Issue
User wants to generate a test threat in Red Canary.
Environment
Red Canary Portal
Supported EDR platforms (see EDR class in this table)
Windows, macOS, Linux operating systems
Resolution
You may be familiar with EICAR test files used by many security vendors to validate their product is working. Red Canary has a similar way to validate data flow for integrated platforms, called RCCAR.
Table of Contents
- Quick Start
- RCCAR and Automation
- Generating Threats with a Desired Severity
- Resolving RCCAR Threats
- Generating Threats for Other Platforms
Quick Start
To generate a Medium-severity Suspicious Activity (Process) threat in Red Canary, run either command below from an endpoint running your preferred EDR sensor (cmd for Windows or bash for macOS/Linux).
cmd.exe /c echo rccar-18a09226892986f3d468c75379580043be58c90a09e858f6c4e9b827e5fd961a-rccar
bash -c echo rccar-18a09226892986f3d468c75379580043be58c90a09e858f6c4e9b827e5fd961a-rccar
Once you issue this command, the process execution is recorded by your EDR platform, forwarded to Red Canary's platform for investigation, and finally returned to you in the Red Canary Portal as a published threat, which verifies that the telemetry was received end to end. Note that RCCAR tests are matched only by Red Canary's detection logic and are not expected to be detected or blocked by your native EDR platform; the command line is benign and the test will not raise an alert in the EDR console itself.
RCCAR and Automation
Threats published by RCCAR tests are treated identically to legitimate threats by Automation in Red Canary. As a result, any RCCAR threat that meets the trigger conditions of a "When a threat is published" trigger in your subdomain will run the linked playbooks. Playbooks can include actions like device isolation, phone call/SMS notifications, or outbound webhooks.
You may want to generate a test threat to check that Automation is working as expected. Be sure to review your Automations page before running an RCCAR test to understand which Automate actions may run.
If you want your existing Automation to ignore RCCAR-related threats, add a criterion with the following condition to each existing trigger (see screenshot for a complete example).
- IntelligenceProfile > name > does not contain any of > Rccar
Generating Threats with a Desired Severity
Each of the following tests will generate a Suspicious Activity (Process) threat at the desired severity. Run the cmd command for Windows endpoints or bash for macOS/Linux.
Low-Severity
cmd /c echo rccar-low-64c5c0c5b4dfc0b5402fecc29bf7eda74477f4ca865c7ea57ebc2837f1070c78-rccar
bash -c echo rccar-low-64c5c0c5b4dfc0b5402fecc29bf7eda74477f4ca865c7ea57ebc2837f1070c78-rccar
Medium-Severity
cmd /c echo rccar-med-6818b515dccebcc0b0a24d56eb7b03520ae9de8268ae5607b5b2be9156146e4e-rccar
bash -c echo rccar-med-6818b515dccebcc0b0a24d56eb7b03520ae9de8268ae5607b5b2be9156146e4e-rccar
High-Severity
cmd /c echo rccar-high-041e84e8b3bbde7ffc139ff324fc9740f360a923a1af5f7bf568938e93701d85-rccar
bash -c echo rccar-high-041e84e8b3bbde7ffc139ff324fc9740f360a923a1af5f7bf568938e93701d85-rccar
Events generated by these commands will be published in the Red Canary Portal as soon as we receive and process the telemetry.
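Because the native EDR will not alert on these commands, the only local evidence that the test ran is the process-creation record itself. The following added example (not Red Canary's code, and not part of this article's procedure) scans process-creation telemetry for the RCCAR marker format shown above, so you can confirm from your own EDR or Sysmon export that the command line was captured before waiting for the threat to appear in the Portal. The event field names (host, image, cmdline) and the sample events are constructed for this example; the marker format, the severity tokens and the default Medium severity for the unlabeled quick-start marker are taken from the commands in this article.

```python
"""Scan process-creation telemetry for RCCAR test markers (added example)."""
from __future__ import annotations

import re
from typing import Iterable, NamedTuple, Optional

# Marker format as used by the commands in this article: "rccar-", an optional
# severity token (low|med|high), a 64-character hex body, and a closing "-rccar".
RCCAR_RE = re.compile(
    r"\brccar-(?:(low|med|high)-)?([0-9a-f]{64})-rccar\b", re.IGNORECASE
)

# The quick-start marker carries no severity token and publishes as Medium.
SEVERITY_BY_TOKEN = {None: "Medium", "low": "Low", "med": "Medium", "high": "High"}


class RccarHit(NamedTuple):
    host: str
    image: str
    severity: str
    marker: str


def parse_marker(cmdline: str) -> Optional[tuple[str, str]]:
    """Return (severity, marker) if the command line carries a full RCCAR marker.

    Partial or truncated strings (e.g. someone grepping logs for "rccar-med-6818")
    do not match, because the hex body must be exactly 64 characters and be
    followed by the closing "-rccar".
    """
    m = RCCAR_RE.search(cmdline)
    if not m:
        return None
    token = m.group(1).lower() if m.group(1) else None
    return SEVERITY_BY_TOKEN[token], m.group(0)


def scan_events(events: Iterable[dict]) -> list[RccarHit]:
    """Walk process-creation events and collect every RCCAR marker seen."""
    hits: list[RccarHit] = []
    for ev in events:
        parsed = parse_marker(ev.get("cmdline", ""))
        if parsed is not None:
            severity, marker = parsed
            hits.append(RccarHit(ev["host"], ev["image"], severity, marker))
    return hits


# Constructed sample telemetry (field names are an assumption for this example).
SAMPLE_EVENTS = [
    {"host": "WIN-FIN-07", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo rccar-18a09226892986f3d468c75379580043be58c90a09e858f6c4e9b827e5fd961a-rccar"},
    {"host": "mac-eng-12", "image": "/bin/bash",
     "cmdline": "bash -c echo rccar-high-041e84e8b3bbde7ffc139ff324fc9740f360a923a1af5f7bf568938e93701d85-rccar"},
    {"host": "lnx-build-03", "image": "/bin/bash",
     "cmdline": "bash -c 'echo rccar-low-64c5c0c5b4dfc0b5402fecc29bf7eda74477f4ca865c7ea57ebc2837f1070c78-rccar'"},
    # Near miss: an analyst searching logs for a truncated marker. Must not match.
    {"host": "lnx-build-03", "image": "/usr/bin/grep",
     "cmdline": "grep -r rccar-med-6818b515 /var/log"},
    # Ordinary process, no marker.
    {"host": "WIN-FIN-07", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"{hit.host:12} {hit.severity:7} {hit.image}")
```

A hit here only proves that the sensor recorded the command line on the endpoint. It does not prove that the telemetry reached Red Canary; the published threat in the Portal is the only confirmation of that, which is the purpose of the RCCAR test.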
Resolving RCCAR Threats
After running these tests, be sure to resolve the resulting threats as testing. To mark a threat as testing, follow the steps below.
- From the end of the Threat timeline, click Not Remediated
- Select This was testing then complete the form
- Finalize selections by clicking the Mark as will not remediate button
If your subdomain's Company Profile is configured to exclude test threats, threats resolved as testing will not be included in your Reports.
Generating Threats for Other Platforms
The commands in this article apply only to EDR platforms, but Red Canary offers similar RCCAR tests for other platforms. View the guidance linked below for steps to publish test threats for other platforms you have integrated with Red Canary.