MDATP doesn't constantly detect a ransomware-type mass encryption

Srika 1 Reputation point
2021-05-26T17:29:04.063+00:00

Hello,

As part of security testing, to see the efficacy level of MDATP, we are running a PowerShell script (encrypt_ransomware.ps1) found on GitHub (leomatias/Ransomware-Simulator) that encrypts a bulk number of files and behaves like ransomware.

The workstations used are Windows 10 Enterprise enrolled in Intune with similar policies & settings. The user accounts used to execute the scripts are administrators, but we only run the scripts in standard PowerShell sessions (meaning not 'run as administrator'). We rely on MDATP protection to detect this event and we confirm the alert after seeing it in Security Center, but the alerts/detections in the MDATP Security Center are not consistent. On some of the test machines it gets detected as "ransomware behaviour" by MDATP and an alert is generated; doing the same test on another machine has a different result: no alert is raised in the MDATP console. The outcome is not consistent across the devices we run the script on.

There is no real difference in configuration between the machines, as all policies and settings are pushed to all devices/all users. The tests are identical: the same encryption script, the same number of files, the same total size.

I appreciate any advice or suggestions on how to troubleshoot this and find what's generating the different detection behavior. Why is the massive file change not detected consistently across machines?

I'll continue to see if it stays the same with a standard user (no admin rights by default).
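One practical way to test the "no real difference in configuration" assumption is to capture, on each workstation, the Defender settings that influence behaviour-based and cloud-delivered detections (platform/engine/signature versions, real-time and behaviour monitoring, cloud protection level, controlled folder access, exclusions, and MDE onboarding state) and diff the snapshots from an alerting machine and a silent one. The script below is an added example written for this thread; it is not the asker's code and not part of the Ransomware-Simulator project. It assumes Windows 10 with Defender Antivirus active, a machine onboarded to Defender for Endpoint, and an elevated PowerShell session (some Get-MpPreference properties are hidden otherwise); the output directory is a placeholder.

```powershell
# Added example, not from the original post: snapshot the Defender settings that
# commonly affect behaviour-based detection so two machines can be compared.
# Assumptions: run elevated; $OutDir is a placeholder path.
param(
    [string]$OutDir = "C:\Temp\DefenderSnapshot"   # placeholder, change as needed
)

function Get-DefenderSnapshot {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # MDE sensor onboarding state (1 = onboarded) and the Sense service state.
    $onboarding = (Get-ItemProperty `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
        -ErrorAction SilentlyContinue).OnboardingState
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # [ordered] keeps key order stable so JSON files diff line by line.
    [ordered]@{
        ComputerName                  = $env:COMPUTERNAME
        AMRunningMode                 = $status.AMRunningMode          # Normal vs Passive/EDR Block
        AMProductVersion              = $status.AMProductVersion       # platform version
        AMEngineVersion               = $status.AMEngineVersion
        AntivirusSignatureVersion     = $status.AntivirusSignatureVersion
        AntivirusSignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        RealTimeProtectionEnabled     = $status.RealTimeProtectionEnabled
        BehaviorMonitorEnabled        = $status.BehaviorMonitorEnabled
        IsTamperProtected             = $status.IsTamperProtected
        MAPSReporting                 = $pref.MAPSReporting            # 0 = cloud protection off, 2 = advanced
        SubmitSamplesConsent          = $pref.SubmitSamplesConsent
        CloudBlockLevel               = $pref.CloudBlockLevel
        CloudExtendedTimeout          = $pref.CloudExtendedTimeout
        EnableControlledFolderAccess  = $pref.EnableControlledFolderAccess  # 0 off, 1 block, 2 audit
        DisableBehaviorMonitoring     = $pref.DisableBehaviorMonitoring
        ExclusionPathCount            = @($pref.ExclusionPath).Count
        ExclusionProcessCount         = @($pref.ExclusionProcess).Count
        ExclusionExtensionCount       = @($pref.ExclusionExtension).Count
        MdeOnboardingState            = $onboarding
        SenseServiceStatus            = if ($sense) { $sense.Status.ToString() } else { 'not installed' }
    }
}

# Compare two saved snapshots and list only the settings that differ.
function Compare-DefenderSnapshot {
    param([string]$PathA, [string]$PathB)
    $a = Get-Content -Path $PathA -Raw | ConvertFrom-Json
    $b = Get-Content -Path $PathB -Raw | ConvertFrom-Json
    foreach ($name in $a.PSObject.Properties.Name) {
        if ("$($a.$name)" -ne "$($b.$name)") {
            [pscustomobject]@{ Setting = $name; MachineA = $a.$name; MachineB = $b.$name }
        }
    }
}

# Write this machine's snapshot as JSON named after the host.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$file = Join-Path $OutDir ("{0}.json" -f $env:COMPUTERNAME)
Get-DefenderSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $file -Encoding UTF8
Write-Host "Snapshot written to $file"

# On the analyst workstation, after collecting both files:
#   Compare-DefenderSnapshot -PathA .\ALERTING-PC.json -PathB .\SILENT-PC.json
```

Run the script on a machine that raised the alert and on one that did not, then feed both JSON files to Compare-DefenderSnapshot: any row it prints (a different platform or engine version, cloud protection disabled or at a lower block level, behaviour monitoring off, passive mode, an extra path or process exclusion, or a sensor that is not onboarded) is a concrete difference to investigate before concluding the detection itself is inconsistent. Independently of this, the DeviceFileEvents table in Advanced Hunting can confirm whether the silent device's sensor actually reported the bulk file modifications during the test window.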


1 answer

  1. Teemo Tang 11,376 Reputation points
    2021-05-27T07:02:23.707+00:00

    Hello,
    Due to limited conditions, we can reproduce your scenario for testing. For MDATP questions, you'd better ask for help from the Microsoft Defender for Endpoint community.
    Microsoft Defender for Endpoint - Microsoft Tech Community
    https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP
    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn.
    Thanks for your understanding and cooperation.
