Security test script walk through video – Update 1

I have made some updates to my free security test script:

https://github.com/directorcia/Office365/blob/master/sec-test.ps1

The main improvement is the inclusion of a menu that allows you to select which test you want to run.

image

You can use the CTRL and SHIFT key to make multiple selections here.

The video also shows the results when the test script is run on a Windows 10 environment with Trend Micro and a Chrome browser.

Don’t forget to keep checking back for further script updates and improvements.

Security test script walk through video

I’ve create this video to give you a basic walk through of the free security testing PowerShell script I’ve created. You’ll find the script here:

https://github.com/directorcia/Office365/blob/master/sec-test.ps1

In the video you’ll see how to quickly get and run the script as well the results it generates on a stand alone Windows 10 device.

Apart from Windows 10, PowerShell and Word there are no special requirements and it can be used on stand alone, domain or Azure Ad joined, etc. It doesn’t matter. It is designed to help you better evaluate your security posture.

Is security working? PowerShell script

I was inspired by this article:

How to make sure your antivirus is working without any malware

to create an simple automated process to test security settings and alerts for the Microsoft Cloud environment. I have thus created this script:

https://github.com/directorcia/Office365/blob/master/sec-test.ps1

which you can download for free from my Github repo.

You can run the script by launching PowerShell and running

.\sec-test.ps1

image

You don’t need to run the script as an administrator or with elevate privileges.

The first thing the script will attempt to do is download the EICAR testing file and save it locally as a file called eicar.com.txt.

image

Your security should prevent this and that file should not appear on your machine, which the script will verify, as shown above.

image

Your environment should also generate some sort of alert. In my case, one such alert appeared in Azure Sentinel.

image

Next, the script will attempt to create a new file in current directory called eicar1.com.txt with a signature that should be detected by your environment.

The script will then check the local Windows Defender logs for mention of the file eicar1.com.txt. If you are using a third party AV solution you’ll need to manually dig around in the logs to confirm this action has been detected. However, if you use Windows Defender, I have done that for you as you see above. The results are returned in order with Item 1 being the latest.

image

The script will then check to see whether the file eicar1.com.txt has been created. In most cases, the file will exist but it should be of zero length ensuring the creation process was terminated. If the eicar1.com.txt file exists and does not have a length of zero, then you’ll need to take action.

image

Next, the script will attempt to do a process dump for LSASS.EXE. To achieve this you’ll need to have SysInternals Procdump in the currently directory. If procdump.exe is not located in the current directory, you’ll be prompted to download it into the current directory.

The script will then try a process dump of LSASS.EXE using the command:

.\procdump.exe -ma lsass.exe lsass.dmp

The dump process should fail as shown above.

image

The final check is to prompt you for an email address and then attempt to login to Microsoft 365 using this.

image

Doing so should generate a log or alert as shown above that you can view and verify.

The aim of the scripts is largely to check that your security configuration is correctly enabled and configured. Generally, all the tests here should fail and all should report some where that can review to ensure your configuration is correct. Remember, good security is not to ‘assume’ and never test, it is to regularly test and understand where to look for specific types of alerts.

As I come up with more things to test, I’ll add them to the script, so make sure you check to see whether I have updated it in the future.