Microsoft Defender Sensor Configuration with Credentials
Detects Microsoft Defender for Identity (MDI) SensorConfiguration.json files containing DirectoryServicesAccount credentials and Microsoft Defender for Endpoint (MDE) mdatp_managed.json files containing onboardingInfo blobs, both of which represent high-value security tool configuration secrets. Mirrors Snaffler rule KeepDefenderConfigByName.
- Type: regex
- Engine: boost_regex
- Confidence: medium
- Confidence justification: Medium confidence: the DirectoryServicesAccount + Password co-occurrence is specific to MDI sensor config and highly unlikely in other JSON files. The onboardingInfo form is less structurally constrained. Both patterns are flagged as plausible-but-unverified against actual Defender on-disk formats; false positives are possible if other security tools use similar field names.
- Jurisdictions: global
- Regulations: Criminal Code Act 1995 (Cth)
- Frameworks: CIS Controls, ISO 27001, NIST CSF
- Data categories: credentials, security
- Scope: specific
- Platform compatibility: Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Unsupported
Pattern
"DirectoryServicesAccount"[\s\S]{0,200}"(?:Password|EncryptedPassword)"\s*:\s*"[^"]{6,}"
Corroborative evidence keywords
DirectoryServicesAccount, onboardingInfo, SensorConfiguration, mdatp, cloudService, DefenderForIdentity, MicrosoftDefender
Proximity: 300 characters
Should match
- {"DirectoryServicesAccount": {"Username": "svc-mdi@corp.local", "Password": "S3cr3tMDIp@ss", "IsManagedPassword": false}} — MDI SensorConfiguration.json with DirectoryServicesAccount Password field
- {"DirectoryServicesAccount":{"Username":"corp\\svcMDI","EncryptedPassword":"AQAAANCMnd8BFdERjHoAwE/B","IsManagedPassword":false}} — MDI SensorConfiguration.json with EncryptedPassword (DPAPI-encrypted) field
- {"onboardingInfo": "eyJPbmJvYXJkaW5nSW5mbyI6eyJUZW5hbnRJZCI6ImV4YW1wbGUtdGVuYW50LWlkLTEyMzQ1Njc4OTAifX0="} — MDE mdatp_managed.json with onboardingInfo base64 blob (40+ chars)
- {"onboardingInfo":"dGVzdC1vbmJvYXJkaW5nLWluZm8tYmxvYi10aGF0LWlzLWxvbmctZW5vdWdoLXRvLW1hdGNoLXBhdHRlcm4="} — MDE onboardingInfo with longer base64 onboarding token
Should not match
- {"DirectoryServicesAccount": {"Username": "corp\\svc", "Password": "abc"}} — Password value too short (fewer than 6 chars)
- {"onboardingInfo": "short"} — onboardingInfo value too short (fewer than 40 chars)
- {"username": "admin", "password": "Password123"} — Generic JSON credentials without DirectoryServicesAccount or onboardingInfo
Known false positives
- Other Microsoft security product JSON configurations that use DirectoryServicesAccount as a field name for non-MDI purposes. Mitigation: Require proximity to MDI-specific field names (SensorConfiguration, SensorId, cloudService) or mdatp-specific terms.
- JSON test fixtures, mock data, or developer environment configs that use DirectoryServicesAccount as sample data. Mitigation: Check for placeholder values and documentation file contexts; note that exact MDI/MDE on-disk JSON format is not publicly documented.
- The onboardingInfo pattern may match any long base64-like JSON value in a field named onboardingInfo in other contexts. Mitigation: Gate onboardingInfo form at 75+ with MDE/mdatp-specific evidence (mdatp, cloudService, DefenderForEndpoint).
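As an added example (not part of this rule page or of Snaffler), the listed pattern together with the 300-character corroboration window in Python, run over the page's own test vectors plus one constructed sample with SensorConfiguration context to show the mitigation described above. The page gives no regex for the onboardingInfo form, so the one used here is an assumption reconstructed from the 40-character test notes; `scan`, `SAMPLES` and the placeholder SensorId value are also assumptions.

```python
import re

# Pattern as listed on the rule page (DirectoryServicesAccount form).
DSA_RE = re.compile(
    r'"DirectoryServicesAccount"[\s\S]{0,200}"(?:Password|EncryptedPassword)"\s*:\s*"[^"]{6,}"'
)
# Assumption: the page lists no regex for the onboardingInfo form, so this one is
# reconstructed from its test notes (base64-like value of 40 or more characters).
ONBOARDING_RE = re.compile(r'"onboardingInfo"\s*:\s*"[A-Za-z0-9+/=]{40,}"')

FORMS = {"DirectoryServicesAccount": DSA_RE, "onboardingInfo": ONBOARDING_RE}
CORROBORATIVE = ("DirectoryServicesAccount", "onboardingInfo", "SensorConfiguration",
                 "mdatp", "cloudService", "DefenderForIdentity", "MicrosoftDefender")
PROXIMITY = 300  # characters on either side of the match, per the rule


def scan(text):
    """Return (form, matched text, independent evidence keywords) per match.
    Evidence excludes the form's own field name, which the pattern already guarantees."""
    findings = []
    for form, pattern in FORMS.items():
        for m in pattern.finditer(text):
            window = text[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY].lower()
            evidence = tuple(k for k in CORROBORATIVE
                             if k != form and k.lower() in window)
            findings.append((form, m.group(0), evidence))
    return findings


# Constructed samples: the rule page's own test vectors plus one with surrounding
# SensorConfiguration context, so the proximity gate can tell the two apart.
SAMPLES = {
    "dsa_plain": '{"DirectoryServicesAccount": {"Username": "svc-mdi@corp.local", '
                 '"Password": "S3cr3tMDIp@ss", "IsManagedPassword": false}}',
    "dsa_encrypted": r'{"DirectoryServicesAccount":{"Username":"corp\\svcMDI",'
                     r'"EncryptedPassword":"AQAAANCMnd8BFdERjHoAwE/B","IsManagedPassword":false}}',
    "dsa_with_context": '{"SensorConfiguration": {"SensorId": "placeholder-sensor-id", '
                        '"DirectoryServicesAccount": {"Username": "svc-mdi@corp.local", '
                        '"Password": "S3cr3tMDIp@ss"}}}',
    "onboarding": '{"onboardingInfo": "eyJPbmJvYXJkaW5nSW5mbyI6eyJUZW5hbnRJZCI6'
                  'ImV4YW1wbGUtdGVuYW50LWlkLTEyMzQ1Njc4OTAifX0="}',
    "too_short": r'{"DirectoryServicesAccount": {"Username": "corp\\svc", "Password": "abc"}}',
    "generic": '{"username": "admin", "password": "Password123"}',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, scan(text))
```

A finding with an empty evidence tuple is the bare medium-confidence hit; a non-empty tuple means an MDI/MDE-specific term was within the 300-character window, which is the gate the false-positive mitigations call for.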