ULTIMATE
TEST DRIVE:
Advanced Endpoint Protection
Workshop Guide
UTD-AEP 3.1 © 2019 Palo Alto Networks, Inc. | Confidential and Proprietary 20190822
Ultimate Test Drive - Advanced Endpoint Protection
Note: This workshop covers only basic topics and is not a substitute for training classes conducted by
Palo Alto Networks Authorized Training Centers (ATC). Please contact your partner or regional sales
manager for more information on available training and how to register for one near you.
Once the environment has been created, the system will display a welcome page. Click “Go to my VM List” to
begin using the environment.
This will display a list of all virtual systems that constitute the UTD environment.
Take note of the “Shortcut Menu” at the top of your browser window. You will use this Shortcut Menu
throughout the workshop to switch between the available desktops.
Note: By default, the various desktops used in this UTD rely on RDP connections tunnelled over HTML5
through the browser. An HTML5-compatible browser is required.
If you encounter connection issues with any of the desktop interfaces, click the “Reconnect” link in the left-hand
pane of the desktop display to re-establish your connection.
If reconnection to the environment remains unsuccessful, please inform the instructor for further assistance.
This logs you in to the firewall and displays the main dashboard.
Click the interface “ethernet1/1” under the “Ethernet” tab. This will display the configuration dialog box.
Click the “Advanced” tab and select “up” in the “Link State” drop-down to the right of the dialog box; then click
“OK” to return to the network interface listing.
This will display a confirmation pop-up. Click “Commit” in the pop-up window to confirm your choice. This will
display the Commit Status dialog box containing a progress bar.
Once the process has completed, click “Close” in the pop-up window to return to the network interface listing.
The “Link Status” of “ethernet1/1” has turned green now that the interface is up.
(Note that only the google-base application is allowed by the firewall policy; other web sites will be blocked.)
Once you have verified internet connectivity, close the browser by clicking the “X” in the top-right corner of the
browser’s application window.
End of Activity 1
To complete the first phase of the attack, you will use the Metasploit tool hosted on the Attacker workstation to
prepare a webserver that delivers an exploit to the victim. When the victim clicks a link in a phishing email, he
or she is redirected to the Attacker’s website, where a zero-day Flash Player exploit (CVE-2015-5119)
compromises the victim’s endpoint system.
Once the victim’s system is compromised, the Attacker uploads the ransomware malware to the victim’s
machine and executes it. This process is depicted in the figure below.
Note: If using a non-US keyboard layout, you may use the “Virtual Keyboard” in the left-hand pane to send
text.
Note: You should not need the credentials for the user associated with the Victim VM. However, if the
system does present you with a login screen on the Victim VM, click the icon associated with the user
“Jen” and supply the password associated with that user (shown above the desktop display area). This
password is “Password1”.
Click inside the Terminal window that is open on the desktop. Then, press the “enter/return” key a few times to
get a new Metasploit prompt.
Note: If your connection to the Attacker desktop has been severed, click the “Reconnect” link in the left-hand
pane of the desktop display area to re-establish your connection to that environment.
If you see the lock screen, click in that window and hit the Enter/Return key to get a login prompt.
UTD-AEP 3.1 18
Ultimate Test Drive - Advanced Endpoint Protection
An open session indicates that the Attacker has an active, direct connection to the Victim, which he or she can
use to further compromise the system.
Note the “ID” of the active session connected to the Victim. This is the “Session ID” that you will need to enter
in the next step; it should be session #1, although that might not be the case if you refreshed the browser on
the Victim desktop at any point.
UTD-AEP 3.1 19
Ultimate Test Drive - Advanced Endpoint Protection
At this point, Meterpreter should display a message confirming that it successfully uploaded “happy.exe” to the
Victim Client: “uploaded : happy.exe -> happy.exe”
We are now ready to launch our ransomware attack and infect the Victim.
UTD-AEP 3.1 20
Ultimate Test Drive - Advanced Endpoint Protection
The ransomware will simulate the process of checking the disk on the Victim (the CHKDSK process).
However, the counter that indicates the progress will never stop counting.
Click the “Send ctrl+alt+delete” button in the left-hand pane of the Victim desktop display to send that key
sequence to the system.
This will display a flashing red and grey “skull and cross bone” image and prompt the user to “PRESS ANY
KEY.”
Click inside the “skull and cross bone” image and press the space bar. This should change the image to a
ransomware warning page, with demands and instructions to submit your payment in order to unlock your
system.
UTD-AEP 3.1 21
Ultimate Test Drive - Advanced Endpoint Protection
We no longer need this attacker session, so type the following command to shut down Meterpreter:
exit
This will return you to the Metasploit prompt. Type the following command to shut down Metasploit as well.
exit
This will stop the attacker server and return you to the Terminal prompt.
UTD-AEP 3.1 22
Ultimate Test Drive - Advanced Endpoint Protection
Click “Revert VM” to start the revert process. This should take 5-10 minutes.
End of Activity 2
UTD-AEP 3.1 23
Ultimate Test Drive - Advanced Endpoint Protection
Click “Next”.
Check the box for “I accept the terms in the License Agreement” and then click “Next”.
Click “Finish” when done. You may notice some Action Center alerts in the System Tray due to Traps
registering itself with Windows.
UTD-AEP 3.1 24
Ultimate Test Drive - Advanced Endpoint Protection
Click “Next”.
Check the box for “I accept the terms in the License Agreement” and then click “Next”.
UTD-AEP 3.1 25
Ultimate Test Drive - Advanced Endpoint Protection
Click “Finish” when done. You may notice some Action Center alerts in the System Tray due to Traps
registering itself with Windows.
Traps is installed, connected and enabled. Note that “Anti-Exploit Protection” is disabled on this system. This
is a result of the “Policy Rules” applied to this endpoint. It may take a little time for the endpoint to have the
assigned policies pushed out. Instead of waiting, move to the next Task, as you will revisit this
endpoint later.
UTD-AEP 3.1 26
Ultimate Test Drive - Advanced Endpoint Protection
If the browser is not running, double-click the “Traps management service” icon on the desktop.
UTD-AEP 3.1 27
Ultimate Test Drive - Advanced Endpoint Protection
Click “LOGIN” on the Single Sign On page to be logged in with the supplied credentials.
Note: The Traps management service allows the use of role-based access controls. As the
TMS you are using is shared among all classes and students, you will be using an account
assigned with the Viewer role. This account has read-only access.
Screenshots shown in this workshop guide will be from the default Super Admin role. What
you see with the Viewer role may be different from the screenshots.
UTD-AEP 3.1 28
Ultimate Test Drive - Advanced Endpoint Protection
• Unresolved Security Events – Shows number of unresolved security events by the severity level of the
event and links to a filtered list of unresolved events by the severity that you select. By default, this chart
displays data from the last 30 days. Use the Events Time drop-down to change the data collection period.
• Platforms – Displays the total number of registered agents and the distribution of agents by platform. Also
provides links to filtered lists of endpoints for each platform.
• License – Displays information about your Traps management service license including the license
expiration date and the number of license seats that are currently allocated. To review all licensed
endpoints (excludes endpoints with Zombie or Unlicensed status), click the statistic about number of seats
used.
• Content Version – Displays the distribution of agents by content version and links to a filtered list of
endpoints by latest or outdated content versions.
After a new content update is available, agents gradually receive the latest policy as they check in with the
Traps management service.
UTD-AEP 3.1 29
Ultimate Test Drive - Advanced Endpoint Protection
These installation packages have been previously created. The Windows and Linux install packages you see
here are the ones you installed in your environment previously. The macOS and Android installers are shown
as an example and not used in this workshop.
If you see an “Agent Version” highlighted in orange, this means there is a newer installer available.
This is the list of all registered endpoints. The list can be filtered using the drop-down boxes at the top of the
page. You can search for your installed endpoints by entering the base name you previously used for
“Endpoint Name”.
Note that the Windows endpoints show a green “TS” icon which indicates these were installed as a
“Temporary session” endpoint type. Other endpoint types include “Standard” as indicated by your Linux client,
“Virtual desktop infrastructure (VDI)” and Mobile.
UTD-AEP 3.1 30
Ultimate Test Drive - Advanced Endpoint Protection
Note: As an administrator, the following actions can be performed from the Endpoints page. Your Viewer
role will not have access to them.
Click on your traps-win1 (e.g., jdoe-win1) endpoint in the list to bring up additional details regarding that
client.
UTD-AEP 3.1 31
Ultimate Test Drive - Advanced Endpoint Protection
Click on the “Policy” tab to review the assigned policies and scanning report.
To easily apply policy rules to specific endpoints, you can define endpoint groups. These can be static or
dynamic. For dynamic groups, one or more criteria can be defined.
Hover the cursor over “TrapsWin1group” and click the pencil icon to review the criterion (IPv4 address of
192.168.21.221) that was used to define this group.
UTD-AEP 3.1 32
Ultimate Test Drive - Advanced Endpoint Protection
UTD-AEP 3.1 33
Ultimate Test Drive - Advanced Endpoint Protection
Endpoint logs display entries for events monitored by the Traps agent. Server logs display entries for changes
to the Traps management service.
Admins may also create a new on-demand report or schedule reports on a daily, weekly or monthly basis to
be emailed.
UTD-AEP 3.1 34
Ultimate Test Drive - Advanced Endpoint Protection
Traps management service provides default security profiles that you can use out of the box to begin
protecting your endpoints from threats immediately. While security rules enable you to block or allow files to
run on your endpoints, security profiles help you customize and reuse settings across different groups of
endpoints.
• Exploit – Exploit profiles block attempts to exploit system flaws in browsers, and in the operating system.
For example, Exploit profiles help protect against exploit kits, illegal code execution, and other attempts to
exploit process and system vulnerabilities. Exploit profiles are supported for Windows, Mac, and Linux
platforms.
• Malware – Malware profiles protect against the execution of malware including trojans, viruses, worms,
and grayware. Malware profiles serve two main purposes: to define how to treat behavior common with
malware such as ransomware or script-based attacks, and to define how to treat known malware and
unknown files. Malware profiles are supported for all platforms.
• Restriction – Restriction profiles limit where executables can run on the endpoint. For example, you can
restrict files from running from specific local folders or from removable media. Restriction profiles are
supported for Windows platforms.
• Agent Settings – Agent Settings profiles enable you to customize settings that apply to the Traps app
such as the disk space quota for log retention. For Mac and Windows platforms, you can also customize
user interface options for the Traps console such as accessibility and notifications.
Click on a Profile name to further explore the details for a given profile.
Note: Additional Profiles have been created for this workshop. Most of them disable certain functionality in
order to demonstrate the various methods of Traps multi-method prevention capabilities.
UTD-AEP 3.1 35
Ultimate Test Drive - Advanced Endpoint Protection
The Traps management service provides out-of-the-box protection for all registered endpoints with a default
security policy for each type of platform. To fine-tune your security policy, you customize settings in a security
profile and attach that profile to a policy rule. Each policy rule that you create must apply to one or more
endpoints, endpoint groups, or Active Directory (AD) objects.
As seen here, the Endpoint Groups previously defined have your Profiles assigned. These Profiles, assigned
by Endpoint Group, should be shown in Endpoints > traps-win1 > Policy.
A security event occurs when the Traps agent identifies an attempt to run a malicious file or process. Traps
agents report security events when the file or process matches your applied policy rules (either default policy
rules or custom rules you define). When the event occurs, Traps applies the action specified in the applied
security profile: either block the malicious activity, or allow it and report it.
UTD-AEP 3.1 36
Ultimate Test Drive - Advanced Endpoint Protection
The Traps management service ranks all events in order of severity so you can quickly and easily see the
most important events when you log in to the Traps management service. You can then drill down into the
security events to determine if a security event is a real threat and, if so, you can remediate it. In some cases,
you may determine that a security event does not pose a real threat and can create an exception for it.
Click a Security Event to get additional details, WildFire verdicts, any defined Exceptions, Comments and
History.
Note that the Status can be changed from New to Investigating or Closed as your assessment of the event
progresses.
Each time a file attempts to run on a Mac or Windows endpoint, Traps logs the event and reports it to the
Traps management service. The Files page in the Traps management service displays all the files that run on
your endpoints, their corresponding verdicts, and other details about the files. When a security event occurs or
a specific file warrants investigation, you can review the WildFire Analysis Report, view which endpoints have
attempted to run the file, and if necessary, create an exception to override the official verdict.
Click on a file to get additional details, which endpoints have that file, WildFire verdict and any defined
exceptions.
UTD-AEP 3.1 37
Ultimate Test Drive - Advanced Endpoint Protection
Click the “Quarantine” tab to review any files previously quarantined. You can enable Traps to quarantine
malicious files on Windows endpoints as part of a Malware security profile. When malware attempts to run,
Traps automatically quarantines the file by moving it from a local or removable hard-drive to a local quarantine
folder. This isolates and prevents the file from causing any harm to your endpoints.
In some cases, you may need to override the applied security policy to change whether Traps allows a
process or file to run on an endpoint. To override the security policy, you can configure any of the following
types of policy exceptions:
• Process Exception - Allow processes blocked by an exploit security module to run on an endpoint. You
can also disable all exploit protection modules for a process.
• Hash Exception - Explicitly define a verdict for a file (Benign or Malware). The Traps management service
distributes the verdict to all Traps agents that attempt to run the file. Traps will evaluate the verdict you
specify for the file instead of the WildFire verdict.
• Advanced Exceptions - Exceptions defined by Palo Alto Networks Support that can be used to temporarily
address policy issues for specific customers.
UTD-AEP 3.1 38
Ultimate Test Drive - Advanced Endpoint Protection
You have now verified that Traps is running on the Traps-Win1 desktop.
UTD-AEP 3.1 39
Ultimate Test Drive - Advanced Endpoint Protection
Click inside the terminal window to activate it. Then press the “enter/return” key a few times to ensure it is
responding. If it is not, please reconnect to the Attacker desktop.
In the terminal window, type the following command at the prompt and press the “enter/return” key:
./demo.sh
This will load Metasploit, configure it to listen for incoming connections, and serve the Hacking Team Flash
zero-day exploit to the victim system. When Metasploit has completed loading, it should display the following
prompt.
The attacker system is now ready and online, waiting for a connection from the victim system.
This Step repeats the same sequence of actions you completed to trigger the exploitation of the Victim VM in
the previous Activity. This is necessary to observe Traps in action.
UTD-AEP 3.1 40
Ultimate Test Drive - Advanced Endpoint Protection
Click the Outlook application window to activate it. The email with the subject line: “Someone has your
password” is displayed in the inbox.
Click the link “Review Your Devices Now” in the email. This will open Internet Explorer, and after a small delay
(depending on your network speed), display a webpage that resembles the Google account login website.
Recall from our previous Activity that the Attacker server detects the incoming connection and serves the
SWF file for the Hacking Team zero-day exploit in reply to the request.
At this point, Traps will detect the exploitation attempt, block it, and display a dialog box to inform you that it
has prevented the security breach.
Traps freezes the Internet Explorer processes running in the browser tab, collects forensic data about the
attack, and then terminates the exploitation attempt.
Click the “Show Details” button in the Traps prevention alert window. Then scroll down to the bottom of the list
that appears. You will notice the “Component” referenced here is “DLL security”. In this case, the Exploit
Prevention Module was triggered by an attempt to leverage a DLL on the Traps-Win1 VM.
UTD-AEP 3.1 41
Ultimate Test Drive - Advanced Endpoint Protection
Click “OK” in the Traps notification dialog box to dismiss it. This will close the dialog box and terminate the
Internet Explorer process that was targeted by the exploitation attempt.
Click inside the Terminal window on the Attacker desktop and press “enter/return” a few times to get a new
Metasploit prompt: “msf exploit (adobe_flash_hacking_team_uaf) >”.
Enter the following command at the Metasploit prompt:
sessions
This should display a response indicating that there are no active sessions.
This verifies that the Attacker’s exploitation attempt failed, despite the fact that the SWF file containing the
Hacking Team Flash zero-day exploit was delivered to the Traps-Win1 machine.
UTD-AEP 3.1 42
Ultimate Test Drive - Advanced Endpoint Protection
The prevention event from the previous task is logged as a “Medium Severity” event. The number of events
will vary, determined by the selected Timeframe and how many others have performed this UTD.
UTD-AEP 3.1 43
Ultimate Test Drive - Advanced Endpoint Protection
You can further refine the filter by entering in the host name for your endpoint (e.g. jdoe-win1).
The prevention event was a “Memory Corruption Exploit” against iexplore.exe. You can also see the Profile
type, Exploit, that was triggered, along with the endpoint name and the user of that system.
Click on the Event link to bring up further details.
Review details of this event which includes the information from the “Security Event” overview. You will also
find additional details regarding the Module, Endpoint, Processes, Files and Users.
An administrator role can also “Retrieve and Analyze Data”. The results will be available in the “Analysis” tab
for this event. You can track its progress there as well as in the “Action Tracker” node. Other actions are
“Retrieve Files”, “Initiate Live Terminal”, “Create Exception” and “Isolate Endpoint”.
Note: Your Viewer role does not have the ability to perform these actions.
UTD-AEP 3.1 44
Ultimate Test Drive - Advanced Endpoint Protection
Once the Analysis has completed, the data is available for download.
End of Activity 5
UTD-AEP 3.1 45
Ultimate Test Drive - Advanced Endpoint Protection
UTD-AEP 3.1 46
Ultimate Test Drive - Advanced Endpoint Protection
As can be seen here, the Exploit Profile that is assigned is “no exploit protection” and the Malware Profile is
“allow temp and macro”. There is also a Restriction Profile of “blacklist folder”.
Note that your traps-win2 endpoint belongs to the TrapsWin2group and has the same assigned profiles as
seen in the previous step.
Click the “no exploit protection” profile to bring up the details for that rule.
Note that all Exploit Protection Modules have been disabled. This has been done to allow the Attacker system
to deliver the Hacking Team Flash zero-day exploit to your traps-win2 client. As was previously seen with
traps-win1, if exploit protection is in place, the attack will be stopped there. We will be demonstrating malware
protection in this Activity.
UTD-AEP 3.1 47
Ultimate Test Drive - Advanced Endpoint Protection
Click on the “allow temp and macro” profile to bring up the details for that rule.
This profile has default actions for the Malware Protection Module other than a Whitelist File (which will be
used later to demonstrate file and folder restrictions). This profile also has quarantine enabled.
The “Anti-Exploit Protection” module should show that it is disabled (due to the “no exploit protection” profile).
This Step repeats the same sequence of actions you completed to trigger the exploitation of the Victim VM in
the previous Activity. This is necessary to observe Traps in action.
UTD-AEP 3.1 48
Ultimate Test Drive - Advanced Endpoint Protection
Click the Outlook application window to activate it. The email with the subject line: “Someone has your
password” is displayed in the inbox.
Click the link “Review Your Devices Now” in the email. This will open Internet Explorer, and after a small delay
(depending on your network speed), display a webpage that resembles the Google account login website.
Recall from our previous Activity that the Attacker server detects the incoming connection and serves the
SWF file for the Hacking Team zero-day exploit in reply to the request.
At this point, since Traps has the Exploit Protection Module disabled, the exploit will succeed, and the
ransomware attack can continue to its next stage.
UTD-AEP 3.1 49
Ultimate Test Drive - Advanced Endpoint Protection
Click inside the terminal window to activate it. Then press the “enter/return” key a few times to get a Metasploit
prompt.
At the Metasploit prompt, type the following command to verify that you have an active Meterpreter session to
the Victim Client system:
sessions
This will display a list of all active sessions currently running within Metasploit.
Note the “ID” of the active session with Traps-Win2. We will use session ID #1 for the instructions below, but
you should use the number that corresponds to your session ID.
UTD-AEP 3.1 50
Ultimate Test Drive - Advanced Endpoint Protection
We are now ready to launch our ransomware attack and infect Traps-Win2.
Click the “Traps-Win2” tab. This should display the Traps-Win2 desktop.
At this point, Traps will either have already identified and blocked this malware, or it will be in the process of
doing so. In either case, you should see a Traps Prevention Alert window open on the Traps-Win2 machine.
The “Prevention Description” field should indicate Traps blocked this based on a “Suspicious executable
detected”. Click the “Show Details” button, then scroll down to the bottom of the list. You will notice the
“Component” referenced here is “WildFire”.
UTD-AEP 3.1 51
Ultimate Test Drive - Advanced Endpoint Protection
Now click the record that corresponds to that security event. This should display additional details about the
security event.
Note that in the “Details” window, it indicates that Traps quarantined the malware (as shown by the entry
“Quarantine: Yes”).
Since this malware has a file hash that is identified as a known malware in the WildFire threat intelligence
cloud (and now in the local cache of this Traps agent and the Traps management service), Traps will block it
every time it attempts to run.
In order to see the local Static Analysis prevention method, we need to create a malware sample with a file
hash that is unknown to both Traps and WildFire.
UTD-AEP 3.1 52
Ultimate Test Drive - Advanced Endpoint Protection
This malware file is now essentially unknown to Traps and WildFire because it has a new file hash.
UTD-AEP 3.1 53
Ultimate Test Drive - Advanced Endpoint Protection
The “Prevention Description” field should again indicate Traps blocked based on a “Suspicious executable
detected”. Click the “Show Details” button, then scroll down to the bottom of the list. You will notice the
“Component” referenced here this time is “Local Analysis”.
UTD-AEP 3.1 54
Ultimate Test Drive - Advanced Endpoint Protection
Note that the “Details” window indicates that Traps quarantined the malware (as shown by the entry
“Quarantine: Yes”).
Notice the file “happy.exe” among the first couple of entries in this table, along with the Event and the
Malware Profile Type.
You can see that the older event was blocked as known “WildFire Malware”. Click the event to bring up more
details.
UTD-AEP 3.1 55
Ultimate Test Drive - Advanced Endpoint Protection
Review the details, including the Module, Endpoint, Process, Files and Users sections. Note, from the Module
section, that the WildFire module blocked the process and quarantined the file.
You can also click on the “WildFire” tab to display the details for this sample, which was already known to WildFire.
You will see more in the next Step.
Step 5. Review Local Analysis Malware Security Event on Traps Management Service
Click the “Local Analysis Malware” event to bring up more details.
Review the details, including the Module, Endpoint, Process, Files and Users sections. Note, from the Module
section, that the Local Analysis module blocked the process and quarantined the file.
Click the “WildFire” tab. As this sample was previously unknown to WildFire, it was uploaded and analyzed.
Once WildFire has completed this, it will render a verdict and transmit that back to the Traps management
service. That verdict will be visible in this section.
UTD-AEP 3.1 56
Ultimate Test Drive - Advanced Endpoint Protection
Depending on how much time has passed, you may see its analysis still in progress.
You will revisit this event later; if WildFire has not returned a verdict yet, please proceed to the next task.
UTD-AEP 3.1 57
Ultimate Test Drive - Advanced Endpoint Protection
Note that “c:\temp\happy.exe” is being allowed here. This will disable the WildFire and Local Analysis protections
for that file and allow your Restriction Profile to be evaluated. If this were not in place, Traps would stop the
ransomware executed from that directory, as you experienced in the previous Task.
Again, from the “Profiles” node, select “blacklist folder” to bring up the details for it.
Note that the “Action mode” is set to “Block”. The “Blacklist Files / Folders” is set to “c:\temp\happy.exe”. This
will prevent the execution of happy.exe from “c:\temp\”.
UTD-AEP 3.1 58
Ultimate Test Drive - Advanced Endpoint Protection
cd /
mkdir temp
cd temp
If you recall our review of the Restrictions policy, Traps was programmed to prevent execution of programs
from the “c:\temp” directory. This is precisely what happened in this Step.
Click “OK” to dismiss the alert window.
If the Traps console is not visible on the desktop, bring it to the forefront by clicking its icon in the Windows
Taskbar. Then click the “Events” tab in the Traps console window.
UTD-AEP 3.1 59
Ultimate Test Drive - Advanced Endpoint Protection
Click “Check In Now” to pull the event details from your Traps management service.
Note the first line of this list. It should indicate that Traps blocked “happy.exe” (per Execution Protection
Module) and terminated the process.
Now click the record that corresponds to that security event. This should display additional details about the
security event.
Note that the “Details” window indicates that Traps did not quarantine the malware (as shown by the entry
“Quarantine: No”), because it was not specifically identified as malware.
UTD-AEP 3.1 60
Ultimate Test Drive - Advanced Endpoint Protection
Note the most recent event is “Execution From a Restricted Folder”. You may click that event to get further
details.
End of Activity 6
UTD-AEP 3.1 61
Ultimate Test Drive - Advanced Endpoint Protection
UTD-AEP 3.1 62
Ultimate Test Drive - Advanced Endpoint Protection
When prompted, confirm that “Open with” is set to “SumatraPDF” and then click “OK”.
The browser will download the report and then open it in the PDF viewer.
Review the WildFire report to learn more about the types of information WildFire reveals through its full
analysis of the ransomware file.
UTD-AEP 3.1 63
Ultimate Test Drive - Advanced Endpoint Protection
UTD-AEP 3.1 64
Ultimate Test Drive - Advanced Endpoint Protection
This verifies that when Traps encountered an unknown malware (the modified ransomware) and submitted it
to WildFire for analysis, the threat intelligence gained from that analysis automatically reprogrammed the
Next-Generation Firewall in the UTD environment to block the transfer of the file through the firewall.
Close Internet Explorer by clicking the “X” on the top-right corner of that window. If Outlook is still open, close
it as well.
End of Activity 7
UTD-AEP 3.1 65
Ultimate Test Drive - Advanced Endpoint Protection
UTD-AEP 3.1 66
Ultimate Test Drive - Advanced Endpoint Protection
Notice that even the folder on the desktop has been encrypted. All files encrypted will have the extension
“[chines34@protonmail.ch].gryphon”.
UTD-AEP 3.1 67
Ultimate Test Drive - Advanced Endpoint Protection
Note that “Ransomware Protection” is set for the “Action mode” of “Default (Block)”. Also, “Examine Portable
Executables and DLLs” is “Disabled”. This has been done so WildFire does not block the ransomware and
allows the Ransomware Protection Module to execute.
UTD-AEP 3.1 68
Ultimate Test Drive - Advanced Endpoint Protection
Click “Show Details” to see that the “Anti-Ransomware Protection” module was activated.
Note the most recent event is “Suspicious File Modification”. You may click that event to get further details.
Notice that a WildFire report is already available: this file is already known to WildFire and would have
been stopped immediately as known malware. We previously disabled WildFire examination of executables so you
could see the multi-layer capabilities that detect and prevent ransomware launched from malicious executable files.
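The Ransomware Protection Module fires on the behaviour seen in this activity: one process rewriting many user files and tagging each with the same new extension. The following is an added illustration of that kind of “Suspicious File Modification” detection written for this guide; it is not Traps code and does not reproduce how the module actually works. It runs over a constructed list of rename events (the acting process name `gryphon.exe`, the paths, the timestamps and the threshold values are all assumptions) and flags a process that appends one suffix to at least `threshold` distinct files inside a short time window.

```python
from collections import Counter, defaultdict, deque
from typing import Dict, List, Optional

# Extension observed on the encrypted files in Activity 8.
RANSOM_SUFFIX = "[chines34@protonmail.ch].gryphon"
DESKTOP = r"C:\Users\Lab\Desktop\Reports" + "\\"  # constructed path

# Constructed file-system events: a ransomware process renames six files in
# under three seconds, and a word processor does one ordinary rename.
VICTIM_FILES = ["budget.xlsx", "notes.docx", "photo.jpg", "plan.pdf", "todo.txt", "slides.pptx"]
EVENTS: List[Dict] = [
    {"ts": 0.4 * i, "pid": 4242, "image": "gryphon.exe", "op": "rename",
     "src": DESKTOP + name, "dst": DESKTOP + name + "." + RANSOM_SUFFIX}
    for i, name in enumerate(VICTIM_FILES)
]
EVENTS.append({"ts": 1.0, "pid": 777, "image": "winword.exe", "op": "rename",
               "src": DESKTOP + "draft.docx", "dst": DESKTOP + "draft_v2.docx"})


def appended_suffix(src: str, dst: str) -> Optional[str]:
    """Return the text appended to the original name, or None if the rename is not a pure append."""
    if dst.startswith(src) and len(dst) > len(src):
        return dst[len(src):]
    return None


def detect_mass_rename(events: List[Dict], threshold: int = 5, window_s: float = 10.0) -> List[Dict]:
    """Flag a process that appends the same suffix to `threshold` files within `window_s` seconds."""
    recent = defaultdict(deque)   # pid -> deque of (timestamp, suffix) inside the window
    fired = set()                 # (pid, suffix) pairs already reported
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("op") != "rename":
            continue
        suffix = appended_suffix(ev["src"], ev["dst"])
        if suffix is None:
            continue
        window = recent[ev["pid"]]
        window.append((ev["ts"], suffix))
        while window and ev["ts"] - window[0][0] > window_s:
            window.popleft()
        top_suffix, count = Counter(s for _, s in window).most_common(1)[0]
        if count >= threshold and (ev["pid"], top_suffix) not in fired:
            fired.add((ev["pid"], top_suffix))
            alerts.append({
                "pid": ev["pid"],
                "image": ev["image"],
                "suffix": top_suffix,
                "count": count,
                "first_seen": window[0][0],
                "last_seen": ev["ts"],
                # A contact address inside the new extension is a common ransom-note pattern.
                "contact_address_in_suffix": "@" in top_suffix,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(EVENTS):
        print(alert)
```

The single ordinary rename by `winword.exe` is ignored because the new name is not the old name plus a suffix, while the ransomware process trips the rule on its fifth file; in a real agent this is the point at which the process would be terminated and the event raised to the console.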
End of Activity 8
The attacker system is now ready and online, waiting for a connection from the victim system.
Note that the “Action mode” for “Examine Office Files with Macros” is set to “Default (Block)”.
Click “Show Details” to see that this previously known macro was stopped by WildFire.
Note the most recent event is “WildFire Malware” for the file “FinancialReport.xls”. You may click that event to
get further details.
Notice that a WildFire report is already available. This file is already known to WildFire.
WildFire uses the hash of the Office file to identify the malicious macro, not the hash of the macro itself. Traps
tracks the hash of the macro as well as the Office files that have been seen with that macro embedded within
them. This is how Traps can render an immediate verdict for any Office file that embeds a known macro,
even if the contents of the Office file are changed or if the macro appears in Office files that are completely
different.
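To make the distinction concrete, here is an added example written for this guide (not Traps or WildFire code) of a verdict cache keyed by the macro hash rather than the container hash. It assumes a simplified OOXML workbook built in memory as a zip archive whose macro project is the part `xl/vbaProject.bin` (the part name is real; the sample workbook contents and macro bytes are constructed). Two containers with different sheet data but the same macro project get different file hashes yet the same macro hash, so the verdict recorded for the first is returned immediately for the second.

```python
import hashlib
import io
import zipfile
from typing import Dict, Optional, Set


def build_xlsm(workbook_xml: bytes, vba_project: Optional[bytes]) -> bytes:
    """Constructed stand-in for a macro-enabled workbook: a zip with just the parts this example needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", workbook_xml)
        if vba_project is not None:
            zf.writestr("xl/vbaProject.bin", vba_project)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def macro_hash(document: bytes) -> Optional[str]:
    """Hash of the embedded macro project only; None when the file carries no macros."""
    with zipfile.ZipFile(io.BytesIO(document)) as zf:
        if "xl/vbaProject.bin" not in zf.namelist():
            return None
        return sha256_hex(zf.read("xl/vbaProject.bin"))


class MacroVerdictCache:
    """Verdicts keyed by macro hash, plus every container hash seen carrying each macro."""

    def __init__(self) -> None:
        self.verdict_by_macro: Dict[str, str] = {}
        self.containers_by_macro: Dict[str, Set[str]] = {}

    def record(self, document: bytes, verdict: str) -> Optional[str]:
        """Store a verdict for the macro inside `document` (e.g. one returned by a full analysis)."""
        mh = macro_hash(document)
        if mh is None:
            return None
        self.verdict_by_macro[mh] = verdict
        self.containers_by_macro.setdefault(mh, set()).add(sha256_hex(document))
        return mh

    def lookup(self, document: bytes) -> Optional[str]:
        """Immediate verdict for any container embedding a known macro; None means unknown."""
        mh = macro_hash(document)
        if mh is None:
            return None
        verdict = self.verdict_by_macro.get(mh)
        if verdict is not None:
            # Remember this container as another carrier of the known macro.
            self.containers_by_macro[mh].add(sha256_hex(document))
        return verdict


# Constructed placeholder macro bytes; not real VBA.
SAMPLE_MACRO = b"Sub Auto_Open()\r\n  ' constructed placeholder body\r\nEnd Sub\r\n"


def demo() -> Dict[str, object]:
    first = build_xlsm(b"<workbook>quarterly figures</workbook>", SAMPLE_MACRO)
    reshaped = build_xlsm(b"<workbook>entirely different sheet data</workbook>", SAMPLE_MACRO)
    clean = build_xlsm(b"<workbook>no macros here</workbook>", None)
    cache = MacroVerdictCache()
    cache.record(first, "malware")
    return {
        "container_hashes_differ": sha256_hex(first) != sha256_hex(reshaped),
        "macro_hashes_match": macro_hash(first) == macro_hash(reshaped),
        "verdict_for_reshaped": cache.lookup(reshaped),
        "verdict_for_clean": cache.lookup(clean),
        "containers_seen": len(cache.containers_by_macro[macro_hash(first)]),
    }


if __name__ == "__main__":
    print(demo())
```

A cache keyed on the whole-file hash would miss the reshaped workbook entirely, which is exactly the gap the macro-level tracking described above closes.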
Next, right-click the icon and select “Run with PowerShell”.
Enter a document name of your choosing.
Enter “1” for Meterpreter Shell with Logon Persistence.
Enter “2” for Meterpreter Reverse HTTP.
A new Excel file will appear on your desktop with the document name you provided.
Note that it was Local Analysis that prevented the rest of the file from even being generated.
Click “OK” to dismiss the Traps dialog box.
Note the most recent event is “Local Analysis Malware” for the file “badfile.xls” (this will be whatever you
named your file). You may click that event to get further details.
The file was sent to WildFire for further analysis. A verdict will be available when it has completed.
Notice that no active connections have been established. Traps has prevented both known and unknown
malicious macros from compromising our endpoints.
End of Activity 9
Traps will stop the script-based attack from running due to a “Behavioral threat detected”.
Click “Show details” and scroll down to see that the file attempted to launch the process “wscript.exe”. The
Behavioral Threat Protection component of Traps stopped its execution.
Note the most recent event is “Behavioral Threat”. Click that event to get further details.
Note that the prevention module was Behavioral Threat Prevention and the causality group owner (CGO) is
wscript.exe.
Additional data will arrive via Cortex Data Lake (previously known as Logging Service). This may take a little
time, but the event will be populated with additional data. Once this is done, you may scroll down to see this
information. To save time, you may instead open a previously executed Behavioral Threat event to see this
additional data.
Note that four processes are executed in this script-based attack: wscript.exe, powershell.exe,
mshta.exe and reg.exe. All are known system utilities.
Click the “Analysis” tab (this will also populate after the additional data is pulled in). You will see a timeline of
the behaviors observed with the execution of the script.
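The causality group owner shown in the event is the process that started the chain, here wscript.exe, not the launcher that started it (explorer.exe) and not the last process to act (reg.exe). The following added example, written for this guide and not taken from Traps, rebuilds that grouping from constructed process-creation events and flags a group whose owner is a script host and whose members chain two or more built-in utilities. The launcher list, the script-host and utility sets, the pids and the rule threshold are all assumptions; Traps' real grouping and behavioural rules are not described on the page.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumption for this example: a causality group begins just below a launcher
# process, so the group owner is the highest ancestor that is not a launcher.
LAUNCHERS = {"explorer.exe", "services.exe", "svchost.exe", "userinit.exe"}
# Script hosts that commonly start a script-based chain.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Built-in utilities frequently chained together in script-based attacks.
SYSTEM_UTILITIES = {"powershell.exe", "mshta.exe", "reg.exe", "cmd.exe",
                    "rundll32.exe", "certutil.exe", "bitsadmin.exe"}

# Constructed process-creation events: the four-process chain from Activity 10
# plus a benign Word session under the same explorer.exe.
EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe"},
    {"pid": 201, "ppid": 200, "image": "powershell.exe"},
    {"pid": 202, "ppid": 201, "image": "mshta.exe"},
    {"pid": 203, "ppid": 202, "image": "reg.exe"},
    {"pid": 300, "ppid": 100, "image": "winword.exe"},
    {"pid": 301, "ppid": 300, "image": "splwow64.exe"},
]


def index_processes(events: List[Dict]) -> Tuple[Dict[int, Dict], Dict[int, List[int]]]:
    """Map pid -> event and ppid -> child pids."""
    procs = {e["pid"]: e for e in events}
    children: Dict[int, List[int]] = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return procs, children


def causality_group_owner(pid: int, procs: Dict[int, Dict]) -> int:
    """Walk up the parent chain and stop below the first launcher process."""
    owner = pid
    cur = pid
    while cur in procs:
        if procs[cur]["image"].lower() in LAUNCHERS:
            break
        owner = cur
        cur = procs[cur]["ppid"]
    return owner


def group_members(owner_pid: int, children: Dict[int, List[int]]) -> List[int]:
    """All pids in the subtree rooted at the group owner."""
    members, stack = [], [owner_pid]
    while stack:
        pid = stack.pop()
        members.append(pid)
        stack.extend(children.get(pid, []))
    return members


def detect_script_chains(events: List[Dict], min_utilities: int = 2) -> List[Dict]:
    """Report causality groups owned by a script host that chain several system utilities."""
    procs, children = index_processes(events)
    owners = {causality_group_owner(pid, procs) for pid in procs}
    alerts = []
    for owner in sorted(owners):
        if procs[owner]["image"].lower() not in SCRIPT_HOSTS:
            continue
        images = sorted({procs[m]["image"].lower() for m in group_members(owner, children)})
        utilities = [img for img in images if img in SYSTEM_UTILITIES]
        if len(utilities) >= min_utilities:
            alerts.append({"cgo_pid": owner, "cgo": procs[owner]["image"], "images": images})
    return alerts


if __name__ == "__main__":
    for alert in detect_script_chains(EVENTS):
        print(alert)
```

Grouping by owner is what lets a single verdict cover the whole chain: once the group rooted at wscript.exe is judged malicious, every descendant (powershell.exe, mshta.exe, reg.exe) is terminated together, which is the behaviour the “Analysis” timeline above records.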
End of Activity 10
Once the install script completes, you will see the shell prompt again.
You are still the user “ubuntu”, confirming that the privilege escalation did not succeed.
Note the most recent event is “Kernel Privilege Escalation”. You may click that event to get further details.
End of Activity 11
Thank you for attending the Ultimate Test Drive event. We hope that you found the presentation and lab
activities enjoyable and informative.
In this Activity, we ask that you complete a short evaluation/survey to share your thoughts about this UTD.
We need and appreciate your guidance and advice.
In your browser, click the “Survey” tab among the list of the available desktop environments for the UTD.
Follow the on-screen instructions to complete the survey and submit your results.
End of Activity 12