Overview
You can proactively test specific Blumira detections that support automated host isolation instead of waiting for a finding to be triggered by a security event. Follow the procedure below for the named detection rule, then look for the related finding and auto-isolation notification after completing the testing steps.
Note: Logs collected by Blumira Agent can take a few minutes to process, so you may notice a short lag time between completing the actions below and the time of auto-isolation.
Dump LSASS.exe Memory using Windows Task Manager - P1 Threat
To test the detection “Dump LSASS.exe Memory using Windows Task Manager”:
- On the host device, open Task Manager.
- Click More details if needed.
- Navigate to the Details tab.
- Right-click lsass.exe.
- In the options menu, click Create dump file.
- A dump file is created and saved in the location shown in the confirmation window.
Rclone Execution via Command Line or PowerShell - P2 Threat
Note: For the sake of testing, you do not need to craft an entire rclone execution but rather trigger it as an attacker would.
To test the detection “Rclone Execution via Command Line or PowerShell”:
- On the host device, download rclone from https://downloads.rclone.org/rclone-current-windows-amd64.zip and unzip the file.
- Open a PowerShell prompt (it does not have to be administrative) and navigate to the unzipped rclone directory.
- Execute the following command:
.\rclone.exe --help
findstr Password Discovery Activity - P2 Suspect
To test the detection “findstr Password Discovery Activity”:
- Open a command prompt and type this command, replacing <domain> with the local domain that the endpoint is on:
findstr /S /I cpassword \\<domain>\sysvol\<domain>\policies\*.xml
- Press Enter.
Nltest Domain Enumeration - P3 Threat
To test the detection “Nltest Domain Enumeration”:
- On the host device, open a command prompt.
- Type the following command and press Enter:
nltest /domain_trusts
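As an added example that is not part of Blumira's documentation or product, the following Python models the four detections above as matching logic run over constructed sample process events. The event schema (process_create / process_access dicts with image, command_line, source_image and target_image fields) is an assumption for illustration, not Blumira Agent's own log format, and a benign findstr event is included to show the rule does not fire on ordinary use.

```python
import ntpath

# Detection names and priorities as listed on this page
RULES = {
    "Dump LSASS.exe Memory using Windows Task Manager": "P1 Threat",
    "Rclone Execution via Command Line or PowerShell": "P2 Threat",
    "findstr Password Discovery Activity": "P2 Suspect",
    "Nltest Domain Enumeration": "P3 Threat",
}

# Constructed sample events (assumed normalized schema, not real telemetry)
SAMPLE_EVENTS = [
    {"type": "process_access", "source_image": r"C:\Windows\System32\Taskmgr.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"type": "process_create", "image": r"C:\Users\tester\rclone-current-windows-amd64\rclone.exe",
     "command_line": r".\rclone.exe --help"},
    {"type": "process_create", "image": r"C:\Windows\System32\findstr.exe",
     "command_line": r"findstr /S /I cpassword \\corp.example\sysvol\corp.example\policies\*.xml"},
    {"type": "process_create", "image": r"C:\Windows\System32\nltest.exe",
     "command_line": "nltest /domain_trusts"},
    {"type": "process_create", "image": r"C:\Windows\System32\findstr.exe",
     "command_line": "findstr /I error C:\\logs\\app.log"},  # benign: no cpassword search
]

def _base(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path or "").lower()

def match_rules(event):
    """Return the names of the page's detections that one event matches."""
    hits = []
    if event.get("type") == "process_access":
        # Task Manager's "Create dump file" shows up as taskmgr.exe opening lsass.exe
        if _base(event.get("source_image")) == "taskmgr.exe" and _base(event.get("target_image")) == "lsass.exe":
            hits.append("Dump LSASS.exe Memory using Windows Task Manager")
        return hits
    image = _base(event.get("image"))
    cmd = (event.get("command_line") or "").lower()
    if image == "rclone.exe":
        hits.append("Rclone Execution via Command Line or PowerShell")
    if image == "findstr.exe" and "cpassword" in cmd:
        hits.append("findstr Password Discovery Activity")
    if image == "nltest.exe" and "/domain_trusts" in cmd:
        hits.append("Nltest Domain Enumeration")
    return hits

def scan(events):
    """Map each matching event index to its [(rule, priority), ...] findings."""
    findings = {}
    for i, event in enumerate(events):
        hits = match_rules(event)
        if hits:
            findings[i] = [(rule, RULES[rule]) for rule in hits]
    return findings

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules)
```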