MpCmdRun.exe Undocumented Option

chrisbaio 6 Reputation points
2020-09-08T13:39:30.247+00:00

On some Windows 10 workstations in our organization, I am seeing the following log entry:

"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\MpCmdRun.exe" GetDeviceTicket -AccessKey <RANDOM_HEX_STRING>

I've been trying to find documentation on the GetDeviceTicket option, but can't seem to find anything. It is not an option presented in the mpcmdrun.exe command line help file.

Is anyone able to provide any information on this option? I'd just like to understand what this is.

Thank you for any help you can provide.

Regards,

Chris


4 answers

  1. Sunny Qi 11,036 Reputation points Microsoft Vendor
    2020-09-09T08:54:22.967+00:00

    Hi,

    Thanks for posting in Q&A platform.

    Before we go further, could you please help verify how you found this log entry and in which kind of scenario it appeared?

    I also found an article regarding “Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool”; please kindly check if it is helpful.

    Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool

    Best Regards,
    Sunny Qi

    =======================================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. chrisbaio 6 Reputation points
    2020-09-09T18:17:56.19+00:00

    Hello Sunny,

    Thank you for replying. It was actually recorded by our enterprise EDR solution as a possible indication of compromise.

    At this point, we feel this may be part of the definition upgrade process. But wanted to confirm.

    I can provide detailed logs if you think they will help.

    Regards,

    Chris


  3. Jean-Francois Brouillette 1 Reputation point
    2021-08-03T15:51:39.873+00:00

    Got any news regarding this? Got the same detection today and can't find documentation about "GetDeviceTicket -AccessKey".

    Thank you


  4. Rémi P 0 Reputation points
    2023-04-10T21:08:49.08+00:00

    Any news regarding this? I still can't find any documentation about command "MpCmdRun GetDeviceTicket -AccessKey A1A1A1A1-A1A1-A1A1-A1A1-A1A1A1A1A1A1"

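The thread never establishes what `GetDeviceTicket` does, so the practical question for the analyst who gets this EDR hit is triage: is the `MpCmdRun.exe` that ran actually the one in the Defender platform directory, is the verb one of the documented switches, and has the `-AccessKey` value been redacted before the logs are shared (as Chris offers to do above)? The following is an added example written for this page, not code from the thread or from Microsoft. It assumes a simplified process-creation event shape (`host`, `image`, `cmdline`), a deliberately partial allow-list of documented switches that you would extend from `MpCmdRun.exe -h` on your own build, and the platform-folder layout shown in the question (`Platform\<a.b.c.d-n>\MpCmdRun.exe`). The sample events are constructed.

```python
import re

# Constructed sample process-creation events, modelled on the entry quoted in
# the question. Not real telemetry; the key values are placeholders.
SAMPLE_EVENTS = [
    {   # the case from the thread: legitimate path, undocumented verb
        "host": "ws-01",
        "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe",
        "cmdline": r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" '
                   r"GetDeviceTicket -AccessKey A1A1A1A1-A1A1-A1A1-A1A1-A1A1A1A1A1A1",
    },
    {   # routine, documented use
        "host": "ws-02",
        "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe",
        "cmdline": r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -SignatureUpdate',
    },
    {   # same command line, but the binary is not where Defender keeps it
        "host": "ws-03",
        "image": r"C:\Users\Public\MpCmdRun.exe",
        "cmdline": r'"C:\Users\Public\MpCmdRun.exe" GetDeviceTicket -AccessKey 00000000-0000-0000-0000-000000000000',
    },
]

# Expected location of the Defender platform binaries. The version folder in the
# question is 4.18.2008.9-0, so the pattern accepts the general <a.b.c.d-n> shape.
PLATFORM_IMAGE = re.compile(
    r"^[A-Za-z]:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\"
    r"\d+\.\d+\.\d+\.\d+-\d+\\MpCmdRun\.exe$",
    re.IGNORECASE,
)

# Partial allow-list of documented switches (assumption: extend from `MpCmdRun.exe -h`).
DOCUMENTED = {
    "-scan", "-signatureupdate", "-restore", "-getfiles",
    "-trace", "-validatemapsconnection", "-removedefinitions",
}

# Arguments whose *value* is a token; never forward these unredacted.
SECRET_ARGS = {"-accesskey"}


def split_cmdline(cmdline):
    """Windows-style split: a quoted first token (the image path), then whitespace-separated args."""
    m = re.match(r'^\s*(?:"([^"]*)"|(\S+))\s*(.*)$', cmdline)
    if not m:
        return []
    exe = m.group(1) if m.group(1) is not None else m.group(2)
    return [exe, *m.group(3).split()]


def redact(args):
    """Replace the value following any secret-bearing switch with a marker."""
    out, hide_next = [], False
    for a in args:
        if hide_next:
            out.append("<REDACTED>")
            hide_next = False
            continue
        out.append(a)
        hide_next = a.lower() in SECRET_ARGS
    return out


def triage(event):
    """Classify one event: suspicious (wrong path), expected (documented switch) or review."""
    args = split_cmdline(event["cmdline"])
    verb = args[1].lower() if len(args) > 1 else ""
    if not PLATFORM_IMAGE.match(event["image"]):
        verdict, reason = "suspicious", "MpCmdRun.exe image is outside the Defender platform directory"
    elif verb in DOCUMENTED:
        verdict, reason = "expected", "documented switch"
    elif verb:
        verdict, reason = "review", f"undocumented verb {args[1]!r} from the legitimate platform path"
    else:
        verdict, reason = "review", "no arguments"
    return {"host": event["host"], "verdict": verdict, "reason": reason, "args": redact(args)}


def triage_all(events=SAMPLE_EVENTS):
    return [triage(e) for e in events]


if __name__ == "__main__":
    for r in triage_all():
        print(f'{r["host"]}: {r["verdict"]:10} {r["reason"]}  |  {" ".join(r["args"])}')
```

The path check is the part that carries weight: the thread's observation is only interesting because the binary sits in the real platform folder, and a copy of `MpCmdRun.exe` elsewhere with the same arguments is a different finding. The redaction step is what makes it safe to attach the command line to a ticket or a forum post.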
