Experience Microsoft Defender for Endpoint through simulated attacks
Important
The Microsoft Defender for Endpoint evaluation lab was deprecated in January, 2024.
Applies to:
Want to experience Defender for Endpoint? Sign up for a free trial.
Tip
- Learn about the latest enhancements in Microsoft Defender for Endpoint: What's new in Defender for Endpoint?.
- Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: Insights from the MITRE ATT&CK-based evaluation.
You might want to experience Defender for Endpoint before you onboard more than a few devices to the service. To do this, you can run controlled attack simulations on a few test devices. After running the simulated attacks, you can review how Defender for Endpoint surfaces malicious activity and explore how it enables an efficient response.
Before you begin
To run any of the provided simulations, you need at least one onboarded device.
Read the walkthrough document provided with each attack scenario. Each document includes OS and application requirements as well as detailed instructions that are specific to an attack scenario.
Run a simulation
In Endpoints > Evaluation & tutorials > Tutorials & simulations, select which of the available attack scenarios you would like to simulate:
- Scenario 1: Document drops backdoor - simulates delivery of a socially engineered lure document. The document launches a specially crafted backdoor that gives attackers control.
- Scenario 2: PowerShell script in fileless attack - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and device learning detection of malicious memory activity.
- Scenario 3: Automated incident response - triggers automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity.
Download and read the corresponding walkthrough document provided with your selected scenario.
Download the simulation file or copy the simulation script by navigating to Evaluation & tutorials > Tutorials & simulations. You can choose to download the file or script on the test device but it's not mandatory.
Run the simulation file or script on the test device as instructed in the walkthrough document.
Note
Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test device.
You can also use the EICAR test file or the EICAR test text string to perform some tests. It is possible to test real-time protection features (create a text file, paste the EICAR text, and save the file as an executable file to your endpoint's local drive—you will get a notification on the test endpoint and an alert in the MDE console) or EDR protection (you need to temporarily disable real-time protection on the test endpoint and save the EICAR test file, and then try to execute, copy, or move this file). After you run your tests, enable real-time protection on the test endpoint.
Want to experience Defender for Endpoint? Sign up for a free trial.
Related topics
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for