Hyacienth Ugochukwu

How To Perform A Simulated Attack To Validate The Analytic And Automation Rules

This is a continuation of my previous post; you can check it out here.

We will need to perform a simulated attack to validate that the Analytic and Automation rules create an incident and assign it to the user. We will perform a simple privilege escalation attack on our resource, the virtual machine: creating a new local account and adding it to the local Administrators group.

Task 1 - Perform a simulated Privilege Escalation attack
Use simulated attacks to test analytic rules in Microsoft Sentinel.

  1. Locate and select the resource (the virtual machine in Azure), scroll down the menu items to Operations, and select Run command
  2. On the Run command pane, select RunPowerShellScript
  3. Copy the commands below, which simulate the creation of an admin account, into the PowerShell Script form and select Run

```powershell
net user theusernametoadd /add
net user theusernametoadd ThePassword1!
net localgroup administrators theusernametoadd /add
```

Note: Make sure there is only one command per line. You can rerun the commands by changing the username; a second run with the same name fails because the account already exists.

  4. In the Output window you should see "The command completed successfully." three times
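The three `net` commands above are enough for a one-off test, but if you plan to rerun the simulation or hand it to someone else, a small script is easier to live with. The following is an added example, not part of the original post: it wraps the same simulated privilege escalation in a script for the RunPowerShellScript form, picks a unique account name so reruns need no hand edits, fails loudly if any step does not succeed, and offers a cleanup mode so the test admin account does not stay behind on the VM. The `Mode` parameter, the `sim-pe-` name prefix and the password are placeholders chosen here; the VM is assumed to be Windows.

```powershell
# Added example (not from the original post): simulated local-admin creation for Azure Run command,
# with a unique account name and a cleanup mode. Assumptions: Windows VM, Run command executes as SYSTEM,
# and the password is a placeholder that merely satisfies the default complexity policy.
param(
    # Pass "-Mode cleanup" (Run command parameter name: Mode, value: cleanup) to remove the test account.
    [ValidateSet('attack', 'cleanup')]
    [string]$Mode = 'attack',
    # Unique per run, so the "account already exists" error never gets in the way of a rerun.
    [string]$UserName = ('sim-pe-' + (Get-Date -Format 'yyyyMMddHHmmss')),
    [string]$Password = 'ThePassword1!'
)

function Invoke-NetStep {
    # Runs one net.exe command, echoes its output, and stops the script on the first failure
    # instead of silently continuing with a half-created account.
    param([string]$Description, [string[]]$NetArgs)
    $output = & net.exe @NetArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "$Description failed (exit code $LASTEXITCODE): $output"
    }
    Write-Output "$Description -> $output"
}

if ($Mode -eq 'cleanup') {
    # Deleting the user also removes its Administrators membership; pass the same UserName that was created.
    Invoke-NetStep 'Delete test account' @('user', $UserName, '/delete')
    return
}

# One "The command completed successfully." per step, exactly as in the manual procedure.
# On the VM these steps raise Security event 4720 (user account created) and 4732
# (member added to a security-enabled local group), which is what a Sentinel rule would key on.
Invoke-NetStep 'Create local user'           @('user', $UserName, '/add')
Invoke-NetStep 'Set password'                @('user', $UserName, $Password)
Invoke-NetStep 'Add to local Administrators' @('localgroup', 'administrators', $UserName, '/add')

# Show the result the way a responder would confirm it on the host.
Write-Output "Created test account: $UserName"
Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -like "*\$UserName" }
```

Paste the script into the PowerShell Script form as-is for the attack run; for cleanup, add a parameter named `Mode` with value `cleanup` and a parameter named `UserName` with the name printed by the attack run. The same script can be driven from your workstation with the Az module, for example `Invoke-AzVMRunCommand -ResourceGroupName <rg> -VMName <vm> -CommandId 'RunPowerShellScript' -ScriptPath .\simulate.ps1 -Parameter @{ Mode = 'cleanup'; UserName = 'sim-pe-…' }` (resource names are placeholders). Two caveats worth knowing: Run command executes as SYSTEM, so the subject account in the resulting Security events is the machine account rather than an interactive user, and the script (password included) is visible to anyone who can read the VM's Run command history, so treat the test password as burned.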

Task 2 - Verify an incident is created from the simulated attack
Verify that an incident is created that matches the criteria for the analytic rule and automation.

  1. In Microsoft Sentinel, go to the Threat Management menu section and select Incidents
  2. You may or may not see an incident that matches the Severity and Title you configured in the NRT rule you created. The rule can only match events that reach the Log Analytics workspace it queries, so if your virtual machine's Windows Security events are not being collected into that workspace (for example, no Windows Security Events connector or data collection rule covers the VM), or you used a different kind of resource, no incident will appear
  3. Select the Incident and the detail pane opens
  4. The Owner should be the user you assigned in the Automation rule, and Tactics and techniques should show Privilege Escalation, as set in the NRT rule
  5. Select View full details to see all the Incident management capabilities and Incident actions
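Checking the Incidents blade tells you whether the whole chain worked, but when no incident shows up it does not tell you which link broke. The following is an added example, not part of the original post: it verifies the same two things from your own workstation with the Az PowerShell modules, first that the Security events from the simulated attack actually arrived in the workspace (if this returns nothing, the NRT rule had nothing to match and the problem is data collection, not the rule), and then that Sentinel created an incident with the expected title and owner. It assumes `Az.Accounts`, `Az.OperationalInsights` and `Az.SecurityInsights` are installed and you are signed in with `Connect-AzAccount`; the resource group, workspace and incident title are placeholders, and the test user is the one created in Task 1.

```powershell
# Added example (not from the original post): verify the simulated attack end to end.
# Assumptions: Az.Accounts, Az.OperationalInsights and Az.SecurityInsights are installed and
# Connect-AzAccount has been run; the names below are placeholders for your own lab.
$ResourceGroup = 'rg-sentinel-lab'                # placeholder
$WorkspaceName = 'law-sentinel-lab'               # placeholder
$TestUser      = 'theusernametoadd'               # the account created in Task 1
$IncidentTitle = 'New local admin account created' # placeholder: the Title configured in your NRT rule

$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName

# Step 1: did the VM's Security events reach the workspace?
# 4720 = user account created (TargetAccount is the new user);
# 4732 = member added to a security-enabled local group (TargetAccount is the group, e.g. Builtin\Administrators).
$kql = @"
let user = "$TestUser";
SecurityEvent
| where TimeGenerated > ago(1h)
| where (EventID == 4720 and TargetAccount has user)
     or (EventID == 4732 and TargetAccount has "Administrators")
| project TimeGenerated, Computer, EventID, Activity, TargetAccount, MemberName, MemberSid, SubjectUserName
| order by TimeGenerated asc
"@
$events = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId -Query $kql
if (-not $events.Results) {
    Write-Warning 'No 4720/4732 events in the last hour: check the Windows Security Events connector or data collection rule for this VM.'
} else {
    $events.Results | Format-Table -AutoSize
}

# Step 2: did the analytic rule create an incident, and did the automation rule assign it?
# Owner* catches the flattened OwnerUserPrincipalName / OwnerEmail properties exposed by the cmdlet.
$incidents = Get-AzSentinelIncident -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName |
    Where-Object { $_.Title -eq $IncidentTitle }
if (-not $incidents) {
    Write-Warning "No incident titled '$IncidentTitle' found: events arrived but the NRT rule did not fire, or the title differs from the rule."
} else {
    $incidents | Select-Object Title, Severity, Status, Owner*, CreatedTimeUtc | Format-List
}
```

Read the two warnings as a decision tree: no events means the problem is upstream of Sentinel (agent, data collection rule, or the wrong workspace); events but no incident means the rule's query, title or enablement is the suspect; an incident with an empty owner means the analytic rule worked but the automation rule did not match it. Because Run command executes as SYSTEM, expect `SubjectUserName` in the events to be the computer account (ending in `$`) rather than your own user, which is worth remembering if your rule filters on the subject.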
