Next Level Learning

Simulate a real threat using the EICAR test file.

1. Check Protection Status

Check we have real time protection enabled before attempting to simulate a threat.

1.1 User Activity

Check real time protection is enabled

mdatp health | grep real_time

1.1 Background Activity

Example output

real_time_protection_enabled is true and managed from the preference file.

[labmin@centos-01 ~]$ mdatp health | grep real_time
real_time_protection_enabled                : true [managed]
real_time_protection_available              : true
real_time_protection_subsystem              : "fanotify"

1.2 User Activity

Optional: Enable Real Time Protection

Enable Real Time Protection

mdatp config real-time-protection --value enabled

1.2 Background Activity

Example output

real_time_protection_enabled is true.

[labmin@centos-01 ~]$ mdatp health | grep real_time
real_time_protection_enabled                : true 
real_time_protection_available              : true
real_time_protection_subsystem              : "fanotify"

End Section 1 - Check Protection Status

2. Simulate a Threat

Simulate a threat.

2.1 User Activity

Simulate a threat

We can use a test file to simulate a threat. The EICAR test file is a harmless file that is detected as malware by antivirus software.

curl -o /tmp/eicar.com.txt https://www.eicar.org/download/eicar.com.txt

2.1 Background Activity

Sample output

The eicar.com.txt file we have been prevented by mdatp

No eicar.com.txt file is present in the current directory.

[labmin@centos-01 ~]$ curl -o /tmp/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    68  100    68    0     0     68      0  0:00:01 --:--:--  0:00:01    68
[labmin@centos-01 ~]$ ls -la
total 128
drwx------. 7 labmin labmin  4096 Oct 24 20:55 .
drwxr-xr-x. 5 root   root      57 Oct 10 17:42 ..
-rw-------. 1 labmin labmin  4772 Oct 25 23:18 .bash_history
-rw-r--r--. 1 labmin labmin    18 Jul 27  2021 .bash_logout
-rw-r--r--. 1 labmin labmin   141 Jul 27  2021 .bash_profile
-rw-r--r--. 1 labmin labmin   376 Jul 27  2021 .bashrc
drwx------. 3 labmin labmin    20 Aug 31 21:51 .config
drwxrwxr-x. 3 labmin labmin    30 Sep 28 17:41 etc
-rw-r--r--. 1 root   mdatp     95 Sep 28 17:14 hot_event_source_1a1767f9-a135-40ec-8286-fc289623d0d4.json
-rw-rw-r--. 1 labmin labmin     0 Sep 13 17:48 installon.log
-rw-------. 1 labmin labmin    61 Sep 28 21:25 .lesshst
-rw-r--r--. 1 root   root   91109 Aug 12  2021 libxcrypt-compat-4.4.18-3.el9.x86_64.rpm
drwx------. 2 labmin labmin    29 Aug 23 22:10 .ssh
drwxrwxr-x. 4 labmin labmin    28 Sep 28 17:42 unzip
drwxrwxr-x. 4 labmin labmin    28 Sep 28 17:41 var
-rw-------. 1 labmin labmin  1879 Oct 24 20:55 .viminfo

End Section 2 - Simulate a Threat

3. Review the Threat

3.1 User Activity

View Threat Details: CLI

We can check MDATP for threats using the following command.

mdatp threat list

3.1 Background Activity

Sample output

[labmin@centos-01 ~]$ mdatp threat list
Id: "ca6161a5-e76b-46e6-8959-17b08e1a8b76"
Name: Virus:DOS/EICAR_Test_File
Type: "virus"
Detection time: Mon Oct 30 18:16:08 2023
Status: "quarantined"

3.2 User Activity

View Threat Details: Microsoft Defender Portal

We can check Microsoft 365 Defender portal for alerts in the Incidents & Alerts pane.

https://securitycenter.microsoft.com/incidents

3.3 User Activity

View Threat Details: Microsoft Defender Portal Advanced Hunting

We can check Microsoft 365 Defender portal for alerts using an Advanced Hunting KQL query.

https://securitycenter.microsoft.com/hunting

1
2

AlertInfo 
| where * contains "EICAR"

3.3 Background Activity

Sample output

End Section 3 - Review the Threat