Testing Microsoft Windows detections

Overview

Below are several ways to test the sensor-based Microsoft Windows integration with Blumira. Each test exercises a specific detection rule and, when logging is set up correctly, produces a finding in the app.

Required: The Windows host must be set up with an NxLog configuration, and the Advanced Logging GPO (Logmira) must be installed, so that the relevant events are audited and forwarded to Blumira.

User With Non-Expiring Password

Setting a password to never expire can be an indicator of an attacker securing a foothold in your environment: a credential that never rotates stays usable indefinitely. It is also a common administrative shortcut, so confirm each finding against your change records.

To test the "User With Non-Expiring Password" detection rule, do the following:

  1. Log in to your domain controller, which must be actively sending logs to Blumira.
  2. Open Active Directory Users and Computers.
  3. Create a new user account for testing.
  4. In the user's properties, on the Account tab under Account options, select the Password never expires check box and apply the change.
  5. After verifying the finding is open in Blumira, delete the test user, or proceed to the next test below and re-use this test user account.

User Added to Privileged Group

Detecting when an account is added to a privileged Windows group (domain administrators in particular) is important so you can audit the change and confirm it was made for a legitimate business purpose. Membership in these groups carries significant risk and exposure for an organization, so it should be limited as much as possible.

To test the "User Added to Privileged Group" detection, do the following:

  1. Log in to your domain controller, which must be actively sending logs to Blumira.
  2. Open Active Directory Users and Computers.
  3. Create a new user account (or re-use the test user from the previous test).
  4. Add the test user to one of the following privileged groups:
    Domain Admins
    Schema Admins
    Enterprise Admins
    Backup Operators
    Cert Publishers
    Certificate Service DCOM
    Debugger Users
    DHCP Administrators
    DnsAdmins
    Event Log Readers
    Group Policy Creator Owners
    Hyper-V Administrators
    IIS_IUSRS
    Incoming Forest Trust Builders
    Network Configuration Operators
    Server Operators
    WinRMRemoteWMIUsers_
  5. After verifying the finding is open in Blumira, delete the test user.
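The two tests above can also be driven from PowerShell on the domain controller, which has the advantage that you can confirm the Security log actually recorded the change before you wait for the finding in Blumira. The script below is an added example, not Blumira's own tooling. It assumes the ActiveDirectory RSAT module is installed, that the DC audits User Account Management and Security Group Management (which the Logmira GPO provides), and that the account name blumira-detect-test is a placeholder you may change. Run it once to generate both events, check Blumira, then run it again with -Cleanup.

```powershell
# Added example (not Blumira's script): exercise the "User With Non-Expiring
# Password" and "User Added to Privileged Group" tests and confirm locally
# that the Security log recorded each change.
# Assumptions: ActiveDirectory module present; account/group management audited;
# $TestUser is a hypothetical placeholder name.
#Requires -Modules ActiveDirectory
param(
    [string]$TestUser  = 'blumira-detect-test',  # hypothetical test account
    [string]$TestGroup = 'Domain Admins',        # any group from the list above
    [switch]$Cleanup                              # re-run with -Cleanup once the findings are open
)

if ($Cleanup) {
    Remove-ADGroupMember -Identity $TestGroup -Members $TestUser -Confirm:$false -ErrorAction SilentlyContinue
    Remove-ADUser -Identity $TestUser -Confirm:$false
    "Removed $TestUser"
    return
}

function Find-SecurityEvent {
    # Security-log events with the given ID logged since $Since whose message
    # matches $Pattern. An empty result means the DC did not audit the change.
    param([int]$Id, [datetime]$Since, [string]$Pattern)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern }
}

$since = (Get-Date).AddSeconds(-10)

# Test 1: create a disabled test account, then flip "Password never expires"
# exactly as the GUI steps do. The flag change is audited as 4738
# ("A user account was changed") with 'Don't Expire Password' - Enabled.
$chars    = [char[]]((48..57) + (65..90) + (97..122) + (33..47))
$password = ConvertTo-SecureString (-join (Get-Random -InputObject $chars -Count 24)) -AsPlainText -Force
New-ADUser -Name $TestUser -SamAccountName $TestUser -AccountPassword $password -Enabled $false
Set-ADUser -Identity $TestUser -PasswordNeverExpires $true
Start-Sleep -Seconds 2
$e4738 = Find-SecurityEvent -Id 4738 -Since $since -Pattern "Account Name:\s+$TestUser[\s\S]*Don't Expire Password.*Enabled"
if ($e4738) { "OK   4738: password set to never expire for $TestUser" }
else        { "WARN 4738 not found for $TestUser - check the audit policy / Logmira GPO" }

# Test 2: add the account to the privileged group. The event ID depends on the
# group's scope: 4728 global (Domain Admins), 4756 universal (Enterprise Admins,
# Schema Admins), 4732 domain-local (Backup Operators, Server Operators, ...).
Add-ADGroupMember -Identity $TestGroup -Members $TestUser
$expectedId = switch ((Get-ADGroup -Identity $TestGroup).GroupScope) {
    'Global'      { 4728 }
    'Universal'   { 4756 }
    'DomainLocal' { 4732 }
}
Start-Sleep -Seconds 2
$eAdded = Find-SecurityEvent -Id $expectedId -Since $since -Pattern "Group Name:\s+$([regex]::Escape($TestGroup))"
if ($eAdded) { "OK   ${expectedId}: $TestUser added to $TestGroup" }
else         { "WARN $expectedId not found - check the audit policy / Logmira GPO" }
"Now check Blumira for both findings, then run this script again with -Cleanup."
```

The account is created disabled so the test never leaves a usable privileged credential behind, and the group membership is looked up rather than hard-coded because the member-added event ID differs by group scope; a test that only watches 4728 would miss an addition to Enterprise Admins or Backup Operators.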

Clearing of Windows Security Event Log

Clearing the Windows Security event log is a common post-compromise evasion technique used by malware and hands-on attackers to cover their tracks. Monitoring for it gives you immediate awareness of what should be a rare administrative action, and because Blumira has already ingested the events, the cleared entries remain available there for analysis.

To test the "Clearing of Windows Security Event Log" detection rule, do one of the following:

  • On the Windows machine, open PowerShell with "Run as Administrator" and run this command:
    Clear-EventLog "Security"
  • In the Windows machine's Event Viewer, do the following:
    1. Under Windows Logs, right-click Security.
    2. In the options menu, click Clear Log, then click Clear to confirm the action.
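Windows records the clear itself: the first entry written to the freshly emptied Security log is Event ID 1102 ("The audit log was cleared"), naming the account that did it. That event is what a log forwarder can send on after the clear, so if it is missing locally, nothing about the clear reached Blumira either. The snippet below is an added example, not part of the original article; it performs the PowerShell variant of the test above and then checks for 1102. Run it from an elevated prompt on the host you are testing.

```powershell
# Added example (not from the article): clear the Security log and confirm
# the clear was itself audited as Event ID 1102. Assumes an elevated prompt
# on the host being tested.
$before = (Get-WinEvent -ListLog Security).RecordCount
Clear-EventLog -LogName Security            # equivalent: wevtutil cl Security
Start-Sleep -Seconds 2

$cleared = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($cleared) {
    # 1102 carries the clearing account in its UserData, not in the standard
    # Subject fields, so pull it out of the event XML.
    $who = ([xml]$cleared.ToXml()).Event.UserData.LogFileCleared.SubjectUserName
    "Security log cleared ($before records dropped); 1102 recorded at $($cleared.TimeCreated) by $who"
} else {
    "WARN: no 1102 event found after the clear - the action was not audited on this host"
}
```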

PowerShell: Execution Policy Bypass

Note: This rule is disabled by default, so you must enable it before testing.

The PowerShell execution policy determines which PowerShell scripts (if any) a host will run. On Windows client editions the default is "Restricted" (Windows Server defaults to "RemoteSigned"). The policy was never meant to be a security control: it is trivially bypassed, for example with powershell.exe -ExecutionPolicy Bypass, and attackers and malicious software routinely do so to run scripts without administrative-level access. The bypass attempt itself, however, is a useful detection signal.

To test the "PowerShell: Execution Policy Bypass" detection rule, do the following:

  1. Download our Blumira PowerShell Execution Policy Bypass testing script here. The file is non-threatening and is only used to demonstrate the detection.
  2. Open a Command Prompt window.
  3. Change to the directory where you saved the script file in Step 1.
  4. Run this command:
    PowerShell.exe PowershellTest.ps1
  5. Confirm the script ran and printed its output.
  6. In Blumira, look for the finding "Potentially Malicious PowerShell Command - Event ID 4688."
  7. Open PowerShell.
  8. Change to the directory where you saved the script file in Step 1.
  9. Run this command:
    .\PowershellTest.ps1
  10. Confirm the script ran and printed its output.
  11. In Blumira, look for the finding "Potentially Malicious PowerShell Command - Event ID 4104."

The two runs exercise two different log sources: Event ID 4688 (process creation, including the command line) and Event ID 4104 (PowerShell script block logging). Both must be enabled on the host, which the Logmira GPO takes care of, for the corresponding findings to appear.
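If you want to confirm that the host is producing the telemetry before relying on the downloaded script, the snippet below generates the same two kinds of evidence on its own and checks for both locally. It is an added example and is not Blumira's PowershellTest.ps1, whose contents this page does not show. It assumes the Logmira GPO has enabled command-line logging in 4688 and PowerShell script block logging, and the marker string and temp-file name are our own choices. Reading the Security log needs an elevated prompt; the bypass itself does not.

```powershell
# Added example (not Blumira's test script): launch a harmless script with
# -ExecutionPolicy Bypass, then verify that 4688 (process creation with command
# line) and 4104 (script block logging) both captured it.
# Assumptions: command-line auditing and script block logging are enabled;
# the marker string and file name are ours.
$marker = 'BLUMIRA-EXECPOLICY-TEST-' + (Get-Date -Format 'yyyyMMddHHmmss')
$script = Join-Path $env:TEMP 'ExecPolicyTest.ps1'
Set-Content -Path $script -Value "Write-Output 'harmless test: $marker'"
$since  = (Get-Date).AddSeconds(-10)

# Spawn a child powershell.exe with the policy bypassed. No elevation is needed,
# which is exactly why the execution policy is not a security boundary.
$output = & powershell.exe -NoProfile -ExecutionPolicy Bypass -File $script
"Child process printed: $output"
Start-Sleep -Seconds 3

# 4688 is in the Security log; the bypass shows up in the Process Command Line field.
$proc = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '-ExecutionPolicy Bypass' }

# 4104 is in the PowerShell operational log and contains the script text itself.
$block = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($marker) }

"4688 with bypass on the command line : $(if ($proc)  { 'found' } else { 'MISSING - enable command-line auditing' })"
"4104 with the script block           : $(if ($block) { 'found' } else { 'MISSING - enable script block logging' })"
Remove-Item $script -Force
```

The marker string is unique per run so the 4104 lookup cannot match a stale event from an earlier attempt; if 4688 is found but 4104 is not, script block logging is the part of the GPO that has not applied.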