Overview
You can proactively test specific Blumira detections that support automated host isolation instead of waiting for a finding to be triggered by a security event. Follow the procedure below for the named detection rule, then look for the related finding and auto-isolation notification after completing the testing steps.
Blumira Agent: LSASS Dump File Created - P2 Suspect
To test the “LSASS Dump File Created” detection, do the following:
- On the host device, open Task Manager.
- Click More details if needed.
- Navigate to the Details tab.
- Right-click lsass.exe.
- In the options menu, click Create dump file.
- A dump file is created and saved in the location shown in the confirmation window.
Rclone Execution via Command Line or PowerShell - P2 Threat
To test the “Rclone Execution via Command Line or PowerShell” detection, do the following:
- On the host device, download the rclone ZIP file and unzip the file.
- Open a PowerShell prompt (it does not have to be administrative) and navigate to the unzipped rclone directory.
- Execute the following command:
.\rclone.exe --help
findstr Password Discovery Activity - P2 Suspect
To test the “findstr Password Discovery Activity” detection, do the following:
- Open a command prompt and type this command, replacing <domain> with the local domain that the endpoint is on:
findstr /S /I cpassword \\<domain>\sysvol\<domain>\policies\*.xml
- Press Enter.
Nltest Domain Enumeration - P3 Threat
The nltest utility is included in the Windows operating system. It is meant for use by system administrators for troubleshooting Active Directory trusts and communication. While this utility can be used by system administrators for legitimate activity, it may also be leveraged by threat actors for domain reconnaissance. Nltest can be used to discover domain trusts and identify domain controllers.
To test the “Nltest Domain Enumeration” detection, do the following:
- On the host device, open a command prompt.
- Run the following command:
nltest /domain_trusts
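As an added example (not Blumira's code or its actual rule definitions), the following Python shows how a detection engine could match the four test actions on this page against endpoint events, so you can see what each test is expected to produce. The event fields, rule patterns, priorities and sample values are assumptions constructed for illustration; the last event is a benign findstr use that should not match.

```python
import re

# Constructed, simplified endpoint events (not real Blumira telemetry): each is
# either a process launch or a file creation, as an endpoint agent would log it.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Windows\System32\Taskmgr.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\lsass.DMP"},
    {"type": "process_create", "image": r"C:\Tools\rclone\rclone.exe",
     "command_line": r".\rclone.exe --help", "parent": "powershell.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\findstr.exe",
     "command_line": r"findstr /S /I cpassword \\corp.local\sysvol\corp.local\policies\*.xml"},
    {"type": "process_create", "image": r"C:\Windows\System32\nltest.exe",
     "command_line": "nltest /domain_trusts"},
    {"type": "process_create", "image": r"C:\Windows\System32\findstr.exe",
     "command_line": r"findstr /I error C:\logs\app.log"},  # benign use, no match
]

def _image_is(event, name):
    # Match the executable name at the end of the image path, with or without .exe
    return re.search(r"(^|\\)" + name + r"(\.exe)?$", event["image"], re.I)

# Illustrative rules modelled on the detections this page tells you to test.
# They are this example's own approximations, not Blumira's rule logic.
RULES = [
    ("LSASS Dump File Created", "P2 Suspect",
     lambda e: e["type"] == "file_create"
               and re.search(r"(^|\\)lsass.*\.dmp$", e["target"], re.I)),
    ("Rclone Execution via Command Line or PowerShell", "P2 Threat",
     lambda e: e["type"] == "process_create" and _image_is(e, "rclone")),
    ("findstr Password Discovery Activity", "P2 Suspect",
     lambda e: e["type"] == "process_create" and _image_is(e, "findstr")
               and re.search(r"cpassword", e["command_line"], re.I)
               and re.search(r"\\sysvol\\", e["command_line"], re.I)),
    ("Nltest Domain Enumeration", "P3 Threat",
     lambda e: e["type"] == "process_create" and _image_is(e, "nltest")
               and re.search(r"/domain_trusts", e["command_line"], re.I)),
]

def evaluate(events):
    """Return (rule name, priority, event index) for every event that matches a rule."""
    findings = []
    for idx, event in enumerate(events):
        for name, priority, matches in RULES:
            if matches(event):
                findings.append((name, priority, idx))
    return findings

if __name__ == "__main__":
    for name, priority, idx in evaluate(SAMPLE_EVENTS):
        print(f"[{priority}] {name}: event #{idx}")
```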