
Ultimate Test Drive - Advanced Endpoint Protection

ULTIMATE
TEST DRIVE:
Advanced Endpoint Protection

Workshop Guide

UTD-AEP 2.2 © 2017 Palo Alto Networks, Inc. | Confidential and Proprietary 20171117

Table of Contents

Activity 1 - Initiate the UTD Workshop 5


Task 1 – Log in to Your UTD Class Environment 5
Task 2 - Understand the UTD Environment Setup 6
Task 3 - Adjust Display as Necessary 7

Activity 2 - Conduct a Ransomware Attack 9


Task 1 - Understand the Attack Sequence 9
Task 2 - Prepare the Drive-By Download 10
Task 3 - Activate the Spear Phishing Email 11
Task 4 - Upload the Ransomware to Victim Client 13
Task 5 - Run Ransomware Malware on Victim Client 15

Activity 3 - Prevent Ransomware Attack 19


Task 1 - Verify Traps is Running on Client Desktop 19
Task 2 - Attempt Ransomware Attack 20
Task 3 - Witness Traps Preventing Ransomware Attack 21

Activity 4 - Explore the Endpoint Security Manager (ESM) 23


Task 1 - Access the ESM Console 23
Task 2 - Review Traps Prevention Event 24
Task 3 - Review Multi-Method Prevention Settings 27

Activity 5 - Prevent Exploit Attack 33


Task 1 - Attempt Ransomware Attack 33
Task 2 - Disable Traps Exploit Prevention Modules 35

Activity 6 - Prevent Malware Attack 42


Task 1 - Review Traps Multi-Method Malware Prevention 42
Task 2 - Attempt to Execute Ransomware 43
Task 3 - Create Unknown Malware 46
Task 4 - Attempt to Run Ransomware Again 47
Task 5 - Disable WildFire and Static Analysis 50
Task 6 - Attempt Ransomware Attack Again 52

Activity 7 - Next-Generation Security Platform in Action 55


Task 1 - Review the Next-Generation Security Platform 55
Task 2 - Review Ransomware Attack Progression 55


Task 3 - Retrieve Ransomware Through Firewall 57

Activity 8 – Anti-Ransomware Protection 59


Task 1 – Review Anti-Ransomware Protection Module 59
Task 2 – Revert Victim Client VM 59
Task 3 – Execute Ransomware on Victim Client 60
Task 4 – Attempt Execution of Ransomware on Traps Client 61

Activity 9 – Microsoft Office File Protection 64


Task 1 – Review Microsoft Office File Protection 64
Task 2 – Prepare Attacker system 64
Task 3 – Generate Unknown Malicious Macro 65
Task 4 – Enable Microsoft Office File Protection 66
Task 5 – Attempt Execution of Unknown Malicious Macro 67
Task 6 – Attempt Execution of Known Malicious Macro 70
Task 7 – Attempt Execution of Macro Containing Child Process Creation 72

Activity 10 - Complete the UTD Evaluation 75


Appendix 1 - Enabling the Firewall 76
Appendix 2 - Access Attacker VM via SSH 79


How to use this guide


The activities outlined in this Ultimate Test Drive (UTD) Workshop Guide are meant to contain all the
information necessary to navigate the workshop interface, complete the workshop activities, and troubleshoot
any potential issues with the UTD environment. This guide is meant to be used in conjunction with the
information and guidance provided by your facilitator.

Note: This workshop covers only basic topics and is not a substitute for training classes conducted by
Palo Alto Networks Authorized Training Centers (ATC). Please contact your partner or regional sales
manager for more information on available training and how to register for one near you.


Activity 1 - Initiate the UTD Workshop


In this activity, you will:
• Log in to the Ultimate Test Drive Workshop from your laptop
• Understand the layout of the environment and its various components
• Enable the Firewall to facilitate connectivity

Task 1 – Log in to Your UTD Class Environment


Step 1: Confirm System Requirements
Verify that your laptop is equipped with a modern browser that supports HTML 5.0. We recommend using the
latest version of Firefox, Chrome or Internet Explorer. We also recommend you verify that the latest Java
client is installed in your browser.

Step 2: Navigate to Class URL


Open a browser window and navigate to the class URL. If you have an invitation email, you can find the Class
URL and Passphrase in the invitation email. Otherwise, your instructor will provide you with the class URL and
Passphrase.

Enter your email address and the Passphrase.

Step 3: Log in to the UTD Environment


Complete the Registration form and click “Login” at the bottom.

Step 4: Enter the UTD Environment


Once you have successfully logged in, the system will automatically create a unique UTD environment for
you. Please note that this process may take a while, as indicated by the green progress bar on top of the
screen.


Once the environment has been created, the system will display a welcome page. Click “Start Using This
Environment” to begin using the environment.

This will display a list of all virtual systems that constitute the UTD environment.
Take note of the “Shortcut Menu” at the top of your browser window. You will use this Shortcut Menu
throughout the workshop to switch between the available desktops.

Task 2 - Understand the UTD Environment Setup


The UTD environment consists of the following components:
A. Attacker: This virtual machine is a Kali Linux system that hosts Metasploit, a penetration testing tool.
It is the platform that you will use to take on the role of the attacker in our workshop exercises.
B. ESM Server: The Endpoint Security Manager (ESM) is the administrative backend for Traps. It is the
system through which you will modify the settings of Traps for our workshop exercises.
C. Traps Client: This Windows 7 virtual system is the main workstation through which you will carry out
the exercises in our workshop. It is equipped with Traps.


D. Victim Client: This virtual system is identical to the Traps Client system with one exception: it is not
equipped with Traps. You will use this system as the victim of the ransomware attack in our workshop.
E. VM-Series Security Platform: This system is a Palo Alto Networks virtual next-generation firewall.

Review the diagram below to better understand the UTD environment setup.

Task 3 - Adjust Display as Necessary


In this Task, you will learn how to adjust the CloudShare display to suit your preferences.

Step 1. Access the Traps Client Desktop


In your browser, click the “Traps Client” link on the Shortcut Menu that lists the available desktop
environments in the UTD. This will connect you to the “Traps Client” through your browser.


Step 2. Modify Screen Dimensions


If the “Student Desktop” resolution is too high or too low for your laptop display, you can adjust the resolution
from the left-hand pane. You can also click the “Full screen” icon to maximize the display.

Note: By default, the various desktops used in this UTD rely on RDP connections carried over HTML5 through
the browser. An HTML5-compatible browser is required.

If you encounter connection issues with any of the desktop interfaces, click the “Reconnect” link in the left-
hand pane of the desktop display to re-establish your connection.

If reconnection to the environment remains unsuccessful, please inform the instructor for further assistance.

End of Activity 1


Activity 2 - Conduct a Ransomware Attack

In this Activity, you will:


• Become the attacker and launch a ransomware attack on a victim via a drive-by download,
control the victim machine, and upload and run a ransomware malware on the system
• Experience a spear phishing attack as the victim and witness first-hand the breach of your
endpoint system

Task 1 - Understand the Attack Sequence


In this Activity, you will assume the role of the Attacker and prepare and launch your ransomware attack
against a victim machine. As a prerequisite, you must understand how the attack compromises the victim
machine in this demonstration.
This ransomware attack involves two main stages:
1. Compromise endpoint via exploit
2. Deliver ransomware malware

To complete the first phase of the attack, you will use the Metasploit tool hosted on the Attacker workstation to
prepare a webserver that delivers an exploit to the victim. When the victim clicks a link in a phishing email, he
or she is redirected to the Attacker’s website, where a zero-day Flash Player exploit (CVE-2015-5119)
compromises the victim’s endpoint system.
Once the victim’s system is compromised, the Attacker uploads the ransomware malware to the victim’s
machine and executes it. This process is depicted in the figure below.


Task 2 - Prepare the Drive-By Download


In this task, you will configure the attacker system to serve the Hacking Team Flash zero-day exploit to the
victim in response to the request for the web page that the phishing email sent to the victim links to.

Step 1. Access the Attacker Desktop

Click the “Attacker” link on the Shortcut Menu that lists the available desktop environments in the UTD.

Note: If the Attacker VM GUI is slow, see Appendix 2 for an alternative access method.

Step 2. Launch the Metasploit Listener

In the terminal window, type the following command at the prompt and press the “enter/return” key:
./demo.sh
This will load Metasploit, configure it to listen for incoming connections, and serve the Hacking Team Flash
zero-day exploit to the victim system. This process may take a while, so please be patient.
When Metasploit has completed loading, it should display the following prompt:
“msf exploit(adobe_flash_hacking_team_uaf) >”
The attacker system is now ready and online, waiting for a connection from the victim system.

Note: If using a non-US keyboard layout, you may use the “Virtual Keyboard” in the left-hand pane to send
text.


Task 3 - Activate the Spear Phishing Email


In this task, you take on the role of the victim. We assume that you (as the victim) have received a spear
phishing email from the attacker, which includes a link to the attacker’s listener service that you configured in
the previous Task. You happily click the link and activate the next stage of the attack.

Step 1. Access the Victim Client Desktop

Click the “Victim Client” link on the Shortcut Menu that lists the available desktop environments in the UTD.

Note: You should not need the credentials for the user associated with the Victim Client. However, if
the system does present you with a login screen on the Victim Client, click the icon associated with the
user “Jen” and supply the password associated with that user (shown above the desktop display area).
This password is “Password1”.


Step 2. Launch Outlook and Access the Spear Phishing Email

Microsoft Outlook is already open and running on the desktop. An email with the subject line: “Someone has
your password” is selected and displayed in the preview pane.
Click the link “Review Your Devices Now” in the email. This will open Internet Explorer, and after a small delay
(depending on your network speed), display a webpage that resembles the Google account login page.

At this point, the attacker has already compromised the endpoint.


Task 4 - Upload the Ransomware to Victim Client


As noted in Step 2 of the previous Task, the Victim Client was already compromised as soon as the website
content served from the Attacker systems began to display in the browser. In this Task, you will return to the
role of the Attacker, upload your ransomware onto the Victim Client, and infect the machine.

Step 1. Access the Attacker Desktop

Click the tab that is associated with the Attacker environment.


Notice that the Metasploit listener service received a request, sent a SWF file in reply, and opened a
“Meterpreter” session to the Victim Client.

Click inside the Terminal window that is open on the desktop. Then, press the “enter/return” key a few times to
get a new Metasploit prompt.

Note: If your connection to the Attacker desktop has been severed, click the “Reconnect” link in the left-
hand pane of the desktop display area to re-establish your connection to that environment.
If you see the lock screen, click in that window and hit the Enter/Return key to get a login prompt.


Step 2. Verify Open Session to Victim Client

In the Terminal window on the Attacker’s desktop, type the following command to verify that you have an
active Meterpreter session to the Victim Client system:
sessions
This will display a list of all active sessions currently running within Metasploit.

An open session indicates that the Attacker has an active, direct connection to the Victim Client, which he or
she can use to further compromise the system.
Note the “ID” of the active session connected to the Victim Client. This is the “Session ID” that you will need to
enter in the next step; it should be session #1, although that might not be the case if you refreshed the
browser on the Victim Client desktop at any point.

Step 3. Initiate an Interactive Session with the Victim Client

Initiate an interactive session with the Victim Client by entering the following command at the Metasploit
prompt (if the “Session ID” you noted in the previous step was not “1,” remember to substitute your “Session
ID” for the number “1” in this command):
sessions -i 1
This will initiate the interactive session, display the message “Starting interaction with 1,” and change the
prompt to a Meterpreter prompt: “meterpreter>”
At this point, you have connected to the Victim Client and can execute any number of available commands to
exploit the system. To see a list of available commands, simply type “?” and press “enter/return” at the
Meterpreter prompt.
We will not explore the available Meterpreter commands in this exercise, but feel free to scroll up and down
the list to see the available commands. These include commands such as: reboot, shutdown, and
keyscan_start (a keylogger), among others.


Step 4. Upload the Ransomware to the Victim Client

The Petya ransomware that is part of this attack sequence already resides on the Attacker machine. Upload it
to the Victim Client by typing the following commands at the Meterpreter prompt:
cd /Windows
upload happy.exe
At this point, Meterpreter should display a message confirming that it successfully uploaded “happy.exe” to the
Victim Client: “uploaded : happy.exe -> happy.exe”

We are now ready to launch our ransomware attack and infect the Victim Client.

Task 5 - Run Ransomware Malware on Victim Client


For this Task, you must be prepared to quickly switch over to the tab for the Victim Client as soon as you have
launched the ransomware malware. This malware acts very quickly to infect a system, and if you remain in the
Attacker environment, you will miss its actions.

Step 1. Execute the Ransomware Malware on the Victim Machine

Be prepared to switch to the tab for the Victim Client as soon as you enter the following command at the
Meterpreter prompt (in the Attacker Terminal window):
execute -f happy.exe -H


Step 2. Witness the Ransomware Infect the Victim Machine


At this point, you should have quickly switched over to the tab for the Victim Client. Once the ransomware
malware begins executing on the Victim Machine, it will simulate a “blue screen of death” that typically
accompanies a Windows system crash and reboot the Victim Client.

The ransomware will simulate the process of checking the disk on the Victim Client (the CHKDSK process).
However, the counter that indicates the progress will never stop counting.
Click the “Send ctrl+alt+delete” button in the left-hand pane of the Victim Client desktop display to send that
key sequence to the system.


This will display a flashing red and grey “skull and crossbones” image and prompt the user to “PRESS ANY
KEY.”

Click inside the “skull and cross bone” image and press the space bar. This should change the image to a
ransomware warning page, with demands and instructions to submit your payment in order to unlock your
system.

Congratulations! You are simultaneously an attacker and your own victim.

Step 3. Close the Attacker Session

On the Attacker desktop, click inside the Terminal window and press the “enter/return” key a few times to
display a Metasploit prompt.


We no longer need this attacker session, so type the following command to shut down Meterpreter:
exit
This will return you to the Metasploit prompt. Type the following command to shut down Metasploit as well.
exit
This will stop the attacker server and return you to the Terminal prompt.

End of Activity 2


Activity 3 - Prevent Ransomware Attack

In this activity, you will:


• Access the Traps-Client desktop and verify that Traps is enabled
• Attempt the ransomware attack from the previous Activity
• Witness Traps preventing the ransomware attack

Task 1 - Verify Traps is Running on Client Desktop


In this Task, you will access the Traps Client environment and verify that Traps is running and activated
before attempting the ransomware attack you used in the previous Activity.

Step 1. Access the Traps Client Desktop

Click the “Traps Client” tab to display that environment.

Step 2. Display Traps Client Console

Click the Traps icon on the Windows taskbar at the bottom of the desktop. This should display the Traps client
console, which indicates that “Advanced Endpoint Protection is Enabled”

Note the date and time of the “Last Check-in” indicated on the bottom of the Traps client console.
Click the “Check In Now” link to reconnect to the Traps Endpoint Security Manager (ESM) backend systems
and retrieve any updated security policies.
The link should change momentarily to “Connecting” and once the Traps client has completed the check-in
process, it should return to “Check In Now.”


At this point, you have verified that Traps is running on the Client desktop.

Task 2 - Attempt Ransomware Attack


In this Task, you will restart the processes that facilitate the ransomware attack we carried out against the
Victim Client systems in our previous Activity.
You will configure the attacker system to serve the Hacking Team Flash zero-day exploit to the victim in
response to the request for the web page that the phishing email sent to the victim links to.

Step 1. Access the Attacker Desktop

Click the “Attacker” tab to display the Attacker desktop.


There should be a terminal window already open on the desktop. If one is not open, simply click the “Terminal”
link on the very top of the desktop window and select “New Terminal” from the drop-down menu.

Step 2. Launch the Metasploit Listener

In the terminal window, type the following command at the prompt and press the “enter/return” key:
./demo.sh
This will load Metasploit, configure it to listen for incoming connections, and serve the Hacking Team Flash
zero-day exploit to the victim system. When Metasploit has completed loading, it should display the following
prompt

“msf exploit(adobe_flash_hacking_team_uaf) >”

The attacker system is now ready and online, waiting for a connection from the victim system.


Task 3 - Witness Traps Preventing Ransomware Attack


In this task, we once again assume that you (as the victim) have received a spear phishing email from the
attacker that includes a link to the attacker’s listener service, which you configured in the previous Task.
However, you now have Traps installed on your system. You happily click the link and activate the next stage
of the attack.

Step 1. Access the Traps Client Desktop

Click the “Traps Client” tab to display that desktop. This returns you to the Traps Client desktop with the Traps
client console still visible (from Task 1, Step 2 above).

Step 2. Launch Outlook and Access the Spear Phishing Email

Microsoft Outlook is already open and running, and an email with the subject line: “Someone has your
password” is displayed in the inbox.

Click the link “Review Your Devices Now” in the email. This will open Internet Explorer, and after a small delay
(depending on your network speed), display a webpage that resembles the Google account login website.
Recall from our previous Activity that the Attacker server detects the incoming connection and serves the
SWF file for the Hacking Team zero-day exploit in reply to the request.
At this point, Traps will detect the exploitation attempt, block it, and display a dialog box to inform you that it
has prevented the security breach.


Traps freezes the Internet Explorer processes running in the browser tab, collects forensic data about the
attack, and then terminates the exploitation attempt.
Click “OK” in the Traps notification dialog box to dismiss it. This will close the dialog box and terminate the
Internet Explorer process that was targeted by the exploitation attempt.

Step 3. Verify that Traps Has Prevented the Attack

Click the “Attacker” tab. This should display the Attacker desktop.
Notice that the Attacker’s system detected the incoming request and served the SWF file that contains the
exploit, but failed to establish an active session to the Traps Client machine.

Click inside the Terminal window on the Attacker desktop and press “enter/return” a few times to get a new
Metasploit prompt: “msf exploit (adobe_flash_hacking_team_uaf) >.”
Enter the following command at the Metasploit prompt:
sessions
This should display a response indicating that there are no active sessions.
This verifies that the Attacker’s exploitation attempt failed, despite the fact that the SWF file containing the
Hacking Team Flash zero-day exploit was delivered to the Traps Client machine.

End of Activity 3


Activity 4 - Explore the Endpoint Security Manager (ESM)


In this activity, you will:


• Access the ESM Console
• Review the prevention notice from Traps, issued when it blocked the ransomware attack in the
last Activity
• Learn more about the multi-method malware and exploit prevention capabilities of Traps and
where to find their settings in the ESM

Task 1 - Access the ESM Console


In this Task, you will access the ESM Server environment and log in to the management console.

Step 1. Access the ESM Desktop

Click the “ESM Server” link on the Shortcut Menu that lists the available desktop environments in the UTD.

This will display the ESM Server desktop. The Chrome browser should already be open and displaying the
login prompt for the ESM management console.

If Chrome is not open, simply click the Chrome icon in the Windows Taskbar (on the left of the display) to
launch Chrome. If necessary, click the “ESM Server-Login” shortcut on the Chrome bookmark bar to access
the login prompt.


Step 2. Log in to the ESM Console

Use the following credentials to log in to the ESM console:


Name: student
Password: utd135

This should log you in to the console and display the main dashboard.

Task 2 - Review Traps Prevention Event


In this task, you will review the prevention event that Traps generated when it blocked the ransomware attack
in its initial stages. Since the drive-by download begins with an exploitation attempt (Hacking Team Flash
zero-day exploit), we expect to see an exploit prevention notice from your Traps Client system.
Step 1. View the Ransomware Prevention Security Event

Click the “Security Events” tab inside the ESM console. This should display a table that summarizes all the
threats reported to the ESM by all endpoint agents.
In the case of our UTD environment, we should only have one security event reported: an exploit prevention
listed in the row labeled “Exploits.”

Step 2. View the Exploit Prevention Record

At this point, you can simply click the number in the summary table (the red number “1” in our case) to
navigate directly to the exploit prevention event.
Click “Exploits” in the left column of the display, under the “Preventions” heading. This will display all the
exploit prevention events recorded in the ESM.


Notice that you can learn a great deal from the record displayed in the table, even without opening the event
record itself:
• Date and time of the event
• Which computer was affected (Traps Client)
• The IP address of the user
• Who the user was (user Jen on Traps Client)
• What operating system is running on the system (Windows 7)
• What version of the Traps agent is running on the system
• Which process was exploited (iexplore.exe - Internet Explorer)
• What exploit prevention module in Traps prevented the exploitation attempt

Step 3. Open the Exploit Prevention Record

Click the record in the table that corresponds to our exploit prevention event. This will display additional details
about the prevention event, including:
• Source Path: the path to the application that was exploited
• Source Version: the version number of the application
• File Quarantine: whether the executable file (iexplore.exe) was quarantined
• Source Signers: who (if any) signed the executable file


Note that you can also display additional details about the prevention event by clicking the “Additional
Information” link in the prevention event record display. Click that link now.
Scroll down in the list of “Recent Files and URIs” and take note of the files and web addresses that were
associated with this ransomware attack. Specifically, notice the web address for the “Attacker” system
displayed in this list (“http://192.168.21.150:8080”). This type of information is critical to forensic investigations,
should you choose to conduct one after Traps prevents an attack.
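The “Recent Files and URIs” list mixes local file paths with web addresses, and the web addresses are the part a responder usually wants first: which hosts the exploited browser talked to, on which ports, and how often. The script below is an added example for this guide, not Traps code or output from the ESM; the record it parses is constructed here (the attacker address is the one shown in the event above, the other entries are placeholders), and the “review first” rule (bare IP literals and non-standard ports) is a triage heuristic chosen for the example, not an ESM feature.

```python
# Added example: triage the "Recent Files and URIs" list of a prevention event.
# The record below is constructed for this guide; it is not real Traps output.
import ipaddress
from typing import Dict, List
from urllib.parse import urlsplit

SAMPLE_RECENT_FILES_AND_URIS = """\
C:\\Program Files\\Internet Explorer\\iexplore.exe
C:\\Users\\Jen\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\index.dat
https://www.example.com/login
http://192.168.21.150:8080
http://192.168.21.150:8080/flash.swf
C:\\Windows\\System32\\Macromed\\Flash\\Flash.ocx
"""


def extract_uris(record: str) -> List[str]:
    """Keep only the web addresses; local file paths in the same list are skipped."""
    return [line.strip() for line in record.splitlines()
            if line.strip().lower().startswith(("http://", "https://"))]


def summarize_hosts(uris: List[str]) -> Dict[str, dict]:
    """Group URIs by host and record the properties a responder looks at first."""
    hosts: Dict[str, dict] = {}
    for uri in uris:
        parts = urlsplit(uri)
        host = parts.hostname
        if host is None:
            continue
        # urlsplit reports None for an implicit port, so fill in the scheme default.
        port = parts.port or (443 if parts.scheme == "https" else 80)
        try:
            ipaddress.ip_address(host)
            ip_literal = True          # a bare IP instead of a DNS name
        except ValueError:
            ip_literal = False
        entry = hosts.setdefault(host, {
            "scheme": parts.scheme, "port": port, "count": 0, "paths": [],
            "ip_literal": ip_literal, "nonstandard_port": port not in (80, 443),
        })
        entry["count"] += 1
        entry["paths"].append(parts.path or "/")
    return hosts


def review_first(hosts: Dict[str, dict]) -> List[str]:
    """Hosts to examine before the rest: bare IP literals or non-standard ports."""
    return sorted(h for h, e in hosts.items()
                  if e["ip_literal"] or e["nonstandard_port"])


def indicators(hosts: Dict[str, dict]) -> List[str]:
    """'host:port' strings for a firewall or proxy blocklist review."""
    flagged = review_first(hosts)
    return [f"{h}:{hosts[h]['port']}" for h in flagged]


if __name__ == "__main__":
    summary = summarize_hosts(extract_uris(SAMPLE_RECENT_FILES_AND_URIS))
    for host, entry in summary.items():
        print(host, entry["port"], entry["count"], entry["paths"])
    print("review first:", indicators(summary))
```

Run against the constructed record, the two attacker entries collapse into one host with port 8080 and two paths, while the login page on a standard port is left for later review. In a real investigation the same grouping is what you would hand to the firewall team, which is where Activity 7 of this guide picks the story up.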


Task 3 - Review Multi-Method Prevention Settings


Traps replaces legacy antivirus and secures endpoints with its multi-method approach to prevention, which
deploys a unique combination of highly effective malware and exploit prevention capabilities to preemptively
block both known and unknown threats – before they can compromise a system.
In this Task, you will review the settings for some of the malware and exploit prevention capabilities of Traps.
This knowledge will provide you with the context that is necessary for you to understand the Tasks in the next
Activity.

Step 1. Review the Multi-Method Malware Prevention Capabilities of Traps

Traps provides several malware prevention methods, each of which includes multiple, purpose-built
prevention techniques that are tuned for maximum performance and accuracy.

Please refer to the overview presentation that your workshop instructor delivered for an in-depth discussion of
each malware prevention capability.

Step 2. Review WildFire, Static Analysis, and Quarantine Settings

Click the “Policies” tab inside the ESM console. This should display a table that summarizes the policies
configured in the ESM. You can display the policies for each of “Exploit,” “Malware,” and “Forensics”
capabilities by clicking on the associated link in the column on the left of this display.

Click the “WildFire” link under the “Malware” heading in the left column. This will display a table containing the
default policies for WildFire.


Next, click the “WildFire On” policy in the table, which is the second policy in the list. This will display a
summary of the settings of the policy.

Notice the policy settings that are visible in this view:


• WildFire activation is on: Traps will check unknown executables with WildFire for a verdict
• Action is prevention: Traps will prevent unknown executables that are deemed to be malicious
• Action is applied on grayware: Traps will apply the prevention action to grayware as well
• User alert is on: Traps will alert the user when an unknown executable is prevented from running
• Upload file for WildFire analysis is enabled: Traps will upload unknown executables to WildFire for
analysis
• Local analysis is enabled: Traps will examine unknown executables with its local, static analysis
engine
• Quarantine files is enabled: Traps will quarantine files that are deemed to be malicious

Click the “Edit” button to see how these settings are specified (and modified) in the policy. This will display the
policy settings overlay window.

Feel free to click the other tabs in this display (“Conditions,” “Objects,” and “Name”) to see the additional
conditions and settings that you could specify for each policy of this type.
When you have finished looking at the policy settings, click “Cancel” to close the window.


Step 3. Review Execution Restrictions Settings

Click the “Restrictions” link under the “Malware” heading in the left column. This will display a table containing
the Execution Restrictions policies defined in the ESM.
Click the first item in the table, which is a policy named “Prevent Execution from Temp Folders.” This will
expand the display and show you additional details about the specific restrictions included in this policy.

This policy only includes local folder restrictions, but you can specify many other restrictions. Click the “Edit”
button in the policy details view. This will display the “Restrictions” edit window.
Note the various restrictions that you can specify with policies such as this one; they are listed on the left of
the edit window. Click through them to better understand what restrictions are available.

When you have finished reviewing the policy settings, click “Cancel” to close the window.


Step 4. Review Admin Override Policy Settings

Click the “Hash Control” link under the “Malware” heading in the left column. This will display a table that lists
all recent file executions (such as “iexplore.exe” and “taskhost.exe”), their hash values, associated WildFire
verdicts, and other relevant information that defines the Admin Override Policies in the ESM. You might need to
change the “First Seen” / “after” search parameter to “First Seen” / “before” to see more entries (click “Search”
on the left to apply the filter).

Click the first item in the table. This will expand the display and show you additional details about the specific
executable file. Notice the buttons in this expanded display that allow you to override or specify any of the
following actions for each executable (due to limitations of the CloudShare environment, you may need to use
the right-arrow key on your keyboard to scroll the display to the right to see all available options):
• Treat as Benign
• Treat as Malware
• WildFire Report
• Recheck Verdict
• Report as Incorrect
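Steps 2 through 4 show three malware prevention methods as separate ESM screens: the WildFire policy switches, the execution restriction on temp folders, and the per-hash admin overrides in Hash Control. The model below is an added example written for this guide, not Traps code or its documented decision logic: it puts those three methods into one function so you can see how flipping a switch changes the outcome for a given file, which is what Activity 6 later does by hand. The order of the checks (admin override, then restrictions, then WildFire verdict, then local analysis for unknowns), the restricted folder list, the hashes and the file names are all assumptions of the example.

```python
# Added example: a model of multi-method malware prevention for the three methods
# reviewed in Steps 2-4. Not Traps code; the check order and all sample values are
# assumptions made for this illustration.
from dataclasses import dataclass
from enum import Enum
from pathlib import PureWindowsPath
from typing import Dict, List


class Verdict(Enum):
    BENIGN = "benign"
    GRAYWARE = "grayware"
    MALWARE = "malware"
    UNKNOWN = "unknown"


class Action(Enum):
    ALLOW = "allow"
    PREVENT = "prevent"          # block the execution
    QUARANTINE = "quarantine"    # block the execution and move the file aside


@dataclass
class WildFirePolicy:
    """The switches shown in the 'WildFire On' policy summary."""
    enabled: bool = True             # WildFire activation is on
    prevent: bool = True             # Action is prevention (otherwise notify only)
    apply_to_grayware: bool = True   # Action is applied on grayware
    user_alert: bool = True          # User alert is on
    local_analysis: bool = True      # Local static analysis for unknown files
    quarantine: bool = True          # Quarantine files deemed malicious


@dataclass
class Decision:
    action: Action
    reason: str
    alert_user: bool = False


def under_restricted_folder(path: str, restricted: List[str]) -> bool:
    """True when `path` lies inside one of the restricted folders (case-insensitive)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    for folder in restricted:
        fparts = [p.lower() for p in PureWindowsPath(folder).parts]
        if len(parts) > len(fparts) and parts[:len(fparts)] == fparts:
            return True
    return False


def evaluate(path: str, sha256: str, policy: WildFirePolicy,
             restricted_folders: List[str],
             admin_overrides: Dict[str, Verdict],
             wildfire_verdicts: Dict[str, Verdict],
             local_verdicts: Dict[str, Verdict]) -> Decision:
    """Decide what happens when the file at `path` (hash `sha256`) tries to run."""
    # 1. Hash Control: an administrator's override wins over every other method.
    if sha256 in admin_overrides:
        if admin_overrides[sha256] is Verdict.BENIGN:
            return Decision(Action.ALLOW, "admin override: treat as benign")
        action = Action.QUARANTINE if policy.quarantine else Action.PREVENT
        return Decision(action, "admin override: treat as malware", policy.user_alert)

    # 2. Execution Restrictions: blocked by location, no verdict needed.
    if under_restricted_folder(path, restricted_folders):
        return Decision(Action.PREVENT, "execution restriction: restricted folder",
                        policy.user_alert)

    # 3. WildFire verdict for the hash; unknowns fall back to local static analysis.
    if not policy.enabled:
        return Decision(Action.ALLOW, "wildfire disabled: no verdict check")
    verdict, source = wildfire_verdicts.get(sha256, Verdict.UNKNOWN), "wildfire"
    if verdict is Verdict.UNKNOWN and policy.local_analysis:
        verdict, source = local_verdicts.get(sha256, Verdict.UNKNOWN), "local analysis"

    malicious = verdict is Verdict.MALWARE or (
        verdict is Verdict.GRAYWARE and policy.apply_to_grayware)
    if malicious and policy.prevent:
        action = Action.QUARANTINE if policy.quarantine else Action.PREVENT
        return Decision(action, f"{source}: {verdict.value}", policy.user_alert)
    if malicious:   # prevention switched off: the user is only notified
        return Decision(Action.ALLOW, f"{source}: {verdict.value} (notify only)",
                        policy.user_alert)
    return Decision(Action.ALLOW, f"{source}: {verdict.value}")


# Constructed sample data: placeholder hashes and an assumed temp-folder list.
RESTRICTED_FOLDERS = [r"C:\Users\Jen\AppData\Local\Temp", r"C:\Windows\Temp"]
KNOWN_MALWARE = "a1" * 32
UNKNOWN_FILE = "b2" * 32
WILDFIRE = {KNOWN_MALWARE: Verdict.MALWARE}
LOCAL = {UNKNOWN_FILE: Verdict.MALWARE}   # the static engine flags the unknown sample


def run_samples() -> Dict[str, Decision]:
    """Cases that mirror what the later activities of this guide do by hand."""
    default = WildFirePolicy()
    args = (RESTRICTED_FOLDERS, {}, WILDFIRE, LOCAL)
    return {
        "known_malware": evaluate(r"C:\Windows\happy.exe", KNOWN_MALWARE, default, *args),
        "admin_benign": evaluate(r"C:\Windows\happy.exe", KNOWN_MALWARE, default,
                                 RESTRICTED_FOLDERS, {KNOWN_MALWARE: Verdict.BENIGN},
                                 WILDFIRE, LOCAL),
        "temp_folder": evaluate(r"C:\Users\Jen\AppData\Local\Temp\dropper.exe",
                                UNKNOWN_FILE, default, *args),
        "unknown_local": evaluate(r"C:\Windows\happy2.exe", UNKNOWN_FILE, default, *args),
        "wildfire_off": evaluate(r"C:\Windows\happy.exe", KNOWN_MALWARE,
                                 WildFirePolicy(enabled=False), *args),
        "no_local": evaluate(r"C:\Windows\happy2.exe", UNKNOWN_FILE,
                             WildFirePolicy(local_analysis=False), *args),
    }
```

Two of the sample cases are worth tracing against the guide: “wildfire_off” and “no_local” both end in an allow, which is the outcome Activity 6 produces once WildFire and static analysis are switched off, and “admin_benign” shows why a “Treat as Benign” override in Hash Control deserves the same change control as any other allow-list entry.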


Step 5. Review the Multi-Method Exploit Prevention Capabilities of Traps

Similar to its malware prevention capabilities, Traps provides several exploit prevention methods, each of
which includes multiple, purpose-built prevention techniques that are tuned for maximum performance and
accuracy.

Please refer to the overview presentation that your workshop instructor delivered for an in-depth discussion of
each exploit prevention capability.

Step 6. Review Exploit Prevention Settings

Click the “Application Protection Modules” link under the “Exploit” heading in the left column. This will display a
table containing the default exploit prevention policies included with Traps.
This is also where all custom exploit prevention policies will be listed (we will return to this table in a future
Activity).

Click the first policy in the list, labeled “Test Exploit Protection Rule.” This will expand the display and show
additional details about this particular policy.
Click the “Edit” button in the expanded display. This will display the “Exploit Protection Rule” edit window.
Note the various Exploit Protection Modules (EPMs), which correspond to the Traps exploit prevention methods;
they are listed on the left of this edit window.


Flip through the remaining tabs in the edit window to see the additional settings that you can specify for each
exploit prevention policy.
When you have finished viewing the policy settings, click “Cancel” to close the window.

End of Activity 4


Activity 5 - Prevent Exploit Attack

In this activity, you will:


• Attempt the same ransomware attack from our previous Activity, but this time with Traps
installed on the system
• Disable all Traps exploit prevention mechanisms in sequence to allow the ransomware attack
to eventually continue

Task 1 - Attempt Ransomware Attack


In this Task, you will repeat the same set of actions from Activity 3 above to access the Traps Client environment,
verify that Traps is running and enabled, and attempt the ransomware attack once again. Because Traps is
installed on the Traps Client, it will prevent the ransomware attack by blocking its initial stage, which is the
exploitation of Adobe Flash Player.

Step 1. Access the Traps Client Desktop and Verify Traps is Enabled

Click the “Traps Client” tab to access that desktop.


Next, click the icon for Traps in the Windows Taskbar (bottom of the display) to open the Traps client console.
Verify that Traps is active and that “Advanced Endpoint Protection is Enabled.”

You have now verified that Traps is running on the Traps Client desktop.

Step 2. Verify that Attacker Systems Are Ready

Click the “Attacker” tab. This should display the Attacker Desktop.
There should be a terminal window already open on the desktop, with Metasploit loaded and displaying the
following prompt:
“msf exploit(adobe_flash_hacking_team_uaf) >”


Click inside the terminal window to activate it. Then press the “enter/return” key a few times to ensure the
Metasploit system is running. If it is not, please reconnect to the Attacker desktop.
At this point, the attacker system is ready and online, waiting for a connection from the victim system.

Step 3. Access the Traps Client Desktop

Click the “Traps Client” tab to display that desktop. This should return you to the Traps Client desktop with the
Traps client console still visible.

Step 4. Access the Spear Phishing Email in Outlook

This Step repeats the same sequence of actions you completed to trigger the exploitation of the Victim Client
in the previous Activity. This is necessary to observe Traps in action.
Click the Outlook application window to activate it. The email with the subject line: “Someone has your
password” is displayed in the inbox.

Click the link “Review Your Devices Now” in the email. This will open Internet Explorer, and after a small delay
(depending on your network speed), display a webpage that resembles the Google account login website.


At this point, Traps will detect the exploitation attempt, block it, and display a dialog box to inform you that it
has prevented the security breach.

Click “OK” in the Traps notification dialog box to dismiss it. This will close the dialog box and terminate the
Internet Explorer process that was targeted by the exploitation attempt.

Task 2 - Disable Traps Exploit Prevention Modules


In this Task, you will disable the Traps EPMs, in sequence, until the exploitation attempt finally succeeds.

Step 1. Disable the DLL Security EPM

Click the “ESM Server” tab to display that desktop environment.


Next, click the “Security Events” tab in the ESM console, followed by the “Exploits” link on the left navigation
list (under “Preventions” heading). This will display the exploit prevention event from our ransomware
prevention in the previous Task.

Click the first item in the list, which should be associated with “Traps Client” system, “iexplore.exe” process,
and “DLL Security” module. This will display an expanded view of the security event.
Now click the “Create Rule” button. This will display the “Exploitation Protection Rule” edit window and
automatically fill in the necessary information from the security event to create a policy that disables the EPM
(DLL Security, in this case).


Click the “Name” tab in the “Exploit Protection Rule” edit window and take note of the name that is
automatically assigned to this new Policy.
Next, click “Apply” to create and activate this new policy rule. This disables the DLL Security EPM for the
“iexplore.exe” process on the “Traps Client” system.
Verify this rule has been created by clicking the “Policy” tab in the ESM console display. By default, this will
display the Application Protection Modules under the “Exploit” heading of the left navigation column.
Note that the first policy in this table has the following specifications:
• ID: A unique policy identifier assigned to this new policy
• Name: “Exploitation policy from Prevention on Traps Client”
• Description: “DLL Security on iexplore.exe is disabled where Traps Client included”

Be sure to note the ID of this new policy. You will use this information in the next Step.

Step 2. Access the Traps Client Desktop

Click the “Traps Client” tab to display that desktop. This should return you to the Traps Client desktop.
Next, click the icon for Traps in the Windows Taskbar (bottom of the display) to open the Traps client console.
Finally, click the “Check In Now” link on the bottom of the Traps console window to retrieve the policy we just
created in the previous step from the ESM Server.
Once the check-in process is completed, click the “Advanced” link to the right of the “Status” tab on the top
portion of the Traps console window. This will display several additional tabs. Click the “Policy” tab and verify
that the new EPM policy that you created in the previous Step has been applied to the Traps client. The ID
associated with this policy should match the one you noted in the previous Step.

Step 3. Access the Spear Phishing Email in Outlook

Click the Outlook application window to activate it.


Next, click the link “Review Your Devices Now” in the email that is displayed in the inbox. This will open
Internet Explorer, and after a small delay (depending on your network speed), begin to load the content our
Attacker systems are serving.
Traps will detect yet another exploitation attempt, block it, and display a new prevention alert window. Note
that the “Prevention description” in this window refers to “ROP chain utilization...”
Click the “Show Details” button in the Traps prevention alert window. Then scroll down to the bottom of the list
that appears. You will notice the “Component” referenced here is “ROP Mitigation.” We will see this information
again in our next Step.

Click “OK” in the Traps prevention alert window to dismiss it. This will also terminate the Internet Explorer
process, as expected.


Step 4. Disable the ROP Mitigation EPM

Click the “ESM Server” tab to display that desktop environment.


Next, click the “Security Events” tab in the ESM console, followed by the “Exploits” link on the left navigation
list (under “Preventions” heading). This will display the exploit prevention events from our ransomware
prevention so far.

Click the first item in the list, which should be associated with “Traps Client” system, “iexplore.exe” process,
and “ROP Mitigation” module. This will display an expanded view of the security event.
Now click the “Create Rule” button. This will display the “Exploitation Protection Rule” edit window and
automatically fill in the necessary information from the security event to create a policy that disables the EPM
(ROP Mitigation, in this case).
Simply click “Apply” to create and activate this new policy rule. This disables the ROP Mitigation EPM for the
“iexplore.exe” process on the “Traps Client” system.
Verify this rule has been created by clicking the “Policy” tab in the ESM console display. By default, this will
display the Protection Modules under the “Exploit” heading of the left navigation column.
Note that the first policy in this table has the following specifications:
• Name: “Exploitation policy from Prevention on Traps Client”
• Description: “ROP Mitigation on iexplore.exe is disabled where Traps Client included”

Step 5. Access the Traps Client Desktop

Click the “Traps Client” tab to display that desktop. This should return you to the Traps Client desktop.
Next, click the icon for Traps in the Windows Taskbar (bottom of the display) to open the Traps client console.
The “Policy” tab should be visible (recall that we displayed this tab by clicking the “Advanced” link adjacent to
the “Status” tab in previous Steps).
Finally, click the “Check In Now” link on the bottom of the Traps console window to retrieve the policy we just
created in the previous step from the ESM Server.


Verify that the new EPM policy that you created in the previous Step has been applied to the Traps client.

Notice that the policy name is the same as the one we created in our previous Steps. Ideally, an administrator
would provide a more descriptive name instead of the default name assigned by the system, in order to
distinguish policies from one another. We will do that in Step 7, when we create the next rule.

Step 6. Access the Spear Phishing Email in Outlook

Click the Outlook application window to activate it.


Next, click the link “Review Your Devices Now” in the email that is displayed in the inbox. This will open
Internet Explorer, and after a small delay (depending on your network speed), begin to load the content our
Attacker systems are serving.
Traps will detect yet another exploitation attempt, block it, and display a new prevention alert window. Note
that the “Prevention description” noted in this window refers to “Suspicious API call from an unsafe area
(JIT)...”
Click the “Show Details” button in the Traps prevention alert window. Then scroll down to the bottom of the list
that appears. You will notice the “Component” referenced here is “JIT Mitigation.” We will see this information
again in our next Step.

Click “OK” in the Traps prevention alert window to dismiss it. This will also terminate the Internet Explorer
process, as expected.


Step 7. Disable the JIT Mitigation EPM

Click the “ESM Server” tab to display that desktop environment.


Next, click the “Security Events” tab in the ESM console, followed by the “Exploits” link on the left navigation
list (under “Preventions” heading). This will display the exploit prevention events from our ransomware
prevention so far.

Click the first item in the list, which should be associated with “Traps Client” system, “iexplore.exe” process,
and “JIT Mitigation” module. This will display an expanded view of the security event.
Now click the “Create Rule” button. This will display the “Exploitation Protection Rule” edit window and fill in
the necessary information from the security event to disable the EPM (JIT Mitigation, in this case).
Click the “Name” tab in the edit window. This will display the “Rule Summary” area. Replace the name for this
rule with “Disable JIT Mitigation on Traps Client.”

Then click “Apply” to create and activate this new policy rule. This disables the JIT Mitigation EPM for the
“iexplore.exe” process on the “Traps Client” system.
Verify this rule has been created by clicking the “Policy” tab in the ESM console display. By default, this will
display the Protection Modules under the “Exploit” heading of the left navigation column.
Note that the first policy in this table has the following specifications:

• Name: “Disable JIT Mitigation on Traps Client”


• Description: “JIT Mitigation on iexplore.exe is disabled where Traps Client included”


Step 8. Access the Traps Client Desktop

Click the “Traps Client” tab to display that desktop. This should return you to the Traps Client desktop.
Next, click the icon for Traps in the Windows Taskbar (bottom of the display) to open the Traps client console.
The “Policy” tab should be visible (recall that we displayed this tab by clicking the “Advanced” link adjacent to
the “Status” tab in previous Steps).
Finally, click the “Check In Now” link on the bottom of the Traps console window to retrieve the policy we just
created in the previous step from the ESM Server.
Verify that the new EPM policy that you created in the previous Step (“Disable JIT Mitigation on Traps Client”)
has been applied to the Traps client.

Step 9. Access the Spear Phishing Email in Outlook

Click the Outlook application window to activate it.


Next, click the link “Review Your Devices Now” in the email that is displayed in the inbox. This will open
Internet Explorer, and after a small delay (depending on your network speed), begin to load the content our
Attacker systems are serving.
Now that we have disabled all of the EPMs that this exploit triggers, Traps will not block the exploitation and
the ransomware attack can finally continue to its next stage.
Note what it took to get here: three separate exception rules, each disabling one EPM for one process on one
endpoint. Each rule created from a prevention event removes a layer of protection, so in production such
exceptions should be scoped as narrowly as these are, named descriptively, and reviewed regularly.

End of Activity 5


Activity 6 - Prevent Malware Attack

In this activity, you will:


• Understand the sequence by which the multi-method malware prevention mechanisms of
Traps are invoked
• Attempt the ransomware attack from our previous Activity
• Explore the multi-method malware prevention mechanisms of Traps as they prevent the
ransomware attack

Task 1 - Review Traps Multi-Method Malware Prevention


As we discussed earlier, Traps includes multiple malware prevention methods to block malicious executables,
including the ransomware attack in our workshop exercise. Traps invokes these methods in sequence,
depending on the specific circumstances and requirements, as depicted in the figure below.
Review this sequence with your workshop instructor.


Task 2 - Attempt to Execute Ransomware


In this Task, you will access the Attacker environment, upload the ransomware malware you have used in
previous activities to the Traps Client environment, and attempt to execute the ransomware.

Step 1. Verify that Attacker Systems Are Ready

Click the “Attacker” tab to display the Attacker Desktop.


There should be a terminal window already open on the desktop, with Metasploit loaded and displaying
several entries indicating that weaponized SWF files were transmitted to the Traps Client system. These
entries are the result of your repeated attempts to activate the spear phishing email in the previous Activity,
while you disabled the EPM protections of Traps in sequence.
The last entry in the Metasploit terminal window should indicate that a Meterpreter session was opened to the
Traps Client system.

Click inside the terminal window to activate it. Then press the “enter/return” key a few times to get a Metasploit
prompt:

“msf exploit(adobe_flash_hacking_team_uaf) >”

At the Metasploit prompt, type the following command to verify that you have an active Meterpreter session to
the Traps Client system:
sessions
This will display a list of all active sessions currently running within Metasploit.
Note the “ID” of the active session with the Traps Client. We will use session ID 1 for the instructions below,
but you should use the number that corresponds to your session ID.


Step 2. Initiate an Interactive Session with the Traps Client

Initiate an interactive session with the Traps Client by entering the following command at the Metasploit
prompt (assuming your session ID is 1):
sessions -i 1
This will initiate the interactive session, display the message “Starting interaction with 1,” and change the
prompt to a Meterpreter prompt: “meterpreter>”
At this point, you have connected with the Traps Client and can now upload your ransomware sample to that
system.

Step 3. Upload the Ransomware to the Traps Client

The Petya ransomware that is part of this attack sequence already resides on the Attacker machine. Upload it
to the Traps Client by typing the following commands at the Meterpreter prompt:
cd /Windows
upload happy.exe
The first command changes the working directory on the remote (Traps Client) system to C:\Windows, so that is
where the upload lands. Meterpreter should then display a message confirming that it successfully uploaded
“happy.exe” to the Traps Client: “uploaded : happy.exe -> happy.exe”

We are now ready to launch our ransomware attack and infect the Traps Client.

Step 4. Execute the Ransomware Malware on Traps Client

Enter the following command at the Meterpreter prompt:
execute -f happy.exe -H
The -H option starts the process hidden, so no window appears on the Traps Client desktop.
At this point, Meterpreter should indicate that a new process was created and executed on the target system,
Traps Client.

Step 5. Observe Traps Malware Prevention (WildFire Inspection)

Click the “Traps Client” tab. This should display the Traps Client desktop.
At this point, Traps will either have already identified and blocked this malware, or it will be in the process of
doing so. In either case, you should see a Traps Prevention Alert window open on the Traps Client machine.
The “Prevention Description” field should indicate that Traps blocked this based on a “Suspicious process
detected.” Click the “Show Details” button, then scroll down to the bottom of the list. You will notice the
“Component” referenced here is “WildFire.”

If you recall our review of the sequence of prevention methods in Task 1 of this Activity, Traps has already
conducted the following prevention checks to arrive at this point:
1. Admin Override Policy: None exists, so Traps proceeded to the next step.
2. Trusted Publisher Identification: This executable is not signed, so Traps proceeded to the next step.
3. WildFire Check: This malware is already known to WildFire (as identified by its file hash), so Traps
blocked it.
4. Quarantine: Since the executable file was a known malware, Traps quarantined the file.

Click “OK” to dismiss the alert window.


Switch over to the Traps console by clicking its icon in the Windows Taskbar. Then click the “Events” tab in
the Traps console window (recall that we displayed this tab by clicking the “Advanced” link adjacent to the
“Status” tab in previous Steps). This will display all recent security events recorded on this system.
Note the first line of this list. It should indicate that Traps blocked “happy.exe” (per WildFire Module) and
terminated the process.


Now click the record that corresponds to that security event. This should display additional details about the
security event.

Note that in the “Details” window, it indicates that Traps quarantined the malware (as shown by the entry
“Quarantine: Yes”).
Since this malware has a file hash that is identified as a known malware in the WildFire threat intelligence
cloud (and now in the local cache of this Traps agent and the ESM), Traps will block it every time it attempts
to run.
In order to see the local Static Analysis prevention method, we need to create a malware sample with a file
hash that is unknown to both Traps and WildFire.

Task 3 - Create Unknown Malware


In this Task, you will change the file hash of our ransomware sample, “happy.exe,” using a command-line script.
This will create a file that is effectively unknown to Traps and WildFire.
Click the “Attacker” tab. This will display the Attacker desktop with a terminal window already open with a
Meterpreter prompt. Since we will use this prompt once again in a few moments, we need to open a new
Terminal window.
Right-click the “Terminal” link on the very top of the Attacker desktop window, then select “New Terminal” from
the drop-down list. This will display a new Terminal window.

Note: If accessing the Attacker VM via SSH, return to Appendix 2 for additional steps.

In the new Terminal window, type the following command to get a listing of the files in the current directory
(the root user’s home directory):
ls
The file “hashchange.sh” will be listed among them.
In the new Terminal window, type the following command to modify the file hash for the “happy.exe”
ransomware sample:
./hashchange.sh
This will display the 64-character (SHA-256) hash value of the file “happy.exe,” append a small segment of
random data to the end of the file, and display the new hash value for the modified file. Note the difference
between the hash values before and after the change.

Because the script only appends bytes after the last PE section (overlay data that the Windows loader ignores),
the executable still runs exactly as before; only its hash has changed. This is what makes hash-only blocklists
easy to evade, and why Traps does not stop at the WildFire hash lookup. The file is now effectively unknown to
Traps and WildFire because it has a new file hash.

Task 4 - Attempt to Run Ransomware Again


In this Task, you will upload the ransomware malware you created in the previous Task to the Traps Client
environment and attempt to execute the ransomware.

Step 1. Upload Modified Ransomware to the Traps Client

In the Attacker desktop window, click inside the initial terminal window that still displays the Meterpreter
prompt (“meterpreter >”). This window should still be visible under the new Terminal window that you used in
the previous Task to modify the ransomware sample.
Upload the modified ransomware sample you created in the previous Task to the Traps Client by typing the
following command at the Meterpreter prompt:
upload happy.exe
At this point, Meterpreter should display a message confirming that it successfully uploaded “happy.exe” to the
Traps Client: “uploaded : happy.exe -> happy.exe”
We are now ready to launch our new ransomware with an unknown file hash to infect the Traps Client.

Step 2. Execute the Ransomware Malware on Traps Client

Enter the following command at the Meterpreter prompt:


execute -f happy.exe -H
At this point, Meterpreter should indicate that a new process was created and executed on the target system,
Traps Client.


Step 3. Observe Traps Malware Prevention (Static Analysis)

Click the “Traps Client” tab. This should display the Traps Client desktop.
At this point, Traps will either have already identified and blocked this malware, or it will be in the process of
doing so. In either case, you should see a Traps Prevention Alert window open on the Traps Client machine.
The “Prevention Description” field should again indicate that Traps blocked based on a “Suspicious process
detected.” Click the “Show Details” button, then scroll down to the bottom of the list. You will notice the
“Component” referenced here this time is “Local Analysis.”

If you recall our review of the sequence of prevention methods in Task 1 of this Activity, Traps has already
conducted the following prevention checks to arrive at this point:
1. Admin Override Policy: None exists, so Traps proceeded to the next step.
2. Trusted Publisher Identification: This executable is not signed, so Traps proceeded to the next step.
3. WildFire Check: This malware is unknown to WildFire (as identified by its file hash), so Traps
proceeded to the next step.
4. Static Analysis: Static analysis correctly identifies this new malware sample as malicious and blocks
its execution.
5. Quarantine: Since the executable file was identified as malware, Traps quarantined the file.
6. Upload to WildFire for Analysis: Since the executable is unknown to WildFire, Traps uploaded it to
WildFire for full analysis.

Click “OK” to dismiss the alert window.

If the Traps console is not visible on the desktop, bring it to the forefront by clicking its icon in the Windows
Taskbar. Then click the “Events” tab in the Traps console window. This will display all recent security events
recorded on this system.


Note the first line of this list. It should indicate that Traps blocked “happy.exe” (per Local Analysis Module) and
terminated the process.
Now click the record that corresponds to that security event. This should display additional details about the
security event.

Note that the “Details” window indicates that Traps quarantined the malware (as shown by the entry
“Quarantine: Yes”).

Step 4. Observe Upload of Unknown Malware to WildFire for Full Analysis

Click the “ESM Server” tab to access that desktop environment. This should display the ESM Server console.

Note: Since we have not used this environment for some time now, it is possible that the CloudShare
system has disconnected your session. If you realize that the environment does not respond to your
mouse clicks or keystrokes at this point, simply click the “Reconnect” button in the left-hand pane. That
will reconnect you to the ESM Server system.

In the ESM Server console, click the “Policies” tab. This will display the Exploit Protection Modules (by
default).
In the left navigation area, click the “Hash Control” link under the “Malware” heading. This will display a table
of all executable files that have been run on the endpoints connected to the ESM Server, along with their
respective verdicts.
Notice “happy.exe” among the first few entries in this table, along with its (new) hash and a verdict of malware
(indicated by the red “X”) obtained via Local Analysis (another name for Static Analysis). Also note that the
ESM is uploading this malware to WildFire, as indicated by the icon under the “Upload Status” column in the
table.


This upload occurs without noticeable delay in production deployments. However, in the bandwidth-limited
CloudShare environment, the upload may take some time.
Once the upload has been completed, WildFire will analyze the unknown malware sample, render a verdict,
and transmit that verdict back to the ESM Server. The updated verdict will then be visible in this table.

Task 5 - Disable WildFire and Static Analysis


In this Task, you will disable the WildFire and Static Analysis malware prevention capabilities of Traps to allow
the execution of your malware on the Traps Client.

Step 1. Disable WildFire and Static Analysis Policy

In the ESM Server console, click the “Policies” tab, followed by the “WildFire” link under the “Malware”
heading in the left column navigation area. This will display the list of WildFire policies currently configured on
the ESM.

Click the second entry in the table (the policy named “WildFire On”) to display its expanded information area.
Notice the policy settings that are visible in this view:
• WildFire activation is on: Traps will check unknown executables with WildFire for a verdict
• Action is prevention: Traps will prevent unknown executables that are deemed to be malicious
• Action is applied on grayware: Traps will apply the prevention action to grayware as well
• User alert is on: Traps will alert the user when an unknown executable is prevented from running
• Upload file for WildFire analysis is enabled: Traps will upload unknown executables to WildFire for
analysis
• Local analysis is enabled: Traps will examine unknown executables with its local, static analysis
engine
• Quarantine files is enabled: Traps will quarantine files that are deemed to be malicious

Click the “Edit” button to modify this policy. This will display the WildFire policy editor window, with the
“Settings” tab visible. From the “WildFire Activation” drop-down, select the “Off” option. This will disable
WildFire, Static Analysis, and Quarantine features of Traps.

Next, click the “Name” tab in the same editor window to display the name that is automatically assigned to this
policy (“WildFire On”).
Change the name of the policy to “WildFire is Off” in the text box labeled “Fill in the rule name” and click the
“Apply” button to save your changes.
This will return you to the list of WildFire policies currently configured on the ESM.

Step 2. Check-in on the Traps Client Desktop

Click the “Traps Client” tab to display that desktop. This should return you to the Traps Client desktop.
The Traps client console should already be visible. Otherwise, click the Traps icon in the Windows Taskbar
(bottom of the display) to open the Traps client console.


Next, click the “Check In Now” link on the bottom of the Traps console window to retrieve from the ESM
Server the changes in the WildFire policy that you just enacted in the previous Step.
Click the “Policy” tab in the Traps client console. Verify that the “WildFire is Off” policy that you created in the
previous Step is now displayed among the policies in effect on this Traps client.

You may notice a message pop up on the Windows desktop indicating that virus protection has been disabled.
Traps registers with Windows Security Center as an antivirus product, so turning WildFire off is reported there
as disabled virus protection.

Task 6 - Attempt Ransomware Attack Again


In this Task, you will upload the modified ransomware sample (the file with the new hash that you created in
Task 3) to a temporary directory on the Traps Client and attempt to execute it.

Step 1. Create a Temp Directory on the Traps Client

Click the “Attacker” tab to access that desktop window.


Click inside the initial terminal window that still displays the Meterpreter prompt (“meterpreter >”). Next, hit the
“enter/return” key a few times to make sure your session is still active.
Create the new directory “C:\Temp” on the Traps Client machine by entering the following commands at the
Meterpreter prompt in sequence (and hitting the “enter/return” key after each command):
cd /
mkdir Temp
cd Temp


Step 2. Upload Modified Ransomware to Traps Client

Now upload the modified ransomware sample you created in Task 3 to the Traps Client by typing the following
command at the Meterpreter prompt:
upload happy.exe
At this point, Meterpreter should display a message confirming that it successfully uploaded “happy.exe” to the
Traps Client: “uploaded : happy.exe -> happy.exe”
We are now ready to launch our new ransomware with an unknown file hash to infect the Traps Client.

Step 3. Execute the Ransomware Malware on Traps Client

Enter the following command at the Meterpreter prompt:


execute -f happy.exe -H
At this point, Meterpreter should indicate that a new process was created and executed on the target system,
Traps Client.

Step 4. Observe Traps Malware Prevention (Execution Restrictions)

Click the “Traps Client” tab. This should display the Traps Client desktop.
At this point, Traps will either have already identified and blocked this malware, or it will be in the process of
doing so. In either case, you should see a Traps Prevention Alert window open on the Traps Client machine.
The “Prevention Description” field indicates that Traps blocked an “Attempted execution from a restricted
folder.”

If you recall our review of the Execution Restrictions policies through the ESM Server console (Activity 4, Task
3, Step 3), Traps was programmed to prevent execution of programs from the “C:\Temp” directory. This is
precisely what happened in this Step.
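The restricted-folder check above is a path comparison, and path comparisons on Windows are easy to get wrong: case differs, forward slashes are accepted, ".." segments can hop into or out of a folder, and "C:\Temp2" looks like a string-prefix match for "C:\Temp". The Python model below is an added example for this guide, not Traps code. It assumes that a restricted folder also covers its subfolders and that "*" in a policy path matches exactly one path component. "C:\Temp" is the folder the UTD policy restricts; the second folder in the list is a hypothetical addition.

```python
import fnmatch
import ntpath

# Restricted-folder policy for this example (constructed). C:\Temp is the folder
# the UTD policy restricts; the second entry is a hypothetical addition that uses
# a wildcard for the user-name component.
RESTRICTED_FOLDERS = [
    r"C:\Temp",
    r"C:\Users\*\AppData\Local\Temp",
]


def _components(path: str) -> list:
    """Canonical, lower-case path components for a Windows path.

    ntpath.normpath collapses '.' and '..' and unifies separators, so
    'C:\\Windows\\..\\Temp\\x.exe' and 'c:/temp/x.exe' both become
    'c:\\temp\\x.exe'. Comparing components instead of string prefixes is
    what stops 'C:\\Temp2' from matching a 'C:\\Temp' rule.
    """
    return ntpath.normcase(ntpath.normpath(path)).split("\\")


def is_restricted(exe_path: str, restricted=RESTRICTED_FOLDERS) -> bool:
    """True if exe_path lies in a restricted folder or any of its subfolders."""
    parent_dir = _components(exe_path)[:-1]          # drop the file name
    for folder in restricted:
        rule = _components(folder)
        if len(rule) > len(parent_dir):
            continue                                   # rule is deeper than the file's directory
        # Every rule component must match the corresponding directory component;
        # '*' in the rule matches exactly one component (e.g. the user name).
        if all(fnmatch.fnmatchcase(seg, pat) for seg, pat in zip(parent_dir, rule)):
            return True
    return False


def evaluate_execution(exe_path: str) -> str:
    """Verdict string in the spirit of the Traps alert text quoted in this Step."""
    if is_restricted(exe_path):
        return "blocked: Attempted execution from a restricted folder"
    return "allowed"


if __name__ == "__main__":
    for p in (r"C:\Temp\happy.exe", r"C:\Temp2\happy.exe",
              r"C:\Temp\..\Windows\System32\calc.exe",
              r"C:\Users\student\AppData\Local\Temp\dropper.exe"):
        print(f"{p}: {evaluate_execution(p)}")
```

The component-wise comparison is the point: a naive `path.lower().startswith("c:\\temp")` would block "C:\Temp2\app.exe" and would let "C:\Windows\..\Temp\happy.exe" through if the path were not normalized first.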
Click “OK” to dismiss the alert window.
If the Traps console is not visible on the desktop, bring it to the forefront by clicking its icon in the Windows
Taskbar. Then click the “Events” tab in the Traps console window. This will display all recent security events
recorded on this system.

Note the first line of this list. It should indicate that Traps blocked “happy.exe” (per Execution Protection
Module) and terminated the process.
Now click the record that corresponds to that security event. This should display additional details about the
security event.

Note that the “Details” window indicates that Traps did not quarantine the malware (as shown by the entry
“Quarantine: No”), because it was not specifically identified as malware.

Step 5. Clean Up the Environment

Close Internet Explorer and Outlook by clicking the “X” on the top-right corner of each window.
Click the “Attacker” tab to display that desktop environment.
Next, click inside the Terminal window that should still be displaying the Meterpreter prompt (“meterpreter >”).
Hit the “enter/return” key a few times to display a new prompt. The Meterpreter session should have
automatically terminated (since you shut down Internet Explorer in the Traps Client environment).
At the Metasploit prompt (“msf exploit(adobe_flash_hacking_team_uaf) >”), type the following commands,
hitting the “enter/return” key after each:
exit
clear

End of Activity 6

Activity 7 - Next-Generation Security Platform in Action

In this activity, you will:


• Learn how the Palo Alto Networks Next-Generation Security Platform automates prevention
• Validate that the threat intelligence gained from Traps preventions results in new prevention
capabilities being automatically programmed into the firewall

Task 1 - Review the Next-Generation Security Platform


Review the Palo Alto Networks Next-Generation Security platform with your workshop instructor.

Task 2 - Review Ransomware Attack Progression


In this Task, you will review the threat intelligence that Traps has gathered so far from your actions in previous
Activity tasks.

Step 1. Verify Ransomware Upload to WildFire

In the last set of tasks of the previous Activity, you used a command-line tool to modify the ransomware
executable “happy.exe” to create a new sample with a file hash that was unknown to both Traps and
WildFire.

The local Static Analysis check in Traps correctly blocked this newly modified ransomware, quarantined the
file, and transmitted the file to WildFire for full analysis.
Click the “ESM Server” tab to access that desktop environment. This should display the ESM Server console.

Note: Since we have not used this environment for some time now, it is possible that the CloudShare
system has disconnected your session. If you realize that the environment does not respond to your
mouse clicks or keystrokes at this point, simply click the “Reconnect” button in the left-hand pane. That
will reconnect you to the ESM Server system.

In the ESM Server console, click the “Policies” tab. This will display the Exploit Protection Modules (by
default).
In the left navigation area, click the “Hash Control” link under the “Malware” heading. This will display a table
of all executable files that have been run on the endpoints connected to the ESM Server, along with their
respective verdicts.
Notice “happy.exe” among the first few entries in this table, along with its (new) hash and a verdict of malware
(indicated by the red “X”) obtained via Local Analysis (another name for Static Analysis).
The ESM upload of this malware to WildFire should have been completed at this point, as indicated by the
icon under the “Upload Status” column in the table. Note, if you have worked through the tasks quickly, the
verdict may not be available. Please recheck after a couple of minutes.

Step 2. Retrieve WildFire Report

In the Hash Control table, click the record that corresponds to the (modified) “happy.exe.” This will display an
expanded information area.
Use the right-arrow key on your keyboard to scroll right in the table to display the “WildFire Report” button in
this expanded information area.
Click the “WildFire Report” button to download the report.

Chrome will download the report and display a download bar at the bottom of the browser window.
Click the button on the download bar that corresponds to the file you just downloaded. This will open the PDF
file in a separate browser tab.
Review the WildFire report to learn more about the types of information WildFire reveals through its full
analysis of the ransomware file.

The threat intelligence gained through the WildFire analysis will have automatically reprogrammed the Next-
Generation Firewall in the UTD environment to prevent access to the malware file.

Task 3 - Retrieve Ransomware Through Firewall


In this Task, you will retrieve the modified ransomware file through the Next-Generation Firewall that is
deployed in the UTD environment.

Step 1. Transfer Ransomware to Web Server

For this step, we will use the web server that is located on the Attacker system. The Attacker system is
equipped with a separate network interface that is routed through the Next-Generation Firewall, so the firewall
will evaluate and secure any requests directed to the web server through this interface.
Click the “Attacker” tab to display that desktop environment.
Next, click inside either of the terminal windows that are currently open on the Attacker desktop system, and
type the following command to transfer “happy.exe” to the root directory of the web server:
cp happy.exe /var/www/ngfw/

Step 2. Verify Ransomware Transfer to Web Server

Click the “Traps Client” tab to display that desktop environment.


Next, launch Internet Explorer by clicking its icon in the Windows Taskbar.
Finally, click the “Web Server” shortcut on the Favorites bar of Internet Explorer to access the root directory of
the web server. This should display the index of the web server files, including “happy.exe.”

Step 3. Attempt to Retrieve the Ransomware File

In the list of files from the web server that are displayed in the browser, click the name of our ransomware file,
“happy.exe.”
The browser should now display a message stating that “Virus/Spyware Download Blocked” and identify the
file that you attempted to download, “happy.exe.”

This verifies that when Traps encountered an unknown malware (the modified ransomware) and submitted it
to WildFire for analysis, the threat intelligence gained from that analysis automatically reprogrammed the
Next-Generation Firewall in the UTD environment to block the transfer of the file through the firewall.
Close Internet Explorer by clicking the “X” on the top-right corner of that window. If Outlook is still open, close
it as well.
End of Activity 7

Activity 8 – Anti-Ransomware Protection

In this activity, you will:


• Experience a file-based ransomware attack on the Victim Client
• Attempt a file-based ransomware attack on the Traps Client

Task 1 – Review Anti-Ransomware Protection Module


The Anti-Ransomware Protection module provides additional protection against ransomware. The module
targets encryption-based activity associated with ransomware with the ability to analyze and halt ransomware
activity before any data loss occurs.
In a ransomware attack, the attacker typically uses DLLs, macros, shell scripts and other methods to encrypt
important data. The attacker can then hold the data hostage until the user pays a ransom to unlock it. To
combat these attacks, Traps analyzes common ransomware behavior to prevent the ransomware from
encrypting and holding files hostage.
This behavior-based protection is an additional layer of prevention on top of the pre-existing malware and
exploit prevention capabilities.
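To make the behavioral idea concrete, here is a simplified detection model written as an added example for this guide. It is not the Anti-Ransomware Protection module's algorithm, whose signals and thresholds are not described on this page. It flags a process that writes high-entropy (encrypted-looking) content into many files of non-compressed types within a short window, which is how a file-encrypting ransomware such as the Gryphon sample used later in this Activity behaves. The thresholds, the file-type allowlist and the event stream are constructed for the example.

```python
import hashlib
import math
import ntpath
from collections import defaultdict, deque
from dataclasses import dataclass

# Tunables, constructed for this example (the real module's thresholds are not on this page).
HIGH_ENTROPY_BITS = 7.5        # encrypted or compressed data sits close to 8 bits/byte
WINDOW_SECONDS = 30.0          # sliding window per process
MAX_SUSPICIOUS_FILES = 5       # distinct files before the process is terminated
# Container formats that are legitimately high-entropy when an application saves them.
KNOWN_COMPRESSED_EXT = {".docx", ".xlsx", ".pptx", ".zip", ".7z", ".gz", ".png", ".jpg", ".pdf"}


@dataclass
class FileEvent:
    ts: float           # seconds
    pid: int
    image: str          # process image name
    op: str             # "write" or "delete"
    path: str
    data: bytes = b""   # content written (empty for delete)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4 to 5 for English text, about 7.9 or more for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_suspicious_write(ev: FileEvent) -> bool:
    """High-entropy content landing in a file type that is not normally compressed or encrypted."""
    if ev.op != "write":
        return False
    ext = ntpath.splitext(ev.path)[1].lower()
    return ext not in KNOWN_COMPRESSED_EXT and shannon_entropy(ev.data) >= HIGH_ENTROPY_BITS


def detect(events, window=WINDOW_SECONDS, threshold=MAX_SUSPICIOUS_FILES):
    """Return one alert per process that mass-writes high-entropy files within the window."""
    recent = defaultdict(deque)      # (pid, image) -> deque of (ts, path)
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.pid, ev.image)
        if key in alerted or not is_suspicious_write(ev):
            continue
        q = recent[key]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > window:   # expire entries older than the window
            q.popleft()
        files = {p for _, p in q}
        if len(files) >= threshold:
            alerted.add(key)
            alerts.append({"pid": ev.pid, "image": ev.image, "ts": ev.ts,
                           "files": sorted(files), "action": "terminate process"})
    return alerts


def _pseudo_ciphertext(seed: bytes, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file content."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


PLAINTEXT = b"Quarterly figures, see attached table. " * 100


def sample_events():
    """Constructed event stream: one benign save, one bulk copy, one ransomware run."""
    t0 = 1000.0
    events = [FileEvent(t0, 1200, "WINWORD.EXE", "write",
                        r"C:\Users\student\Documents\report.docx", _pseudo_ciphertext(b"docx"))]
    for i in range(8):   # backup tool: many files, but low-entropy text
        events.append(FileEvent(t0 + i * 0.1, 1300, "backup.exe", "write",
                                rf"D:\Backup\notes{i}.txt", PLAINTEXT))
    for i in range(8):   # ransomware: write encrypted copy under a new name, delete the original
        src = rf"C:\Users\student\Desktop\Invoices\invoice{i}.pdf"
        dst = src + ".[chines34@protonmail.ch].gryphon"
        events.append(FileEvent(t0 + 1 + i * 0.5, 4242, "OnlineGames.exe", "write",
                                dst, _pseudo_ciphertext(src.encode())))
        events.append(FileEvent(t0 + 1 + i * 0.5 + 0.01, 4242, "OnlineGames.exe", "delete", src))
    return events


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert["image"], "pid", alert["pid"], "terminated at t =", alert["ts"],
              "after", len(alert["files"]), "encrypted files")
```

Run directly, the only process terminated is OnlineGames.exe, after its fifth encrypted file; WINWORD.EXE saving one compressed .docx and a backup tool copying many low-entropy files stay below the bar. A production implementation would add further signals (canary files, mass renames, shadow-copy deletion), but entropy plus rate is the core of the behavioral approach, and the cost of the approach is visible too: the first few files are already encrypted before the threshold trips, which is why the module is a layer behind hash and static analysis rather than a replacement for them.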

Task 2 – Revert Victim Client VM


Our Victim Client still has its master boot record encrypted by the Petya attack so we will need to revert it to its
original state.

Step 1. Access the Virtual Machine List

From the “Shortcut Menu” at the top of the browser, click “VM List”. This page will show all the available VMs.

Step 2. Revert Victim Client

Scroll down to find the “Victim Client” and click “Revert.”

Click “Revert VM” to start the revert process. This should take 5-10 minutes.

Step 3. Access Victim Client Desktop

Click the “Victim Client” tab and switch over to RDP.

Step 4. Exit Outlook Client

Exit the Outlook client by clicking the red “X”.

Task 3 – Execute Ransomware on Victim Client


Our previous ransomware attack used Petya which encrypted the MBR (master boot record). In this task, we
will be using the Gryphon ransomware which restricts access to data by encrypting individual files.

Step 1. Launch Ransomware

From the “Victim Client” desktop, double-click the “OnlineGames” executable.

Step 2. Observe the Attack

It may take up to 5 minutes for the effects of the attack to become noticeable. Once the Gryphon ransomware
has finished encrypting files, it will launch Notepad with the ransom note.

Notice that even the folder on the desktop has been encrypted. All files encrypted will have the extension
“[chines34@protonmail.ch].gryphon”.

Task 4 – Attempt Execution of Ransomware on Traps Client


Our previous activities have disabled the WildFire protection module which would normally stop this malware
right away. In this task, we will see the Anti-Ransomware module in action.

Step 1. Launch Ransomware

From the “Traps Client” desktop, double-click the “OnlineGames” executable.

Step 2. Observe Anti-Ransomware Protection

The default Traps policy will stop the ransomware before any files are encrypted.

Click “Show Details” to see that the “Anti-Ransomware Protection” module was activated.

Click “OK” to dismiss the Traps dialog box.

Step 3. Verify Prevention in the Event Log

Click the “Events” tab in the Traps console window. This shows that the Anti-Ransomware Protection module
caught the process “OnlineGames.exe” and terminated it.

Step 4. Verify ESM Server

Click the “ESM Server” tab to display that environment.


Next, click the “Security Events” tab in the ESM console, followed by the “Malware Modules” link on the left
navigation list (under the “Preventions” heading).
Click the first item in the list, which should be associated with the “Traps Client” system, “onlinegames.exe”
process and “Anti-Ransomware Protection” module.

Notice that a WildFire report is already available: this file is already known to WildFire and would have
been stopped immediately as known malware. We disabled WildFire earlier so that you could see the
multi-layer capabilities that detect and prevent ransomware launched from malicious executable files.

End of Activity 8

Activity 9 – Microsoft Office File Protection

In this activity, you will:


• Generate an Office file with a malicious macro
• Block known and unknown malicious macros
• Prevent script based attack with Enhanced child process protection

Task 1 – Review Microsoft Office File Protection


Traps can now block malicious macros that are embedded in Microsoft Office documents on Windows
endpoints. By default, Traps automatically blocks malicious macros run from Microsoft Excel and Microsoft
Word files and protects the following file formats:
• Microsoft Office 2003 to Office 2007—doc, xls
• Microsoft Office 2010 and later releases—docm, docx, xlsm, xlsx

Traps evaluates Office macros using the following steps:


1. Traps examines macros in Excel and Word files as they are opened, and queries its local cache with
the hash of the macro embedded in each document.
2. If Traps identifies a verdict for a macro (issued either by a previous evaluation via WildFire threat
analysis service or by admin override policy), it allows or blocks the macro according to that verdict.
3. If the macro verdict is unknown locally, Traps queries the ESM for an official verdict.
4. If the ESM has identified the macro as malicious, Traps blocks the macro.
5. If the ESM does not have a verdict for the macro, the ESM queries WildFire for the verdict associated with the
file containing the macro and optionally submits the file to WildFire for analysis.
6. If the file containing the macro is unknown to WildFire, Traps uses local analysis via machine learning
to issue an immediate verdict and block or allow the macro according to that verdict. WildFire, in turn,
analyzes the unknown macros in the file and renders a verdict.
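The six steps above are a cascade of caches with a local fallback, and the note in Task 6 of this Activity (that the ESM keys verdicts by macro hash, so a known macro is recognised when it turns up in a new Office file) follows from where each tier stores what it learns. The Python model below is an added example for this guide, not Palo Alto Networks code: the WildFire service, the ESM and the agent are stand-ins, the keyword heuristic stands in for the local machine-learning model, and all macro bodies and file bytes are constructed.

```python
import hashlib
from dataclasses import dataclass


def digest(data) -> str:
    """SHA-256 hex digest of file bytes or of a text macro body."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    return hashlib.sha256(data).hexdigest()


@dataclass
class Verdict:
    value: str    # "malware", "benign" or "unknown"
    source: str   # which tier answered


class WildFire:
    """Stand-in for the cloud service: it knows verdicts for whole Office files, by file hash."""
    def __init__(self, known_files):
        self.known_files = dict(known_files)

    def query(self, file_hash: str) -> str:
        return self.known_files.get(file_hash, "unknown")


class ESM:
    """Stand-in for the ESM: caches verdicts per macro hash and forwards unknown files to WildFire."""
    def __init__(self, wildfire: WildFire, admin_overrides=None):
        self.wildfire = wildfire
        self.macro_verdicts = dict(admin_overrides or {})   # macro hash -> verdict
        self.submitted = []                                  # file hashes sent for full analysis

    def lookup(self, macro_hash: str, file_hash: str) -> Verdict:
        if macro_hash in self.macro_verdicts:                # step 4: the ESM already knows this macro
            return Verdict(self.macro_verdicts[macro_hash], "ESM")
        file_verdict = self.wildfire.query(file_hash)        # step 5: ask WildFire about the file
        if file_verdict == "unknown":
            self.submitted.append(file_hash)                 # optional submission for full analysis
            return Verdict("unknown", "ESM")
        # The file's verdict is recorded against the macro hash, so the same macro is
        # recognised later even when it is embedded in a completely different Office file.
        self.macro_verdicts[macro_hash] = file_verdict
        return Verdict(file_verdict, "WildFire")


# Keyword heuristic standing in for the local machine-learning model (an assumption of this example).
AUTO_EXEC = ("autoopen", "auto_open", "workbook_open", "document_open")
SUSPICIOUS = AUTO_EXEC + ("createobject", "wscript.shell", "shell", "powershell", "-enc", "urldownloadtofile")


def local_analysis(macro_src: str) -> str:
    src = macro_src.lower()
    hits = sum(tok in src for tok in SUSPICIOUS)
    return "malware" if any(t in src for t in AUTO_EXEC) and hits >= 3 else "benign"


class TrapsAgent:
    def __init__(self, esm: ESM):
        self.esm = esm
        self.cache = {}                                      # macro hash -> verdict

    def evaluate_macro(self, file_bytes: bytes, macro_src: str) -> Verdict:
        macro_hash, file_hash = digest(macro_src), digest(file_bytes)
        if macro_hash in self.cache:                         # steps 1 and 2: local cache
            return Verdict(self.cache[macro_hash], "local cache")
        verdict = self.esm.lookup(macro_hash, file_hash)     # steps 3 to 5
        if verdict.value == "unknown":                       # step 6: decide now, locally
            verdict = Verdict(local_analysis(macro_src), "local analysis")
        self.cache[macro_hash] = verdict.value
        return verdict


# Constructed macro bodies (not real samples).
MALICIOUS_MACRO = '''Sub Workbook_Open()
    Set sh = CreateObject("WScript.Shell")
    sh.Run "powershell -w hidden -enc <constructed payload>", 0
End Sub
'''
MALICIOUS_VARIANT = MALICIOUS_MACRO + "' re-generated copy: a comment line is enough to change the hash\n"
BENIGN_MACRO = '''Sub FormatTotals()
    Range("B2:B20").NumberFormat = "#,##0.00"
End Sub
'''


def run_scenarios():
    """Walk the chain for several files; returns (results, file hashes submitted to WildFire)."""
    known_bad_file = b"constructed bytes standing in for FinancialReport.xls"
    esm = ESM(WildFire({digest(known_bad_file): "malware"}))
    agent_a, agent_b = TrapsAgent(esm), TrapsAgent(esm)      # two endpoints, empty local caches
    cases = [
        (agent_a, known_bad_file, MALICIOUS_MACRO, "known file, first open"),
        (agent_a, known_bad_file, MALICIOUS_MACRO, "same file, second open"),
        (agent_b, b"a different workbook embedding the same macro", MALICIOUS_MACRO, "known macro, new file"),
        (agent_b, b"freshly generated workbook", MALICIOUS_VARIANT, "unknown macro, unknown file"),
        (agent_b, b"budget workbook", BENIGN_MACRO, "benign macro, unknown file"),
    ]
    results = []
    for agent, file_bytes, macro, label in cases:
        v = agent.evaluate_macro(file_bytes, macro)
        results.append((label, v.value, v.source))
    return results, esm.submitted


if __name__ == "__main__":
    for label, value, source in run_scenarios()[0]:
        print(f"{label:30s} -> {value:8s} (from {source})")
```

The third scenario is the Task 6 observation in miniature: the second endpoint has never seen the file, WildFire has never seen the file, yet the ESM answers immediately because it learned the macro hash from the first endpoint's FinancialReport lookup. The fourth and fifth scenarios show the fallback path, where local analysis renders the verdict and the file hash is queued for WildFire.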

Task 2 – Prepare Attacker system


In this Task, you will configure the attacker system to set up a reverse HTTP listener to receive a connection
from the successful execution of the malicious Excel macro.

Step 1. Access the Attacker Desktop

Click the “Attacker” tab to access that desktop.

Step 2. Launch the Metasploit Listener

In the terminal window, type the following command at the prompt and press the “enter/return” key:
./macro.sh
This will load Metasploit and configure it to listen for incoming HTTP connections from the victim system.
When Metasploit has completed loading, it should display the following prompt
“msf exploit(handler) >”

The attacker system is now ready and online, waiting for a connection from the victim system.

Task 3 – Generate Unknown Malicious Macro


In this Task, you will generate a malicious macro, currently unknown to WildFire.

Step 1. Access the Traps Client Desktop

Click the “Traps Client” tab to display that environment.

Step 2. Generate Malicious Macro

Find the “GenerateMacro” PowerShell script on the Traps Client desktop.

Next, right click the icon and select Run with PowerShell.
Enter a document name of your choosing.
Enter “1” for Meterpreter Shell with Logon Persistence.
Enter “2” for Meterpreter Reverse HTTP.
Once complete, the PowerShell window will close. There will be a new Excel file on the desktop with the
document name you provided.

Task 4 – Enable Microsoft Office File Protection


In this Task, you will enable Office macro protection. In order to create the new Excel file in the previous task,
Office macro protection on Traps was disabled. Had it been enabled, Traps would have prevented the macro
from being written to the file when it was detected in the Excel document.

Step 1. Access the ESM Server

Click the “ESM Server” tab to display that environment.

Step 2. Enable WildFire for Office Files

In the ESM Server console, click the “Policies” tab. This will display the Application Protection Modules (by
default).
In the left navigation area, click the “WildFire” link under the “Malware” heading.
Click the “WildFire for Office files: Off” policy.
Click the “Edit” button to modify this policy. This will display the WildFire policy editor window, with the
“Settings” tab visible. From the “Activation” drop-down, select the “On” option. This will enable WildFire and
Static Analysis features of Traps for Office files.

Next, click the “Name” tab in the same editor window to display the name that is assigned to this policy
(“WildFire for Office files: Off”).
Change the name of the policy to “WildFire for Office files: On” and click the “Apply” button to save your
changes.
This will return you to the list of WildFire policies currently configured on the ESM.

Task 5 – Attempt Execution of Unknown Malicious Macro


In this Task, you will attempt to open the Excel file that you just generated which contains a previously
unknown malicious macro.

Step 1. Check-in on the Traps Client Desktop

Click the “Traps Client” tab to display that desktop. This should return you to the Traps Client desktop.
Next, click the “Check In Now” link on the bottom of the Traps console window to retrieve from the ESM
Server the changes in the WildFire policy that you just enacted in the previous Task.
Click the “Policy” tab in the Traps client console. Verify that the “WildFire for Office files: On” policy that you
created in the previous Task is now displayed among the policies in effect on this Traps client.

Step 2. Observe Traps Office Macro Protection (Static Analysis)

Find the Excel file that you previously generated in Task 3, Step 2 and double-click it to open the document.
This will launch Excel and attempt to open the document. Traps should stop the file from opening and display
a prevention dialog box informing you that Traps has blocked a malicious activity.

Click the “Show Details” button to see that this previously-unknown macro was stopped by Local Analysis.

Click “OK” to dismiss the Traps dialog box.


Close out of Excel by clicking the “X” in the upper right-hand corner of the two pop-up windows and then the
application itself.

Step 3. Verify Prevention in the Event Log

Click the “Events” tab in the Traps console window. This shows that Local Analysis caught the macro running
in the process “excel.exe” and terminated it.

Step 4. Verify ESM Server

Click the “ESM Server” tab to display that environment.


Next, click the “Security Events” tab in the ESM console, followed by the “WildFire/Hash Control” link on the
left navigation list (under the “Preventions” heading). This will display the WildFire prevention events from our
malicious Office macro prevention so far.
Click the first item in the list, which should be associated with “Traps Client” system, “excel.exe” process, and
“Local Analysis” module. This will display an expanded view of the security event.

Next, click the “Hash Control” button to directly access the admin override policy associated with the Excel file
that you tried to open.
Click on the entry to open it and view additional details.

Task 6 – Attempt Execution of Known Malicious Macro


In this Task, you will attempt to open an Excel file that contains a malicious macro already known to WildFire.

Step 1. Observe Traps Office Macro Protection (WildFire Inspection)

Click the “Traps Client” tab to display that environment.


Next, find the Excel file named “FinancialReport” on the desktop and double-click the file to open it.
This will launch Excel and attempt to open the file. However, Traps will stop the file from opening and display
a dialog box informing you that it has prevented a malicious action.

Click “Show Details” to see that this previously known macro was stopped by WildFire.

Click “OK” to dismiss the Traps dialog box.


Close out of Excel by clicking the “X” in the upper right-hand corner of the two pop-up windows and then the
application itself.

Step 2. Verify Prevention in the Event Log

Click the “Events” tab in the Traps console window. This shows that WildFire prevented the macro running in
the process “excel.exe” and terminated it.

Step 3. Verify ESM Server

Click the “ESM Server” tab to display that environment.


Next, click the “Security Events” tab in the ESM console, followed by the “WildFire/Hash Control” link on the
left navigation list (under the “Preventions” heading). This will display the WildFire prevention events from our
malicious macro prevention so far.
Click the first item in the list, which should be associated with “Traps Client” system, “excel.exe” process, and
“WildFire” module. This will display an expanded view of the security event.
Next, click “Hash Control” button to directly access the admin override policy associated with the Excel file
(FinancialReport.xls) that you tried to open.
Click on the entry to open it and view additional details.
Note the date that the macro was first reported to WildFire. WildFire uses the hash of the Office file to identify
the malicious macro, not the hash of the macro itself. The ESM tracks the hash of the macro as well as the
Office files that have been seen with that macro embedded within them. This is how the ESM can render an
immediate verdict for any Office file that embeds a known macro, even if the contents of the Office file are
changed or if the macro appears in Office files that are completely different.

Task 7 – Attempt Execution of Macro Containing Child Process Creation


In this Task, you will attempt to open an Excel file that creates a child process.

Step 1. Disable WildFire Macro Protection

In the ESM Server console, click the “Policies” tab.


In the left navigation area, click the “WildFire” link under the “Malware” heading.
Click the “WildFire for Office files: On” policy.
Click the “Edit” button to modify this policy. This will display the WildFire policy editor window, with the
“Settings” tab visible. From the “Activation” drop-down, select the “Off” option. This will disable WildFire and
Static Analysis features of Traps for Office files.
Next, click the “Name” tab in the same editor window to display the name that is assigned to this policy
(“WildFire for Office files: On”).
Change the name of the policy to “WildFire for Office files: Off” and click the “Apply” button to save your
changes.

Step 2. Check-in on the Traps Client Desktop

Click the “Traps Client” tab to display that desktop. This should return you to the Traps Client desktop.
Next, click the “Check In Now” link on the bottom of the Traps console window to retrieve from the ESM
Server the changes in the WildFire policy that you just enacted in the previous Task.
Click the “Policy” tab in the Traps client console. Verify that the “WildFire for Office files: Off” policy that you
created in the previous Step is now displayed among the policies in effect on this Traps client.

Step 3. Observe Traps Child Process Protection

Find the Excel file named “FinancialReport” on the desktop and double-click it to open the file.
Excel will open to a blank spreadsheet. When prompted, click “Enable Content.”
Traps will stop the macro from running with the reason “Suspicious process creation detected.”

Click “Show details” and scroll down to see that the macro attempted to launch the child process “wscript.exe.”
The Child Process Protection component of Traps stopped its execution.
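The Child Process Protection decision shown in this Step is a rule over a process-creation event: which parent, which child, and where the child image lives. The Python model below is an added example for this guide, not Traps code. The lists of policed parents, script hosts, allowed helpers and user-writable locations are assumptions, and the event records are constructed in the shape of Sysmon process-creation logs.

```python
import ntpath
from dataclasses import dataclass

# Parent applications whose children are policed (assumption for this example).
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Script and shell hosts a document macro has no business launching.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Helpers Office legitimately spawns: the print spooler proxy and new instances of itself.
ALLOWED_CHILDREN = {"splwow64.exe", "excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Locations a macro-dropped payload typically runs from (matched against the normalized image path).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class ProcessCreate:
    parent_image: str
    image: str
    command_line: str


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def evaluate(ev: ProcessCreate):
    """Return None to allow the child, or a reason string if it should be blocked."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent not in OFFICE_APPS or child in ALLOWED_CHILDREN:
        return None
    if child in SCRIPT_HOSTS:
        return f"Suspicious process creation detected: {parent} launched script host {child}"
    image = ntpath.normcase(ev.image)                 # lower-case, backslash-separated
    if any(marker in image for marker in USER_WRITABLE):
        return f"Suspicious process creation detected: {parent} launched {child} from a user-writable location"
    return None


def detect(events):
    """Indexes and reasons for every event the rule would block."""
    return [(i, reason) for i, ev in enumerate(events) if (reason := evaluate(ev))]


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE = [   # constructed records; index 0 mirrors the FinancialReport macro in this Step
    ProcessCreate(OFFICE + r"\EXCEL.EXE", r"C:\Windows\System32\wscript.exe",
                  r'wscript.exe "C:\Users\student\AppData\Local\Temp\update.vbs"'),
    ProcessCreate(OFFICE + r"\WINWORD.EXE", r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    ProcessCreate(OFFICE + r"\EXCEL.EXE", OFFICE + r"\EXCEL.EXE", '"EXCEL.EXE" /x'),
    ProcessCreate(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
                  r'wscript.exe "C:\Scripts\logon.vbs"'),
    ProcessCreate(OFFICE + r"\WINWORD.EXE", r"C:\Windows\System32\cmd.exe",
                  "cmd.exe /c powershell -nop -w hidden -enc <constructed>"),
    ProcessCreate(OFFICE + r"\OUTLOOK.EXE", r"C:\Users\student\AppData\Local\Temp\invoice_viewer.exe",
                  "invoice_viewer.exe"),
]


if __name__ == "__main__":
    for i, reason in detect(SAMPLE):
        print(f"event {i}: BLOCK  {reason}")
```

Two design points carry over to any real implementation of this rule. The parent is what makes the child suspicious: explorer.exe launching wscript.exe (index 3) is ordinary logon-script activity and is not blocked, while the same child under excel.exe is. And the second check matters as much as the first, because a macro that drops and runs its own executable never shows up in a list of script-host names.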

Click “OK” to dismiss the Traps dialog box.


Click the middle button named “End” to close the pop-up window and then click the “X” to close Excel.

Step 4. Verify Prevention in the Event Log

Click the “Events” tab in the Traps console window. This shows that Child Process Protection prevented the
macro from running in the process ”excel.exe” and terminated it.

Step 5. Verify ESM Server

Click the “ESM Server” tab to display that environment.


Next, click the “Security Events” tab in the ESM console, followed by the “Malware Modules” link on the left
navigation list (under the “Preventions” heading). This will display the malware module prevention event from
our malicious macro so far.
Click the first item in the list, which should be associated with the “Traps Client” system, the “excel.exe” process,
and the “Child Process Protection” module. This will display an expanded view of the security event.

Step 6. Check in on the Attacker

Click the “Attacker” tab to display the Attacker Desktop.

Notice that no active connections have been established. Traps has prevented both known and unknown
malicious macros from compromising our endpoint.

End of Activity 9

Activity 10 - Complete the UTD Evaluation

Thank you for attending the Ultimate Test Drive event. We hope that you found the presentation and lab
activities enjoyable and informative.
In this Activity, we ask that you complete a short evaluation/survey to share your thoughts about this UTD.
We need and appreciate your guidance and advice.

Step 1. Complete a Brief Survey

In your browser, click the “Survey” tab among the list of the available desktop environments for the UTD.

Follow the on-screen instructions to complete the survey and submit your results.

End of Activity 10

Appendix 1 - Enabling the Firewall

If the firewall is not connected to the Internet, you can enable the firewall to allow internet connectivity.

Step 1. Access the Traps Client Desktop

In your browser, click the “Traps Client” link on the Shortcut Menu that lists the available desktop
environments in the UTD. This will connect you to the “Traps Client” through your browser.

Step 2. Log in to the Firewall Interface

Launch the Internet Explorer browser on the Traps Client.


Click the “NGFW” bookmark located on the Favorites bar directly below the address bar of the browser. This
will display the firewall authentication prompt.
Use the following credentials to log in to the Firewall:
Name: student
Password: utd135

This logs you in to the firewall and displays the main dashboard.

Step 3. Enable Firewall Interface “ethernet1/1”

Click the “Network” tab, then click the “Interfaces” node on the left-hand side. This will display all the interfaces
configured for the firewall.

Click the interface “ethernet1/1” under the “Ethernet” tab. This will display the configuration dialog box.

Click the “Advanced” tab and select “up” in the “Link State” drop-down to the right of the dialog box; then click
“OK” to return to the network interface listing.

Click “Commit” in the upper right-hand corner of the dashboard.

This will display a confirmation pop-up. Click “Commit” in the pop-up window to confirm your choice. This will
display the Commit Status dialog box containing a progress bar.
Once the process has completed, click “Close” in the pop-up window to return to the network interface listing.
The “Link Status” of “ethernet1/1” has turned green now that the interface is up.

Step 4. Verify Internet Connectivity

Open a new tab in the browser window and confirm Internet connectivity by visiting http://www.google.com.

(Note that only the google-base application is allowed by the firewall policy; other web sites will be blocked.)

Once you have verified internet connectivity, close the browser by clicking the “X” in the top-right corner of the
browser’s application window.

Appendix 2 - Access Attacker VM via SSH

This appendix provides instructions to access the Attacker (Kali Linux) VM. If the GUI is slow using the default
console access, this is the alternative access method.

Click the “SSH” link.

You will automatically be logged into an SSH session instead of the GUI.

Since the SSH session is a single shell window, you will need to perform the following steps once you reach
Activity 6, Task 3 to create the unknown malware.

Type “^Z” (control + z) to send Metasploit/Meterpreter to a background job.

Continue with Activity 6, Task 3. When done, type “fg” to return Metasploit/Meterpreter to the foreground.

Proceed to Activity 6, Task 4.
