Batch file with Defender Deception
Hi all,
Last year when Defender Deception was introduced, we enabled the default rule. By July this year, we started noticing some bat.backup files with these deception users on a few computers which are in scope of this deception rule (mostly in the C:\users\default or C:\Users\Username directory; file names are usually loginmonitor.bat.backup).
Sample content of the file is below:
net user \devicenamemonitor /USER:DECEPTION_USER PASSWORD
ping 8.8.8.8 >> \devicenamemonitor%HOSTNAEM%.txt
date >> \devicenamemonitor%HOSTNAEM%.txt
ipconfig /a >> \devicenamemonitor%HOSTNAEM%.txt
Some devices will have ping 1.1.1.1.
I could map those users to the deception users created, but I am wondering what happened in the last month or so that has Defender creating these, possibly the lure files mentioned in the setup window (attached).
Has anyone else noticed this?