March 26, 2021

Best way to test an AV/EDR Solution

Currently going through a POC with Crowdstrike – are there any open source IOCs or scripts that we can use to test this solution? Something that’s non-malicious ideally. We primarily wanna see if it can block data exfil scripts and ransomware.

thanks

Comments

Ghawblin

Typically when I’ve done POCs the vendor gave me some to try out. Does your sales/tech rep have any to give?

Other than that, I’ve had all AVs freak out over pentesting tools like BloodHound or mimikatz, so you could try to use some of those. You don’t even have to run them, just downloading the files and maybe extracting them would be enough to trigger an action.

Dump-ster-Fire

Data exfil and Ransomware are both post compromise techniques. The environment would already have been compromised before either of these were an option. The bad thing already happened.
Here’s a non malicious Defender for Endpoint test for ya. Pretty simple:
[https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-detection-test?view=o365-worldwide](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-detection-test?view=o365-worldwide)
I’d reckon CrowdStrike should pick up and alert on the same powershell behavior.

CrowdStrike is GOOD PEOPLE. Their tools, properly configured, and MONITORED, provide a great deal of protection. I’m a Microsoft dude, so my experience and testing comes from there.

Dump-ster-Fire

Oh, and proving data exfil is HARD, unless you’re specifically set up to monitor that kind of thing beforehand. You might see rar.exe get written to c:\programdata. You might see system.hive get RAR’d in the same location. Does that prove exfil? Are you logging sufficiently at some sort of perimeter device? How is CrowdStrike or any other EDR vendor supposed to differentiate between legitimate data transferred out and non-legitimate data transferred out? What does ‘normal’ look like in the environment, and is your solution alerting on deviations from normal?
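The two host-side indicators in the comment above (an archiver dropped into C:\ProgramData, a registry hive being RAR’d there) can be turned into a correlation check that an evaluation team runs over EDR or Sysmon telemetry to see whether the product under test surfaces the same thing. This is an added example, not code from the thread or from any vendor; the event layout, the archiver and hive name lists and the ten-minute window are assumptions, and it generalizes past rar.exe to a few common archivers.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style events for illustration only, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2021-03-26T10:01:02", "event": "FileCreate", "host": "ws01",
     "image": r"C:\Windows\explorer.exe", "target": r"C:\ProgramData\rar.exe"},
    {"ts": "2021-03-26T10:01:40", "event": "ProcessCreate", "host": "ws01",
     "image": r"C:\ProgramData\rar.exe",
     "cmdline": r"rar.exe a -hp C:\ProgramData\sys.rar C:\Windows\Temp\system.hive"},
    {"ts": "2021-03-26T11:00:00", "event": "ProcessCreate", "host": "ws02",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"WinRAR.exe a D:\Backups\photos.rar D:\Photos"},   # benign backup job
]

# Assumed lists: archiver binaries, the ProgramData prefix, and hive file names.
ARCHIVER = re.compile(r"(^|\\)(rar|winrar|7z|7za)\.exe$", re.IGNORECASE)
PROGRAMDATA = re.compile(r"^[a-z]:\\programdata\\", re.IGNORECASE)
HIVE = re.compile(r"\b(system|sam|security)\.hive\b", re.IGNORECASE)


def triage(events, window=timedelta(minutes=10)):
    """Return {host: {"rules": [...], "severity": ...}} for hosts with any hit.

    Two different rules firing on one host inside `window` is rated high;
    a single rule (an archiver in ProgramData on its own is common) is medium.
    """
    hits = defaultdict(list)  # host -> [(timestamp, rule name)]
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if (e["event"] == "FileCreate" and PROGRAMDATA.match(e["target"])
                and ARCHIVER.search(e["target"])):
            hits[e["host"]].append((ts, "archiver_dropped_in_programdata"))
        if (e["event"] == "ProcessCreate" and ARCHIVER.search(e["image"])
                and HIVE.search(e.get("cmdline", ""))):
            hits[e["host"]].append((ts, "registry_hive_archived"))

    findings = {}
    for host, items in hits.items():
        rules = sorted({rule for _, rule in items})
        times = [ts for ts, _ in items]
        correlated = len(rules) > 1 and max(times) - min(times) <= window
        findings[host] = {"rules": rules, "severity": "high" if correlated else "medium"}
    return findings


if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS).items():
        print(host, finding)
```

Comparing what this flags against what the EDR alerted on for the same activity is the useful part of the exercise; the rule alone says nothing about whether data actually left the network, which is the point the comment makes about perimeter logging.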
