
0 Votes
chrisbaio asked Brandonnesbitt-5941 commented

MpCmdRun.exe Undocumented Option

On some Windows 10 workstations in our organization, I am seeing the following log entry:

"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\MpCmdRun.exe" GetDeviceTicket -AccessKey <RANDOM_HEX_STRING>

I've been trying to find documentation on the GetDeviceTicket option, but can't seem to find anything. It is not an option presented in the mpcmdrun.exe command line help file.

Is anyone able to provide any information on this option? I'd just like to understand what this is.

Thank you for any help you can provide.

Regards,

Chris

windows-10-security

0 Votes
SunnyQi-MSFT answered

Hi,

Thanks for posting in Q&A platform.

Before we go further, could you please help verify how you found this log entry and in which kind of scenario it appeared?

I also found an article regarding "Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool"; please kindly check if it is helpful.

Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool


Best Regards,
Sunny Qi

=======================================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



0 Votes
chrisbaio answered Brandonnesbitt-5941 commented

Hello Sunny,

Thank you for replying. It was actually recorded by our enterprise EDR solution as a possible indication of compromise.

At this point, we feel this may be part of the definition upgrade process. But wanted to confirm.

I can provide detailed logs if you think they will help.

Regards,

Chris


Hello Chris,

Sorry for the late reply.

Please share the detailed logs for further troubleshooting.

Best Regards,
Sunny

0 Votes

Hello Sunny,

Thank you. Unfortunately, the full log files have aged out of our SIEM, but the specific commands that were flagged as potentially malicious were:

"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\MpCmdRun.exe" GetDeviceTicket -AccessKey 91835DEE-329F-25BC-B508-9639E0F274B6

"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\MpCmdRun.exe" -DisableService

\??\C:\windows\system32\conhost.exe 0xffffffff -ForceV1

All three commands were viewed as Privilege Escalation via Access Token Manipulation.

I hope this helps.

Chris

1 Vote
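As an added triage example (not code from the thread, from Microsoft, or from any EDR vendor), the script below classifies process-creation command lines like the three quoted above: it checks that a binary named MpCmdRun.exe actually lives in the versioned Defender platform folder, and sorts the first switch into "documented", "high" (service disablement) or "review" (anything not in the help output, such as GetDeviceTicket). The platform-path regex, the short list of documented switches and the sample log lines are assumptions constructed for this example.

```python
import re

# Assumed shape of the legitimate Defender platform path seen in the thread:
# a versioned folder (e.g. 4.18.2008.9-0) under ProgramData. Not an official spec.
PLATFORM_PATH = re.compile(
    r'^C:\\ProgramData\\Microsoft\\Windows Defender\\platform\\\d+(?:\.\d+)+-\d+\\MpCmdRun\.exe$',
    re.IGNORECASE,
)

# Switches that appear in the MpCmdRun command-line help (partial list, assumed here).
DOCUMENTED = {"-scan", "-signatureupdate", "-trace", "-getfiles", "-restore",
              "-removedefinitions", "-validatemapsconnection", "-checkexclusion"}

def split_cmdline(cmdline):
    """Split a Windows command line into (executable, argument list), honouring a quoted path."""
    m = re.match(r'^\s*"([^"]+)"\s*(.*)$', cmdline) or re.match(r'^\s*(\S+)\s*(.*)$', cmdline)
    if not m:
        return "", []
    return m.group(1), m.group(2).split()

def triage(cmdline):
    """Return a small verdict dict for one logged command line."""
    exe, args = split_cmdline(cmdline)
    if not exe.lower().endswith("mpcmdrun.exe"):
        return {"exe": exe, "verdict": "not-mpcmdrun"}
    if not PLATFORM_PATH.match(exe):
        return {"exe": exe, "verdict": "unexpected-path"}  # right file name, wrong location
    switch = args[0].lower() if args else ""
    if switch == "-disableservice":
        verdict = "high"        # stops the AV service: confirm a change record or update activity
    elif switch in DOCUMENTED:
        verdict = "documented"
    else:
        verdict = "review"      # e.g. GetDeviceTicket: absent from help output, check the parent process
    return {"exe": exe, "switch": args[0] if args else "", "verdict": verdict}

# Constructed sample lines modelled on the command lines quoted in the thread (access key is a placeholder).
SAMPLE_LOGS = [
    r'"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\MpCmdRun.exe" GetDeviceTicket -AccessKey <ACCESS_KEY_PLACEHOLDER>',
    r'"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\MpCmdRun.exe" -DisableService',
    r'\??\C:\windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'C:\Users\Public\MpCmdRun.exe -Scan -ScanType 1',   # constructed: a copy outside the platform folder
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(triage(line))
```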

Did you ever get confirmation as to whether this is standard procedure, say when Windows 10 updates the Defender signatures? I have a system that recently logged this in our XDR solution, where it was flagged as possible unexpected behavior.

0 Votes
0 Votes
JeanFrancoisBrouillette-3769 answered JeanFrancoisBrouillette-3769 published

Got any news regarding this? Got the same detection today and can't find documentation about "GetDeviceTicket -AccessKey".

Thank you
