ULTIMATE TEST DRIVE:
ADVANCED ENDPOINT
PROTECTION

Workshop Guide

UTD-AEP 2.0   Proprietary and Confidential   Last Update: 10/24/16
Copyright © - All Rights Reserved

 

 

Table of Contents
How to Use This Guide   4

Activity 1.   Initiate the UTD Workshop   5
1.   Login to Your UTD Class Environment   5
2.   Understand the UTD Environment Setup   6
3.   Adjust Display as Necessary   7

Activity 2.   Conduct a Ransomware Attack   10
1.   Understand the Attack Sequence   10
2.   Prepare the Drive-By Download   11
3.   Activate the Spearphishing Email   13
4.   Upload the Ransomware to Victim Client   15
5.   Run Ransomware Malware on Victim Client   17

Activity 3.   Prevent Ransomware Attack   21
1.   Verify Traps is Running on Client Desktop   21
2.   Attempt Ransomware Attack   22
3.   Witness Traps Preventing Ransomware Attack   23

Activity 4.   Explore the Endpoint Security Manager (ESM)   26
1.   Access the ESM Console   26
2.   Review Traps Prevention Event   28
3.   Review Multi-Method Prevention Settings   30

Activity 5.   Prevent Exploit Attack   37
1.   Attempt Ransomware Attack   37
2.   Disable Traps Exploit Prevention Modules   40

Activity 6.   Prevent Malware Attack   49
1.   Review Traps Multi-Method Malware Prevention   49
2.   Attempt to Execute Ransomware   50
3.   Create Unknown Malware   54
4.   Attempt to Run Ransomware Again   55
5.   Disable WildFire and Static Analysis   59
6.   Attempt Ransomware Attack Again   61

Activity 7.   Next-Generation Security Platform in Action   65
1.   Review the Next-Generation Security Platform   65
2.   Review Ransomware Attack Progression   66
3.   Retrieve Ransomware Through Firewall   68

Activity 8.   Complete the UTD Evaluation   70

Appendix 1.   Enabling the Firewall   71

Appendix 2.   Alternative Login Methods   75
 

 


How to Use This Guide

The activities outlined in this Ultimate Test Drive (UTD) Workshop Guide are meant to contain all the information necessary to navigate the workshop interface, complete the workshop activities, and troubleshoot any potential issues with the UTD environment. This guide is meant to be used in conjunction with the information and guidance provided by your facilitator.

Note: This workshop covers only basic topics and is not a substitute for training classes conducted by Palo Alto Networks Authorized Training Centers (ATC). Please contact your partner or regional sales manager for more information on available training and how to register for one near you.

Activity 1.   Initiate the UTD Workshop

In this Activity, you will:
• Login to the Ultimate Test Drive Workshop from your laptop
• Understand the layout of the environment and its various components
• Enable the Firewall to facilitate connectivity

1. Login to Your UTD Class Environment

Step 1. Confirm System Requirements
Verify that your laptop is equipped with a modern browser that supports HTML 5. We recommend using the latest version of Firefox, Chrome or Internet Explorer. We also recommend you verify that the latest Java client is installed in your browser.

Step 2. Navigate to Class URL
Open a browser window and navigate to the class URL. If you have an invitation email, you can find the Class URL and Passphrase in the invitation email. Otherwise, your instructor will provide you with the class URL and Passphrase.

Step 3. Login to the UTD Environment
Enter your email address and the Passphrase. Complete the Registration form and click "Login" at the bottom.

Once you have successfully logged in, the system will automatically create a unique UTD environment for you. Please note that this process may take a while, as indicated by the green progress bar on top of the screen.

Step 4. Enter the UTD Environment
Once the environment has been created, the system will display a welcome page. Click "Start Using This Environment" to begin using the environment.
Take note of the "Shortcut Menu" at the top of your browser window. This will display a list of all virtual systems that constitute the UTD environment. You will use this Shortcut Menu throughout the workshop to switch between the available desktops.

2. Understand the UTD Environment Setup

The UTD environment consists of the following components:
A. Attacker: This virtual machine is a Kali Linux system that hosts Metasploit, a penetration testing tool. It is the platform that you will use to take on the role of the attacker in our workshop exercises.

B. Traps Client: This Windows 7 virtual system is the main workstation through which you will carry out the exercises in our workshop. It is equipped with Traps.
C. Victim Client: This virtual system is identical to the Traps Client system with one exception: it is not equipped with Traps. You will use this system as the victim of the ransomware attack in our workshop.
D. ESM Server: The Endpoint Security Manager (ESM) is the administrative backend for Traps. It is the system through which you will modify the settings of Traps for our workshop exercises.
E. VM-Series Security Platform: This system is a Palo Alto Networks virtual next-generation firewall.
Review the diagram below to better understand the UTD environment setup.

3. Adjust Display as Necessary

In this Task, you will learn how to adjust the CloudShare display to suit your preferences.

Step 1. Access the Traps Client Desktop
In your browser, click the "Traps Client" link on the Shortcut Menu that lists the available desktop environments in the UTD. This will connect you to the "Traps Client" through your browser.

Step 2. Modify Screen Dimensions
If the dimensions of the desktop you're viewing are too big or too small for your laptop to display, you can adjust the resolution in one of two ways:
1. Using the drop-down above the desktop display
2. Clicking the "Fullscreen RDP" icon to maximize the display

NOTE: By default, the various desktops used in this UTD rely on RDP connections over HTML 5 protocol through the browser. If your browser does not support HTML 5 or if the student desktop is too small to use in your browser, please refer to Appendix 2: Alternative Login Methods to connect to the student desktop using Java or alternate RDP clients.
If you encounter connection issues with any of the desktop interfaces, click the "Reconnect" link above the desktop display to re-establish your connection. If reconnection to the environment remains unsuccessful, please inform the instructor for further assistance.

Note: Please leave the Traps Client browser tab open. We will return to it in a future Activity.

End of Activity 1

Activity 2.   Conduct a Ransomware Attack

In this Activity, you will:
• Become the attacker and launch a ransomware attack on a victim via a drive-by download, control the victim machine, and upload and run a ransomware malware on the system
• Experience a spearphishing attack as the victim and witness first-hand the breach of your endpoint system

1. Understand the Attack Sequence

In this Activity, you will assume the role of the Attacker and prepare and launch your ransomware attack against a victim machine. As a prerequisite, you must understand how the attack compromises the victim machine in this demonstration.
This ransomware attack involves two main stages:
1. Compromise endpoint via exploit
2. Deliver ransomware malware
To complete the first phase of the attack, you will use the Metasploit tool hosted on the Attacker workstation to prepare a webserver that delivers an exploit to the victim. When the victim clicks a link in a phishing email, he or she is redirected to the Attacker's website, where a zero-day Flash Player exploit (CVE-2015-5119) compromises the victim's endpoint system. Once the victim's system is compromised, the Attacker uploads the ransomware malware to the victim's machine and executes it.
This process is depicted in the figure below.

2. Prepare the Drive-By Download

In this task, you will configure the attacker system to serve the Hacking Team Flash zero-day exploit to the victim in response to the request for the web page that the phishing email sent to the victim links to.

Step 1. Access the Attacker Desktop
At the end of the previous Activity, you should have left the browser tab for the "Traps Client" desktop open. Since we will return to this desktop in a moment, we need to open the "Attacker" desktop in a separate browser tab.
Right-click the "Attacker" link on the Shortcut Menu that lists the available desktop environments in the UTD, then select the option that corresponds to "Open link in new tab" (may be a different prompt depending on your browser) to access that desktop in a new browser tab.
This launches a new browser tab and accesses the Attacker desktop. A terminal window is already open on the desktop.

Step 2. Launch the Metasploit Listener
In the terminal window, type the following command at the prompt and press the "enter/return" key:
./demo.sh
This will load Metasploit, configure it to listen for incoming connections, and serve the Hacking Team Flash zero-day exploit to the victim system. This process may take a while, so please be patient.
When Metasploit has completed loading, it should display the following prompt:
"msf exploit(adobe_flash_hacking_team_uaf) >"
The attacker system is now ready and online, waiting for a connection from the victim system.

3. Activate the Spearphishing Email

In this task, you take on the role of the victim. We assume that you (as the victim) have received a spearphishing email from the attacker, which includes a link to the attacker's listener service that you configured in the previous Task. You happily click the link and activate the next stage of the attack.

Step 1. Access the Victim Client Desktop
In order to see the various stages of the attack, you need to open the "Victim Client" desktop in a new browser tab.
Right-click the "Victim Client" link on the Shortcut Menu that lists the available desktop environments in the UTD, then select the option that corresponds to "Open link in new tab" (may be a different prompt depending on your browser) to access that desktop in a new browser tab.
This will open up a new browser tab and display the Victim Client desktop.

Note: You should not need the credentials for the user associated with the Victim Client. However, if the system does present you with a login screen on the Victim Client, click the icon associated with the user "Jen" and supply the password associated with that user (shown above the desktop display area). This password is "Password1".

Step 2. Launch Outlook and Access the Spearphishing Email
Microsoft Outlook is already open and running on the desktop. An email with the subject line "Someone has your password" is selected and displayed in the preview pane.
Click the link "Review Your Devices Now" in the email. This will open Internet Explorer, and after a small delay (depending on your network speed), display a webpage that resembles the Google account login page.
At this point, the attacker has already compromised the endpoint.

4. Upload the Ransomware to Victim Client

As noted in Step 2 of the previous Task, the Victim Client was already compromised as soon as the website content served from the Attacker systems began to display in the browser. In this Task, you will return to the role of the Attacker, upload your ransomware onto the Victim Client, and infect the machine.

Step 1. Access the Attacker Desktop
Click the browser tab that is associated with the Attacker environment. If you recall, you displayed the Victim Client in a new browser tab in the previous Task, so the Attacker desktop should still be visible in the browser tab you used in 2 above.

Note: If your connection to the Attacker desktop has been severed, click the "Reconnect" link above the desktop display area to re-establish your connection to that environment.

Click inside the Terminal window that is open on the desktop. Then, press the "enter/return" key a few times to get a new Metasploit prompt.
Notice that the Metasploit listener service received a request, sent a SWF file in reply, and opened a "Meterpreter" session to the Victim Client.

Step 2. Verify Open Session to Victim Client
In the Terminal window on the Attacker's desktop, type the following command to verify that you have an active Meterpreter session to the Victim Client system:
sessions
This will display a list of all active sessions currently running within Metasploit; it should be session #1, although that might not be the case if you refreshed the browser on the Victim Client desktop at any point.
An open session indicates that the Attacker has an active, direct connection to the Victim Client, which he or she can use to further compromise the system.
Note the "ID" of the active session connected to the Victim Client. This is the "Session ID" that you will need to enter in the next step.

Step 3. Initiate an Interactive Session with the Victim Client
Initiate an interactive session with the Victim Client by entering the following command at the Metasploit prompt (if the "Session ID" you noted in the previous step was not "1," remember to substitute your "Session ID" for the number "1" in this command):
sessions -i 1
This will initiate the interactive session, display the message "Starting interaction with 1," and change the prompt to a Meterpreter prompt: "meterpreter >"

At this point, you have connected to the Victim Client and can execute any number of available commands to exploit the system. To see a list of available commands, simply type "?" and press "enter/return" at the Meterpreter prompt. These include commands such as: reboot, shutdown, and keyscan_start (a keylogger), among others.
We will not explore the available Meterpreter commands in this exercise, but feel free to scroll up and down the list to see the available commands.

Step 4. Upload the Ransomware to the Victim Client
The Petya ransomware that is part of this attack sequence already resides on the Attacker machine. Upload it to the Victim Client by typing the following commands at the Meterpreter prompt:
cd /Windows
upload happy.exe
At this point, Meterpreter should display a message confirming that it successfully uploaded "happy.exe" to the Victim Client: "uploaded : happy.exe -> happy.exe"
We are now ready to launch our ransomware attack and infect the Victim Client.

5. Run Ransomware Malware on Victim Client

For this Task, you must be prepared to quickly switch over to the browser tab for the Victim Client as soon as you have launched the ransomware malware. This malware acts very quickly to infect a system, and if you remain in the Attacker environment, you will miss its actions.

Step 1. Execute the Ransomware Malware on the Victim Machine
Be prepared to switch to the browser tab for the Victim Client as soon as you enter the following command at the Meterpreter prompt (in the Attacker Terminal window):
execute -f happy.exe -H

Step 2. Witness the Ransomware Infect the Victim Machine
At this point, you should have quickly switched over to the browser tab for the Victim Client. Once the ransomware malware begins executing on the Victim Machine, it will simulate a "blue screen of death" that typically accompanies a Windows system crash and reboot the Victim Client.
The ransomware will simulate the process of checking the disk on the Victim Client (the CHKDSK process). However, the counter that indicates the progress will never stop counting.
Click the "Ctrl-Alt-Delete" button above the Victim Client desktop display to send that key sequence to the system.

This will display a flashing red and grey "skull and cross bone" image and prompt the user to "PRESS ANY KEY."
Click inside the "skull and cross bone" image and press the space bar. This should change the image to a ransomware warning page, with demands and instructions to submit your payment in order to unlock your system.

Congratulations! You are simultaneously an attacker and your own victim.
We will no longer be able to use this Victim Client. Close the browser tab associated with the Victim Client and return to the Attacker desktop.

Step 3. Close the Attacker Session
On the Attacker desktop, click inside the Terminal window and press the "enter/return" key a few times to display a Metasploit prompt.
We no longer need this attacker session, so type the following command to shut down Meterpreter:
exit
This will return you to the Metasploit prompt. Type the following command to shut down Metasploit as well.
exit
This will stop the attacker server and return you to the Terminal prompt.

Note: Leave the Attacker browser tab open. We will return to it in the next Activity.

End of Activity 2

Activity 3.   Prevent Ransomware Attack

In this Activity, you will:
• Access the Traps-Client desktop and verify that Traps is enabled
• Attempt the ransomware attack from the previous Activity
• Witness Traps preventing the ransomware attack

1. Verify Traps is Running on Client Desktop

In this Task, you will access the Traps Client environment and verify that Traps is running and activated before attempting the ransomware attack you used in the previous Activity.

Step 1. Access the Traps Client Desktop
At the end of the previous Activities, you should have left the browser tabs for the "Traps Client" and "Attacker" desktops open. Click the "Traps Client" browser tab to display that environment.

Step 2. Display Traps Client Console
Click the Traps icon on the Windows taskbar at the bottom of the desktop. This should display the Traps client console, which indicates that "Advanced Endpoint Protection is Enabled".
Note the date and time of the "Last Check-in" indicated on the bottom of the Traps client console. Click the "Check-in now" link to reconnect to the Traps Endpoint Security Manager (ESM) backend systems and retrieve any updated security policies. The link should change momentarily to "Connecting" and once the Traps client has completed the check-in process, it should return to "Check-in now."
At this point, you have verified that Traps is running on the Client desktop.

2. Attempt Ransomware Attack

In this Task, you will restart the processes that facilitate the ransomware attack we carried out against the Victim Client systems in our previous Activity.
You will configure the attacker system to serve the Hacking Team Flash zero-day exploit to the victim in response to the request for the web page that the phishing email sent to the victim links to.

Step 1. Access the Attacker Desktop
At the end of the previous Activity, you should have left the browser tab for the "Attacker" desktop open. Click the "Attacker" tab in your browser to display the Attacker desktop.
There should be a terminal window already open on the desktop. If one is not open, simply click the "Terminal" link on the very top of the desktop window and select "New Terminal" from the drop-down menu.

Step 2. Launch the Metasploit Listener
In the terminal window, type the following command at the prompt and press the "enter/return" key:
./demo.sh
This will load Metasploit, configure it to listen for incoming connections, and serve the Hacking Team Flash zero-day exploit to the victim system. When Metasploit has completed loading, it should display the following prompt:
"msf exploit(adobe_flash_hacking_team_uaf) >"
The attacker system is now ready and online, waiting for a connection from the victim system.

3. Witness Traps Preventing Ransomware Attack

In this task, we once again assume that you (as the victim) have received a spearphishing email from the attacker that includes a link to the attacker's listener service, which you configured in the previous Task. You happily click the link and activate the next stage of the attack. However, you now have Traps installed on your system.

Step 1. Access the Traps Client Desktop
Click the "Traps Client" tab in your browser to display that desktop. This returns you to the Traps Client desktop with the Traps client console still visible (from Task 1, Step 2 above).

Step 2. Launch Outlook and Access the Spearphishing Email
Microsoft Outlook is already open and running, and an email with the subject line "Someone has your password" is displayed in the inbox.

Click the link "Review Your Devices Now" in the email. This will open Internet Explorer, and after a small delay (depending on your network speed), display a webpage that resembles the Google account login website.
Recall from our previous Activity that the Attacker server detects the incoming connection and serves the SWF file for the Hacking Team zero-day exploit in reply to the request. At this point, Traps will detect the exploitation attempt, block it, and display a dialog box to inform you that it has prevented the security breach.
Traps freezes the Internet Explorer processes running in the browser tab, collects forensic data about the attack, and then terminates the exploitation attempt.
Click "OK" in the Traps notification dialog box to dismiss it. This will close the dialog box and terminate the Internet Explorer process that was targeted by the exploitation attempt.

Step 3. Verify that Traps Has Prevented the Attack
Click the "Attacker" tab in your browser. This should display the Attacker desktop.
Notice that the Attacker's system has detected the incoming request and served the SWF file that contains the exploit, but failed to establish an active session to the Traps Client machine.

Click inside the Terminal window on the Attacker desktop and press "enter/return" a few times to get a new Metasploit prompt: "msf exploit(adobe_flash_hacking_team_uaf) >".
Enter the following command at the Metasploit prompt:
sessions
This should display a response indicating that there are no active sessions.
This verifies that the Attacker's exploitation attempt failed, despite the fact that the SWF file containing the Hacking Team Flash zero-day exploit was delivered to the Traps Client machine.

Note: Leave the Attacker browser tab open. We will return to it in a future Activity.

End of Activity 3

Activity 4.   Explore the Endpoint Security Manager (ESM)

In this Activity, you will:
• Access the ESM Console
• Review the prevention notice from Traps, issued when it blocked the ransomware attack in the last Activity
• Learn more about the multi-method malware and exploit prevention capabilities of Traps and where to find their settings in the ESM

1. Access the ESM Console

In this Task, you will access the ESM Server environment and login to the management console.

Step 1. Access the ESM Desktop
At the end of the previous Activity, you should have left the browser tabs for the "Attacker" and "Traps Client" desktops open. Since we will return to these desktop environments in a moment, we need to open the ESM desktop in a separate browser tab.
Right-click the "ESM Server" link on the Shortcut Menu that lists the available desktop environments in the UTD, then select the option that corresponds to "Open link in new tab" (may be a different prompt depending on your browser) to access that desktop in a new browser tab.
This will display the ESM Server desktop. The Chrome browser should already be open and displaying the login prompt for the ESM management console.

If Chrome is not open, simply click the Chrome icon in the Windows Taskbar (on the left of the display) to launch Chrome. If necessary, click the "ESM Server-Login" shortcut on the Chrome bookmark bar to access the login prompt.

Step 2. Login to the ESM Console
Use the following credentials to login to the ESM console:
Name: student
Password: utd135
This should log you in to the console and display the main dashboard.

2. Review Traps Prevention Event

In this task, you will review the prevention event that Traps generated when it blocked the ransomware attack in its initial stages. Since the drive-by download begins with an exploitation attempt (Hacking Team Flash zero-day exploit), we expect to see an exploit prevention notice from your Traps Client system.

Step 1. View the Ransomware Prevention Security Event
Click the "Security Events" tab inside the ESM console. This should display a table that summarizes all the threats reported to the ESM by all endpoint agents.
In the case of our UTD environment, we should only have one security event reported: an exploit prevention listed in the row labeled "Exploits," under the "Preventions" heading.

Step 2. View the Exploit Prevention Record
Click "Exploits" in the left column of the display. This will display all the exploit prevention events recorded in the ESM. At this point, you can simply click the number in the summary table (the red number "1" in our case) to navigate directly to the exploit prevention event.
Notice that you can learn a great deal from the record displayed in the table, even without opening the event record itself:
• Date and time of the event
• Which computer was affected (Traps Client)
• Who the user was (user Jen on Traps Client)
• What operating system is running on the system (Windows 7)

 notice  the   web  address  for  the  “Attacker”  system  displayed  in  this  list   (“http://192.  This  will   display  additional  details  about  the  prevention  event.  should  you  choose  to  conduct  one  after  Traps  prevents  an  attack.exe  -­  Internet  Explorer)   •   What  exploit  prevention  module  in  Traps  prevented  the  exploitation  attempt   Step 3.150:8080”).  Specifically.exe)  was  quarantined   •   Source  Signers:  who  (if  any)  signed  the  executable  file     Note  that  you  can  also  display  additional  details  about  the  prevention  event  by  clicking   the  “Additional  Information”  in  the  prevention  event  record  display.   Scroll  down  in  the  list  of  “Recent  Files  and  URIs”  and  take  note  of  the  files  and  web   addresses  that  were  associated  with  this  ransomware  attack.168.   •   What  version  of  the  Traps  agent  is  running  on  the  system     •   Which  process  was  exploited  (iexplore.  including:   •   Source  Path:  the  path  to  the  application  that  was  exploited   •   Source  Version:  the  version  number  of  the  application   •   File  Quarantine:  whether  the  executable  file  (iexplore.     UTD-­AEP  2.0   Proprietary  and  Confidential   Page  29     Copyright  ©  -­  All  Rights  Reserved   .21.  Click  that  link  now.   Open the Exploit Prevention Record Click  the  record  in  the  table  that  corresponds  to  our  exploit  prevention  event.  This  type  of  information  is  critical  to  forensic   investigations.

3.  Review Multi-Method Prevention Settings
Traps replaces legacy antivirus with Multi-Method Prevention, a proprietary combination of malware and exploit prevention capabilities that preemptively block both known and unknown threats -- before they can compromise a system.

In this Task, you will review the settings for each of the malware and exploit prevention capabilities of Traps. This knowledge will provide you with the context that is necessary for you to understand the Tasks in the next Activity.

Step 1.   Review the Multi-Method Malware Prevention Capabilities of Traps
Traps provides several malware prevention methods, each of which includes multiple, purpose-built prevention techniques that are tuned for maximum performance and accuracy. These malware prevention capabilities include:
• WildFire Inspection & Analysis
• Static Analysis
• Execution Restrictions
• Trusted Publisher Identification
• Admin Override Policies
• Malware Quarantine

Please refer to the overview presentation that your workshop instructor delivered for an in-depth discussion of each malware prevention capability.

Step 2.   Review WildFire, Static Analysis, and Quarantine Settings
Click the “Policies” tab inside the ESM console. This should display a table that summarizes the policies configured in the ESM. You can display the policies for each of the “Exploit,” “Malware,” and “Forensics” capabilities by clicking on the associated link in the column on the left of this display.

Click the “WildFire” link under the “Malware” heading in the left column. This will display a table containing the default policies for WildFire.

Next, click the “WildFire On” policy in the table, which is the first policy in the list. This will display a summary of the settings of the policy.

Notice the policy settings that are visible in this view:
• WildFire activation is on: Traps will check unknown executables with WildFire for a verdict
• Action is prevention: Traps will prevent unknown executables that are deemed to be malicious
• Action is applied on grayware: Traps will apply the prevention action to grayware as well
• User alert is on: Traps will alert the user when an unknown executable is prevented from running
• Upload file for WildFire analysis is enabled: Traps will upload unknown executables to WildFire for analysis
• Local analysis is enabled: Traps will examine unknown executables with its local, static analysis engine
• Quarantine files is enabled: Traps will quarantine files that are deemed to be malicious

Click the “Edit” button to see how these settings are specified (and modified) in the policy. This will display the policy settings overlay window.

Feel free to click the other tabs in this display (“Conditions,” “Objects,” and “Name”) to see the additional conditions and settings that you could specify for each policy of this type.

When you have finished looking at the policy settings, click “Cancel” to close the window.

Step 3.   Review Execution Restrictions Settings
Click the “Restrictions” link under the “Malware” heading in the left column. This will display a table containing the Execution Restrictions policies defined in the ESM.

Click the first item in the table, which is a policy named “Prevent Execution from Temp Folders.” This will expand the display and show you additional details about the specific restrictions included in this policy.

Click the “Edit” button in the policy details view. This will display the “Restrictions” edit window.

Note the various restrictions that you can specify with policies such as this one. This policy only includes local folder restrictions, but you can specify many other restrictions; they are listed on the left of the edit window. Click through them to better understand what restrictions are available.

When you have finished reviewing the policy settings, click “Cancel” to close the window.

Step 4.   Review Admin Override Policy Settings
Click the “Hash Control” link under the “Malware” heading in the left column. This will display a table that lists all recent file executions (such as “iexplore.exe” and “taskhost.exe”), their hash values, associated WildFire verdicts, and other relevant information that define the Admin Override Policies in the ESM.

Click the first item in the table. This will expand the display and show you additional details about the specific executable file. Notice the buttons in this expanded display that allow you to override or specify any of the following actions for each executable (due to limitations of the CloudShare environment, you may need to use the right-arrow key on your keyboard to scroll the display to the right to see all available options):
• Treat as benign
• Treat as malware
• Report as incorrect
• WildFire Report

Step 5.   Review the Multi-Method Exploit Prevention Capabilities of Traps
Similar to its malware prevention capabilities, Traps provides several exploit prevention methods, each of which includes multiple, purpose-built prevention techniques that are tuned for maximum performance and accuracy. These exploit prevention methods include:
• Memory Corruption Prevention
• Logic Flaw Prevention
• Code Execution Prevention

Please refer to the overview presentation that your workshop instructor delivered for an in-depth discussion of each exploit prevention capability.

Step 6.   Review Exploit Prevention Settings
Click the “Protection Modules” link under the “Exploit” heading in the left column. This will display a table containing the default exploit prevention policies included with Traps. This is also where all custom exploit prevention policies will be listed (we will return to this table in a future Activity).

Click the first policy in the list, labeled “Test Exploit Protection Rule.” This will expand the display and show additional details about this particular policy.

Click the “Edit” button in the expanded display. This will display the “Exploit Protection Rule” edit window.

Note the various Exploit Protection Modules (EPMs) that correspond to the Traps exploit prevention methods; they are listed in a list on the left of this edit window.

Flip through the remaining tabs in the edit window to see the additional settings that you can specify for each exploit prevention policy.

When you have finished viewing the policy settings, click “Cancel” to close the window.

Note: Please leave the “ESM Server” browser tab open. We will return to it in the next Activity.

End of Activity 4

 

Activity 5.   Prevent Exploit Attack

In  this  Activity,  you  will:  

• Attempt  the  same  ransomware  attack  from  our  previous  Activity,  but  
this  time  with  Traps  installed  on  the  system  
• Disable  all  Traps  exploit  prevention  mechanisms  in  sequence  to  allow  
the  ransomware  attack  to  eventually  continue  

 

1.  Attempt Ransomware Attack
In  this  Task,  you  will  repeat  the  same  set  of  actions  from  Activity  3  above  to  access  the  
Traps  Client  environment,  verify  that  Traps  is  running  and  enabled,  and  attempt  the  
ransomware  attack  once  again.  Because  Traps  is  installed  on  the  Traps  Client,  it  will  
prevent  the  ransomware  attack  by  blocking  its  initial  stage,  which  is  the  exploitation  of  
Adobe  Flash  Player.  

Step 1.   Access the Traps Client Desktop and Verify Traps is Enabled
At the end of the previous Activities, you should have left the browser tabs for the
“Attacker,” “Traps Client,” and “ESM Server” desktops open. If they are not open, please
open each of these desktops in its own browser tab at this time.

Click  the  “Traps  Client”  tab  in  your  browser  to  access  that  desktop.    

Next,  click  the  icon  for  Traps  in  the  Windows  Taskbar  (bottom  of  the  display)  to  open  
the  Traps  client  console.  Verify  that  Traps  is  active  and  that  “Advanced  Endpoint  
Protection  is  Enabled.”  

You  have  now  verified  that  Traps  is  running  on  the  Traps  Client  desktop.  

Step 2.   Verify that Attacker Systems Are Ready
Click  the  “Attacker”  tab  in  your  browser.  This  should  display  the  Attacker  Desktop.    

There should be a terminal window already open on the desktop, with Metasploit loaded
and displaying the following prompt:

“msf  exploit(adobe_flash_hacking_team_uaf)  >”  

Click  inside  the  terminal  window  to  activate  it.  Then  press  the  “enter/return”  key  a  few  
times  to  ensure  the  Metasploit  system  is  running.  If  it  is  not,  please  reconnect  to  the  
Attacker  desktop.    

At  this  point,  the  attacker  system  is  ready  and  online,  waiting  for  a  connection  from  the  
victim  system.  

Step 3.   Access the Traps Client Desktop
Click  the  “Traps  Client”  tab  in  your  browser  to  display  that  desktop.  This  should  return  
you  to  the  Traps  Client  desktop  with  the  Traps  client  console  still  visible.  

Step 4.   Access the Spearphishing Email in Outlook
This  Step  repeats  the  same  sequence  of  actions  you  completed  to  trigger  the  
exploitation  of  the  Victim  Client  in  the  previous  Activity.  This  is  necessary  to  observe  
Traps  in  action.    

Click  the  Outlook  application  window  to  activate  it.  The  email  with  the  subject  line:  
“Someone  has  your  password”  is  displayed  in  the  inbox.  

 

Click the link “Review Your Devices Now” in the email. This will open Internet Explorer, display a webpage that resembles the Google account login website, and, after a small delay (depending on your network speed), Traps will detect the exploitation attempt, block it, and display a dialog box to inform you that it has prevented the security breach.

At this point, click “OK” in the Traps notification dialog box to dismiss it. This will close the dialog box and terminate the Internet Explorer process that was targeted by the exploitation attempt.

2.  Disable Traps Exploit Prevention Modules
In this Task, you will disable the Traps EPMs, in sequence, until the exploitation attempt finally succeeds.

Step 1.   Disable the DLL Security EPM
Click the “ESM Server” browser tab to display that desktop environment.

Next, click the “Security Events” tab in the ESM console, followed by the “Exploits” link on the left navigation list (under the “Preventions” heading). This will display the exploit prevention event from our ransomware prevention in the previous Task.

Click the first item in the list, which should be associated with the “Traps Client” system, “iexplore.exe” process, and “DLL Security” module. This will display an expanded view of the security event.

Now click the “Create Rule” button. This will display the “Exploitation Protection Rule” edit window and automatically fill in the necessary information from the security event to create a policy that disables the EPM (DLL Security, in this case).

Click the “Name” tab in the “Exploit Protection Rule” edit window and take note of the name that is automatically assigned to this new Policy.

Next, click “Apply” to create and activate this new policy rule. This disables the DLL Security EPM for the “iexplore.exe” process on the “Traps Client” system.

Verify this rule has been created by clicking the “Policy” tab in the ESM console display. By default, this will display the Protection Modules under the “Exploit” heading of the left navigation column.

Note that the first policy in this table has the following specifications:
• ID: A unique policy identifier assigned to this new policy
• Name: “Exploitation policy from Prevention on Traps Client”
• Description: “DLL Security on iexplore.exe is disabled where Traps Client included”

Be sure to note the ID of this new policy. You will use this information in the next Step.

Step 2.   Access the Traps Client Desktop
Click the “Traps Client” tab in your browser to display that desktop. This should return you to the Traps Client desktop.

Next, click the icon for Traps in the Windows Taskbar (bottom of the display) to open the Traps client console, and click the “Advanced” link to the right of the “Status” tab on the top portion of the Traps console window. This will display several additional tabs.

Finally, click the “Check-in now” link on the bottom of the Traps console window to retrieve the policy we just created in the previous step from the ESM Server.

Once the check-in process is completed, click the “Policy” tab and verify that the new EPM policy that you created in the previous Step has been applied to the Traps client. The ID associated with this policy should match the one you noted in the previous Step.

Step 3.   Access the Spearphishing Email in Outlook
Click the Outlook application window to activate it. Next, click the link “Review Your Devices Now” in the email that is displayed in the inbox. This will open up Internet Explorer, and after a small delay (depending on your network speed), begin to load the content our Attacker systems are serving. Traps will detect yet another exploitation attempt, block it, and display a new prevention alert window.

Click the “Show Details” button in the Traps prevention alert window. Then scroll down to the bottom of the list that appears. You will notice the “Component” referenced here is “ROP Mitigation.” Note that the “Prevention description” noted in this window refers to “ROP chain utilization.” We will see this information again in our next Step.

Click “OK” in the Traps prevention alert window to dismiss it. This will also terminate the Internet Explorer process.

Step 4.   Disable the ROP Mitigation EPM
Click the “ESM Server” browser tab to display that desktop environment.

Next, click the “Security Events” tab in the ESM console, followed by the “Exploits” link on the left navigation list (under the “Preventions” heading). This will display the exploit prevention events from our ransomware prevention so far.

Click the first item in the list, which should be associated with the “Traps Client” system, “iexplore.exe” process, and “ROP Mitigation” module, as expected. This will display an expanded view of the security event.

Now click the “Create Rule” button. This will display the “Exploitation Protection Rule” edit window and automatically fill in the necessary information from the security event to create a policy that disables the EPM (ROP Mitigation, in this case).

Simply click “Apply” to create and activate this new policy rule. This disables the ROP Mitigation EPM for the “iexplore.exe” process on the “Traps Client” system.

Verify this rule has been created by clicking the “Policy” tab in the ESM console display. By default, this will display the Protection Modules under the “Exploit” heading of the left navigation column.

Note that the first policy in this table has the following specifications:
• Name: “Exploitation policy from Prevention on Traps Client”
• Description: “ROP Mitigation on iexplore.exe is disabled where Traps Client included”

Notice how the policy name is the same as the one we created in our previous Steps. Ideally, an administrator would provide a more descriptive name instead of the default name assigned by the system in order to distinguish policies from one another. We will do that in the next step.

Step 5.   Access the Traps Client Desktop
Click the “Traps Client” tab in your browser to display that desktop. This should return you to the Traps Client desktop.

Next, click the icon for Traps in the Windows Taskbar (bottom of the display) to open the Traps client console. The “Policy” tab should be visible (recall that we displayed this tab by clicking the “Advanced” link adjacent to the “Status” tab in previous Steps).

Finally, click the “Check-in now” link on the bottom of the Traps console window to retrieve the policy we just created in the previous step from the ESM Server. Verify that the new EPM policy that you created in the previous Step has been applied to the Traps client.

Step 6.   Access the Spearphishing Email in Outlook
Click the Outlook application window to activate it.

Next, click the link “Review Your Devices Now” in the email that is displayed in the inbox. This will open up Internet Explorer, and after a small delay (depending on your network speed), begin to load the content our Attacker systems are serving. Traps will detect yet another exploitation attempt, as expected, block it, and display a new prevention alert window.

Click the “Show Details” button in the Traps prevention alert window. Then scroll down to the bottom of the list that appears. You will notice the “Component” referenced here is “Exception JIT Check.” Note that the “Prevention description” noted in this window refers to “Suspicious API call from an unsafe area (JIT).” We will see this information again in our next Step.

Click “OK” in the Traps prevention alert window to dismiss it. This will also terminate the Internet Explorer process.

Step 7.   Disable the JIT Mitigation EPM
Click the “ESM Server” browser tab to display that desktop environment.

Next, click the “Security Events” tab in the ESM console, followed by the “Exploits” link on the left navigation list (under the “Preventions” heading). This will display the exploit prevention events from our ransomware prevention so far.

Click the first item in the list, which should be associated with the “Traps Client” system, “iexplore.exe” process, and “JIT Mitigation” module. This will display an expanded view of the security event.

Now click the “Create Rule” button. This will display the “Exploitation Protection Rule” edit window and fill in the necessary information from the security event to disable the EPM (JIT Mitigation, in this case).

Click the “Name” tab in the edit window. This will display the “Rule Summary” area. Replace the name for this rule with “Disable JIT Mitigation on Traps Client.” Then click “Apply” to create and activate this new policy rule. This disables the JIT Mitigation EPM for the “iexplore.exe” process on the “Traps Client” system.

Verify this rule has been created by clicking the “Policy” tab in the ESM console display. By default, this will display the Protection Modules under the “Exploit” heading of the left navigation column.

Note that the first policy in this table has the following specifications:
• Name: “Disable JIT Mitigation on Traps Client”
• Description: “JIT Mitigation on iexplore.exe is disabled where Traps Client included”

Step 8.   Access the Traps Client Desktop
Click the “Traps Client” tab in your browser to display that desktop. This should return you to the Traps Client desktop.

Next, click the icon for Traps in the Windows Taskbar (bottom of the display) to open the Traps client console. The “Policy” tab should be visible (recall that we displayed this tab by clicking the “Advanced” link adjacent to the “Status” tab in previous Steps).

Finally, click the “Check-in now” link on the bottom of the Traps console window to retrieve the policy we just created in the previous step from the ESM Server. Verify that the new EPM policy that you created in the previous Step (“Disable JIT Mitigation on Traps Client”) has been applied to the Traps client.

Step 9.   Access the Spearphishing Email in Outlook
Click the Outlook application window to activate it. Next, click the link “Review Your Devices Now” in the email that is displayed in the inbox. This will open up Internet Explorer, and after a small delay (depending on your network speed), begin to load the content our Attacker systems are serving.

Now that we have disabled all relevant EPMs used by this exploit in Traps, Traps will not block the exploitation and the ransomware attack can finally continue to its next stage.

End of Activity 5

Activity 6.   Prevent Malware Attack

In this Activity, you will:

• Understand the sequence by which the multi-method malware prevention mechanisms of Traps are invoked
• Attempt the ransomware attack from our previous Activity
• Explore the multi-method malware prevention mechanisms of Traps as they prevent the ransomware attack

1.  Review Traps Multi-Method Malware Prevention
As we discussed earlier, Traps includes multiple malware prevention methods to block malicious executables, including the ransomware attack in our workshop exercise. Traps invokes these methods in sequence, depending on the specific circumstances and requirements, as depicted in the figure below. Review this sequence with your workshop instructor.

The typical sequence by which the multi-method malware prevention mechanisms of Traps are invoked includes:
1. Admin Override Policy: Traps checks for global policies, based on the hash of an executable file, to allow or block the execution of the file.
2. Trusted Publisher Identification: If an executable is signed by a reputable software developer/publisher, Traps will allow it to run.
3. WildFire Check: Traps checks for a malicious/benign verdict in WildFire for each unknown executable file (as identified by its file hash).
4. Upload to WildFire for Analysis: Traps uploads any unknown executable to WildFire for full analysis.
5. Static Analysis: Static analysis identifies new, unknown malware and unknown variants of known malware and blocks their execution.
6. Quarantine: Traps quarantines any executable file that it has identified as malware.

2.  Attempt to Execute Ransomware
In this Task, you will access the Attacker environment, upload the ransomware malware you have used in previous activities to the Traps Client environment, and attempt to execute the ransomware.

Step 1.   Verify that Attacker Systems Are Ready
Click the “Attacker” tab in your browser to display the Attacker Desktop.

There should be a terminal window already open on the desktop, with Metasploit loaded and displaying several entries indicating that weaponized SWF files were transmitted to the Traps Client system. These prompts are the results of your repeated attempts to activate the spearphishing email in the previous Activity, while you disabled the EPM protections of Traps in sequence.

The last entry in the Metasploit terminal window should indicate that a Meterpreter session was opened to the Traps Client system.
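As an added illustration (not code from this workshop guide, from Traps or from WildFire), the following Python model walks a file through the six stages listed in Task 1 above in the same order: the admin override keyed on the file hash, the trusted-publisher check, the cached WildFire verdict, the upload of unknowns, the local static analysis, and quarantine. It also shows the consequence that Task 3 of this Activity relies on: a changed hash no longer matches the WildFire verdict cache, so the content-based static analysis stage becomes the one that decides. The verdict tables, the trusted signer name, the sample bytes and the marker-counting classifier are constructed stand-ins, and the "no verdict" fallthrough is an assumption the guide does not describe.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple

class Verdict(Enum):
    BENIGN = "benign"
    MALWARE = "malware"
    GRAYWARE = "grayware"   # the WildFire policy applies its action to grayware too
    UNKNOWN = "unknown"

@dataclass
class Decision:
    allowed: bool
    stage: str                  # stage that produced the final verdict
    quarantined: bool = False
    uploaded: bool = False      # queued for full WildFire analysis
    trail: List[Tuple[str, str]] = field(default_factory=list)

@dataclass
class Policy:
    admin_overrides: Dict[str, Verdict]   # sha256 -> verdict set in Hash Control
    trusted_publishers: Set[str]
    wildfire_cache: Dict[str, Verdict]    # sha256 -> cached WildFire verdict
    block_grayware: bool = True
    upload_unknown: bool = True
    local_analysis: bool = True
    quarantine: bool = True

def sha256(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def _decide(v: Verdict, stage: str, policy: Policy, uploaded: bool, trail) -> Decision:
    # A blocked file is quarantined when the policy's quarantine setting is on.
    blocked = v is Verdict.MALWARE or (v is Verdict.GRAYWARE and policy.block_grayware)
    return Decision(not blocked, stage, blocked and policy.quarantine, uploaded, trail)

def evaluate(content: bytes, signer: Optional[str], policy: Policy,
             static_classifier: Callable[[bytes], Verdict]) -> Decision:
    """Walk the stages in the guide's order; the first stage with a verdict decides."""
    trail: List[Tuple[str, str]] = []
    digest = sha256(content)
    # 1. Admin Override Policy: a global allow/block keyed on the hash wins outright.
    if digest in policy.admin_overrides:
        v = policy.admin_overrides[digest]
        trail.append(("admin_override", v.value))
        return _decide(v, "admin_override", policy, False, trail)
    trail.append(("admin_override", "none"))
    # 2. Trusted Publisher Identification: a trusted signer allows execution.
    if signer in policy.trusted_publishers:
        trail.append(("trusted_publisher", signer))
        return Decision(True, "trusted_publisher", trail=trail)
    trail.append(("trusted_publisher", "unsigned" if signer is None else "untrusted"))
    # 3. WildFire Check: look the hash up in the cached verdicts.
    v = policy.wildfire_cache.get(digest, Verdict.UNKNOWN)
    trail.append(("wildfire_check", v.value))
    if v is not Verdict.UNKNOWN:
        return _decide(v, "wildfire_check", policy, False, trail)
    # 4. Upload to WildFire for Analysis: an unknown hash is queued for full analysis.
    uploaded = policy.upload_unknown
    trail.append(("wildfire_upload", "queued" if uploaded else "disabled"))
    # 5. Static Analysis: a content-based verdict that does not depend on the hash.
    if policy.local_analysis:
        v = static_classifier(content)
        trail.append(("static_analysis", v.value))
        if v is not Verdict.UNKNOWN:
            return _decide(v, "static_analysis", policy, uploaded, trail)
    # No stage decided: assumed to run while the WildFire verdict is pending (not in the guide).
    return Decision(True, "no_verdict", uploaded=uploaded, trail=trail)

# Constructed sample data: a fake PE-like blob carrying two marker strings.
SUSPICIOUS_MARKERS = [b"ENCRYPT_ALL_FILES", b"RANSOM_NOTE", b"PAY_TO_DECRYPT"]
SAMPLE = b"MZ" + b"\x00" * 6 + b"...ENCRYPT_ALL_FILES...RANSOM_NOTE.txt..."
TAIL = b"constructed-random-tail"   # stands in for the bytes hashchange.sh appends

def toy_static_classifier(content: bytes) -> Verdict:
    """Stand-in for the local static analysis engine: counts constructed markers."""
    hits = sum(marker in content for marker in SUSPICIOUS_MARKERS)
    return Verdict.MALWARE if hits >= 2 else Verdict.UNKNOWN

def build_policy() -> Policy:
    # The verdict cache already knows the sample's hash, as WildFire did in Task 2.
    return Policy({}, {"Example Publisher"}, {sha256(SAMPLE): Verdict.MALWARE})

def run_known_sample() -> Decision:
    """Known hash: blocked and quarantined at the WildFire check."""
    return evaluate(SAMPLE, None, build_policy(), toy_static_classifier)

def run_rehashed_sample() -> Decision:
    """Same bytes plus a tail: the hash is unknown, so local static analysis decides."""
    return evaluate(SAMPLE + TAIL, None, build_policy(), toy_static_classifier)

def run_overridden_sample() -> Decision:
    """'Treat as benign' in Hash Control: the admin override wins before any other stage."""
    policy = build_policy()
    policy.admin_overrides[sha256(SAMPLE)] = Verdict.BENIGN
    return evaluate(SAMPLE, None, policy, toy_static_classifier)
```

Each Decision carries a trail of (stage, outcome) pairs, which is the same information the Traps "Events" tab summarizes as the Prevention Description; turning local analysis off in the Policy shows the rehashed sample falling through with no verdict at all.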

Click inside the terminal window to activate it. Then press the “enter/return” key a few times to get a Metasploit prompt:

“msf exploit(adobe_flash_hacking_team_uaf) >”

At the Metasploit prompt, type the following command to verify that you have an active Meterpreter session to the Victim Client system:

sessions

This will display a list of all active sessions currently running within Metasploit. Note the “ID” of the active session with the Traps Client. We will use session ID #1 for the instructions below, but you should use the number that corresponds to your session ID.

Step 2.   Initiate an Interactive Session with the Traps Client
Initiate an interactive session with the Traps Client by entering the following command at the Metasploit prompt (assuming your session ID is 1):

sessions -i 1

This will initiate the interactive session, display the message “Starting interaction with 1...” and change the prompt to a Meterpreter prompt: “meterpreter >”

At this point, you have connected with the Traps Client and can now upload your ransomware sample to that system.

Step 3.   Upload the Ransomware to the Traps Client
The Petya ransomware that is part of this attack sequence already resides on the Attacker machine. Upload it to the Traps Client by typing the following commands at the Meterpreter prompt:

cd /Windows
upload happy.exe

At this point, Meterpreter should display a message confirming that it successfully uploaded “happy.exe” to the Traps Client: “uploaded : happy.exe -> happy.exe”

We are now ready to launch our ransomware attack and infect the Traps Client.

Step 4.   Execute the Ransomware Malware on Traps Client
Enter the following command at the Meterpreter prompt:

execute -f happy.exe -H

At this point, Meterpreter should indicate that a new process was created and executed on the target system.

Step 5.   Observe Traps Malware Prevention (WildFire Inspection)
Click the “Traps Client” tab in your browser. This should display the Traps Client desktop.

At this point, Traps will either have already identified and blocked this malware, or it will be in the process of doing so. In either case, you should see a Traps Prevention Alert window open on the Traps Client machine. It should indicate that Traps blocked “happy.exe” (per WildFire Module) and terminated the process.

Click “OK” to dismiss the alert window.

Switch over to the Traps console by clicking its icon in the Windows Taskbar. Then click the “Events” tab in the Traps console window (recall that we displayed this tab by clicking the “Advanced” link adjacent to the “Status” tab in previous Steps). This will display all recent security events recorded on this system.

Note the first line of this list. Now click the record that corresponds to that security event. This should display additional details about the security event. The “Prevention Description” field should indicate Traps blocked an “Attempted execution of WildFire-detected malware.”

If you recall our review of the sequence of prevention methods in Task 1 of this Activity, Traps has already conducted the following prevention checks to arrive at this point:
1. Admin Override Policy: None exists, so Traps proceeded to the next step.
2. Trusted Publisher Identification: This executable is not signed, so Traps proceeded to the next step.
3. WildFire Check: This malware is already known to WildFire (as identified by its file hash), so Traps blocked it.
4. Quarantine: Since the executable file was a known malware, Traps quarantined the file.

Note that the first line in the “Details” window indicates that Traps quarantined the malware (as indicated by the entry “Quarantine: Yes”).

Since this malware has a file hash that is identified as a known malware in the WildFire threat intelligence cloud (and now in the local cache of this Traps agent and the ESM), Traps will block it every time it attempts to run.

3. Create Unknown Malware

In this Task, you will change the file hash of our ransomware sample, “happy.exe”, using a command line tool. This will create a file that is essentially unknown to Traps and WildFire.

In order to see the local Static Analysis prevention method, we need to create a malware sample with a file hash that is unknown to both Traps and WildFire.

Click the “Attacker” tab in your browser. This will display the Attacker desktop with a terminal window already open with a Meterpreter prompt. Since we will use this prompt once again in a few moments, we need to open a new Terminal window.

Right-click the “Terminal” link on the very top of the Attacker desktop window, then select “New Terminal” from the drop-down list. This will display a new Terminal window.

In the new Terminal window, type the following command to get a listing of all files in the root directory:

ls

The file “hashchange.sh” will be listed among the files on the root user’s home directory.

In the new Terminal window, type the following command to modify the file hash for the “happy.exe” ransomware sample:

./hashchange.sh

This will display the 64-character hash value of the file “happy.exe”, add a small segment of random data to the end of the file, and display the new hash value for the modified file. Note the difference between the hash values before and after the change.

This malware file is now essentially unknown to Traps and WildFire because it has a new file hash.

4. Attempt to Run Ransomware Again

In this Task, you will upload the ransomware malware you created in the previous Task to the Traps Client environment and attempt to execute the ransomware.

Step 1. Upload Modified Ransomware to the Traps Client

In the Attacker desktop window, click inside the initial terminal window that still displays the Meterpreter prompt (“meterpreter >”). This window should still be visible under the new Terminal window that you used in the previous Task to modify the ransomware sample.

Upload the modified ransomware sample you created in the previous Task to the Traps Client by typing the following commands at the Meterpreter prompt:

upload happy.exe

At this point, Meterpreter should display a message confirming that it successfully uploaded “happy.exe” to the Traps Client: “uploaded : happy.exe -> happy.exe”

We are now ready to launch our new ransomware with an unknown file hash to infect the Traps Client.

Step 2. Execute the Ransomware Malware on Traps Client

Enter the following command at the Meterpreter prompt:

execute -f happy.exe -H

At this point, Meterpreter should indicate that a new process was created and executed on the target system.

Step 3. Observe Traps Malware Prevention (Static Analysis)

Click the “Traps Client” tab in your browser. This should display the Traps Client desktop.

At this point, Traps will either have already identified and blocked this malware, or it will be in the process of doing so. In either case, you should see a Traps Prevention Alert window open on the Traps Client machine.

The “Prevention Description” field should indicate Traps blocked an “Attempted execution of locally-detected malware.”

If you recall our review of the sequence of prevention methods in Task 1 of this Activity, Traps has already conducted the following prevention checks to arrive at this point:

1. Admin Override Policy: None exists, so Traps proceeded to the next step.
2. Trusted Publisher Identification: This executable is not signed, so Traps proceeded to the next step.

3. WildFire Check: This malware is unknown to WildFire (as identified by its file hash), so Traps proceeded to the next step.
4. Static Analysis: Static analysis correctly identifies this new malware sample as malicious and blocks its execution.
5. Upload to WildFire for Analysis: Since the executable is unknown to WildFire, Traps uploaded it to WildFire for full analysis.
6. Quarantine: Since the executable file was identified as malware, Traps quarantined the file.

Click “OK” to dismiss the alert window.

If the Traps console is not visible on the desktop, bring it to the forefront by clicking its icon in the Windows Taskbar. Then click the “Events” tab in the Traps console window. This will display all recent security events recorded on this system.

Note the first line of this list. It should indicate that Traps blocked “happy.exe” (per Local Analysis Module) and terminated the process.

Now click the record that corresponds to that security event. This should display additional details about the security event.

Note that the first line in the “Details” window indicates that Traps quarantined the malware (as indicated by the entry “Quarantine: Yes”).

Step 4. Observe Upload of Unknown Malware to WildFire for Full Analysis

Click the “ESM Server” browser tab to access that desktop environment. This should display the ESM Server console.

Note: Since we have not used this environment for some time now, it is possible that the CloudShare system has disconnected your session. If you realize that the environment does not respond to your mouse clicks or keystrokes at this point, simply click the “Reconnect” link above the ESM Server desktop display area in your browser tab. That will reconnect you to the ESM Server system.

In the ESM Server console, click the “Policies” tab. This will display the Exploit Protection Modules (by default).

In the left navigation area, click the “Hash Control” link under the “Malware” heading. This will display a table of all executable files that have been run on the endpoints connected to the ESM Server, along with their respective verdicts.

Notice “happy.exe” among the first few entries in this table, along with its (new) hash and a verdict of malware (indicated by the red “X”) obtained via Local Analysis (another name for Static Analysis). Also note that the ESM is uploading this malware to WildFire, as indicated by the icon under the “Upload Status” column in the table.

This upload process occurs without delay in production environment deployments. However, in the bandwidth-limited CloudShare environment, the upload process may take some time.

Once the upload has been completed, WildFire will analyze the unknown malware sample, render a verdict, and transmit that verdict back to the ESM Server. The updated verdict will then be visible in this table.

5. Disable WildFire and Static Analysis

In this Task, you will disable the WildFire and Static Analysis malware prevention capabilities of Traps to allow the execution of your malware on Traps Client.

Step 1. Disable WildFire and Static Analysis Policy

In the ESM Server console, click the “Policies” tab, followed by the “WildFire” link under the “Malware” heading in the left column navigation area. This will display the list of WildFire policies currently configured on the ESM.

Click the first entry in the table (the policy named “WildFire On”) to display its expanded information area.

Notice the policy settings that are visible in this view:

• WildFire activation is on: Traps will check unknown executables with WildFire for a verdict
• Action is prevention: Traps will prevent unknown executables that are deemed to be malicious
• Action is applied on grayware: Traps will apply the prevention action to grayware as well
• User alert is on: Traps will alert the user when an unknown executable is prevented from running
• Upload file for WildFire analysis is enabled: Traps will upload unknown executables to WildFire for analysis
• Local analysis is enabled: Traps will examine unknown executables with its local, static analysis engine
• Quarantine files is enabled: Traps will quarantine files that are deemed to be malicious

Click the “Edit” button to modify this policy. This will display the WildFire policy editor window, with the “Settings” tab visible. From the “WildFire Activation” drop-down, select the “Off” option. This will disable the WildFire, Static Analysis, and Quarantine features of Traps.

Next, click the “Name” tab in the same editor window to display the name that is automatically assigned to this policy (“WildFire On”).

Change the name of the policy to “WildFire is Off” in the text box labeled “Fill in the rule name” and click the “Apply” button to save your changes. This will return you to the list of WildFire policies currently configured on the ESM.

Step 2. Check-in on the Traps Client Desktop

Click the “Traps Client” tab in your browser to display that desktop. The Traps client console should already be visible. Otherwise, click the Traps icon in the Windows Taskbar (bottom of the display) to open the Traps client console.

Next, click the “Check-in now” link on the bottom of the Traps console window to retrieve from the ESM Server the changes in the WildFire policy that you just enacted in the previous Step. This should return you to the Traps Client desktop.

Click the “Policy” tab in the Traps client console. Verify that the “WildFire is Off” policy that you created in the previous Step is now displayed among the policies in effect on this Traps client.

6. Attempt Ransomware Attack Again

In this Task, you will upload the updated ransomware malware you created in the previous Task (the malware with the new file hash) to a temporary directory on the Traps Client environment and attempt to execute the ransomware.

Step 1. Create a Temp Directory on the Traps Client

Click the “Attacker” browser tab to access that desktop window. Click inside the initial terminal window that still displays the Meterpreter prompt (“meterpreter >”). Next, hit the “enter/return” key a few times to make sure your session is still active.

Create the new directory “C:\Temp” on the Traps Client machine by entering the following commands at the Meterpreter prompt in sequence (and hitting the “enter/return” key after each command):

cd /
mkdir Temp
cd Temp

Step 2. Upload Modified Ransomware to Traps Client

Now upload the modified ransomware sample you created in the previous Task to the Traps Client by typing the following commands at the Meterpreter prompt:

upload happy.exe

At this point, Meterpreter should display a message confirming that it successfully uploaded “happy.exe” to the Traps Client: “uploaded : happy.exe -> happy.exe”

We are now ready to launch our new ransomware with an unknown file hash to infect the Traps Client.

Step 3. Execute the Ransomware Malware on Traps Client

Enter the following command at the Meterpreter prompt:

execute -f happy.exe -H

At this point, Meterpreter should indicate that a new process was created and executed on the target system.

Step 4. Observe Traps Malware Prevention (Execution Restrictions)

Click the “Traps Client” tab in your browser. This should display the Traps Client desktop.

At this point, Traps will either have already identified and blocked this malware, or it will be in the process of doing so. In either case, you should see a Traps Prevention Alert window open on the Traps Client machine.

The “Prevention Description” field indicates that Traps blocked an “Attempted execution from a restricted folder.”

If you recall our review of the Execution Restrictions policies through the ESM Server console (Activity 4 > 3 > Step 3 above), Traps was programmed to prevent execution of programs from the “C:\Temp” directory. This is precisely what happened in this Step.

Execution Restrictions are the final set of prevention methods in the sequence of malware prevention checks that led us to this point:

1. Admin Override Policy: None exists, so Traps proceeded to the next step.
2. Trusted Publisher Identification: This executable is not signed, so Traps proceeded to the next step.
3. WildFire Check: You had disabled this check, so Traps proceeded to the next step.
4. Static Analysis: You had disabled this check as well, so Traps proceeded to the next step.
5. Upload to WildFire for Analysis: Again, you had disabled the WildFire check and upload, so Traps did not upload the file to WildFire for full analysis.
6. Quarantine: You had disabled the previous checks that would have identified the file as malware, so Traps proceeded to the next step.
7. Execution Restrictions: The malware file was executed from the “C:\Temp” directory that was blacklisted in the policy, so Traps prevented it from running.

Click “OK” to dismiss the alert window.

If the Traps console is not visible on the desktop, bring it to the forefront by clicking its icon in the Windows Taskbar. Then click the “Events” tab in the Traps console window. This will display all recent security events recorded on this system.

Note the first line of this list. It should indicate that Traps blocked “happy.exe” (per Execution Protection Module) and terminated the process.

Now click the record that corresponds to that security event. This should display additional details about the security event.

Note that the first line in the “Details” window indicates that Traps did not quarantine the malware (as indicated by the entry “Quarantine: No”), because it was not specifically identified as malware.

Step 5. Clean Up the Environment

Close the Traps client console window, Internet Explorer, and Outlook by clicking the “X” on the top-right corner of each window.

Click the “Attacker” browser tab to display that desktop environment. Next, click inside the Terminal window that should still be displaying the Meterpreter prompt (“meterpreter >”). Hit the “enter/return” key a few times to display a new prompt. The Meterpreter session should have automatically terminated (since you shut down Internet Explorer in the Traps Client environment).

At the Metasploit prompt (“msf exploit(adobe_flash_hacking_team_uaf) >”), type the following commands, hitting the “enter/return” key after each:

exit
clear

End of Activity 6
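The malware prevention sequence walked through in this Activity (a known hash stopped by the WildFire check, a changed hash stopped by local analysis and uploaded for full analysis, and WildFire off with the file in C:\Temp stopped by Execution Restrictions without quarantine), modelled as an added Python example that is not part of the workshop guide or of Traps. The “happy.exe” bytes, the WildFire verdict table and the local-analysis check are constructed stand-ins, and the trusted-publisher outcome is an assumption, not something the guide states.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    # Settings from the ESM WildFire policy view, plus the Execution Restrictions folder list.
    wildfire_on: bool = True         # "WildFire activation is on"
    upload_unknown: bool = True      # "Upload file for WildFire analysis is enabled"
    local_analysis: bool = True      # "Local analysis is enabled" (static analysis)
    quarantine: bool = True          # "Quarantine files is enabled"
    restricted_folders: tuple = (r"C:\Temp",)   # Execution Restrictions blacklist


@dataclass
class Executable:
    name: str
    folder: str                      # folder the file is launched from
    content: bytes
    trusted_publisher: bool = False  # signed by a trusted publisher? (assumed to allow the file)


@dataclass
class Result:
    blocked_by: Optional[str] = None   # None means the file was allowed to run
    quarantined: bool = False
    uploaded_to_wildfire: bool = False
    checks: tuple = ()                 # audit trail of the checks, in order


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the lab's "happy.exe": bytes whose hash the simulated
# WildFire cloud already carries a malware verdict for.
KNOWN_SAMPLE = b"MZ\x90\x00 constructed-lab-sample: happy.exe \x00"
WILDFIRE_VERDICTS = {sha256(KNOWN_SAMPLE): "malware"}
# The "modified" sample: the same content with a short tail appended (what
# hashchange.sh does), which changes the hash but not what the file contains.
MODIFIED_SAMPLE = KNOWN_SAMPLE + b"\x9f\x11\x7a\x02\xc3\x5d"


def local_static_analysis(content: bytes) -> str:
    # Constructed stand-in for the local analysis engine: it inspects the file's
    # content, not its hash, so appended padding does not change its verdict.
    # (Traps' real engine is a trained classifier, not this substring test.)
    return "malware" if b"constructed-lab-sample" in content else "benign"


def in_restricted_folder(folder: str, restricted: tuple) -> bool:
    f = folder.rstrip("\\").lower()
    return any(f == r.rstrip("\\").lower() or f.startswith(r.rstrip("\\").lower() + "\\")
               for r in restricted)


def evaluate(exe: Executable, pol: Policy) -> Result:
    """Apply the prevention checks in the order the workshop walks through."""
    checks = ["admin_override:none"]                    # 1. no override rule exists in the lab
    if exe.trusted_publisher:                           # 2. trusted publisher identification
        return Result(checks=(*checks, "trusted_publisher:allowed"))
    checks.append("trusted_publisher:unsigned")
    blocked_by, uploaded = None, False
    if not pol.wildfire_on:
        # "WildFire Activation: Off" switches off the hash check and, with it,
        # local analysis, the upload and quarantine (as the policy editor notes).
        checks.append("wildfire:disabled")
    else:
        verdict = WILDFIRE_VERDICTS.get(sha256(exe.content), "unknown")
        checks.append(f"wildfire:{verdict}")            # 3. WildFire hash check
        if verdict == "malware":
            blocked_by = "wildfire"
        else:
            if pol.local_analysis:                      # 4. local static analysis
                local = local_static_analysis(exe.content)
                checks.append(f"local_analysis:{local}")
                if local == "malware":
                    blocked_by = "local_analysis"
            if pol.upload_unknown:                      # 5. upload the unknown file for full analysis
                uploaded = True
                checks.append("wildfire_upload:queued")
    quarantined = pol.quarantine and blocked_by is not None   # 6. quarantine identified malware only
    if blocked_by is None and in_restricted_folder(exe.folder, pol.restricted_folders):
        blocked_by = "execution_restriction"            # 7. execution restrictions (folder blacklist)
        checks.append(f"execution_restriction:{exe.folder}")
    return Result(blocked_by, quarantined, uploaded, tuple(checks))


def run_scenarios() -> dict:
    """The four situations the workshop produces, keyed by a short label."""
    on, off = Policy(), Policy(wildfire_on=False)       # "WildFire On" vs "WildFire is Off"
    return {
        "known_hash_windows_on": evaluate(Executable("happy.exe", r"C:\Windows", KNOWN_SAMPLE), on),
        "new_hash_windows_on": evaluate(Executable("happy.exe", r"C:\Windows", MODIFIED_SAMPLE), on),
        "new_hash_windows_off": evaluate(Executable("happy.exe", r"C:\Windows", MODIFIED_SAMPLE), off),
        "new_hash_temp_off": evaluate(Executable("happy.exe", r"C:\Temp", MODIFIED_SAMPLE), off),
    }


if __name__ == "__main__":
    for label, r in run_scenarios().items():
        print(f"{label:22} blocked_by={r.blocked_by} quarantined={r.quarantined} "
              f"uploaded={r.uploaded_to_wildfire} checks={r.checks}")
```

The third scenario is the one the lab never shows on screen: with WildFire off and the file outside C:\Temp, nothing in the sequence stops it, which is why the folder restriction was the last line of defense in Task 6.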

Activity 7. Next-Generation Security Platform in Action

In this Activity, you will:

• Learn how the Palo Alto Networks Next-Generation Security Platform automates prevention
• Validate that the threat intelligence gained from Traps preventions results in new prevention capabilities automatically programmed into the firewall

1. Review the Next-Generation Security Platform

Review the Palo Alto Networks Next-Generation Security platform with your workshop instructor.

2. Review Ransomware Attack Progression

In this Task, you will review the threat intelligence that Traps has gathered so far from your actions in previous Activity tasks.

Step 1. Verify Ransomware Upload to WildFire

In the last set of tasks of the previous Activity, you used a command line tool to modify the ransomware executable “happy.exe” to create a new malware with a file hash that was unknown to both Traps and WildFire.

The local Static Analysis check in Traps correctly blocked this newly modified ransomware, quarantined the file, and transmitted the file to WildFire for full analysis.

Click the “ESM Server” browser tab to access that desktop environment. This should display the ESM Server console.

Note: Since we have not used this environment for some time now, it is possible that the CloudShare system has disconnected your session. If you realize that the environment does not respond to your mouse clicks or keystrokes at this point, simply click the “Reconnect” link above the ESM Server desktop display area in your browser tab. That will reconnect you to the ESM Server system.

In the ESM Server console, click the “Policies” tab. This will display the Exploit Protection Modules (by default).

In the left navigation area, click the “Hash Control” link under the “Malware” heading. This will display a table of all executable files that have been run on the endpoints connected to the ESM Server, along with their respective verdicts.

Notice “happy.exe” among the first few entries in this table, along with its (new) hash and a verdict of malware (indicated by the red “X”) obtained via Local Analysis (another name for Static Analysis). The ESM upload of this malware to WildFire should have been completed at this point, as indicated by the icon under the “Upload Status” column in the table.

Step 2. Retrieve WildFire Report

In the Hash Control table, click the record that corresponds to the (modified) “happy.exe.” This will display an expanded information area.

Use the right-arrow key on your keyboard to scroll right in the table to display the “WildFire Report” button in this expanded information area.

Click the “WildFire Report” button to download the report. Internet Explorer will download the report and display a download bar on the bottom of the browser window.

Click the button on the download bar that corresponds to the file you just downloaded. This will open the PDF file in a separate browser tab.

Review the WildFire report to learn more about the types of information WildFire reveals through its full analysis of the ransomware file.

3. Retrieve Ransomware Through Firewall

In this Task, you will retrieve the modified ransomware file through the Next-Generation Firewall that is deployed in the UTD environment. The threat intelligence gained through the WildFire analysis will have automatically reprogrammed the Next-Generation Firewall in the UTD environment to prevent access to the malware file.

Step 1. Transfer Ransomware to Web Server

For this Step, we will use the web server that is located on the Attacker system. The Attacker system is equipped with a separate network interface that is routed through the Next-Generation Firewall, so the firewall will evaluate and secure any requests directed to the web server through this interface.

Click the “Attacker” browser tab to display that desktop environment. Next, click inside either of the terminal windows that are currently open on the Attacker desktop system, and type the following command to transfer “happy.exe” to the root directory of the web server:

cp happy.exe /var/www/ngfw

Step 2. Verify Ransomware Transfer to Web Server

Click the “Traps Client” browser tab to display that desktop environment. Next, launch Internet Explorer by clicking its icon in the Windows Taskbar.

Finally, click the “Web Server” shortcut on the Favorites bar of Internet Explorer to access the root directory of the web server. This should display the index of the web server files, including “happy.exe.”

Step 3. Attempt to Retrieve the Ransomware File

In the list of files from the web server that are displayed in the browser, click the name of our ransomware file, “happy.exe.”

The browser should now display a message stating that “Virus/Spyware Download Blocked” and identify the file that you attempted to download, “happy.exe.”

This verifies that when Traps encountered an unknown malware (the modified ransomware) and submitted it to WildFire for analysis, the threat intelligence gained from that analysis automatically reprogrammed the Next-Generation Firewall in the UTD environment to block the transfer of the file through the firewall.

End of Activity 7

Activity 8. Complete the UTD Evaluation

Thank you for attending the Ultimate Test Drive event. We hope that you found the presentation and lab activities enjoyable and informative.

We need and appreciate your guidance and advice. In this Activity, we ask that you complete a short evaluation/survey to share your thoughts about this UTD.

Step 1. Complete a Brief Survey

In your browser, click the “Survey” tab among the list of the available desktop environments for the UTD. Follow the on-screen instructions to complete the survey and submit your results.

End of Activity 8

Appendix 1. Enabling the Firewall

If the firewall is not connected to the Internet, you can enable the firewall to allow internet connectivity.

Step 1. Access the Traps Client Desktop

In your browser, click the “Traps Client” link on the Shortcut Menu that lists the available desktop environments in the UTD. This will connect you to the “Traps Client” through your browser.

Step 2. Login to the Firewall Interface

Launch the Internet Explorer browser on the Traps Client. Click the “NGFW” bookmark located on the Favorites bar directly below the address bar of the browser. This will display the firewall authentication prompt.

Use the following credentials to login to the Firewall:

Name: student
Password: utd135

This logs you in to the firewall and displays the main dashboard.

Step 3. Enable Firewall Interface “ethernet1/1”

Click the “Network” tab, then click the “Interfaces” node on the left-hand side. This will display all the interfaces configured for the firewall.

Click the interface “ethernet1/1” under the “Ethernet” tab. This will display the configuration dialog box.

Click the “Advanced” tab and select “up” in the “Link State” drop-down to the right of the dialog box; then click “OK” to return to the network interface listing.

Click “Commit” in the upper right-hand corner of the dashboard. This will display a confirmation pop-up. Click “Commit” in the pop-up window to confirm your choice. This will display the Commit Status dialog box containing a progress bar.

Once the process has completed, click “Close” in the pop-up window to return to the network interface listing. The “Link Status” of “ethernet1/1” has turned green now that the interface is up.

Step 4. Verify Internet Connectivity

Open a new tab in the browser window and confirm Internet connectivity by visiting http://www.google.com.

(Note that only the google-base application is enabled in the firewall policy; other web sites will be blocked.)

Once you have verified internet connectivity, close the browser by clicking the “X” in the top-right corner of the browser’s application window.

Appendix 2. Alternative Login Methods

This appendix provides instructions for logging into the UTD desktop environments using an alternative, Java-based connectivity method.

Please complete the procedures outlined in Activity 1 > 1 (“Login to Your UTD Class Environment”) to login to the UTD before you continue.

Step 1. Select the Desired Desktop

Click the desired desktop environment among the list of available desktops in the UTD (after logging in to the UTD workshop).

Step 2. Switch to Console Mode

Click the Console link above the desktop display area to “switch to Console” mode. This will launch the Java client.

Step 3. Run Java Client

When prompted, click the “Don’t Block” button on the Java Security Warning message. When prompted, allow Java to run the “VncViewer” application. You may need to click “Run” a few times.

After allowing the Java client to run, the system will display the desired desktop.

Step 4. Login to the Desktop Environment

Click the “Send Ctrl-Alt-Del” button above the desktop display area to open the login prompt. Next, use the Username and Password (indicated above the desktop display area in your browser) that correspond to the desktop environment you have chosen to log into the desktop.