Behavior Monitoring demonstration

Applies to:

• Microsoft Defender for Endpoint Plan 2
• Microsoft Defender for Business
• Microsoft Defender for Endpoint Plan 1
• Microsoft Defender Antivirus
• Microsoft Defender for Individuals

Behavior monitoring in Microsoft Defender Antivirus monitors process behavior to detect and analyze potential threats based on the behavior of applications, services, and files. Rather than relying solely on content matching, which identifies known malware patterns, behavior monitoring focuses on observing how software behaves in real-time.

Scenario requirements and setup

• Windows 11, Windows 10, Windows 8.1, Windows 7 SP1

• Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2

• macOS

• Microsoft Defender Real-time protection is enabled

• Behavior Monitoring is enabled

Windows

Verify Microsoft Defender real-time protection is enabled

To verify real-time protection is enabled, open PowerShell as an administrator, and then run the following command:

get-mpComputerStatus |ft RealTimeProtectionEnabled

When real-time protection is enabled, the result shows a value of True.

Enable Behavior Monitoring for Microsoft Defender for Endpoint

For more information on how to enable Behavior Monitoring for Defender for Endpoint, see how to enable Behavior Monitoring.

Demonstration of how Behavior Monitoring works in Windows and Windows Server

To demonstrate how Behavior Monitoring blocks a payload, run the following PowerShell command:

powershell.exe -NoExit -Command "powershell.exe hidden 12154dfe-61a5-4357-ba5a-efecc45c34c4"

The output contains an expected error as follows:

hidden : The term 'hidden' is not recognized as the name of a cmdlet, function, script, script file, or operable program.  Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+hidden 12154dfe-61a5-4357-ba5a-efecc45c34c4
+""""""
CategoryInfo             : ObjectNotFound: (hidden:String) [], CommandNotFoundException
FullyQualifiedErrorId : CommandNotFoundException

In the Microsoft Defender portal, in the Action center, you should see the following information:

• Windows Security
• Threats found
• Microsoft Defender Antivirus found threats. Get details.
• Dismiss

If you select the link, your Windows Security app opens. Select Protection history.

You should see information that resembles the following output:

Threat blocked
Detected: Behavior:Win32/BmTestOfflineUI
Status: Removed
A threat or app was removed from this device.
Date: 6/7/2024 11:51 AM
Details: This program is dangerous and executes command from an attacker.
Affected items:
behavior: process: C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe, pid:6132:118419370780344
process: pid:6132,ProcessStart:133621698624737241
Learn more	Actions

In the Microsoft Defender portal, you should see information like this:

Suspicious 'BmTestOfflineUI' behavior was blocked

When you select it, you see the alert tree that has the following information:

Defender detected and terminated active 'Behavior:Win32/BmTestOfflineUI' in process 'powershell.exe' during behavior monitoring

macOS

Verify Microsoft Defender Real-time protection is enabled

To verify real-time protection (RTP) is enabled, open a terminal window and copy and execute the following command:

mdatp health --field real_time_protection_enabled

When RTP is enabled, the result shows a value of 1.

Enable Behavior Monitoring for Microsoft Defender for Endpoint

For more information on how to enable behavior monitoring for Defender for Endpoint, see Deployment instructions.

Demonstration of how Behavior Monitoring works

To demonstrate how Behavior Monitoring blocks a payload:

1. Create a bash script using a script/text editor such as nano or Visual Studio Code (VS Code):

   #! /usr/bin/bash
   echo " " >> /tmp/9a74c69a-acdc-4c6d-84a2-0410df8ee480.txt
   echo " " >> /tmp/f918b422-751c-423e-bfe1-dbbb2ab4385a.txt
   sleep 5
   

2. Save as BM_test.sh.

3. Run the following command to make the bash script executable:

   sudo chmod u+x BM_test.sh
   

4. Run the bash script:

   sudo bash BM_test.sh
   

   The result should look like this

   zsh: killed sudo bash BM_test.sh

   The file was quarantined by Defender for Endpoint on macOS. Use the following command to list all the detected threats:

   mdatp threat list
   

   The result shows information like this:

   ID: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
   
   Name: Behavior: MacOS/MacOSChangeFileTest
   
   Type: "behavior"
   
   Detection time: Tue May 7 20:23:41 2024
   
   Status: "quarantined"
   

If you have Microsoft Defender for Endpoint P2/P1 or Microsoft Defender for Business, go to the Microsoft Defender portal, and you see an alert titled, Suspicious 'MacOSChangeFileTest' behavior was blocked.