I was inspired by this article:
to create an simple automated process to test security settings and alerts for the Microsoft Cloud environment. I have thus created this script:
which you can download for free from my Github repo.
You can run the script by launching PowerShell and running
You don’t need to run the script as an administrator or with elevate privileges.
The first thing the script will attempt to do is download the EICAR testing file and save it locally as a file called eicar.com.txt.
Your security should prevent this and that file should not appear on your machine, which the script will verify, as shown above.
Your environment should also generate some sort of alert. In my case, one such alert appeared in Azure Sentinel.
Next, the script will attempt to create a new file in current directory called eicar1.com.txt with a signature that should be detected by your environment.
The script will then check the local Windows Defender logs for mention of the file eicar1.com.txt. If you are using a third party AV solution you’ll need to manually dig around in the logs to confirm this action has been detected. However, if you use Windows Defender, I have done that for you as you see above. The results are returned in order with Item 1 being the latest.
The script will then check to see whether the file eicar1.com.txt has been created. In most cases, the file will exist but it should be of zero length ensuring the creation process was terminated. If the eicar1.com.txt file exists and does not have a length of zero, then you’ll need to take action.
Next, the script will attempt to do a process dump for LSASS.EXE. To achieve this you’ll need to have SysInternals Procdump in the currently directory. If procdump.exe is not located in the current directory, you’ll be prompted to download it into the current directory.
The script will then try a process dump of LSASS.EXE using the command:
.\procdump.exe -ma lsass.exe lsass.dmp
The dump process should fail as shown above.
The final check is to prompt you for an email address and then attempt to login to Microsoft 365 using this.
Doing so should generate a log or alert as shown above that you can view and verify.
The aim of the scripts is largely to check that your security configuration is correctly enabled and configured. Generally, all the tests here should fail and all should report some where that can review to ensure your configuration is correct. Remember, good security is not to ‘assume’ and never test, it is to regularly test and understand where to look for specific types of alerts.
As I come up with more things to test, I’ll add them to the script, so make sure you check to see whether I have updated it in the future.