
Detector Test Alerts

You can test Secureworks® Taegis™ XDR event ingestion using the following actions.

Log Ingestion & Normalization Tests

DNS Query

On a host that is monitored, execute actions which trigger a DNS query for watchlist-test.ctpx.secureworks.com.

Note

The Taegis™ Endpoint Agents for Linux and macOS do not provide DNS query telemetry.

Windows host

ping watchlist-test.ctpx.secureworks.com

Note

This ping will not be successful, but should trigger DNS query telemetry.

Login Failures

On a host that is monitored, fail a login with username TAEGIS_TEST_ALERT.

This should generate an alert and indicate that authentication events are being monitored and normalized.

Endpoint Process Execution

Execute the following to trigger a test alert on a host with the Red Cloak™ Endpoint Agent.

On a Windows host with the Red Cloak™ Endpoint Agent, open a command line and execute the following command to trigger this detection.

notepad.exe TaegisTest

On a Linux host with the Red Cloak™ Endpoint Agent, open a command line and execute the following command to trigger this detection.

vi taegistest

Secureworks® Taegis™ XDR Detector Tests

Netflow Threat Intel

Detection: IP addresses linked to threat intel indicating suspicious/malicious activity.

Windows host: The IP address below does not host any open ports, so to generate an alert you need to send UDP traffic to it. On Windows, you can use netcat (ncat) to generate UDP packets.

ncat.exe -u -p 53 96.82.141.209

Linux host:

traceroute 96.82.141.209

Tactic Graphs™ Detector

To trigger a Tactic Graphs™ Detector Alert for Multiple Attempts to Stop/Disable Windows Services, execute the following on a Windows host with the Red Cloak™ Endpoint Agent.

Open a command line and execute the following in succession:

sc delete taegistest1
sc delete taegistest2
sc delete taegistest3
sc delete taegistest4
sc delete taegistest5

Secureworks® Taegis™ XDR Watchlist Detections

Red Cloak™ Endpoint Agent Watchlist alerts are presented in Secureworks® Taegis™ XDR from the Red Cloak™ Endpoint Agent Watchlist detector. The severity levels are translated from the Red Cloak™ Endpoint Agent Watchlist to one of Info, Low, Medium, High, or Critical.

PowerSploit Recon Script

Detection: A threat actor obtaining a shell after a host has been compromised. This generates a Critical alert.

On a Windows host with the Red Cloak™ Endpoint Agent open a command line and execute the following command to trigger this detection.

powershell.exe get-httpstatus

An error should be displayed that indicates the term get-httpstatus is not recognized.

Mimikatz Activity — command line

Detection: Targeted credential theft after the host has been compromised. This generates a High alert.

On a Windows host with the Red Cloak™ Endpoint Agent, open a command line and execute the following command:

cmd.exe mimikatz

Suspicious FTP Downloader Command

Detection: Threat actor attempting to download additional tools or malware after host has been compromised.

On a Windows host with the Red Cloak™ Endpoint Agent, open a command line and execute the following command.

cmd.exe echo open get

Note

There is no risk in executing this command; it simply echoes output to the CLI.

Suspicious Invocation of Script Host Via WMIC

Detection: A process event associated with a suspicious invocation of a scripting host was identified. This activity may indicate that malware is being installed or launched on the system. This will generate a Medium alert.

On a Windows host with the Red Cloak™ Endpoint Agent, open a command line and execute the following command to trigger this detection.

cmd /c WMIC Process Call Create C:\Windows\System32\Wscript.exe //NOLOGO %AppData%\Local\Temp\C-Dlt-C-Org-T.vbs

Windows Defender Service Deleted

Detection: A process event associated with the deletion of the Windows Defender service.

On a Windows host with the Red Cloak™ Endpoint Agent, open a command line and execute the following command to trigger this detection.

WARNING: This does disable Windows Defender on the host. Re-enable the service after performing this test.

sc delete WinDefend

Possible Netcat Backdoor

Detection: This may indicate that threat actors are creating a backdoor to listen for inbound connections to the system.

On a Windows host with the Red Cloak™ Endpoint Agent, open a command line and execute the following command to trigger this detection.

C:\Recovery\nc.exe -l -p 8080 -e cmd.exe

Tip

If NetCat isn’t available on the system, you can also use the command shell: "cmd.exe -l -p 8080 -e cmd.exe", as this watchlist looks for specific parameters.

Filesystem Journal Cleared

Detection: A process event associated with the filesystem journal being cleared was identified. This activity may indicate that ransomware is preparing to encrypt files on the system.

On a Windows host with the Red Cloak™ Endpoint Agent, open a command line and execute the following command to trigger this detection.

Important

Do NOT execute this command on a Production system because it will delete file system information.

fsutil.exe usn deletejournal /D C:

Suspicious RAR Archive Command

Detection: A process event associated with RemCom activity was detected. This may indicate that threat actors are attempting to move laterally and execute commands on a target system within the network.

On a Windows host with the Red Cloak™ Endpoint Agent, open a command line and execute the following command to trigger this detection.

rar.exe a -m5 -s -r -v1m exfil.rar *.pdf

Tip

If rar.exe isn’t available on the system, you can also use the command shell "cmd.exe a -m5 -s -r -v1m exfil.rar *.pdf", as this watchlist looks for specific parameters. There is no risk in running this command.

Suspicious Share Creation

Detection: A process event associated with creating a file share with a suspicious name was identified. This activity may indicate that specific threat actors are attempting to move laterally in the network.

On a Windows host with the Red Cloak™ Endpoint Agent, open a command line and execute the following command to trigger this detection.

Note

The share name is misspelled on purpose.

cmd.exe /c net share adnim

Note

There is no risk in executing this command.

Powershell Encoded Command

Detection: A process event associated with potentially malicious powershell usage was identified. The presence of this activity may indicate that threat actors are attempting to move laterally or execute tools within the environment.

On a Windows host with the Red Cloak™ Endpoint Agent, open a command line and execute the following command to trigger this detection.

powershell.exe -enc cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAGMAYQBsAGMA

Note

There is no risk in executing this command.

Kernel security module unloaded - rmmod

Detection: A process event associated with attempting to unload a kernel security module was identified. This activity may indicate that threat actors are attempting to disable defensive controls on the system.

On a Linux host with the Red Cloak™ Endpoint Agent, open a command line and execute the following command to trigger this detection.

Important

DO NOT execute this as root or with sudo.

rmmod ipchains

Audit Rule and Watch Deletion

Detection: A process event associated with attempting to disable security controls was identified. This activity may indicate that threat actors are attempting to evade detection on a host.

On a Linux host with the Red Cloak™ Endpoint Agent, open a command line and execute the following command to trigger this detection.

Important

DO NOT execute this as root or with sudo.

auditctl -D

Process Wipes Bash Command History

Detection: A process event associated with an attempt to wipe bash command history was identified. This activity may indicate that threat actors are active on the system.

On a Linux host with the Red Cloak™ Endpoint Agent, open a command line and execute the following command to trigger this detection.

Important

This will erase your bash_history.

/bin/sh -c touch .bash_history && rm .bash_history
