![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 97%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Any news regarding this? I still can't find any documentation about command "MpCmdRun GetDeviceTicket -AccessKey A1A1A1A1-A1A1-A1A1-A1A1-A1A1A1A1A1A1"
MpCmdRun.exe Undocumented Option
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 11%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
chrisbaio
6
Reputation points
On some windows 10 workstation in our organization, I am seeing the following log entry:
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\MpCmdRun.exe" GetDeviceTicket -AccessKey <RANDOM_HEX_STRING>
I've been trying to find documentation on the GetDeviceTicket option, but can't seem to find anything. It is not an option presented in the mpcmdrun.exe command line help file.
Is anyone able to provide any information on this option? I'd just like to understand what this is.
Thank you for any help you can provide.
Regards,
Chris
Windows for business | Windows Client for IT Pros | Devices and deployment | Configure application groups
4 answers
Sort by: Most helpful
-
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 1%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJF%3C/text%3E%3C/svg%3E)
Jean-Francois Brouillette 1 Reputation point2021-08-03T15:51:39.873+00:00 Got any news regarding this? Got the same detection today and can't find documentation about "GetDeviceTicket -AccessKey".
Thank you
-
chrisbaio 6 Reputation points
2020-09-09T18:17:56.19+00:00 Hello Sunny,
Thank you for replying. It was actually recorded by our enterprise EDR solution as a possible indication of compromise.
At this point, we feel this may be part of the definition upgrade process. But wanted to confirm.
I can provide detailed logs if you think they will help.
Regards,
Chris
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2020-09-11T07:41:16.68+00:00 Hello Chris,
Sorry for the late reply.
Please share the detailed logs to for further troubleshooting.
Best Regards,
Sunny -
chrisbaio 6 Reputation points
2020-09-11T12:57:16.137+00:00 Hello Sunny,
Thank you. Unfortunately, full log files have aged out of our SEIM. But the specific commands that were flagged as potentially malicious were:
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\MpCmdRun.exe" GetDeviceTicket -AccessKey 91835DEE-329F-25BC-B508-9639E0F274B6
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\MpCmdRun.exe" -DisableService
\??\C:\windows\system32\conhost.exe 0xffffffff -ForceV1
All three commands were viewed as Privilege Escalation via Access Token Manipulation
I hope this helps.
Chris
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 83%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBN%3C/text%3E%3C/svg%3E)
Brandon nesbitt 1 Reputation point2022-02-25T20:10:01.057+00:00 Did you ever get confirmation as to whether this is standard procedure say when Win 10 OS updates defender signatures? I have system recently log this in our XDR solution that was logged as possible unexpected behavior.
Sign in to comment -
-
Anonymous
2020-09-09T08:54:22.967+00:00 Hi,
Thanks for posting in Q&A platform.
Before we go further, could you please help to verify how did you find this log entry and this log appeared in which kind of scenario?
I also find an article regarding of “Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool”, please kindly check if it is helpful.
Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool
Best Regards,
Sunny Qi=======================================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.