Microsoft’s Defender for Endpoint (MDE) is a cloud-based security platform that empowers the largest enterprises in the world with Threat & Vulnerability Management, Endpoint Detection & Response, Attack Surface Reduction, and so much more.
You can take advantage of Microsoft’s free trial (no credit card needed) to learn about this technology in a testing environment and hone your cloud security skills with the evaluation lab.
Whether you already use MDE in your organization, you’re thinking about switching to MDE, or you’re looking to gain some cloud security skills to add to your resume, having a lab environment is the best way to learn and play with these features without causing mass chaos at work.
In this blog, I’ll show you how to set up a test environment in no time and we’ll even simulate a ransomware attack against your environment! (Mwuahaha)
Let’s cut to the chase…
First, head over to Microsoft Defender for Endpoint to start a free trial.
Before you can hit the ground running, we need to set up your account (it won't take long).

1. Click Start free trial and enter your email address in the new window.
2. Click Set up account then you will need to enter a first name, last name, phone number, and choose a company name.
3. Verify your phone number with a call or text then choose a name for your tenant. This name will be used when you sign in to your test tenant so pick a good one!
4. Time to create the account that you will be using to access MDE. You can also review the trial agreement here (which I strongly recommend).

5. Confirm your details then click Get Started!
6. Once you sign in with your new account, you will be at http://security.microsoft.com – This is your new playground – This is Microsoft Defender for Endpoint!

Yeah.. Okay Great – Now What?
Now, we can actually get our hands dirty with the many features of MDE. Fortunately for us, Microsoft offers an evaluation lab where we can access virtual machines and simulate attacks that are provided in the MDE portal (you can also use your own attacks if you want!).
The evaluation lab allows us to learn about Microsoft Defender for Endpoint without having to onboard our own devices, although I will touch on that later, because that is something you should be familiar with!
Attack Simulations
Setting up the evaluation lab is quite simple. First, click Evaluation lab in the left pane under the Evaluation & tutorials drop-down, then click the blue Setup lab button.

*NOTE:
If you do not see Evaluation lab in the left pane, understand that it can take several minutes for your test tenant to get completely set up on the backend. If you have any long-lasting technical problems, leave a comment or tweet at me and I will help.
Choose the number of devices you want for the lab. They will be deleted after a certain amount of time, but you can request more after they are deleted.

Agree to the terms and enter your email and name.

On the summary page, click Setup lab then your evaluation lab will look like this:

Click on Add device and choose the operating system. Currently you can choose from Windows 10 or Windows Server 2019. Then click Add device.
Once you add the device, you will see a machine name along with login credentials. Make sure to copy the password, because you will actually be able to access this virtual machine with these credentials.

Your new device will take a few minutes to get started up, but while you wait, you can head over to Tutorials & simulations in the left pane of MDE and check out some of the attack simulations provided there.
Once your device is ready, head back to the Evaluation lab in the left pane and click on Create simulation near the middle.

Select your device and the simulation you want to run then click the blue Create simulation button. For this tutorial, I will be going with the Known Ransomware Infection simulation.
Once your simulation has been created, click the Devices tab so you can watch the fireworks. Click the three dots next to your device then click Connect. This will allow you to download an RDP file and connect to your device with the password you made sure to copy.. right?

Once connected you may see Defender antivirus security notifications popping up as your device battles for its life against the simulation attack.

You can click on the notifications to see more details within the Windows Defender GUI.

Back in your MDE portal, alerts will be lighting up like a Christmas tree so head over to Alerts under the Incidents & alerts drop-down in the left pane.

Click one of the alerts and you’ll see an abundance of information about the alert.

Microsoft Defender for Endpoint automatically lumped all of these alerts into an incident and began an automated investigation. This investigation provides defenders with context about the alerts.
Click on Incidents in the left pane.

Click on the incident name then click the Investigations tab.

Here you can see the automated investigation. Click on it to dive deeper.
Here you’ll see an interactive graph of the investigation. Click on one of the components of the graph or on one of the tabs and dive into the information generated by the investigation.

That was exciting wasn’t it? There’s plenty more to explore in the Microsoft Defender for Endpoint portal so I urge you to try more simulations, play around with the numerous features, check out the official Microsoft docs about MDE, and subscribe to this blog as there will be more MDE content to come.
Bonus Content Below!
As promised, below is a quick guide on how to onboard one of your own devices or virtual machines to Microsoft Defender for Endpoint.
Onboarding Your First Device
Onboarding devices to your test tenant will allow you to get hands-on experience with the many features of Microsoft Defender for Endpoint (MDE) using your own machines and virtual machines.
For this tutorial, I will onboard a Windows 10 device. MDE supports Windows 7, 8, 10, 11, Windows Server 2008 R2, 2012, 2016, 2019, and 2022, as well as macOS, Linux, and even Android and iOS. The onboarding process can vary depending on the operating system. You can find guidance for onboarding Linux here.
Note that Android and iOS will need to be onboarded to MDE via Intune.
With that being said, Windows 10, Windows 11, and Windows Server 2019 and 2022 all have the same onboarding process and it is very simple and quick to do. Just follow along with the instructions below:
Head over to Settings towards the bottom in the left pane then click on Endpoints.
Here you will find loads of fun things you can play around with on your test devices, but before you can explore those, you must onboard your first device.
Scroll down and click on Onboarding.

Leave the Deployment method drop-down as the default option of Local Script, but understand that if you wish to onboard numerous devices at once, you can use other methods such as group policy, Intune, MECM, and SCCM.
Click Download onboarding package, unzip it, then right-click the cmd script and Run as administrator.


Once the script is complete, your newly-onboarded device will soon appear in MDE in your Device inventory!
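If the device does not show up in the Device inventory, you can check the onboarding state on the machine itself. The PowerShell below is an added example, not part of the original post or Microsoft's onboarding package. It assumes the documented sensor service name (Sense), the DiagTrack telemetry service, and the OnboardingState registry value, and the function name Test-MdeOnboarding is made up for illustration. Run it from an elevated PowerShell session.

```powershell
# Added example: post-onboarding health check for a Windows 10/11 test device.
# Assumptions: the MDE sensor service is named "Sense" and the onboarding script
# sets OnboardingState = 1 under the Windows Advanced Threat Protection\Status key.

function Test-MdeOnboarding {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    # The EDR sensor runs as the Sense service; it should exist and be running.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue

    # The sensor relies on the Connected User Experiences and Telemetry service.
    $diag = Get-Service -Name 'DiagTrack' -ErrorAction SilentlyContinue

    # OnboardingState stays $null if the key or value is missing (script never ran).
    $state = $null
    if (Test-Path -Path $statusKey) {
        $state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    }

    # Defender Antivirus status, only if the Defender cmdlets are available.
    $av = $null
    if (Get-Command -Name Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $av = Get-MpComputerStatus -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SenseService     = if ($sense) { $sense.Status } else { 'NotInstalled' }
        DiagTrackService = if ($diag)  { $diag.Status }  else { 'NotInstalled' }
        OnboardingState  = $state
        AntivirusEnabled = if ($av) { $av.AntivirusEnabled } else { $null }
        RealTimeEnabled  = if ($av) { $av.RealTimeProtectionEnabled } else { $null }
        # Onboarded only when the sensor is running AND the registry state is 1.
        Onboarded        = [bool]($sense -and $sense.Status -eq 'Running' -and $state -eq 1)
    }
}

Test-MdeOnboarding | Format-List
```

If Onboarded is False, re-run the onboarding cmd script as administrator and check that neither service is disabled.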
Now, the world is yours and there are plenty of cool things you can do with your test tenant as we got to experience during our simulation. There’s much more to Defender for Endpoint so I encourage you to explore.
If you’ve read this far, thank you from the bottom of my heart and also, be sure to follow my Twitter or sign up for email notifications when I post future blogs here, because if you managed to get this far, then you will certainly like my future blogs. Thank you for reading!
How Long is the MDE Free Trial?
The Microsoft Defender for Endpoint free trial is 90 days long. You can also request a 30-day extension under the Billing section in the O365 admin portal.
What is Microsoft Defender for Endpoint?
Microsoft Defender for Endpoint (MDE), formerly known as MDATP, is an enterprise-level endpoint security platform. MDE offers Endpoint Detection & Response (EDR) for both Windows and Unix-based systems. MDE is a cloud platform designed to help prevent, detect, investigate, and respond to advanced threats.
Is Microsoft Defender for Endpoint an antivirus?
While the names are similar, Windows Defender is an antivirus, whereas Microsoft Defender for Endpoint (MDE) is a cloud-based security platform capable of Endpoint Detection & Response (EDR), automated investigations, web content filtering, and much more.