Detector Test Alerts
You can test Secureworks® Taegis™ XDR event ingestion using the following actions.
Log Ingestion & Normalization Tests ⫘
DNS Query ⫘
On a monitored host, perform an action that triggers a DNS query for watchlist-test.ctpx.secureworks.com.
Note
The Taegis™ XDR Endpoint Agents for Linux and macOS do not provide DNS query telemetry.
Windows host ⫘
ping watchlist-test.ctpx.secureworks.com
Note
The ping itself will not succeed; the DNS lookup it performs is what generates the DNS query telemetry.
Login Failures ⫘
On a monitored host, fail a login (for example by entering a wrong password) for the username TAEGIS_TEST_ALERT.
A successful test generates an alert and confirms that authentication events from that host are being ingested and normalized.
Endpoint Process Execution ⫘
The following commands trigger a test alert on a host running the Taegis™ XDR Endpoint Agent or Red Cloak™ Endpoint Agent. The named file does not need to exist; the process event is what the detector matches.
On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
notepad.exe TaegisTest
On a Linux host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
vi taegistest
XDR Detector Tests ⫘
Netflow Threat Intel ⫘
Detection: IP addresses linked to threat intel indicating suspicious/malicious activity.
Windows host: the test address does not expose any open ports, so the alert has to be generated by sending traffic to it. On Windows you can use Ncat (the netcat shipped with Nmap) to send UDP packets:
ncat.exe -u -p 53 96.82.141.209
Note
In UDP mode Ncat sends nothing until it reads input, so type any text and press Enter to put a datagram on the wire, then close Ncat with Ctrl+C.
Linux host: the UDP probes traceroute sends by default are enough to generate the flow.
traceroute 96.82.141.209
Tactic Graphs Detector ⫘
To trigger a Tactic Graphs™ Detector Alert for Multiple Attempts to Stop/Disable Windows Services, execute the following on a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent.
Open a command line and execute the following in succession:
sc delete taegistest1
sc delete taegistest2
sc delete taegistest3
sc delete taegistest4
sc delete taegistest5
Note
None of these services exist, so each command fails with error 1060 (the specified service does not exist). That is expected: the detector keys on the rapid succession of stop/disable/delete attempts, not on a successful deletion.
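As an added illustration (my code, not Secureworks' detector logic): a toy sequence detector in Python that applies the idea behind this test to constructed process events, counting stop/disable/delete attempts per host and alerting when five of them fall inside one window. The threshold, the window and the set of matched commands are assumptions; the page does not state what the real Tactic Graph uses.

```python
"""Added example, not Secureworks code: a minimal version of the sequence logic
behind 'Multiple Attempts to Stop/Disable Windows Services'. Threshold (5) and
window (5 minutes) are assumptions chosen to match the five sc delete commands."""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Command lines that count as an attempt to stop, disable or delete a service
# (sc.exe subcommands, net stop, and the PowerShell cmdlet equivalents).
SERVICE_TAMPER = re.compile(
    r"""(?ix)
    (?: \bsc(?:\.exe)?\s+(?:delete|stop|config\b.*\bstart=\s*disabled)
      | \bnet(?:\.exe)?\s+stop\b
      | \bstop-service\b
      | \bset-service\b.*-startuptype\s+disabled\b )
    """
)


def is_service_tamper(cmdline: str) -> bool:
    return SERVICE_TAMPER.search(cmdline) is not None


def detect_service_tampering(events, threshold=5, window=timedelta(minutes=5)):
    """events: iterable of (timestamp, host, cmdline) in time order.
    Returns one (host, first_ts, last_ts, cmdlines) tuple per burst in which a
    single host produced `threshold` matching events within `window`."""
    recent = defaultdict(deque)
    alerts = []
    for ts, host, cmd in events:
        if not is_service_tamper(cmd):
            continue
        bucket = recent[host]
        bucket.append((ts, cmd))
        while ts - bucket[0][0] > window:      # drop events that fell out of the window
            bucket.popleft()
        if len(bucket) >= threshold:
            alerts.append((host, bucket[0][0], ts, [c for _, c in bucket]))
            bucket.clear()                      # one alert per burst
    return alerts


def _t(minute, second=0):
    return datetime(2024, 1, 1, 12, minute, second)


# Constructed process events: WS01 runs the five test commands within 40 seconds,
# WS02 touches two services (below threshold), plus unrelated noise.
SAMPLE_EVENTS = [
    (_t(0, 0),  "WS01", "sc query WinDefend"),
    (_t(0, 5),  "WS01", "sc delete taegistest1"),
    (_t(0, 12), "WS02", "net stop Spooler"),
    (_t(0, 15), "WS01", "sc delete taegistest2"),
    (_t(0, 25), "WS01", "sc delete taegistest3"),
    (_t(0, 30), "WS02", "sc config Spooler start= disabled"),
    (_t(0, 35), "WS01", "sc delete taegistest4"),
    (_t(0, 45), "WS01", "sc delete taegistest5"),
    (_t(9, 0),  "WS01", "sc delete taegistest6"),   # minutes later: a new, sub-threshold burst
]

if __name__ == "__main__":
    for host, first, last, cmds in detect_service_tampering(SAMPLE_EVENTS):
        print(f"{host}: {len(cmds)} service tamper attempts between "
              f"{first:%H:%M:%S} and {last:%H:%M:%S}")
```

The bucket is cleared after an alert so a sustained burst produces one alert rather than one per additional command; lowering `threshold` shows the same events splitting into several bursts.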
Taegis Watchlist Detections ⫘
The following tests trigger alerts from the Taegis Watchlist detector, which are presented in XDR like any other alert.
PowerSploit Recon Script ⫘
Detection: a threat actor establishing a shell after a host has been compromised. This test generates a Critical alert.
On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
powershell.exe get-httpstatus
PowerShell should report that the term get-httpstatus is not recognized. The watchlist matches the PowerSploit Recon cmdlet name on the command line, so the alert fires without the module being present.
References ⫘
- https://www.pentestgeek.com/penetration-testing/powersploit-invoke-shellcode
Mimikatz Activity — command line ⫘
Detection: targeted credential theft after the host has been compromised. This test generates a High alert.
On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command. No mimikatz binary is involved or needed; the watchlist matches the process command line. If a new prompt opens, close it with exit.
cmd.exe mimikatz
Suspicious FTP Downloader Command ⫘
Detection: a threat actor attempting to download additional tools or malware after a host has been compromised.
On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command.
cmd.exe echo open get
Note
There is no risk in executing this command: nothing connects to an FTP server. The tokens echo open and get only have to appear on the cmd.exe command line for the watchlist to match.
Suspicious Invocation of Script Host Via WMIC ⫘
Detection: a process event associated with a suspicious invocation of a scripting host. This activity may indicate that malware is being installed or launched on the system. This test generates a Medium alert.
On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection. The .vbs path does not need to exist: WMIC reports the process creation, and wscript.exe then complains that it cannot find the script, which is harmless.
cmd /c WMIC Process Call Create C:\Windows\System32\Wscript.exe //NOLOGO %AppData%\Local\Temp\C-Dlt-C-Org-T.vbs
Windows Defender Service Deleted ⫘
Detection: a process event associated with the deletion of the Windows Defender service.
On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open an elevated command line and execute the following command to trigger this detection.
WARNING: If the command succeeds it removes the WinDefend service registration, which disables Windows Defender on the host, and restoring it is not a matter of simply starting the service again. Run this only on a disposable test system and restore Defender afterwards. On current Windows builds with Tamper Protection enabled the command is normally refused with access denied, but the process event is still generated.
sc delete WinDefend
Possible Netcat Backdoor ⫘
Detection: This may indicate that threat actors are creating a backdoor to listen for inbound connections to the system.
On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
C:\Recovery\nc.exe -l -p 8080 -e cmd.exe
Tip
If netcat is not available on the system, run cmd.exe -l -p 8080 -e cmd.exe instead; the watchlist matches the parameters (-l, -p 8080, -e cmd.exe), not the executable name. If nc.exe really is present, the command starts a genuine bind shell on TCP port 8080, so stop it (Ctrl+C) as soon as the alert appears.
Filesystem Journal Cleared ⫘
Detection: A process event associated with the filesystem journal being cleared was identified. This activity may indicate that ransomware is preparing to encrypt files on the system.
On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
Important
Do NOT execute this command on a production system: it deletes the NTFS change journal on C:, which backup, indexing and file-tracking software depend on. It has to run from an elevated prompt to have any effect.
fsutil.exe usn deletejournal /D C:
Suspicious RAR Archive Command ⫘
Detection: a process event associated with a suspicious RAR archive command was identified (recursively collecting files into split volumes). This may indicate that threat actors are staging data for exfiltration.
On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
rar.exe a -m5 -s -r -v1m exfil.rar *.pdf
Tip
If rar.exe is not available on the system, run cmd.exe a -m5 -s -r -v1m exfil.rar *.pdf instead; the watchlist matches the parameters, not the executable name.
There is no risk in running this command. If rar.exe is installed it will archive any PDFs under the current directory, so run it from an empty directory and delete the resulting archive volumes afterwards.
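The tips under Possible Netcat Backdoor and Suspicious RAR Archive Command both say the watchlist matches parameters rather than the executable name. The following Python matcher, added here as an illustration and not Secureworks' rule logic, shows what that means: it tokenises the command line and applies two argument-based rules, so the nc.exe and cmd.exe forms of the first test (and the rar.exe and cmd.exe forms of the second) match identically while benign look-alikes do not. The rule definitions and the sample command lines are my assumptions.

```python
"""Added example, not Secureworks code: argument-based watchlist rules that
ignore the image name, in the spirit of the two tips above."""

import shlex


def split_cmdline(cmdline: str):
    """Tokenise a Windows command line on whitespace, honouring quotes but
    leaving backslashes in paths untouched (posix=False)."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def netcat_backdoor(argv):
    """Listener (-l) that hands the connection to a program (-e <prog>),
    whatever the executable is called. Returns details or None."""
    args = [a.lower() for a in argv[1:]]
    if "-l" not in args or "-e" not in args:
        return None
    e = args.index("-e")
    if e + 1 >= len(args):
        return None
    port = None
    if "-p" in args and args.index("-p") + 1 < len(args):
        port = args[args.index("-p") + 1]
    return {"program": args[e + 1], "port": port}


def rar_staging(argv):
    """`a` (add) with recursion (-r) and volume splitting (-vN) into an archive:
    the shape of a collect-for-exfiltration command. Returns details or None."""
    args = argv[1:]
    if not args or args[0].lower() != "a":
        return None
    switches = {a.lower() for a in args[1:] if a.startswith("-")}
    targets = [a for a in args[1:] if not a.startswith("-")]
    if "-r" in switches and any(s.startswith("-v") for s in switches) and targets:
        return {"archive": targets[0], "patterns": targets[1:]}
    return None


RULES = [
    ("Possible Netcat Backdoor", netcat_backdoor),
    ("Suspicious RAR Archive Command", rar_staging),
]


def match_watchlist(cmdline: str):
    """Return (rule name, details) for the first rule that fires, else None."""
    argv = split_cmdline(cmdline)
    if not argv:
        return None
    for name, rule in RULES:
        hit = rule(argv)
        if hit is not None:
            return name, hit
    return None


# Constructed command lines: both test variants per rule plus benign look-alikes.
SAMPLES = [
    r"C:\Recovery\nc.exe -l -p 8080 -e cmd.exe",
    "cmd.exe -l -p 8080 -e cmd.exe",
    "rar.exe a -m5 -s -r -v1m exfil.rar *.pdf",
    "cmd.exe a -m5 -s -r -v1m exfil.rar *.pdf",
    "nc.exe -zv 10.0.0.1 80",     # port probe: no listener, no -e
    "rar.exe x backup.rar",       # extract, not collect
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{str(match_watchlist(line)):70} <- {line}")
```

Because the rules never look at `argv[0]`, renaming or substituting the binary (the trick the tips rely on for testing, and the trick attackers rely on for evasion) does not change the verdict.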
Suspicious Share Creation ⫘
Detection: A process event associated with creating a file share with a suspicious name was identified. This activity may indicate that specific threat actors are attempting to move laterally in the network.
On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
Note
The share name is misspelled on purpose.
cmd.exe /c net share adnim
Note
There is no risk in executing this command. Without a path argument, net share only queries the named share and reports that it does not exist; nothing is shared.
Powershell Encoded Command ⫘
Detection: a process event associated with potentially malicious PowerShell usage was identified. The presence of this activity may indicate that threat actors are attempting to move laterally or execute tools within the environment.
On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
powershell.exe -enc cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAGMAYQBsAGMA
Note
There is no risk in executing this command. The base64 string is UTF-16LE text that decodes to start-process calc, so the only effect is that Calculator opens.
Kernel security module unloaded - rmmod ⫘
Detection: A process event associated with attempting to unload a kernel security module was identified. This activity may indicate that threat actors are attempting to disable defensive controls on the system.
On a Linux host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
Important
DO NOT execute this as root or with sudo. As an unprivileged user the module cannot be unloaded (and ipchains is not present on current kernels anyway), so the command fails harmlessly while still producing the process event the detector matches.
rmmod ipchains
Audit Rule and Watch Deletion ⫘
Detection: A process event associated with attempting to disable security controls was identified. This activity may indicate that threat actors are attempting to evade detection on a host.
On a Linux host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
Important
DO NOT execute this as root or with sudo. As an unprivileged user auditctl refuses to delete the audit rules, so the command fails harmlessly while still producing the process event the detector matches.
auditctl -D
Process Wipes Bash Command History ⫘
Detection: A process event associated with an attempt to wipe bash command history was identified. This activity may indicate that threat actors are active on the system.
On a Linux host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
Important
This deletes the .bash_history file in the current directory. Run it from your home directory only if you are willing to lose your real history; anywhere else it removes only the empty file it has just created. The inner command must be quoted so that sh runs both touch and rm; unquoted, sh -c receives only touch and the rm never executes.
/bin/sh -c 'touch .bash_history && rm .bash_history'