Legitimacy and Documentation of PowerShell Script in Windows Defender ATP Data Collection Path

Hitesh Sungar 0 Reputation points
2025-05-01T10:59:20.1733333+00:00

Hi Team,

We’ve observed the following script being executed on several servers:

  1. C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\8795.12576079.0.12576079-309b4e8361ee7020fd7fd8bf26c7c6d27dbe6a99\e42f96b8-39ab-482c-86c3-db42380f8e06.ps1
  2. C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\8795.12776012.0.12776012-ea4638610e3d754942a7d3936a46012d82c88e4f\e42f96b8-39ab-482c-86c3-db42380f8e06.ps1

Can anyone please confirm if this is a legitimate Microsoft Defender for Endpoint (ATP) diagnostic or investigation script? Also, is there any official documentation or article that explains its purpose and usage?

We’re considering whitelisting it to reduce false positives but need validation first.

Regards,

Hitesh Sungar


1 answer

  1. Sanoop M 4,145 Reputation points Microsoft External Staff Moderator
    2025-05-06T04:40:24.8+00:00

    Hello @Hitesh Sungar,

    Based on your description, I understand that you have observed the following script being executed on several servers:

    1. C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\8795.12576079.0.12576079-309b4e8361ee7020fd7fd8bf26c7c6d27dbe6a99\e42f96b8-39ab-482c-86c3-db42380f8e06.ps1
    2. C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\8795.12776012.0.12776012-ea4638610e3d754942a7d3936a46012d82c88e4f\e42f96b8-39ab-482c-86c3-db42380f8e06.ps1

    After doing some research and investigation from my side, I could not find the exact PowerShell script which you have observed on your several Windows Servers, but I found a somewhat similar PowerShell script, and I am providing you the screenshot below, which explains that PowerShell script and might be helpful.

    [Screenshot of the similar PowerShell script; image not included on this page]

    Please note that these scripts are used for running device discovery as per device discovery:

    I hope this above information provided is helpful. Please feel free to reach out if you have any further questions.
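Before allowlisting a script found under the DataCollection path, a defender would want to verify where the file really lives, whether it carries a valid Microsoft Authenticode signature, and its hash. The following is an added example written for this thread, not code from Microsoft or from either poster; it assumes Windows PowerShell 5.1 or later, and the function name `Test-MdeDataCollectionScript` is hypothetical.

```powershell
# Added example (not from the thread): pre-allowlisting checks for a script found
# under the Defender for Endpoint DataCollection path quoted in the question.
$DataCollectionRoot = 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection'

function Test-MdeDataCollectionScript {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{
        Path = $Path; UnderDataCollection = $false; SignatureStatus = 'NotChecked'
        Signer = $null; Sha256 = $null; Verdict = 'Unknown'
    }

    # 1. Location: resolve the real path so a junction or '..' cannot fake the prefix.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $result.Verdict = 'FileMissing'
        return [pscustomobject]$result
    }
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $result.UnderDataCollection = $full.StartsWith($DataCollectionRoot, [System.StringComparison]::OrdinalIgnoreCase)

    # 2. Authenticode: a script published by Microsoft should carry a valid signature
    #    whose signer subject names Microsoft Corporation.
    $sig = Get-AuthenticodeSignature -LiteralPath $full
    $result.SignatureStatus = $sig.Status.ToString()
    if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }

    # 3. Hash: record it so any allowlist entry can be hash-based rather than path-based,
    #    since the per-run folder name changes between executions (see the two paths above).
    $result.Sha256 = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash

    $msSigned = ($sig.Status -eq 'Valid') -and ($result.Signer -match 'O=Microsoft Corporation')
    $result.Verdict = if ($result.UnderDataCollection -and $msSigned) { 'LikelyLegitimate' } else { 'ReviewManually' }
    [pscustomobject]$result
}

# Usage: evaluate every .ps1 currently present under the DataCollection root.
Get-ChildItem -LiteralPath $DataCollectionRoot -Recurse -Filter '*.ps1' -ErrorAction SilentlyContinue |
    ForEach-Object { Test-MdeDataCollectionScript -Path $_.FullName } |
    Format-Table Verdict, SignatureStatus, Signer, UnderDataCollection, Sha256, Path -AutoSize
```

A `ReviewManually` verdict only means the signature check cannot vouch for the file (it may be unsigned or already removed); it is not evidence of malicious intent, so compare the recorded hash and contents against what the Defender for Endpoint portal reports for that device before deciding.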
