Testing detections that support automated host isolation

Overview

You can proactively test specific Blumira detections that support automated host isolation instead of waiting for a real security event to trigger a finding. Follow the procedure below for the named detection rule, then look for the related finding and the auto-isolation notification after completing the steps. Because a successful test isolates the host you run it on, use a test machine rather than one you need to keep on the network.

Note: Logs collected by Blumira Agent can take a few minutes to process, so you may notice a short lag time between completing the actions below and the time of auto-isolation.

Blumira Agent: LSASS Dump File Created - P2 Suspect

To test the “LSASS Dump File Created” detection, do the following (the account must be a member of the local Administrators group; lsass.exe runs as SYSTEM and a standard user cannot dump it):

  1. On the host device, open Task Manager.
  2. Click More details if needed.
  3. Navigate to the Details tab.
  4. Right-click lsass.exe.
  5. In the options menu, click Create dump file.
  6. A dump file is created and saved in the location shown in the confirmation window. Delete that file once the finding has been confirmed; it contains the cached credential material the detection exists to catch.
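The Task Manager steps above are manual, but the two things that make the test fail or leave a risk behind can be scripted. The following PowerShell is an added example, not a Blumira script and not part of the original article: it checks that the session is elevated and that LSA protection (RunAsPPL) is not enabled, since Task Manager cannot dump a protected LSASS, and after you confirm the finding it removes the dump. The default dump path, %LOCALAPPDATA%\Temp\lsass.DMP, is an assumption about where Task Manager writes the file; pass -DumpPath with the location the confirmation window actually showed if it differs.

```powershell
# Added example (not Blumira's own script): pre-flight checks before the
# Task Manager LSASS dump test, and clean-up of the dump afterwards.
# Assumption: Task Manager writes the dump to %LOCALAPPDATA%\Temp\lsass.DMP;
# override -DumpPath with the path shown in the confirmation window if needed.
param(
    [string]$DumpPath = "$env:LOCALAPPDATA\Temp\lsass.DMP"
)

function Test-IsElevated {
    # lsass.exe runs as SYSTEM; only an elevated administrator can dump it.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-LsaProtection {
    # RunAsPPL >= 1 marks LSASS as a protected process light (PPL). Task Manager
    # cannot open a PPL for dumping, so the test would produce no file at all.
    $value = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                               -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    return ($null -ne $value -and $value -ge 1)
}

function Remove-LsassDump {
    param([string]$Path)
    # The dump holds cached credential material; do not leave it on disk
    # once the Blumira finding has been confirmed.
    if (Test-Path -Path $Path) {
        Remove-Item -Path $Path -Force
        return $true
    }
    return $false
}

if (-not (Test-IsElevated)) {
    Write-Warning 'Not elevated: log on as a local administrator before using Create dump file on lsass.exe.'
}
if (Test-LsaProtection) {
    Write-Warning 'LSA protection (RunAsPPL) is enabled; Task Manager will not be able to dump lsass.exe on this host.'
}

Write-Host 'Perform the Task Manager steps, confirm the finding in Blumira, then press Enter to remove the dump.'
$null = Read-Host

if (Remove-LsassDump -Path $DumpPath) {
    Write-Host "Removed $DumpPath"
} else {
    Write-Warning "No dump found at $DumpPath; check the path shown in the Task Manager confirmation window."
}
```

Run it from the same elevated session you use to open Task Manager so the elevation check reflects what Task Manager will see; if the RunAsPPL warning fires, this test cannot generate a dump on that host and you need a different machine.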

Rclone Execution via Command Line or PowerShell - P2 Threat

Note: For testing, you do not need to configure a full rclone transfer; simply running the rclone binary from the command line, as an attacker would, is enough to trigger the detection.

To test the “Rclone Execution via Command Line or PowerShell” detection, do the following:

  1. On the host device, download the rclone ZIP file and unzip the file.
  2. Open a PowerShell prompt (it does not have to be administrative) and navigate to the unzipped rclone directory.
  3. Execute the following command: .\rclone.exe --help

findstr Password Discovery Activity - P2 Suspect

To test the “findstr Password Discovery Activity” detection, do the following:

  1. Open a command prompt and type this command, replacing <domain> with the domain the endpoint is joined to:
    findstr /S /I cpassword \\<domain>\sysvol\<domain>\policies\*.xml
  2. Press Enter.

Nltest Domain Enumeration - P3 Threat

To test the “Nltest Domain Enumeration” detection, do the following:

  1. On the host device, open a command prompt.
  2. Run the following command:
    nltest /domain_trusts
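The Rclone, findstr and Nltest tests are all single commands, so they can be run in one pass with a timestamped record to match against the findings and auto-isolation notifications in the Blumira console. The following PowerShell runbook is an added example, not a Blumira script and not part of the original article. It assumes rclone.exe has already been downloaded and unzipped to the path given in -RclonePath (a placeholder), that the host is domain-joined so $env:USERDNSDOMAIN supplies the <domain> used in the findstr path, and it writes its record to a constructed CSV path; all three can be overridden.

```powershell
# Added example (not Blumira's own script): runs the three command-line
# detection tests in sequence and records when each command was executed so
# the timestamps can be matched against findings in the Blumira console.
# Assumptions: rclone.exe is already unzipped at -RclonePath; the host is
# domain-joined (USERDNSDOMAIN set) for the findstr and nltest tests.
param(
    [string]$RclonePath = "$env:USERPROFILE\Downloads\rclone\rclone.exe",          # placeholder path
    [string]$Domain     = $env:USERDNSDOMAIN,
    [string]$LogPath    = "$env:USERPROFILE\Desktop\blumira-detection-tests.csv"  # constructed log path
)

$results = @()

function Invoke-DetectionTest {
    param(
        [string]$Name,
        [string]$FilePath,
        [string[]]$ArgumentList
    )
    $started = Get-Date
    # Native tools: discard their output, keep the exit code so the record
    # shows the command ran even when it found nothing or errored.
    & $FilePath @ArgumentList *> $null
    $exit = $LASTEXITCODE
    [pscustomobject]@{
        Test      = $Name
        StartedAt = $started.ToUniversalTime().ToString('o')
        Command   = ($FilePath + ' ' + ($ArgumentList -join ' '))
        ExitCode  = $exit
    }
}

# 1. Rclone Execution via Command Line or PowerShell: a harmless --help is enough.
if (Test-Path -Path $RclonePath) {
    $results += Invoke-DetectionTest -Name 'Rclone Execution' -FilePath $RclonePath -ArgumentList '--help'
} else {
    Write-Warning "rclone.exe not found at $RclonePath; skipping the rclone test."
}

if ($Domain) {
    # 2. findstr Password Discovery Activity. findstr exits 1 when no line matches,
    #    which is the healthy result (no cpassword entries left in SYSVOL);
    #    the command has still executed.
    $sysvol = "\\$Domain\sysvol\$Domain\policies\*.xml"
    $results += Invoke-DetectionTest -Name 'findstr Password Discovery' -FilePath 'findstr.exe' `
                                     -ArgumentList '/S', '/I', 'cpassword', $sysvol

    # 3. Nltest Domain Enumeration.
    $results += Invoke-DetectionTest -Name 'Nltest Domain Enumeration' -FilePath 'nltest.exe' `
                                     -ArgumentList '/domain_trusts'
} else {
    Write-Warning 'USERDNSDOMAIN is not set (host is not domain-joined); skipping the findstr and nltest tests.'
}

$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Format-Table -AutoSize
```

Keep the CSV: the StartedAt column (UTC) is what you compare against the finding's timestamp, allowing for the few minutes of agent processing lag noted above. None of these tests need an elevated prompt, and expect the host to be isolated shortly after the run.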