Jimi

Simulating a Privilege Escalation Attack to Test Your Sentinel and Defender Setup (Final)

Introduction

This is the final post in our series on setting up Sentinel and Defender for threat detection. In previous posts, we deployed Sentinel and Defender, populated them with units, connected them to a VM, and created an analytic rule to notify a user when an incident occurs. Now, let's test the entire system end to end by simulating a privilege escalation attack.

Understanding the Attack

A privilege escalation attack gives an account higher privileges than it is authorized to hold. In this simulation, we'll create a new local user account and then add it to the local Administrators group, which is exactly the kind of change the analytic rule should flag.

Steps:

  1. Locate the Target VM: Access the Windows VM you created in a previous step.

    (Screenshot: locating the VM and the Run command option)

  2. Execute PowerShell Script: Navigate to the "Operations" section and select "Run PowerShell Script."

    (Screenshot: running a command script)

  3. Create a New User: Paste the following commands into the PowerShell script, replacing "labusername" and "LabPassword1!" with your desired credentials:

    net user labusername /add
    net user labusername LabPassword1!
    net localgroup administrators labusername /add

These commands create a new local user, set its password, and add the user to the local Administrators group.

  4. Verify Attack Success: You should see three success messages confirming the creation of the user, the setting of the password, and the addition of the user to the Administrators group.
  5. Monitor for Incident: Return to Microsoft Sentinel and navigate to the "Threat Management" section, then select "Incidents."

    (Screenshot: locating the Incidents blade in Sentinel)

  6. Identify the Incident: Look for an incident matching the name you configured in your analytic rule.

    (Screenshot: finding the incident)

  7. Review Incident Details: Select the incident and click "View full details" to examine the incident information. Verify that the owner assigned to the incident is the user specified in your automation rule.

    (Screenshot: looking at the incident details)
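The three commands above produce three Windows Security events on the VM: 4720 (user account created), 4724 (password reset) and 4732 (member added to a security-enabled local group). The following is an added example, not part of the original post or of Sentinel itself, showing the correlation an analytic rule performs for this simulation: a brand-new account that is added to a privileged group within a short window. The event rows are constructed to resemble Sentinel's SecurityEvent table; field names such as MemberName and the "LAB-VM" computer name are assumptions for the sample.

```python
from datetime import datetime, timedelta

# Constructed sample rows shaped like Sentinel's SecurityEvent table (not real telemetry).
# In real data the 4732 row may carry only MemberSid, so a production rule would resolve the SID.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-05-01T10:00:05", "EventID": 4720, "Computer": "LAB-VM",
     "SubjectUserName": "labadmin", "TargetUserName": "labusername", "MemberName": "-"},
    {"TimeGenerated": "2024-05-01T10:00:06", "EventID": 4724, "Computer": "LAB-VM",
     "SubjectUserName": "labadmin", "TargetUserName": "labusername", "MemberName": "-"},
    {"TimeGenerated": "2024-05-01T10:00:07", "EventID": 4732, "Computer": "LAB-VM",
     "SubjectUserName": "labadmin", "TargetUserName": "Administrators",
     "MemberName": "LAB-VM\\labusername"},
    # Benign noise: an existing service account added to a non-privileged group.
    {"TimeGenerated": "2024-05-01T11:30:00", "EventID": 4732, "Computer": "LAB-VM",
     "SubjectUserName": "labadmin", "TargetUserName": "Remote Desktop Users",
     "MemberName": "LAB-VM\\svc_backup"},
]

PRIVILEGED_GROUPS = {"administrators"}  # extend with other sensitive local groups as needed


def detect_new_account_made_admin(events, window=timedelta(minutes=10)):
    """Return one finding per (computer, account) where a 4720 (account created) is followed
    by a 4732 into a privileged group within `window`. Mirrors a join-style KQL rule:
    4720 rows joined to 4732 rows on computer + account, filtered on the time delta."""
    created = {}   # (computer, account) -> creation time
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeGenerated"]):
        t = datetime.fromisoformat(ev["TimeGenerated"])
        if ev["EventID"] == 4720:
            created[(ev["Computer"], ev["TargetUserName"].lower())] = t
        elif ev["EventID"] == 4732 and ev["TargetUserName"].lower() in PRIVILEGED_GROUPS:
            # MemberName is DOMAIN\user or COMPUTER\user; keep only the account part.
            account = ev["MemberName"].split("\\")[-1].lower()
            t0 = created.get((ev["Computer"], account))
            if t0 is not None and timedelta(0) <= t - t0 <= window:
                findings.append({
                    "computer": ev["Computer"],
                    "account": account,
                    "group": ev["TargetUserName"],
                    "actor": ev["SubjectUserName"],
                    "seconds_after_creation": int((t - t0).total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for f in detect_new_account_made_admin(SAMPLE_EVENTS):
        print(f"ALERT: {f['actor']} added new account {f['account']} to {f['group']} "
              f"on {f['computer']} {f['seconds_after_creation']}s after creation")
```

Running it against the sample data yields exactly one alert for labusername; the svc_backup row is ignored because it targets a non-privileged group and has no matching 4720.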

Conclusion

By following these steps and carefully reviewing the resulting incident, you can validate that your Sentinel and Defender setup detects a privilege escalation on the VM and routes the incident to the intended owner.
