Version 1.1
R80.20M1 Management,
R80.10 GW with JHF 70 and Web Extraction HF,
E80.85 SandBlast Agent
Change log
Editor | Date | Version | Comments
Boaz Barzel | 20-Aug-2018 | V1.0 | Document creation, combining SandBlast Network and SandBlast Agent scenarios
Boaz Barzel | 30-Aug-2018 | V1.1 | Minor fixes and enhancements
Threat Emulation performs deep CPU-level inspection, stopping even the most dangerous
attacks before malware has an opportunity to deploy and evade detection. SandBlast Threat
Emulation uses OS-level inspection to examine a broad range of file types, including
executables and data files. With its unique inspection capabilities, SandBlast Threat Emulation
delivers the best possible catch rate for threats, and is virtually immune to attackers’ evasion
techniques.
SandBlast Threat Extraction complements this solution by promptly delivering safe content, or
clean and reconstructed versions of potentially malicious files, maintaining uninterrupted
business flow. By eliminating unacceptable delays created by traditional sandboxes, Threat
Extraction makes real-world deployment in prevent mode possible, not just issuing alerts, but
blocking malicious content from reaching users at all.
Check Point SandBlast Zero-Day Protection provides complete detection, inspection and
protection against the most dangerous zero-day and targeted attacks at the network.
2. Threat Emulation and Threat Extraction inspection of a malicious document attached to an email.
Threat Extraction will clean the document and convert it to pdf, providing the user with a safe and
sanitized file within seconds. Threat Emulation will inspect the file in parallel and will detect that
the file is malicious. The user will not be able to receive the original file since it was detected as
malicious by Threat Emulation.
4. Web extraction through the GW without any client installation, seamless to the user.
Threat Extraction on the GW will intercept file downloads and convert the document to a flat pdf,
providing the user with a safe and sanitized copy of the file in seconds.
In parallel, Threat Emulation will emulate the file, and if the file is malicious the user will not be able
to receive the original file. If the file is not malicious the user will be able to get the original file
themselves. If a file is already known as malicious, it will be prevented before extraction.
Network protection doesn’t cover all attack vectors. Some solutions are best utilized at the endpoint
level and can supply additional layers of protection to users and organizations.
Check Point SandBlast is a multi-layered approach designed to block zero-day and advanced
attacks, on the network and, with the SandBlast Agent, also on the endpoint.
[Lab topology diagram: networks 192.168.58.0/24 and 10.58.0.0/24. Hosts shown: Dan-PC, Bob-PC, Attacker/Unprotected, Network Protected, Domain Controller, R80.20_M1 Management + Smart Event (10.58.0.100), and the R80.10 + JHF70 + Web extraction HF gateway. Addresses shown on the diagram: 192.168.58.144, 192.168.58.10, 192.168.58.22, 192.168.58.133, 10.58.0.254, 10.58.0.200, 10.58.0.50]
Important information
Use the Resources tab to review the environment and guide version before you start
Threat Emulation and forensics reports can sometimes take about 1-2 minutes to appear; if
you don’t see the link, refresh the logs.
This demo script includes three parts: SandBlast Network and Anti-Bot scenarios, SandBlast
Agent scenarios, and the IPS scenario.
The IPS stage must be performed last, as the Attacker machine will be encrypted.
You will not be able to perform the other parts after you perform the IPS part unless you
revert only the Attacker machine from the Machine list tab.
Environment Exclusions
Module | Type | Exclusion
SandBlast Agent Anti-Bot | Domain | www.dropbox-docs.com; www.palpay.com; wentz.pw; c.top4top.net
SandBlast Agent TE | Folder | C:\Program Files (x86)\r2 Studios\Tonic; C:\Users\administrator.UNKNOWN300\AppData; C:\Users\administrator.UNKNOWN300\Documents; C:\Users\administrator.UNKNOWN300\Downloads; C:\ProgramData; C:\maliciousfiles
SandBlast Anti-Exploit | Dan-PC | Set to Silent
SandBlast Network TE+TEX | Email | Pamela@unknwon300.com; Bob@unknwon300.com
From the Machine list tab you can view all of the machines’ information.
You will also be able to perform a single-machine revert.
Please use the Smart Event views to show the correlation of events at the end of the
scenarios. Emphasize the need for a single correlated view that allows an
organization to react to critical events as quickly and efficiently as possible.
You can also view the event correlation through Web browser at https://<mgmt_ip>/smartview
Link is bookmarked in the Chrome browser of the Domain Controller machine
“https://10.58.0.100:4434/SmartView”
1. Open the Attacker Unprotected machine and execute the “First Step – Variant me.bat” shortcut (we
are going to change the MD5 of a malicious file so the file will be uploaded to emulation).
2. Type the file name: resume.doc and press Enter.
3. Enter a few random characters and press Enter.
4. You will see the old MD5 and the new MD5.
This will also create new variants for the files that will be downloaded later in the web extraction
scenarios.
5. On the Attacker Unprotected machine, browse to www.virustotal.com using Chrome (once Chrome
is open, use the bookmark in the bookmark bar).
6. Upload the resume.doc file, with the new MD5, from the directory c:\maliciousFiles. The resume.doc
file acts as our unknown malware, and we will now use VirusTotal to test it.
This scenario is performed to demonstrate and emphasize how easily an attacker can bypass
traditional, signature-based solutions with a minimal level of sophistication.
Even though we will see how Threat Emulation detects the true file type and is able to open
the password-protected archive and scan the file, we are only using these simple techniques to prove the
point that not all content can be inspected at the network level.
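The following is an added example, not part of the demo script, showing why the hash-rename trick above defeats a pure hash blocklist while a content-based true-type check (the kind of inspection Threat Emulation applies) still classifies the file correctly. The magic-byte table, the PE stub and the file name are constructed for the example.

```python
import hashlib
import os

# Magic-byte table constructed for this example; a real detector uses a far
# larger set, but these cover the file kinds the demo works with.
MAGIC = [
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole-compound"),  # legacy .doc/.xls
    (b"PK\x03\x04", "zip-container"),                        # .docx/.xlsx, archives
    (b"%PDF-", "pdf"),
    (b"MZ", "pe-executable"),                                # Windows executable
]

# Detected content types that are legitimate for a declared extension.
ALLOWED = {
    ".doc": {"ole-compound"},
    ".docx": {"zip-container"},
    ".pdf": {"pdf"},
    ".exe": {"pe-executable"},
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def true_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def hash_only_verdict(data: bytes, known_bad: set) -> bool:
    """Signature-style check: blocked only if the exact hash is on the list."""
    return sha256_hex(data) in known_bad


def type_mismatch(filename: str, data: bytes) -> bool:
    """True when the content is not what the extension claims (a PE named .doc)."""
    ext = os.path.splitext(filename)[1].lower()
    return true_type(data) not in ALLOWED.get(ext, set())


# Constructed sample: a PE stub delivered under a document name.
SAMPLE_PE = b"MZ" + b"\x00" * 62 + b"constructed-pe-body-for-demo"
KNOWN_BAD = {sha256_hex(SAMPLE_PE)}


def compare_checks(filename: str, data: bytes, known_bad: set) -> dict:
    """Run both checks on the original and on a variant with a few trailing
    bytes appended, which is all the demo's batch file does to change the hash."""
    variant = data + b"xyz"
    return {
        "original_hash_blocked": hash_only_verdict(data, known_bad),
        "variant_hash_blocked": hash_only_verdict(variant, known_bad),
        "original_type": true_type(data),
        "variant_type": true_type(variant),
        "variant_type_mismatch": type_mismatch(filename, variant),
    }


if __name__ == "__main__":
    for key, value in compare_checks("resume.doc", SAMPLE_PE, KNOWN_BAD).items():
        print(f"{key}: {value}")
```

The hash check passes the variant, but the content check still reports a Windows executable hiding behind a .doc name.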
Discussion points:
Discuss Check Point SandBlast Threat Emulation technologies and solution.
Discuss leveraging existing infrastructure (GWs), adding NGTX licensing and using Check Point
Cloud for sandboxing.
Discuss the advantages of our Threat Emulation solution, such as CPU-level emulation, push
forward for Flash and CADET.
Discuss our simple and easy way to deploy SandBlast by using our learning mode for best-practice
deployment instructions.
Instructions
1. Navigate to the Domain Controller machine tab and open the SmartConsole to review and verify
the policy (admin/Cpwins1!) IP=10.58.0.100
Access Policy is set to any, any, accept, as this is a Threat Prevention demo
Right-click the “SandBlast” profile and click View to open the profile and configuration.
You can review the profile and note that Anti-Bot, Threat Emulation and Threat Extraction are enabled.
You can browse through the settings to better understand the mode of operation and enforcement.
Threat Emulation is set to Hold and Prevent
Threat Extraction is set to convert doc/docx to pdf and extract everything else
1. Navigate to the Attacker Unprotected machine and from the taskbar, open the Microsoft Live
Mail client.
We have now sent the resume.doc file with a personalized email, to our protected user.
The email will reach the GWs MTA, and will be inspected by Threat Emulation.
In the next step we will review the result and report
5. Navigate to the Network protected machine and open the Windows Live Mail Client from the
task bar.
6. Click the Send/Receive button to receive the email; it might take a few seconds for the email to
arrive.
7. Go over the email and show the subject of the email and the content of the attachment (Threat
Extraction has replaced the original file with a new text file after receiving a malicious verdict
from Threat Emulation)
8. Navigate to the Domain Controller machine tab and open the SmartConsole, if not opened.
9. Navigate to the “LOGS&MONITOR” tab
The first tab is already configured to show relevant logs
10. Open (double-click) the log and review the log details. Pay attention to the file type field.
If the Summary report doesn’t appear, close the log, press refresh logs and open it again.
Show the emulation report details and the video of the emulation.
Discussion points:
Discuss the Check Point SandBlast Threat Extraction solution.
Discuss delivering safe and sanitized files to users in seconds, supporting business continuity.
Discuss the advantage of our Threat Emulation solution inspecting the file while Threat
Extraction delivers safe copies of files to the users.
Discuss practical prevention, a consolidated solution and reduced overhead for IT.
Instructions
1. Navigate to the Attacker Unprotected machine and open the mail client.
2. Navigate to the “SandBlast” folder under the drafts folder
3. Choose the “stage 2 – Threat Extraction” email draft and open it
4. Attach the Threat_Extraction_Demo.doc file from C:/MaliciousFiles
5. Send the email to SandBlast@unknown300.com
We have now sent the Threat_Extraction_Demo.doc file with a personalized email to the user.
The email will reach the GWs MTA, and will be inspected by Threat Extraction and Threat
Emulation.
The .doc file will be converted to a safe flat pdf and delivered to the user. In parallel, Threat
Emulation will inspect the file
6. Navigate to the Network protected machine, and in the mail client press the send/receive button.
It will take a few seconds for the mail to arrive with the safe converted file.
7. Notice that Threat Extraction appends “.cleaned” before the original file extension and adds .pdf
as the converted file’s current extension.
a. The user received in the mail the sanitized copy of the file, converted to pdf, after it passed
our Threat Extraction module.
c. Notice that the email includes a notification to the user with the details and with a link to
receive the original file themselves.
d. Click the link in the notification, and it will open a UserCheck portal.
e. Approve by checking the check box and add a short justification (justification is an optional
field that doesn’t need to appear in the UserCheck, but will appear in the log if it exists).
f. Notice that the Threat_Extraction_Demo.doc file is malicious and cannot be downloaded by
the user.
8. Navigate to the Domain Controller machine tab and navigate to the “LOGS&MONITOR” tab
9. Demonstrate the administrator experience by reviewing the event logs of what has happened.
Focus on the Threat Extraction event logs, converting the file and showing the user request to
receive the original file.
10. Open the Threat Emulation event log, and open the summary report generated.
*You might not see the vulnerability summary report immediately, as it sometimes takes about one
minute until the report is generated and shown in the Log Details.
Discussion points:
Discuss detection vs. prevention.
Discuss the cost of remediating events vs. the much lower cost of preventing them from
happening.
Discuss infection time being very short, and in the case of ransomware attacks, full encryption in
a matter of minutes.
Instructions
1. Navigate to the Attacker Unprotected machine and open the Chrome browser.
2. Click the bookmark ‘John Smith Dropbox’ on the favorites bar.
3. Click on the first link, John Smith CV, and save the file.
This file contains code that will open a CryptoLocker app. Once the file is opened, the document
will also run the integrated CryptoLocker application.
This is only a sample and it will not harm the machine.
This shows the actionable potential of malicious code that can be embedded in a seemingly
innocent Word document.
4. Open the John smith Advance CV.doc and demonstrate what will happen once a malicious file is
opened in an unprotected environment.
Unprotected can also mean that the security solution only detects, and not prevents.
You can show that in this case the CryptoLocker was able to infect the computer.
Discussion points:
Discuss practical prevention with reduced cost to the operations team.
Discuss increasing the security level without creating overhead for the operations team.
Discuss the minimal impact on user experience when you use the extraction method.
Instructions
1. Navigate to the Attacker Unprotected machine and open the mail client
2. Navigate to the sent items, right click the ‘Stage 2 – Threat Extraction’ email and choose reply to all
3. Attach a picture from the picture library and click send (you can use the penguins.jpg)
4. Navigate to the Network protected machine, open the mail client and click send/receive
©2018 Check Point Software Technologies Ltd. All rights reserved | P. 16
5. Open the email with the file, and notice that the file name now includes .cleaned.
6. Open the picture and show that it is the same picture for human eyes, but the image was modified
to disable any embedded code.
7. Notice that the email includes a notification to the user with the details and with a link to receive
the original file themselves.
8. Click the link in the notification, and it will open a UserCheck portal.
9. Approve by checking the check box and add a short justification (justification is an optional field
that doesn’t need to appear in the UserCheck, but will appear in the log if it exists).
10. Show that, since the picture is not malicious, the user is able to download it or resend the original
email with the original attachment.
Discussion points:
Discuss practical prevention when files are not attached but linked in the mail. A link by itself
might not be malicious, but the file is.
Discuss multi-vector attacks and protection for both email and web in a single solution,
preventing malware before users receive it.
Instructions
1. Navigate to the Attacker Unprotected machine and open the email client to the SandBlast folder
under the drafts folder
2. Choose the “stage 3 – Links to files inside emails” mail.
3. Hover with the mouse over the link and see that the link points directly to a malicious file:
http://www.dropbox-docs.com/mssecsvc.exe (this is an actual WannaCry ransomware sample).
4. Send the email to SandBlast@unknown300.com
5. Navigate to the Network Protected machine, open the email client and click on the Send/Receive
button.
Notice that the email will not reach the user. This is the current designed behavior.
6. Navigate to the Domain Controller machine, open the Smart Console and Browse to
“LOGS&MONITOR” tab to demonstrate the administrator experience and the event logs.
Discussion points:
Discuss practical prevention on the web vector, where users download files from the web and
will not wait even 1 minute to receive these files.
Discuss the cost of remediating events vs. the much lower cost of preventing them from
happening. This usually happens where web protection is deployed in background mode so as not to
disturb business continuity.
Discuss the SandBlast Network solution protecting both email and web vectors, inspecting
files in real time while maintaining user continuity and reducing operational cost.
Instructions
** TEX for Web is currently EA; in this demo it is being demonstrated on top of R80.10 JHF70.
This feature will be GA during 2018 over R80.20 GA.
3. Click the first link inside the webpage, ‘John smith CV’.
This is the same malicious document we have demonstrated before that includes a cryptolocker
popup. The file will be blocked with a user check without being extracted.
In the very rare cases where the file is extracted, the file will be converted to pdf and the
watermark will be displayed at the top. The original file is malicious, so the user will be blocked from
receiving it.
6. Click the third link ‘John Smith white paper’. This is a benign document that includes active content.
The document will be converted to PDF and the watermark will be displayed on the top of the PDF.
7. Use the “Get Original” link to receive the original file. Once Threat Emulation inspection is finished
and the verdict of the original file is received, users will be able to download the original file by
themselves.
8. Navigate to the Domain Controller machine and open the Smart Console in the “LOGS&MONITOR”
tab and review the relevant event logs.
Discussion points:
Discuss the multi-layered threat prevention approach with post-infection technology that will
prevent C&C communication and exfiltration of data.
Discuss containment of an infection at the network level, and the added advantage and
value at the endpoint level.
Instructions
1. Navigate to the Domain controller machine and run the create_variant.bat shortcut
2. Type BOT.exe in the cmd window and press enter
3. Type some random characters to modify the hash of the malware and turn it into unknown
malware, and press enter
4. Open the Tonic instant messaging application by clicking on the green icon on the notification bar at
the bottom right corner
5. Now we will simulate a lateral movement attack through the organization’s instant messaging
application. The attacker was able to access an internal machine and launch the attack by sending the
BOT.exe malware to all users in that messaging application.
We will demonstrate this by sending the BOT.exe to Vic (our Network protected machine).
6. Right click on Vic and choose the ‘file’ option to send the BOT.exe file to Vic.
7. An optional step is to write a short message and click send
9. Click Accept and click the BOT.exe link inside that window to execute it
You can also show that the malware download was detected by TE (stage2.exe), and remember
that for the demo we didn’t prevent it so the Anti-Bot scenario will detect the C&C traffic.
You can show the exclusion rule for that file in the general exceptions of the threat prevention
policy
You can show the Anti-Bot forensics Report that was generated by SandBlast Agent on a different
machine that was running the same BOT.exe file.
It is the report created from the Forensics analysis triggered by Anti-Bot scenario in the SandBlast
Agent Scenarios.
Open the “SBA AB report” shortcut from the desktop of the Network protected machine.
Discussion points:
Discuss phishing attacks and credential theft as a means of taking over accounts and silently
infiltrating an organization.
Discuss the Check Point Zero-Phish solution and the ability to perform real-time dynamic
inspection to prevent phishing attacks.
Discuss multi-layered threat prevention scanning for phishing attacks at different levels of
inspection, and how the Zero-Phish solution is used as the last line of defense. Zero-Phish technology
will scan the site just before the user submits their credentials, and the technology can also warn
users against reusing and exposing their corporate web credentials.
Instructions
1. Navigate to Pamela-PC and open the Outlook 2013 application by clicking the icon on the bottom
panel.
**Notice that the action should be changing the corporate password and that we are only
alerting and not preventing the user.
Discussion points:
Discuss Threat Emulation and Threat Extraction technologies as the core technologies
across all SandBlast solutions.
Discuss having the same level of protection for users that leave the network protection and
work remotely.
Discuss practical prevention where users receive a safe and sanitized copy of files in seconds
while the original file is emulated. Original files are retrieved by the users themselves if they are not malicious.
Before you start, it is important to mention that this is the same scenario as the network inline
web extraction, to demonstrate that users leaving the network protection or working remotely
have the same level of protection and practical prevention.
Instructions
1. Navigate to Pamela-PC and open the Chrome browser.
A web page will automatically be opened to John Smith Dropbox “http://www.dropbox-docs.com/”.
2. Click on the first file “John smith CV” to download it.
The file is sent to the cloud for emulation and extraction. As the file is already known as malicious
by ThreatCloud and TE, it will be blocked. In cases where the file is not known it will be extracted,
and access to the original file will be blocked after emulation is finished since the file is
malicious.
3. The following 2 files are benign files that will demonstrate Threat Extraction’s ability to proactively
clean a file and provide a user with a safe copy of the file in seconds.
We will demonstrate 2 scenarios:
7. Press the browser extension icon (in the upper right corner of the extension bar) and download the
original files to show that the cleaned files’ content is the same, but without the active content.
*In the Excel file you have links and a macro that will not be active in the clean version, but will be
active in the original version.
*Show the ransom message that represents a ransomware attack by opening the document on an
unprotected station.
You might encounter a run time error message after closing the CryptoLocker notification window.
This is the desired behavior, which also appears in the Threat Emulation prevent log from Stage 1 of
the network scenarios as a CPU-level detection of an unexpected process crash.
Discussion points:
Discuss post-infection scenarios and lateral movement scenarios where the Anti-Bot
technology will perform automatic containment of infections and the Forensics technology will
automatically analyze and remediate that infection.
Discuss extending the network-level Anti-Bot technology to the endpoint and enhancing it
to provide per-endpoint containment as part of our multi-layered threat prevention approach.
Discuss the forensics module that constantly monitors the system and automatically analyzes
detections to create a full, understandable and actionable report with automatic remediation
capabilities.
Instructions
1. Navigate to the Attacker Unprotected machine and click on the “ShellCode_Variant.bat” shortcut
on the desktop.
2. Type BOT.exe in the cmd window and press enter
3. Type some random characters to modify the hash of the malware and turn it into unknown
malware, and press enter
4. Open the Tonic instant messaging application by clicking on the green icon on the notification bar at
the bottom right corner
5. Right-click on the Pamela contact and click on “File”; choose the file BOT.exe from
C:\Maliciousfiles\Shellcode
6. An optional step is to write a short message and click send
8. Click on the accept button to accept the file and then click on the BOT.exe link to execute it.
9. From the user’s point of view you will see a PowerShell window briefly open and close, but that is it.
Usually the users will not see anything, but for the demo we are showing that something is running.
There will be no indication from the user perspective, and this is why we will move to the
administrator perspective to review the C&C communication block and prevention of exfiltration of
data.
10. Wait a few seconds and you will see the SandBlast Agent Anti-Bot pop up “Infection Detected”:
malicious communication was blocked.
We will review the attack through the automatic forensics report that was created.
13. Let’s analyze the event from the log: click on the Anti-Bot event and open the log.
14. Review the log details and click “Open the forensics report” to view the endpoint forensics report.
Discussion points:
Discuss crypto-mining attacks and how they impact users and businesses. The computer’s CPU
usage will run very high, causing severe impact to users and also financial losses.
Discuss SandBlast Agent capabilities to prevent malware attacks according to their behavior
during runtime.
Discuss the multi-layered threat prevention approach with a security strategy that can perform
real-time behavioral inspection with automatic analysis and remediation.
Instructions
1. Navigate to the Attacker Unprotected machine and open the email client from the taskbar
2. Navigate to the ‘SBA’ folder under the ‘Drafts’ folder and open the “Booking Confirmation” email
3. Attach ‘Flight_Booking_Confirmation.docm’ from “C:\Maliciousfiles\BG” folder and press send
The email will be sent to Bob-PC and to Pamela-PC.
*Please note that those email addresses are excluded from the network protection to allow the
email to arrive.
4. Navigate to Bob-PC and open the email client from the taskbar
5. Open the “Booking Confirmation” email and open the attached document (double click it)
Scenario walkthrough
6. Open Process Explorer from the desktop and notice wuapp.exe taking more than 25% CPU, an
indicator that it is running.
If you launch Task Manager, wuapp.exe disappears and the CPU usage comes back to normal; when you
close Task Manager, the process comes back and restarts mining.
If you try to kill the wuapp.exe process, it will restart; try it.
11. Open Process Explorer and notice that the attack was remediated and that the forensics report was
automatically created.
12. Open the forensics report from the Agent UI and investigate.
Review the forensics report, starting from the status of the attack which is “cleaned”. Continue with
the entry point which is very clear to see and end in the incident details which show the path of the
attack in a very simple and easy to understand way.
Important to show is that there is no Business impact
You can get all of the relevant information from the forensics report, use it.
Discussion points:
Discuss ransomware attacks and how they impact users and businesses. Even more than just
paying the ransom for a single remediation, the loss of resources, data and work time can cause
huge financial losses.
Discuss SandBlast Agent capabilities to detect exploit attacks and ransomware attacks
according to their behavior, and in case files were encrypted it will restore all of the user data
automatically.
Discuss the multi-layered threat prevention approach with a security strategy that can perform
real-time behavioral inspection with automatic analysis and remediation.
This demonstration includes a real exploit and a real wannacry ransomware sample. We
will show the same scenario as described below.
Drive-by exploit attack based on VB Script god mode exploit that will automatically
download and launch a wannacry ransomware attack on the machine.
This scenario will be executed on the 3 different PCs to show what will happen to:
Unprotected user (Bob-PC)
User protected with SandBlast Agent but the Anti-Exploit is in silent mode (Dan-PC)
User protected with SandBlast Agent and Anti-Exploit set to prevent (Pamela-PC)
Optional – Show Ransomware prevention by executing “First Sample – Dan CV.pdf”
(Petya Goldeneye Sample)
**Bob-PC will be encrypted and other scenarios on Bob-PC will not work
3. Browse to the mystore site through the bookmark on the favorites tab
4. Move the My files folder to the front with the IE on the background
A few minutes later you will see the ransom note (you might need to minimize the folder and
browser)
8. Browse to the mystore site through the bookmark on the favorites tab
9. Move the My files folder to the front with the IE on the background
10. After about 10-15 seconds the exploit will start running and the ransomware will follow and encrypt
the files
11. Since the Anti-Exploit is set to silent, Anti-Ransomware will pop up a few seconds after encryption
starts. Anti-Ransomware is set to automatically restore and remediate.
You will also notice that Threat Emulation will pop up as well
The browser will not terminate but the page loading will be stopped
14. Browse to the mystore site through the bookmark on the favorites tab
15. Move the My files folder to the front with the IE on the background
16. After about 10-15 seconds the exploit will start running and Anti-Exploit will prevent it and block it
Notice the Anti-Exploit pop up and the termination of the browser
17. Open the Smart Event from the Domain Controller machine and review the logs and events.
*Note that this scenario is best demonstrated from the user experience point of view.
IPS Protections Demo Scenario
The goal of this demonstration is to simulate prevention of ransomware and phishing
attacks by using the IPS blade.
Change the default browser to Internet explorer on the Network Protected machine and
on the Attacker Unprotected machine
The IPS scenario will not work with Chrome as the default browser.
1. Navigate to the Domain Controller machine and open the Smart Console (admin/Cpwins1!)
IP=10.58.0.100
3. Drag rule number 3 above rule number 2, and replace the profile for rule number 1 with the IPS only
profile. Make sure the policy looks like what you see below.
4. Install Policy
Don’t forget to install the Threat Prevention Policy after the change.
The protection profile in rule number 2 includes only the IPS blade and Anti-Bot blades.
Discussion points:
Discuss multi-layered threat prevention preventing known attacks.
Instructions
1. Navigate to the Attacker Unprotected machine and open the Microsoft Live Mail client
2. Navigate to the “IPS Protection Folder” under the drafts folder
3. Open the email “PayPal account Limitations”, review it and send it to ips@unknown300.com
4. Navigate to the Domain Controller machine and open the Smart Console in “LOGS&MONITOR” tab
5. You will see 3 logs that were generated by the IPS module.
Since we wanted to show in this demo that 3 different IPS protections could have prevented the
phishing attack, we configured two of the protections to Detect mode and the last one to Prevent.
The logs are not always shown in the right order since it’s a matter of milliseconds.
6. Open each log and review the Log Details.
Discussion points:
Discuss multi-layered threat prevention preventing known attacks with a multi-vector
approach.
Instructions
1. Navigate to the Attacker Unprotected machine and open Wireshark from the task bar
2. Click on the start button to start capture traffic
3. Start the Task Manager (right click on the taskbar and choose Start task manager)
4. Open the email client and click on the ‘Inbox’ folder.
Inside the code of this legitimate website, a malicious iframe was injected by hackers that redirects
Internet Explorer in the background to a malicious website hosting the RIG exploit kit (malicious
toolkits contain various exploits bundled into a single package). The kit takes advantage of a vulnerability
in the Internet Explorer browser, downloads ransomware code to the client and executes it.
Let’s see what just happened in the background when you were browsing the myshoppingsite.com
web site.
9. Here is the iframe with the redirection to http://guacamole.MALICIOUS.COM/.., the RIG Exploit Kit landing page.
When the user arrives on the landing page, the RIG Exploit Kit attempts to check whether the user’s computer has
a driver file associated with a particular antivirus product. To avoid detection, the kit avoids
dropping the exploits if a familiar AV driver file like “kl1.sys” is present.
If the kit manages to successfully exploit any of these vulnerabilities, then malware is downloaded onto
the victim’s computer. The RIG Exploit Kit dropped the Cryptodefense ransomware (Trojan.Cryptodefense).
If 2-3 minutes have already passed since you visited the shopping website, the files on the Attacker Unprotected
machine have already been encrypted and the background has changed.
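As an added example (not part of the demo script), the check below flags the pattern described above in saved page source: an iframe that is hidden (1x1, display:none or visibility:hidden) and points off the site being served. The site name and HTML are constructed; the off-site host is the one named in the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def is_hidden(attrs: dict) -> bool:
    """Injected redirector iframes are usually invisible: zero/one-pixel size,
    display:none or visibility:hidden."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        if attrs.get(dim, "").strip().lower().rstrip("px") in ("0", "1"):
            return True
    return False


def suspicious_iframes(html: str, site_host: str) -> list:
    """Return the src of every hidden iframe that points away from site_host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        offsite = bool(host) and host != site_host.lower()
        if offsite and is_hidden(attrs):
            findings.append(src)
    return findings


# Constructed page: a visible same-site embed plus a 1x1 injected iframe
# pointing at the exploit-kit landing page named in the demo.
SAMPLE_HTML = """
<html><body>
<h1>My Shopping Site</h1>
<iframe src="http://myshoppingsite.com/promo" width="600" height="300"></iframe>
<div>
<iframe src="http://guacamole.MALICIOUS.COM/" width="1" height="1"
        style="visibility: hidden"></iframe>
</div>
</body></html>
"""

if __name__ == "__main__":
    print(suspicious_iframes(SAMPLE_HTML, "myshoppingsite.com"))
```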
10. Navigate to the Network Protected machine and open the Email Client
Internet Explorer will be opened on a myshoppingsite.com web site, wait about 10 seconds
12. Navigate to the Domain Controller machine to view the logs and investigate the IPS logs.
You will see 5 logs that were generated by the IPS blade.
Since we wanted to show in this demo that 5 different IPS protections could have prevented this
attack, we manually configured 4 of the protections to Detect mode and the last one to Prevent.
The logs are not always shown in the same order since it’s a matter of milliseconds.
Make sure to emphasize the need for a multi-layered threat prevention approach that starts
with preventing of known attacks.
THANK YOU