Last week, we made a post on [how to test EDR software](https://www.reddit.com/r/cybersecurity/comments/pc07oy/how_to_test_your_edrantivirus_software/).
Once you’ve completed tests for a single system, you’ll want to take it a bit further and look at lateral movement and some later-stage actions that a threat actor would take. So for phase two of testing, model out lateral movement to a domain controller (DC) and threat actor activity on a DC.
As in Phase One, you should provide a few handicaps using an assumed breach methodology and skip some of the tedious actions that a full, real-life intrusion would require; this includes providing a user with privileges high enough to pivot to our server, and password or hash material to allow authentication.
## Lateral Movement
Once a threat actor has a foothold in an environment and has gathered enough initial information about the target environment, they’ll want to move laterally. In a full, live environment it may take many steps of lateral movement for the threat actor to reach their goals. For our test, we’re going to speed things up and use domain administrator credentials to pivot to our domain controller server and see if our endpoint tool can pick up on remote service execution, which is used by many post-exploitation frameworks.
For step-by-step instructions see [here](https://github.com/blumirabrian/endpoint-detection-methology/blob/main/msf/MSF-Phase-2.md#lateral-movement).
## Process Injection
In any intrusion there is never a straight path following [the traditional “kill-chain” model;](https://www.blumira.com/ransomware-kill-chain/) you often see a circular pattern as threat actors repeat certain steps as they move through to their goals. Here, we will repeat a process injection on the server and see if the tool we are testing can detect it.
See the step-by-step instructions [here](https://github.com/blumirabrian/endpoint-detection-methology/blob/main/msf/MSF-Phase-2.md#process-injection).
## Domain Credential Access
Once on a domain controller, most threat actors want to get access to all of the domain credentials, allowing them many ways to return to a domain later, or to sell access off to others. These are some of the crown jewels of any enterprise network and we want to see if the endpoint tool being tested will observe unusual access on the domain controller to the files that store the domain credentials.
See the step-by-step instructions [here](https://github.com/blumirabrian/endpoint-detection-methology/blob/main/msf/MSF-Phase-2.md#credential-access-dump-ntdsdit).
## Defense Evasion
Now we are getting toward the final steps of our simulated intrusion. Some threat actors will attempt to clear evidence of their actions before leaving an environment, so we will simulate that by clearing the Windows logs on our domain controller here.
The step-by-step instructions for the test are [here](https://github.com/blumirabrian/endpoint-detection-methology/blob/main/msf/MSF-Phase-2.md#defense-evasion-clear-logs).
## Impact
For the last test, we’ll execute another built-in Windows utility that [ransomware](https://www.blumira.com/glossary/ransomware/) groups often execute to lock systems in return for a payment. If you haven’t detected or stopped a threat actor by this point it is already too late, but in a large environment drastic measures may limit some fallout. Here, we want to see if the endpoint technology can detect unusual access and use of this administrative utility.
Step-by-step instructions can be found [here](https://github.com/blumirabrian/endpoint-detection-methology/blob/main/msf/MSF-Phase-2.md#impact).
With these tests, you should now have a handle on the basic capabilities of the endpoint technology being tested. You can also craft actionable detections for a security team, prioritizing high-fidelity alerts over basic adware noise.
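
One way to score the results, as an added example that is not part of the original post or the linked step-by-step instructions: compare what the endpoint tool alerted on against the native Windows telemetry each test step leaves on the DC. The record shape, `RULES`, `scorecard` and the step names are hypothetical; the sample events are constructed, and the process injection rule assumes Sysmon is installed.

```python
from collections import defaultdict

# Constructed sample records, shaped like a JSON export of the test DC's event logs.
SAMPLE_EVENTS = [
    {"channel": "System", "event_id": 7045, "data": {"ServiceName": "example-svc"}},
    {"channel": "Security", "event_id": 4688,
     "data": {"CommandLine": r"example.exe C:\Windows\NTDS\ntds.dit"}},
    {"channel": "Security", "event_id": 4688, "data": {"CommandLine": "ipconfig /all"}},
    {"channel": "Security", "event_id": 1102, "data": {}},
]

def _cmdline(event):
    # 4688 only carries a command line when command-line auditing is enabled.
    return event.get("data", {}).get("CommandLine", "").lower()

# Test step -> predicate that recognises its native telemetry.
RULES = {
    # 7045: a new service was installed (remote service execution leaves this on the target).
    "lateral_movement": lambda e: (e["channel"], e["event_id"]) == ("System", 7045),
    # Sysmon 8: CreateRemoteThread (assumes Sysmon is installed on the DC).
    "process_injection": lambda e: (e["channel"], e["event_id"])
        == ("Microsoft-Windows-Sysmon/Operational", 8),
    # Process creation whose command line references the AD database file.
    "credential_access": lambda e: (e["channel"], e["event_id"]) == ("Security", 4688)
        and "ntds.dit" in _cmdline(e),
    # 1102: Security log cleared; 104: an event log was cleared (recorded in System).
    "defense_evasion": lambda e: (e["channel"], e["event_id"])
        in {("Security", 1102), ("System", 104)},
}

def scorecard(events, edr_alerted_steps):
    """Classify each step: the EDR alerted, only raw logs saw it, or nothing did."""
    hits = defaultdict(int)
    for event in events:
        for step, rule in RULES.items():
            if rule(event):
                hits[step] += 1
    result = {}
    for step in RULES:
        if step in edr_alerted_steps:
            result[step] = "alerted"
        elif hits[step]:
            result[step] = "logged, no alert"
        else:
            result[step] = "no telemetry"
    return result

if __name__ == "__main__":
    # Suppose the EDR under test only raised an alert for the log clearing.
    for step, verdict in scorecard(SAMPLE_EVENTS, {"defense_evasion"}).items():
        print(f"{step:20} {verdict}")
```

A "logged, no alert" verdict is a candidate for a custom detection built on the raw event; "no telemetry" usually points to an audit policy or logging gap rather than a tool failure.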
*This post was* [*originally published on Blumira’s blog*](https://www.blumira.com/test-antivirus-edr-software/?mrls=Organic_Social&mrsp1=Reddit&mrsp2=*)*.*