Behavior Monitoring demonstration
Applies to:
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender for Business
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender Antivirus
- Microsoft Defender for Individuals
Behavior monitoring in Microsoft Defender Antivirus monitors process behavior to detect and analyze potential threats based on the behavior of applications, services, and files. Rather than relying solely on content matching, which identifies known malware patterns, behavior monitoring observes how software behaves in real time, so a benign-looking binary is still caught when it acts like malware.
Scenario requirements and setup
Windows 11, Windows 10, Windows 8.1, Windows 7 SP1
Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2
Windows
Verify Microsoft Defender real-time protection is enabled
To verify real-time protection is enabled, open PowerShell as an administrator, and then run the following command:
Get-MpComputerStatus | Format-Table RealTimeProtectionEnabled
When real-time protection is enabled, the result shows a value of True.
Enable Behavior Monitoring for Microsoft Defender for Endpoint
For more information on how to enable Behavior Monitoring for Defender for Endpoint, see how to enable Behavior Monitoring.
Demonstration of how Behavior Monitoring works in Windows and Windows Server
To demonstrate how Behavior Monitoring blocks a payload, run the following PowerShell command:
powershell.exe -NoExit -Command "powershell.exe hidden 12154dfe-61a5-4357-ba5a-efecc45c34c4"
The output contains an expected error as follows:
hidden : The term 'hidden' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ hidden 12154dfe-61a5-4357-ba5a-efecc45c34c4
+ ~~~~~~
    + CategoryInfo          : ObjectNotFound: (hidden:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
On the device, a Windows notification (visible in the Windows Action center) reports the detection with the following information:
- Windows Security
- Threats found
- Microsoft Defender Antivirus found threats. Get details.
- Dismiss
If you select the link, your Windows Security app opens. Select Protection history.
You should see information that resembles the following output:
Threat blocked
Detected: Behavior:Win32/BmTestOfflineUI
Status: Removed
A threat or app was removed from this device.
Date: 6/7/2024 11:51 AM
Details: This program is dangerous and executes command from an attacker.
Affected items:
behavior: process: C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe, pid:6132:118419370780344
process: pid:6132,ProcessStart:133621698624737241
In the Microsoft Defender portal, you should see information like this:
Suspicious 'BmTestOfflineUI' behavior was blocked
When you select it, you see the alert tree that has the following information:
Defender detected and terminated active 'Behavior:Win32/BmTestOfflineUI' in process 'powershell.exe' during behavior monitoring
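The Windows demonstration above can be driven end to end from an elevated Windows PowerShell session and verified from the local threat history and the Defender operational event log instead of the Windows Security app. The following script is an added example and is not code from the original page: the cmdlets it calls (Get-MpComputerStatus, Get-MpThreat, Get-MpThreatDetection, Get-WinEvent) are the built-in Defender and event log cmdlets, the test command line and the detection name are the ones documented above, and the function name, its parameters, and the 1116/1117 event cross-check are this example's own choices.

```powershell
# Added example (not from the Microsoft Learn page): run the documented Behavior
# Monitoring test and confirm the detection from PowerShell. Run in an elevated
# Windows PowerShell 5.1 session on a device with Microsoft Defender Antivirus.
# Function name and parameters are this example's own.

function Test-DefenderBehaviorMonitoring {
    param(
        # Detection name the page documents for this test.
        [string] $ExpectedThreat = 'Behavior:Win32/BmTestOfflineUI',
        # How long to wait for the detection to be recorded locally.
        [int]    $TimeoutSeconds = 60
    )

    # 1. Prerequisites: both engines must be on, otherwise the test never fires.
    $status = Get-MpComputerStatus
    if (-not $status.RealTimeProtectionEnabled) {
        throw 'Real-time protection is disabled; enable it before running the test.'
    }
    if (-not $status.BehaviorMonitorEnabled) {
        throw 'Behavior monitoring is disabled (Set-MpPreference -DisableBehaviorMonitoring $false, or the equivalent policy).'
    }

    # 2. Remember when the run started so detections from earlier runs are ignored.
    $startedAt = (Get-Date).AddMinutes(-1)

    # 3. Trigger the test. This is the page's command without -NoExit; the inner
    #    powershell.exe is the process behavior monitoring terminates, and the
    #    "'hidden' is not recognized" error it prints is expected.
    $inner = 'powershell.exe hidden 12154dfe-61a5-4357-ba5a-efecc45c34c4'
    Start-Process -FilePath 'powershell.exe' -ArgumentList "-Command `"$inner`"" -Wait

    # 4. Poll the local threat history until the detection appears or we time out.
    $detection = $null
    $deadline  = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $ids = @(Get-MpThreat | Where-Object ThreatName -eq $ExpectedThreat |
                 Select-Object -ExpandProperty ThreatID)
        if ($ids.Count -gt 0) {
            $detection = Get-MpThreatDetection |
                Where-Object { $_.ThreatID -in $ids -and $_.InitialDetectionTime -ge $startedAt } |
                Sort-Object InitialDetectionTime -Descending |
                Select-Object -First 1
        }
    } while (-not $detection -and (Get-Date) -lt $deadline)

    if (-not $detection) {
        throw "No '$ExpectedThreat' detection was recorded within $TimeoutSeconds seconds."
    }

    # 5. Cross-check the Defender operational log: event 1116 is "threat detected",
    #    1117 is "action taken". These are the records a SIEM would ingest.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = $startedAt
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($ExpectedThreat) }

    [pscustomobject]@{
        Threat          = $ExpectedThreat
        Process         = $detection.ProcessName
        DetectedAt      = $detection.InitialDetectionTime
        ActionSucceeded = $detection.ActionSuccess
        EventIds        = @($events | Select-Object -ExpandProperty Id)
    }
}

Test-DefenderBehaviorMonitoring
```

If the function times out, check that the device is not excluded from behavior monitoring by policy and that the command line was passed through unchanged; the detection keys on the inner powershell.exe process, so a wrapper that rewrites or quotes the arguments differently can prevent it from firing.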
macOS
Verify Microsoft Defender Real-time protection is enabled
To verify real-time protection (RTP) is enabled, open a terminal window and copy and execute the following command:
mdatp health --field real_time_protection_enabled
When RTP is enabled, the result shows a value of 1.
Enable Behavior Monitoring for Microsoft Defender for Endpoint
For more information on how to enable behavior monitoring for Defender for Endpoint, see Deployment instructions.
Demonstration of how Behavior Monitoring works
To demonstrate how Behavior Monitoring blocks a payload:
Create a bash script using a script/text editor such as nano or Visual Studio Code (VS Code):
#!/bin/bash
# Append to the two test file names in /tmp, then keep the process alive briefly.
echo " " >> /tmp/9a74c69a-acdc-4c6d-84a2-0410df8ee480.txt
echo " " >> /tmp/f918b422-751c-423e-bfe1-dbbb2ab4385a.txt
sleep 5
Save the script as BM_test.sh (macOS ships bash at /bin/bash, so that path is used in the shebang), then run the following command to make it executable:
sudo chmod u+x BM_test.sh
Run the bash script:
sudo bash BM_test.sh
The result should look like this:
zsh: killed sudo bash BM_test.sh
The process was terminated and the file was quarantined by Defender for Endpoint on macOS. Use the following command to list all the detected threats:
mdatp threat list
The result shows information like this:
ID: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
Name: Behavior: MacOS/MacOSChangeFileTest
Type: "behavior"
Detection time: Tue May 7 20:23:41 2024
Status: "quarantined"
If you have Microsoft Defender for Endpoint P2/P1 or Microsoft Defender for Business, go to the Microsoft Defender portal, and you see an alert titled, Suspicious 'MacOSChangeFileTest' behavior was blocked.