☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Get Started
- Get Started with XDR
- Top 5 Tasks
Integrate with XDR
- Integration Overview
- Data Source Integration Definitions
- All Available Integrations
- Add Data Collectors
- Add Endpoint Agents
- Forward Data to XDR
- Create Custom Parsers
  - Overview
  - Syntax
  - Repeating Fields
  - Overriding and Extending Global Parsers
  - Supported Schemas
  - All Schemas
    - Antivirus
    - Auth
    - CloudAudit
    - DHCP
    - DNS
    - Email
    - Encrypt
    - FileMod
    - HTTP
    - Management Event
    - Netflow
    - NIDS
    - Process
    - Registry
    - Thirdparty
    - Types
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
Secureworks Products, Services, and Policies
- Managed iSensor
- ManagedXDR
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- ManagedXDR–Managed iSensor Add-on
- Secureworks Professional Services
- Legal

Detector Test Alerts

detectors

You can test Secureworks® Taegis™ XDR event ingestion using the following actions.

Log Ingestion & Normalization Tests ⫘

DNS Query ⫘

On a host that is monitored, execute actions which trigger a DNS query for watchlist-test.ctpx.secureworks.com.

Note

The Taegis™ XDR Endpoint Agents for Linux and macOS do not provide DNS query telemetry.

Windows host ⫘

ping watchlist-test.ctpx.secureworks.com

Note

This ping will not be successful, but should trigger DNS query telemetry.

On a host that is monitored, fail a login with username TAEGIS_TEST_ALERT.

This should generate an alert and indicate that authentication events are being monitored and normalized.

Endpoint Process Execution ⫘

Execute the following to trigger a test alert on a host with the Taegis™ XDR Endpoint Agent or Red Cloak™ Endpoint Agent.

On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.

notepad.exe TaegisTest

On a Linux host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.

vi taegistest

XDR Detector Tests ⫘

Netflow Threat Intel ⫘

Detection: IP addresses linked to threat intel indicating suspicious/malicious activity.

Windows host: This IP address is not hosting any open ports, so to generate an alert you need to generate UDP traffic to this IP address. On Windows, you can use netcat to generate UDP packets.

ncat.exe -u -p 53 96.82.141.209

Linux host:

traceroute 96.82.141.209

Tactic Graphs Detector ⫘

To trigger a Tactic Graphs™ Detector Alert for Multiple Attempts to Stop/Disable Windows Services, execute the following on a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent.

Open a command line and execute the following in succession:

sc delete taegistest1
sc delete taegistest2
sc delete taegistest3
sc delete taegistest4
sc delete taegistest5

Taegis Watchlist Detections ⫘

Taegis Watchlist alerts are presented in XDR from the Taegis Watchlist detector.

PowerSploit Recon Script ⫘

Detection: Threat actor getting a shell after a host has been compromised, this will generate a Critical alert.

On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.

powershell.exe get-httpstatus

An error should be displayed that indicates the term get-httpstatus is not recognized.

References ⫘

https://www.pentestgeek.com/penetration-testing/powersploit-invoke-shellcode

Mimikatz Activity — command line ⫘

Detection: Targeted credential theft after the host has been compromised, this will generate a High alert.

On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command:

cmd.exe mimikatz

Suspicious FTP Downloader Command ⫘

Detection: Threat actor attempting to download additional tools or malware after host has been compromised.

On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command.

cmd.exe echo open get

Note

There is no risk in executing this command, it essentially just echoes output to the CLI.

Suspicious Invocation of Script Host Via WMIC ⫘

Detection: A process event associated with a suspicious invocation of a scripting host was identified. This activity may indicate that malware is being installed or launched on the system. This will generate a Medium alert.

On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.

cmd /c WMIC Process Call Create C:\Windows\System32\Wscript.exe //NOLOGO %AppData%\Local\Temp\C-Dlt-C-Org-T.vbs

Windows Defender Service Deleted ⫘

Detection: A process event associated with the deletion of the Windows Defender service.

On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.

WARNING: This does disable Windows Defender on the host. Re-enable the service after performing this test.

sc delete WinDefend

Possible Netcat Backdoor ⫘

Detection: This may indicate that threat actors are creating a backdoor to listen for inbound connections to the system.

On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.

C:\Recovery\nc.exe -l -p 8080 -e cmd.exe

Tip

If NetCat isn’t available on the system, you can also use the command shell: "cmd.exe -l -p 8080 -e cmd.exe", as this watchlist looks for specific parameters.

Filesystem Journal Cleared ⫘

Detection: A process event associated with the filesystem journal being cleared was identified. This activity may indicate that ransomware is preparing to encrypt files on the system.

On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.

Important

Do NOT execute this command on a Production system because it will delete file system information.

"fsutil.exe usn deletejournal /D C:"

Suspicious RAR Archive Command ⫘

Detection: A process event associated with RemCom activity was detected. This may indicate that threat actors are attempting to move laterally and execute commands on a target system within the network.

On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.

rar.exe a -m5 -s -r -v1m exfil.rar *.pdf

Tip

If rar.exe isn’t available on the system, you can also use the command shell "cmd.exe a -m5 -s -r -v1m exfil.rar *.pdf", as this watchlist looks for specific parameters. There is no risk running this command.

Detection: A process event associated with creating a file share with a suspicious name was identified. This activity may indicate that specific threat actors are attempting to move laterally in the network.

On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.

Note

The share name is misspelled on purpose.

cmd.exe /c net share adnim

Note

There is no risk in executing this command.

Powershell Encoded Command ⫘

Detection: A process event associated with potentially malicious powershell usage was identified. The presence of this activity may indicate that threat actors are attempting to move laterally or execute tools within the environment.

On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.

powershell.exe -enc cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAGMAYQBsAGMA

Note

There is no risk in executing this command.

Kernel security module unloaded - rmmod ⫘

Detection: A process event associated with attempting to unload a kernel security module was identified. This activity may indicate that threat actors are attempting to disable defensive controls on the system.

On a Linux host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.

Important

DO NOT execute this as root or with sudo.

rmmod ipchains

Audit Rule and Watch Deletion ⫘

Detection: A process event associated with attempting to disable security controls was identified. This activity may indicate that threat actors are attempting to evade detection on a host.

On a Linux host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.

Important

DO NOT execute this as root or with sudo.

auditctl -D

Process Wipes Bash Command History ⫘

Detection: A process event associated with an attempt to wipe bash command history was identified. This activity may indicate that threat actors are active on the system.

On a Linux host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.

Important

This will erase your bash_history.

/bin/sh -c touch .bash_history && rm .bash_history

Log Ingestion & Normalization Tests
DNS Query
Login Failures
Endpoint Process Execution
XDR Detector Tests
Netflow Threat Intel
Tactic Graphs Detector
Taegis Watchlist Detections
PowerSploit Recon Script
Mimikatz Activity — command line
Suspicious FTP Downloader Command
Suspicious Invocation of Script Host Via WMIC
Windows Defender Service Deleted
Possible Netcat Backdoor
Filesystem Journal Cleared
Suspicious RAR Archive Command
Suspicious Share Creation
Powershell Encoded Command
Kernel security module unloaded - rmmod
Audit Rule and Watch Deletion
Process Wipes Bash Command History

Detector Test Alerts

Log Ingestion & Normalization Tests ⫘

DNS Query ⫘

Windows host ⫘

Login Failures ⫘

Endpoint Process Execution ⫘

XDR Detector Tests ⫘

Netflow Threat Intel ⫘

Tactic Graphs Detector ⫘

Taegis Watchlist Detections ⫘

PowerSploit Recon Script ⫘

References ⫘

Mimikatz Activity — command line ⫘

Suspicious FTP Downloader Command ⫘

Suspicious Invocation of Script Host Via WMIC ⫘

Windows Defender Service Deleted ⫘

Possible Netcat Backdoor ⫘

Filesystem Journal Cleared ⫘

Suspicious RAR Archive Command ⫘

Suspicious Share Creation ⫘

Powershell Encoded Command ⫘

Kernel security module unloaded - rmmod ⫘

Audit Rule and Watch Deletion ⫘

Process Wipes Bash Command History ⫘

On this page: