help from the Microsoft Defender for Endpoint community.
Microsoft Defender for Endpoint - Microsoft Tech Community
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP
The reason why we recommend posting appropriately is that you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn.
Thanks for your understanding and cooperation.


If the Answer is helpful, please click "Accept Answer" and upvote it.
Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

