The aim of this test is to verify that your Security Operations Center (SOC) can effectively detect the “cmdkey /list” command execution. This command is used on Windows systems to list stored credentials and could be exploited by malicious actors to gather sensitive information. Detecting this command allows your SOC to respond promptly to suspicious activities and prevent security breaches.
- Test Preparation:
  - Set up a monitored Windows machine in a controlled environment.
  - Ensure the `cmdkey` utility is available on the machine.
- Baseline Monitoring:
  - Take a snapshot of the system's current state (processes and user sessions).
- Test Execution:
  - Open Command Prompt on the Windows machine.
  - Execute the command: `cmdkey /list`
- Expected SOC Detection:
  - The SOC's monitoring should detect the execution of `cmdkey /list`.
  - The SOC team receives an alert with details (timestamp, source IP, username, command).
- Review and Analysis:
  - The SOC team analyzes the alert to confirm legitimacy.
  - If legitimate, the test is successful.
  - If suspicious/unauthorized, initiate incident response.
- Post-Test Validation:
  - Verify threat mitigation.
  - Compare the post-test system state with the baseline.
- Reporting:
  - Document the test results and the response process in a detailed report.
  - Highlight vulnerabilities and areas for improvement.
- Remediation:
  - Address identified weaknesses in SOC monitoring.
  - Enhance logging, alerting rules, or security measures as needed.
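As an added example, not part of this guide: the detection logic behind the Expected SOC Detection step, written in Python and run over constructed Sysmon process-creation records (Event ID 1) as a SIEM might hold them. It matches cmdkey by image name or by the PE's OriginalFileName (so a renamed copy is still caught), requires the `/list` switch as a whole token, and reports the host name where the guide lists a source IP, since process-creation events carry the computer name rather than an address.

```python
import os
import re

# cmdkey's credential-enumeration switch, matched as a whole token, any case.
LIST_SWITCH = re.compile(r"(?<!\S)/list(?!\S)", re.IGNORECASE)

# Constructed Sysmon Event ID 1 (process creation) records in the JSON shape a
# SIEM might hold them; field names follow Sysmon, all values are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-05-01 10:02:11.123", "Computer": "WS01.lab.local",
     "User": "LAB\\alice", "Image": "C:\\Windows\\System32\\cmdkey.exe",
     "OriginalFileName": "cmdkey.exe", "CommandLine": "cmdkey  /LIST",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:03:40.500", "Computer": "WS01.lab.local",
     "User": "LAB\\alice", "Image": "C:\\Windows\\System32\\cmdkey.exe",
     "OriginalFileName": "cmdkey.exe", "CommandLine": "cmdkey /add:srv01 /user:bob /pass",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:05:02.000", "Computer": "WS02.lab.local",
     "User": "LAB\\svc_backup", "Image": "C:\\Users\\Public\\ck.exe",
     "OriginalFileName": "cmdkey.exe", "CommandLine": "ck.exe /list",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]

def image_name(event):
    """Basename of the process image, lower-cased; backslashes handled on any OS."""
    return os.path.basename(event.get("Image", "").replace("\\", "/")).lower()

def is_cmdkey(event):
    """Match cmdkey by on-disk name or by the PE's OriginalFileName, so a copy of
    the binary launched under another name is still caught."""
    return (image_name(event) == "cmdkey.exe"
            or event.get("OriginalFileName", "").lower() == "cmdkey.exe")

def detect_cmdkey_list(events):
    """One alert per process-creation event that runs cmdkey with /list, carrying
    the details the SOC analyst needs (time, host, user, command, parent)."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1 or not is_cmdkey(ev):
            continue
        if not LIST_SWITCH.search(ev.get("CommandLine", "")):
            continue
        alerts.append({"rule": "cmdkey credential enumeration",
                       "timestamp": ev["UtcTime"], "host": ev["Computer"],
                       "user": ev["User"], "command": ev["CommandLine"],
                       "parent": ev["ParentImage"],
                       "renamed_binary": image_name(ev) != "cmdkey.exe"})
    return alerts
```

The second sample record (`cmdkey /add`) shows why the rule keys on the `/list` switch rather than on cmdkey alone: storing a credential is routine administration and would otherwise flood the SOC with alerts.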
Note: Conduct security testing in a controlled environment, with proper authorization to avoid negative impacts on production systems.