Overview
You can test specific Blumira detections after installing Blumira Agent on a Windows device. Follow the procedures below for the named detection rule and look for a related finding in the app after completing the steps.
Enumeration of Credentials in Registry
In many Windows environments, credentials and passwords are scattered across many locations, left behind by users or software. One place threat actors often look for credentials is the Windows registry hives, which can contain passwords that may allow the threat actor to move laterally or escalate privileges.
To test the “Enumeration of Credentials in Registry” detection, do the following:
- Open a command prompt and type the following command:
reg query HKLM /f password /t REG_SZ /s
- Press Enter.
Clearing of Windows Security Event Log
To test the detection “Clearing of Windows Security Event Log”:
- Open the machine’s Event Viewer.
- Under Windows Logs, right-click Security.
- In the options menu, click Clear Log, then click Clear to confirm the action.
findstr Password Discovery Activity
This utility has been observed in use by threat actors to discover plaintext credentials in local files and folders, and in shared folders.
To test the “findstr Password Discovery Activity” detection, do the following:
- Open a command prompt and type the following command, replacing <domain> with the local domain that the endpoint is on:
findstr /S /I cpassword \\<domain>\sysvol\<domain>\policies\*.xml
- Press Enter.
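To show how the three tests above look from the detection side, here is an added example (not Blumira's rule logic or code) that runs simple detection rules over constructed Windows event samples: process-creation events (ID 4688) carrying the command lines from this article, and an ID 1102 "audit log was cleared" event. The domain name, log paths and regular expressions are assumptions made for this example.

```python
import re
from typing import Optional

# Constructed sample events, not real telemetry. ID 4688 is process creation
# (command line is what we match on); ID 1102 is "the audit log was cleared".
SAMPLE_EVENTS = [
    {"event_id": 4688, "command_line": r"reg query HKLM /f password /t REG_SZ /s"},
    {"event_id": 4688, "command_line": r"findstr /S /I cpassword \\corp.example\sysvol\corp.example\policies\*.xml"},
    {"event_id": 1102, "command_line": ""},
    # Benign lookalikes that should NOT trigger anything:
    {"event_id": 4688, "command_line": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion /v ProgramFilesDir"},
    {"event_id": 4688, "command_line": r"findstr /i error C:\logs\app.log"},
]

# One approximate pattern per detection named in this article (assumed, not Blumira's).
# reg.exe with "query", a /f search string that looks credential-related.
REG_CRED_ENUM = re.compile(r"^\s*(?:\S*\\)?reg(?:\.exe)?\s+query\b.*\s/f\s+\S*(?:pass|pwd|cred)", re.I)
# findstr searching for credential-like strings (cpassword is the GPP password attribute).
FINDSTR_CRED = re.compile(r"^\s*(?:\S*\\)?findstr(?:\.exe)?\b.*\b(?:cpassword|password|pwd)\b", re.I)


def classify(event: dict) -> Optional[str]:
    """Return the name of the detection this event would trigger, or None."""
    if event["event_id"] == 1102:
        return "Clearing of Windows Security Event Log"
    if event["event_id"] == 4688:
        cmd = event["command_line"]
        if REG_CRED_ENUM.search(cmd):
            return "Enumeration of Credentials in Registry"
        if FINDSTR_CRED.search(cmd):
            return "findstr Password Discovery Activity"
    return None


def run_detections(events: list) -> dict:
    """Map each triggered detection name to the command lines that triggered it."""
    findings: dict = {}
    for ev in events:
        name = classify(ev)
        if name:
            findings.setdefault(name, []).append(ev["command_line"])
    return findings


if __name__ == "__main__":
    for name, cmds in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {cmds}")
```

Running it reports all three detections once each and stays silent on the two benign commands, which is the behaviour to confirm in the app after each test above.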