
How I Validate Detections with Safe Simulations

January 10, 2026 · 1 min read
Tags: Incident Response, MITRE ATT&CK, Testing


You have a firewall. You have a SIEM. You have an IDS. But do they work?

Unless you test them, you don't know. That is the core idea behind Detection Engineering: every detection is a claim, and a claim has to be verified.

The MITRE ATT&CK Mindset

I don't just "hack" my lab; I test specific TTPs (Tactics, Techniques, and Procedures).

Example: T1003.001 (OS Credential Dumping: LSASS Memory)

I can't run Mimikatz safely on my main PC, so I use Atomic Red Team or simple safe simulations.

The Test

I used a simple command to simulate an attempt to read the shadow file:

cat /etc/shadow

(As a non-root user this fails with a permission error, but the attempt still generates an access-denied audit log.)

Verifying the Alert

I checked Wazuh.

  • Did it trigger? Yes.
  • Rule ID: 5503
  • Level: 5 (lower severity, but logged)

Next question: if I run it as root, does it trigger a high-severity alert? Testing each scenario ensures that when a real bad actor tries it, the bells actually ring.
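To make the "did it trigger, which rule, what level?" check repeatable, here is an added example (not the author's tooling, and not part of Wazuh) that reads Wazuh-style alerts.json lines and scores each safe simulation against an expected rule ID and minimum level. It assumes the default Wazuh alert layout (one JSON object per line with a "rule" object carrying "id", "level" and "description", and a "timestamp" like 2026-01-10T10:05:02.000+0000); the alert lines, agent name and times below are constructed. The test window matters: an alert from an earlier run of the same command must not count as a pass, so anything outside the window is ignored. The root scenario is left with no expected rule ID and only a minimum level, which is exactly the open question above.

```python
"""Score safe simulations against Wazuh alerts.json (added example).

Assumes the default Wazuh alert format: one JSON object per line with a
"rule" object ("id", "level", "description") and a "timestamp" such as
2026-01-10T10:05:02.000+0000. All sample data below is constructed.
"""
import json
from datetime import datetime, timezone

WAZUH_TS = "%Y-%m-%dT%H:%M:%S.%f%z"

# Constructed alerts.json content (not real output from the author's lab).
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    {"timestamp": "2026-01-10T09:30:00.000+0000",   # stale: from an earlier run, before the window
     "rule": {"id": "5503", "level": 5, "description": "PAM: User login failed."},
     "agent": {"name": "lab-ubuntu"}},
    {"timestamp": "2026-01-10T10:05:01.000+0000",
     "rule": {"id": "5501", "level": 3, "description": "PAM: Login session opened."},
     "agent": {"name": "lab-ubuntu"}},
    {"timestamp": "2026-01-10T10:05:02.000+0000",   # the alert the non-root simulation should raise
     "rule": {"id": "5503", "level": 5, "description": "PAM: User login failed."},
     "agent": {"name": "lab-ubuntu"}},
])

# One entry per safe simulation. expect_rule=None means "any alert of at
# least min_level inside the window", for scenarios whose rule is unknown.
TEST_CASES = [
    {"name": "shadow-nonroot", "technique": "T1003 OS Credential Dumping",
     "simulation": "cat /etc/shadow as an unprivileged user",
     "expect_rule": "5503", "min_level": 5},
    {"name": "shadow-root", "technique": "T1003 OS Credential Dumping",
     "simulation": "cat /etc/shadow as root",
     "expect_rule": None, "min_level": 10},   # should a high-severity alert fire?
]


def parse_alerts(text):
    """Parse alerts.json lines and attach an aware datetime as '_ts'."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        alert = json.loads(line)
        alert["_ts"] = datetime.strptime(alert["timestamp"], WAZUH_TS)
        alerts.append(alert)
    return alerts


def validate(case, alerts, window_start, window_end):
    """Report what fired for one case, restricted to the test window so a
    stale alert from an earlier run cannot produce a false pass."""
    in_window = [a for a in alerts if window_start <= a["_ts"] <= window_end]
    if case["expect_rule"] is None:
        hits = [a for a in in_window if a["rule"]["level"] >= case["min_level"]]
    else:
        hits = [a for a in in_window if a["rule"]["id"] == case["expect_rule"]]
    if not hits:
        return {"triggered": False, "rule_id": None, "level": None, "severity_ok": False}
    top = max(hits, key=lambda a: a["rule"]["level"])
    return {"triggered": True, "rule_id": top["rule"]["id"],
            "level": top["rule"]["level"],
            "severity_ok": top["rule"]["level"] >= case["min_level"]}


def run_validation(alerts_text, cases, window_start, window_end):
    alerts = parse_alerts(alerts_text)
    return {c["name"]: validate(c, alerts, window_start, window_end) for c in cases}


def demo_results():
    """Run the constructed cases over the constructed alerts; the window is
    the (constructed) two minutes in which the commands were typed."""
    start = datetime(2026, 1, 10, 10, 4, tzinfo=timezone.utc)
    end = datetime(2026, 1, 10, 10, 6, tzinfo=timezone.utc)
    return run_validation(SAMPLE_ALERTS, TEST_CASES, start, end)


if __name__ == "__main__":
    for name, r in demo_results().items():
        status = "PASS" if r["triggered"] and r["severity_ok"] else "GAP"
        print(f"{status:4} {name:15} rule={r['rule_id']} level={r['level']}")
```

On a real manager the alerts text would come from /var/log/alerts.json, the window from the timestamps recorded just before and after running each simulation, and a "GAP" line is the signal that a rule or a custom higher-level rule still needs writing.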

Conclusion

"Trust but verify" isn't just a political slogan; it's the golden rule of Security Operations.