
Explanation:
You're configuring a Deception rule in Microsoft Defender XDR and need to provide a custom lure file.
* You set the Planting path to HOME, which means the file will be deployed into user home directories.
You must determine:
* Which file types are supported for custom lure files.
* Which home directory the file should reside in.
# Verified Answer = EXE, XLSX, and PDF
As per Microsoft Defender for Endpoint Deception documentation:
"Custom lure files can be created using EXE, XLSX, or PDF file types. These file types are supported for deception scenarios and can trigger alerts when accessed or executed by an attacker."
The platform uses these file types because they are commonly interacted with by adversaries during lateral movement or reconnaissance.
* EXE: Simulates executables that appear valuable or tempting.
* XLSX / PDF: Represent business-related or sensitive document lures.
Therefore, you can upload EXE, XLSX, and PDF lure files simultaneously or select one of them.
# Correct selection: EXE, XLSX, and PDF
# Verified Answer = The active user
When you set the Planting path = HOME, Defender plants the deception artifact (lure file) under the active user's home directory.
This ensures that the lure file is visible and accessible within the context of the currently logged-in user, precisely where attackers are most likely to browse or exfiltrate files.
According to Microsoft's deception feature reference:
"When the planting path is set to HOME, the deception files are placed in the home directory of the active user on the device. This ensures that the files are visible during an interactive session and accessible to adversaries using that account."
Other options such as "Active Directory user," "Local user," or "Planted cached user" are not used for standard HOME planting. The deception system targets the context of the active session to maximize effectiveness and reduce false positives.
# Correct selection: The active user
| Configuration Aspect | Correct Option |
| --- | --- |
| File types | EXE, XLSX, and PDF |
| Home directory of | The active user |
Summary:
When creating a custom lure file in Microsoft Defender XDR Deception with the planting path set to HOME, you should:
* Use EXE, XLSX, and PDF file types.
* Place them in the active user's home directory on the target device.
These selections align with Microsoft Defender XDR Deception's official documentation and M365 E5 SecOps study material.
Question Part 1: Which types of files can you use for the custom lure?
The Answer:
EXE, XLSX, and PDF
According to your screenshot (File types drop-down), you can use the following file types for a custom lure in Microsoft Defender XDR deception rules:
* EXE
* XLSX
* PDF
You can select any combination of these, so EXE, XLSX, and PDF are all supported as custom lure file types.
Question Part 2: In which home directory should the file be located on a device?
The Answer:
The Active Directory user
When you set the Planting path to HOME in a deception rule, the file should be planted in the home directory of a user. According to the available drop-down options and Microsoft documentation, the typical recommended choice for corporate environments (and specifically for most deception scenarios) is "The Active Directory user". This ensures the lure is placed where the intended target (a domain user) is likely to encounter it.