Introduction
This is the final post in our series on setting up Sentinel and Defender for threat detection. In previous posts, we set up Microsoft Sentinel and Defender, populated them with units, connected them to a VM, and created an analytic rule to notify a user when an incident occurs. Now, let's test the entire system by simulating a privilege escalation attack.
Understanding the Attack:
A privilege escalation attack aims to give a user higher privileges than they are authorized to have. In this simulation, we'll create a new user account and then elevate it to the local administrators group.
Steps:
- Locate the Target VM: Access the Windows VM you created in a previous step.
- Execute PowerShell Script: Navigate to the "Operations" section and select "Run PowerShell Script."
- Create a New User: Paste the following commands into the PowerShell script, replacing "labusername" and "LabPassword1!" with your desired credentials:

```powershell
net user labusername /add
net user labusername LabPassword1!
net localgroup administrators labusername /add
```

  These commands create a new user, set its password, and add the user to the administrators group.
- Verify Attack Success: You should see three success messages confirming the creation of the user, the setting of the password, and the addition of the user to the administrators group.
- Monitor for Incident: Return to Microsoft Sentinel and navigate to the "Threat Management" section, then select "Incidents."
- Identify the Incident: Look for an incident matching the name you configured in your analytic rule.
- Review Incident Details: Select the incident and click "View full details" to examine the incident information. Verify that the owner assigned to the incident is the user specified in your automation rule.
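The analytic rule built earlier in this series is not reproduced here, so as an added example (not code from the original post or from Microsoft) the following Python models the detection logic such a rule expresses in KQL: correlate a user-creation event (Event ID 4720) with a subsequent addition to the local Administrators group (Event ID 4732) on the same host within a short window, which is exactly the trace the three net commands above leave in the Windows Security log. The sample records and their field names are constructed to resemble the SecurityEvent columns Sentinel collects, and the member of each 4732 event is assumed to be resolved into a MemberName field.

```python
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security log / SecurityEvent fields.
# Assumption: the account added in a 4732 event is available in MemberName.
SAMPLE_EVENTS = [
    # The lab attack: net user /add, net user <password>, net localgroup administrators /add
    {"EventID": 4720, "TimeGenerated": "2024-05-01T10:00:00", "Computer": "lab-vm",
     "SubjectUserName": "azureuser", "TargetUserName": "labusername"},
    {"EventID": 4724, "TimeGenerated": "2024-05-01T10:00:01", "Computer": "lab-vm",
     "SubjectUserName": "azureuser", "TargetUserName": "labusername"},
    {"EventID": 4732, "TimeGenerated": "2024-05-01T10:00:02", "Computer": "lab-vm",
     "SubjectUserName": "azureuser", "TargetUserName": "Administrators",
     "MemberName": "labusername"},
    # Benign: new account added only to Remote Desktop Users, not Administrators
    {"EventID": 4720, "TimeGenerated": "2024-05-01T11:00:00", "Computer": "lab-vm",
     "SubjectUserName": "azureuser", "TargetUserName": "helpdesk01"},
    {"EventID": 4732, "TimeGenerated": "2024-05-01T11:00:05", "Computer": "lab-vm",
     "SubjectUserName": "azureuser", "TargetUserName": "Remote Desktop Users",
     "MemberName": "helpdesk01"},
    # Outside the window: long-standing account promoted days after it was created
    {"EventID": 4720, "TimeGenerated": "2024-04-20T09:00:00", "Computer": "lab-vm",
     "SubjectUserName": "azureuser", "TargetUserName": "svc_backup"},
    {"EventID": 4732, "TimeGenerated": "2024-05-01T12:00:00", "Computer": "lab-vm",
     "SubjectUserName": "azureuser", "TargetUserName": "Administrators",
     "MemberName": "svc_backup"},
]

def _ts(value):
    return datetime.fromisoformat(value)

def detect_new_local_admins(events, window=timedelta(hours=1)):
    """Return one alert per account created (4720) and then added to the local
    Administrators group (4732) on the same host within `window`."""
    created = {}  # (host, account) -> creation time of the most recent 4720
    for e in sorted(events, key=lambda e: e["TimeGenerated"]):
        if e["EventID"] == 4720:
            created[(e["Computer"], e["TargetUserName"].lower())] = _ts(e["TimeGenerated"])
    alerts = []
    for e in events:
        if e["EventID"] != 4732 or e["TargetUserName"].lower() != "administrators":
            continue
        key = (e["Computer"], e["MemberName"].lower())
        if key in created and timedelta(0) <= _ts(e["TimeGenerated"]) - created[key] <= window:
            alerts.append({"Computer": e["Computer"], "Account": e["MemberName"],
                           "Actor": e["SubjectUserName"],
                           "CreatedAt": created[key].isoformat(),
                           "ElevatedAt": e["TimeGenerated"]})
    return alerts

if __name__ == "__main__":
    for a in detect_new_local_admins(SAMPLE_EVENTS):
        print(f"ALERT: {a['Actor']} created {a['Account']} on {a['Computer']} and made it a local admin")
```

Widening the window trades fewer missed promotions of older accounts for more noise from routine administration, which is the same tuning decision the Sentinel rule's lookback period forces.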
Conclusion
By following these steps and carefully analyzing the results, you can validate the effectiveness of your Sentinel and Defender setup in detecting and responding to potential threats.