Below are several options to test the sensor-based Microsoft Windows integration with Blumira. Each test is associated with a detection rule that will trigger a finding in the app.
Required: The Windows host must be set up with NxLog configuration and GPO Advanced Logging (Logmira) must be installed for proper logging to Blumira.
User With Non-Expiring Password
Setting a non-expiring password could be an indicator of a hacker attempting to gain a foothold in your environment.
To test the "User With Non-Expiring Password" detection rule, do the following:
- Log in to your domain controller, which must be actively sending logs to Blumira.
- Navigate to Active Directory > Users and Computers.
- Create a new user account for testing.
- Under Account options, click the check box for Password never expires.
- After verifying the finding is open in Blumira, delete the test user, or you can proceed to the next test below and re-use this test user account.
User Added to Privileged Group
Detecting when new Windows domain administrator accounts are created lets you audit them and confirm that they were created for a legitimate business purpose. These accounts carry significant risk and exposure for an organization, so access to them should be limited as much as possible.
To test the "User Added to Privileged Group" detection, do the following:
- Log in to your domain controller, which must be actively sending logs to Blumira.
- Navigate to Active Directory > Users and Computers.
- Create a new user account.
- Assign the test user to one of the following privileged groups:
  - Domain Admins
  - Schema Admins
  - Enterprise Admins
  - Backup Operators
  - Cert Publishers
  - Certificate Service DCOM
  - Debugger Users
  - DHCP Administrators
  - DnsAdmins
  - Event Log Readers
  - Group Policy Creator Owners
  - Hyper-V Administrators
  - IIS_IUSRS
  - Incoming Forest Trust Builders
  - Network Configuration Operators
  - Server Operators
  - WinRMRemoteWMIUsers_
- After verifying the finding is open in Blumira, delete the test user.
Clearing of Windows Security Event Log
Clearing the Windows Security Event log is a common post-attack evasion pattern used by malicious software and attackers. By monitoring for this activity, you gain immediate awareness of what should be an unusual event, while the cleared event logs themselves remain stored in Blumira for analysis.
To test the "Clearing of Windows Security Event Log" detection rule, do one of the following:
- On the Windows machine, open PowerShell with "Run as Administrator" and run this command:
  Clear-EventLog "Security"
- In the Windows machine's Event Viewer, do the following:
  - Under Windows Logs, right-click Security.
  - In the options menu, click Clear Log, then click Clear to confirm the action.
PowerShell: Execution Policy Bypass
Note: This rule is disabled by default, so you must enable it before testing.
The PowerShell execution policy determines which types of PowerShell scripts (if any) can be run on a system. By default, it is set to "Restricted." While this setting is not meant to be a security control, attackers and malicious software often bypass it to execute code on a system without having administrative-level access.
To test the "PowerShell: Execution Policy Bypass" detection rule, do the following:
- Download our Blumira PowerShell Execution Policy Bypass testing script here. The file is non-threatening and is only used to demonstrate the detection.
- To generate the process-creation event (Event ID 4688), run the script from a command prompt:
  - Open a command prompt window.
  - Change to the directory where you saved the script file in Step 1.
  - Run this command:
    PowerShell.exe PowershellTest.ps1
  - The output should resemble the following:
  - In Blumira, look for the finding "Potentially Malicious PowerShell Command - Event ID 4688."
- To generate the script block logging event (Event ID 4104), run the script from PowerShell:
  - Open PowerShell.
  - Change to the directory where you saved the script file in Step 1.
  - Run this command:
    .\PowershellTest.ps1
  - The output should resemble the following:
  - In Blumira, look for the finding "Potentially Malicious PowerShell Command - Event ID 4104."
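If a finding does not appear in Blumira after one of the tests above, the first thing to rule out is that the host never wrote the underlying event. The following script is an added validation helper, not part of Blumira's article or tooling: run it in an elevated PowerShell on the tested host and it reports, per test, whether the local event log holds the expected events (it assumes the standard Windows audit event IDs noted in the comments, the NxLog Windows service name "nxlog", and the message wording of 4738 used for the password-flag match).

```powershell
# Added validation script (not Blumira's code). Checks the host's own event logs
# for the events each detection rule above depends on, so a missing finding can be
# traced to logging/shipping rather than to the rule.
# Assumptions: elevated session on the tested host; standard Windows audit IDs;
# NxLog installed as the Windows service "nxlog".
param([datetime]$Since = (Get-Date).AddHours(-1))

# One entry per test above: the log it writes to and the event ID(s) it generates.
# 4738 = user account changed (carries the "Don't Expire Password" flag; the match
# string assumes the standard 4738 message wording); 4728/4732/4756 = member added
# to a global/local/universal security group; 1102 = audit log cleared;
# 4688 = process creation; 4104 = PowerShell script block logging.
$Checks = @(
    @{ Test = 'User With Non-Expiring Password'; Log = 'Security'; Id = 4738; Match = "Don't Expire Password" },
    @{ Test = 'User Added to Privileged Group';  Log = 'Security'; Id = 4728, 4732, 4756; Match = $null },
    @{ Test = 'Clearing of Security Event Log';  Log = 'Security'; Id = 1102; Match = $null },
    @{ Test = 'PowerShell Bypass (4688)';        Log = 'Security'; Id = 4688; Match = 'powershell.exe' },
    @{ Test = 'PowerShell Bypass (4104)';        Log = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; Match = $null }
)

function Test-DetectionEvents {
    param([datetime]$Since)
    foreach ($c in $Checks) {
        $filter = @{ LogName = $c.Log; Id = $c.Id; StartTime = $Since }
        # Get-WinEvent raises an error when nothing matches; treat that as zero hits.
        $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
        if ($c.Match) {
            $events = @($events | Where-Object { $_.Message -like "*$($c.Match)*" })
        }
        [pscustomobject]@{
            Test     = $c.Test
            Log      = $c.Log
            EventIds = ($c.Id -join ', ')
            Count    = $events.Count
            Found    = ($events.Count -gt 0)
        }
    }
}

# Prerequisite check: if the log shipper is down, nothing reaches Blumira at all.
$nx = Get-Service -Name 'nxlog' -ErrorAction SilentlyContinue
if (-not $nx -or $nx.Status -ne 'Running') {
    Write-Warning 'NxLog service not found or not running; events will not be shipped to Blumira.'
}

Test-DetectionEvents -Since $Since | Format-Table -AutoSize
```

A row with Found = False for a test you just ran points at audit policy (the Logmira GPO) or the query window; a row with Found = True but no finding in Blumira points at NxLog shipping or at the rule being disabled, as the Execution Policy Bypass rule is by default.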