Generating Test Threats in Red Canary

Issue

I need to generate test threats in Red Canary.

Resolution

You can generate test threats to suit your needs! You may be familiar with EICAR test files used by many security vendors to validate that the product is working. Red Canary has a similar way to test for data flow validation by executing one of the following commands:

cmd.exe /c echo rccar-18a09226892986f3d468c75379580043be58c90a09e858f6c4e9b827e5fd961a-rccar
bash -c echo rccar-18a09226892986f3d468c75379580043be58c90a09e858f6c4e9b827e5fd961a-rccar

Once you issue this command, it should be inspected by your endpoint detection and response sensor, sent to Red Canary's investigation platform, and returned to you in the form of a threat verifying the data was received. The threat will have a low severity so it doesn't get mixed in with other (hopefully few) high-priority threat in your environment.

Generate a test to validate an Automate trigger
Customers often use Automate to take action when a new threat is published. You may want to generate a test threat to check that Automate triggers are working as expected. Red Canary has specific test strings that will create a low, medium, or high severity threat.

To generate a test threat, open a new Command Prompt or Terminal session, enter one of the following commands, and close the window.  To ensure you receive a new threat, mark all previous test threat for the endpoint as remediated.

Warning: These strings will create real Red Canary threats. If your organization has an active Automate trigger for published threats, the corresponding playbook will run against your machine. Please be careful when executing these tests.

Low Severity:

cmd  /c echo rccar-low-64c5c0c5b4dfc0b5402fecc29bf7eda74477f4ca865c7ea57ebc2837f1070c78-rccar
bash -c echo rccar-low-64c5c0c5b4dfc0b5402fecc29bf7eda74477f4ca865c7ea57ebc2837f1070c78-rccar

Medium Severity:

cmd  /c echo rccar-med-6818b515dccebcc0b0a24d56eb7b03520ae9de8268ae5607b5b2be9156146e4e-rccar
bash -c echo rccar-med-6818b515dccebcc0b0a24d56eb7b03520ae9de8268ae5607b5b2be9156146e4e-rccar

High Severity:

cmd  /c echo rccar-high-041e84e8b3bbde7ffc139ff324fc9740f360a923a1af5f7bf568938e93701d85-rccar
bash -c echo rccar-high-041e84e8b3bbde7ffc139ff324fc9740f360a923a1af5f7bf568938e93701d85-rccar

Events generated by these strings will bypass our CIRT team and threats will be sent to you as soon as we receive and process the telemetry.

If there's an existing test threat on the endpoint with the same severity, the new event will be appended instead of generating a new threat. Customers need to remediate existing test threat before running another test.

Important: Following these tests, please be sure to mark these threats as testing. In order to mark a threat as testing, follow the below instructions. 

The importance of marking a threat as This was testing- Similar activity won’t be appended to this threat.

Use the drop downs to specify whether the testing was internal or external and the tool used for testing.

Note: If you configured your Red Canary profile to exclude tests from reports, you won't see this activity in the Report Library.

Optionally, select I want to discuss this with my Threat Hunter to talk to a Red Canary threat hunter about this unremediated threat.

Click Mark as will not remediate.