Detector Test Detections
You can test Secureworks® Taegis™ XDR event ingestion using the following actions.
Log Ingestion & Normalization Tests
DNS Query
On a host that is monitored, execute actions which trigger a DNS query for watchlist-test.ctpx.secureworks.com.
Note
The Taegis™ XDR Endpoint Agents for Linux and macOS do not provide DNS query telemetry.
Windows host
Note
This ping will not be successful, but should trigger DNS query telemetry.
Login Failures
On a host that is monitored, fail a login with username TAEGIS_TEST_ALERT.
This should generate a detection and indicate that authentication events are being monitored and normalized.
Endpoint Process Execution
Execute the following to trigger a test detection on a host with the Taegis™ XDR Endpoint Agent or Red Cloak™ Endpoint Agent.
On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
On a Linux host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
XDR Detector Tests
Netflow Threat Intel
Detection: IP addresses linked to threat intel indicating suspicious or malicious activity.
Windows host: This IP address is not hosting any open ports, so to generate a detection you need to generate UDP traffic to this IP address. On Windows, you can use netcat to generate UDP packets.
Linux host:
Tactic Graphs Detector
To trigger a Tactic Graphs™ Detector detection for Multiple Attempts to Stop or Disable Windows Services, execute the following on a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent.
Open a command line and execute the following in succession:
sc delete taegistest1
sc delete taegistest2
sc delete taegistest3
sc delete taegistest4
sc delete taegistest5
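The Tactic Graphs detection above fires on a burst of service stop/delete commands rather than on any single one. The following is an added illustration of that kind of windowed detection logic run over constructed process events; it is not Secureworks' detector code, and the five-in-60-seconds threshold, the event tuple layout and the host names are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed threshold and window for the example; the page does not state the real detector's values.
THRESHOLD = 5
WINDOW = timedelta(seconds=60)

# Command lines that delete, stop or disable a Windows service (sc.exe / net.exe forms).
SERVICE_TAMPER = re.compile(
    r"^(?:sc(?:\.exe)?\s+(?:delete|stop|config\s+\S+\s+start=\s*disabled)|net(?:\.exe)?\s+stop)\b",
    re.IGNORECASE,
)

def find_service_tamper_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """events: iterable of (iso_timestamp, host, command_line) in time order.
    Returns one (host, first_ts, last_ts, count) tuple per burst that reaches the threshold."""
    recent = defaultdict(deque)   # host -> timestamps of matching commands inside the window
    alerts = []
    for ts_str, host, cmdline in events:
        if not SERVICE_TAMPER.match(cmdline.strip()):
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop commands that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((host, q[0].isoformat(), ts.isoformat(), len(q)))
            q.clear()                     # one alert per burst, not one per extra command
    return alerts

# Constructed sample events: the page's five sc delete commands on HOST-A,
# a single (benign-looking) delete on HOST-B, and an sc query that must not count.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "HOST-B", "sc delete oldsvc"),
    ("2024-01-01T10:00:01", "HOST-A", "sc delete taegistest1"),
    ("2024-01-01T10:00:02", "HOST-A", "sc query"),
    ("2024-01-01T10:00:03", "HOST-A", "sc delete taegistest2"),
    ("2024-01-01T10:00:04", "HOST-A", "sc delete taegistest3"),
    ("2024-01-01T10:00:05", "HOST-A", "sc delete taegistest4"),
    ("2024-01-01T10:00:06", "HOST-A", "sc delete taegistest5"),
]

if __name__ == "__main__":
    for alert in find_service_tamper_bursts(SAMPLE_EVENTS):
        print("Multiple Attempts to Stop or Disable Windows Services:", alert)
```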
Taegis Watchlist Detections
Taegis Watchlist detections are presented in XDR from the Taegis Watchlist detector.
PowerSploit Recon Script
Detection: Threat actor getting a shell after a host has been compromised; this will generate a Critical detection.
On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
An error should be displayed that indicates the term get-httpstatus is not recognized.
References
Mimikatz Activity - command line
Detection: Targeted credential theft after the host has been compromised; this will generate a High detection.
On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command:
Suspicious FTP Downloader Command
Detection: Threat actor attempting to download additional tools or malware after a host has been compromised.
On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
Note
There is no risk in executing this command; it essentially just echoes output to the CLI.
Suspicious Invocation of Script Host Via WMIC
Detection: A process event associated with a suspicious invocation of a scripting host was identified. This activity may indicate that malware is being installed or launched on the system. This will generate a Medium detection.
On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
cmd /c WMIC Process Call Create C:\Windows\System32\Wscript.exe //NOLOGO %AppData%\Local\Temp\C-Dlt-C-Org-T.vbs
Windows Defender Service Deleted
Detection: A process event associated with the deletion of the Windows Defender service.
On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
WARNING: This does disable Windows Defender on the host. Re-enable the service after performing this test.
Possible Netcat Backdoor
Detection: This may indicate that threat actors are creating a backdoor to listen for inbound connections to the system.
On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
Tip
If NetCat isn't available on the system, you can also use the command shell: cmd.exe -l -p 8080 -e cmd.exe, as this watchlist looks for specific parameters.
Filesystem Journal Cleared
Detection: A process event associated with the filesystem journal being cleared was identified. This activity may indicate that ransomware is preparing to encrypt files on the system.
On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
Important
Do NOT execute this command on a Production system because it will delete file system information.
Suspicious RAR Archive Command
Detection: A process event associated with RemCom activity was detected. This may indicate that threat actors are attempting to move laterally and execute commands on a target system within the network.
On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
Tip
If rar.exe isn't available on the system, you can also use the command shell "cmd.exe a -m5 -s -r -v1m exfil.rar *.pdf", as this watchlist looks for specific parameters.
There is no risk running this command.
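The tips for the Possible Netcat Backdoor and Suspicious RAR Archive Command watchlists both note that the match is keyed on parameters, not on the binary name. The following added example illustrates that style of matching over constructed command lines; it is not the Taegis watchlist implementation, and the rule structure and the two rule definitions are assumptions made for the example.

```python
import re

# Illustrative watchlist rules (assumed for this example). Each rule names the
# argument tokens that must all be present, and optionally a regex that at
# least one token must satisfy. The executable name is deliberately ignored.
RULES = [
    {"name": "Possible Netcat Backdoor",
     "required": {"-l", "-p", "-e"}},
    {"name": "Suspicious RAR Archive Command",
     "required": {"a", "-m5", "-s", "-r"},
     "any_regex": r"^-v\d+[kmg]?$"},   # volume-size switch such as -v1m
]

def match_watchlist(cmdline, rules=RULES):
    """Return the names of every rule whose parameter pattern appears in cmdline."""
    tokens = cmdline.split()
    if len(tokens) < 2:
        return []
    args = tokens[1:]                      # everything after the binary name
    lowered = {t.lower() for t in args}
    hits = []
    for rule in rules:
        if not rule["required"] <= lowered:
            continue
        rx = rule.get("any_regex")
        if rx and not any(re.match(rx, t, re.IGNORECASE) for t in args):
            continue
        hits.append(rule["name"])
    return hits

# Constructed sample command lines: the page's real-binary and cmd.exe forms
# of each test, plus two benign invocations that must not match.
SAMPLES = [
    "nc.exe -l -p 8080 -e cmd.exe",
    "cmd.exe -l -p 8080 -e cmd.exe",
    "rar.exe a -m5 -s -r -v1m exfil.rar *.pdf",
    "cmd.exe a -m5 -s -r -v1m exfil.rar *.pdf",
    "nc.exe -z -v fileserver 80",
    "rar.exe x backup.rar",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r}: {match_watchlist(line) or 'no match'}")
```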
Suspicious Share Creation
Detection: A process event associated with creating a file share with a suspicious name was identified. This activity may indicate that specific threat actors are attempting to move laterally in the network.
On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
Note
The share name is misspelled on purpose.
Note
There is no risk in executing this command.
Powershell Encoded Command
Detection: A process event associated with potentially malicious PowerShell usage was identified. The presence of this activity may indicate that threat actors are attempting to move laterally or execute tools within the environment.
On a Windows host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
Note
There is no risk in executing this command.
Kernel security module unloaded - rmmod
Detection: A process event associated with attempting to unload a kernel security module was identified. This activity may indicate that threat actors are attempting to disable defensive controls on the system.
On a Linux host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
Important
Do NOT execute this as root or with sudo.
Audit Rule and Watch Deletion
Detection: A process event associated with attempting to disable security controls was identified. This activity may indicate that threat actors are attempting to evade detection on a host.
On a Linux host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
Important
Do NOT execute this as root or with sudo.
Process Wipes Bash Command History
Detection: A process event associated with an attempt to wipe bash command history was identified. This activity may indicate that threat actors are active on the system.
On a Linux host with the Taegis Endpoint Agent or Red Cloak Endpoint Agent, open a command line and execute the following command to trigger this detection.
Important
This will erase your bash_history.