
SandBlast Unified, Network and Agent, Demo Guide

Version 1.1

R80.20M1 Management,
R80.10 GW with JHF 70 and Web Extraction HF,
E80.85 SandBlast Agent

©2018 Check Point Software Technologies Ltd. All rights reserved | P. 1


Table of Contents
SandBlast Unified, Network and Agent, Demo Guide (p. 1)
Change log (p. 2)
Introduction (p. 3)
Environment Details (p. 5)
SandBlast Network Demo Scenarios (p. 7)
Stage 0 – Test Traditional AV solutions using VirusTotal (p. 7)
Stage 1 – Demonstrating Threat Emulation (p. 9)
Stage 2 – Demonstrating Threat Extraction and Practical Prevention (p. 13)
Stage 2.1 – Demonstrate the impact of opening malicious files on an unprotected machine (p. 15)
Stage 2.2 – Demonstrate Image extraction and self-catered original file by the user (p. 16)
Stage 3 – Demonstrating TE scanning files from links inside emails (p. 18)
Stage 4 – Inline Web Extraction with Threat Extraction (p. 20)
SandBlast Network Summary Pitch (p. 22)
Network Anti-Bot Demo Scenario (p. 23)
SandBlast Agent Scenarios (p. 26)
Stage 1 – Zero-Phishing Scenario (p. 26)
Stage 1.1 – Corporate credentials reuse protection scenario (p. 28)
Stage 2 – Web download protection scenario (p. 29)
Stage 2.1 – Demonstrating the impact of downloading a malicious file and opening it on an unprotected machine (p. 31)
Stage 3 – Forensics analysis triggered by Anti-Bot lateral movement scenario (p. 32)
Stage 4 – Behavioral Guard scenario prevention of a Crypto miner attack (p. 36)
Stage 5 – Anti-Ransomware and Anti Exploit scenarios using drive-by exploit on IE11 (p. 39)
Stage 5.1 – Drive-by exploit with Wannacry (Ransomware) execution on an unprotected machine (p. 39)
Stage 5.2 – Drive-by exploit with Wannacry (Ransomware) execution on a protected machine with Anti-Ransomware (p. 41)
Stage 5.3 – Drive-by exploit with Wannacry (Ransomware) execution on a protected machine with Anti-Exploit (p. 43)
WOW!!! (p. 43)
IPS Protections Demo Scenario (p. 44)
Step 1 – Demo IPS blade protection against phishing attack (p. 45)
Step 2 – Demo IPS blade protection against Ransomware (p. 46)
THANK YOU (p. 49)

Change log
Editor | Date | Version | Comments
Boaz Barzel | 20-Aug-2018 | V1.0 | Document creation, combining SandBlast Network and SandBlast Agent scenarios
Boaz Barzel | 30-Aug-2018 | V1.1 | Minor fixes and enhancements



Introduction
Check Point SandBlast Zero-Day Protection employs Threat Emulation and Threat Extraction
capabilities to elevate network security to the next level with evasion resistant malware
detection, and comprehensive protection from the most dangerous attacks – and at the same
time ensures quick delivery of safe content to your users.

Threat Emulation performs deep CPU-level inspection, stopping even the most dangerous
attacks before malware has an opportunity to deploy and evade detection. SandBlast Threat
Emulation uses OS-level inspection to examine a broad range of file types, including
executables and data files. With its unique inspection capabilities, SandBlast Threat Emulation
delivers the best possible catch rate for threats, and is virtually immune to attackers’ evasion
techniques.

SandBlast Threat Extraction complements this solution by promptly delivering safe content, or
clean and reconstructed versions of potentially malicious files, maintaining uninterrupted
business flow. By eliminating unacceptable delays created by traditional sandboxes, Threat
Extraction makes real-world deployment in prevent mode possible, not just issuing alerts, but
blocking malicious content from reaching users at all.

Check Point SandBlast Zero-Day Protection provides complete detection, inspection and
protection against the most dangerous zero-day and targeted attacks at the network.

The SandBlast demonstration part will include the following scenarios:


1. Threat Emulation inspection of a mail attachment. The attachment is a malicious document inside
a password-protected archive whose extension was manually changed to .doc.
Threat Emulation will calculate the true file type, open the password-protected archive and
prevent the malicious document.
The scenario starts by showing how easy it is to turn a known malware into an unknown
variant. The variant is then uploaded to VirusTotal to show that traditional signature-based solutions
cannot detect it.

2. Threat Emulation and Threat Extraction inspection of a malicious document attached in an email.
Threat Extraction will clean the document and convert it to pdf, providing the user with a safe and
sanitized file within seconds. Threat emulation will inspect the file in parallel and will be able to
detect that the file is malicious. The user will not be able to receive the original file since it was
detected as malicious by Threat Emulation.

3. Threat Emulation inspection of a direct link to a file inside an email.
The Threat Emulation engine will detect the link, download and emulate the file before the
mail reaches the user. Since the file is malicious, the mail will be blocked from reaching the user.

4. Web extraction through the GW, seamless to the user and without any client installation.
Threat Extraction on the GW will intercept file downloads and convert the document to a flat PDF,
providing the user with a safe and sanitized copy of the file in seconds.
In parallel, Threat Emulation will emulate the file; if the file is malicious, the user will not be able
to receive the original file. If the file is not malicious, the user will be able to get the original file by
themselves. If a file is already known as malicious, it will be prevented before extraction.

Network protection doesn’t cover all attack vectors. Some protections are best applied
at the endpoint level and supply additional layers of protection to users and organizations.
Check Point SandBlast is a multi-layered approach designed to block zero-day and advanced
attacks, on the network and, with the SandBlast Agent, also on the endpoint.



Check Point SandBlast Agent extends industry-leading zero-day protections to prevent advanced
attacks against endpoints and web browsers. SandBlast Agent includes Threat Emulation, Anti-
Bot, Forensics, Anti-Ransomware, Behavioral Guard and Anti-Exploit modules. The Web Browser
extension includes Threat Emulation and Threat Extraction with Anti-Phishing technology and
corporate credential reuse protection.
Anti-Ransomware technology stops ransomware in its tracks and reverses the damage
automatically. Anti-Bot technology identifies and blocks command & control activities. At the same
time, SandBlast Agent forensics enables complete attack remediation and automated incident
analysis, uncovering the entire attack scope and business impact. SandBlast Agent Browser
extension provides users with real-time protection from malware in web-downloaded files, and its
Zero Phishing™ technology safeguards corporate credentials from being exposed via
phishing sites or password reuse. Anti-Exploit blocks exploit attempts, stopping attacks at
the exploit stage before the malware is executed. The Behavioral Guard module identifies malware
attacks according to their runtime behavior, even unknown and sophisticated malware.

The demonstration will include the following scenarios:


1. Anti-Phishing scenario using the SandBlast Browser extension Zero-Phishing technology
Our scenario will demonstrate how SandBlast Agent for Browsers protects users from identity theft by
phishing sites. We will show a phishing email with a link to a phishing site. Zero-Phishing technology
prevents phishing attacks from both known and unknown sites. Scanning is performed in real time
when the user tries to access a site.

2. Web download protection scenario using SandBlast Browser extension


Our scenario will focus on downloading different types of files both malicious and benign. The
proactive protection uses Threat Extraction to deliver sanitized files to users in real-time, while the
original files are scanned in parallel by the Threat Emulation advanced sandbox technology to detect if
they are malicious. SandBlast Agent for browsers brings practical zero day protection to users
downloading files from the internet.

3. Forensics analysis scenario using Anti-Bot, triggered by lateral movement

Our scenario involves lateral movement of malware through the organization’s IM program.
SandBlast Agent Anti-Bot will block the exfiltration of data and the C&C communication.
SandBlast Agent Forensics will automatically analyze and quarantine all of the attack elements and will
create a full, actionable and understandable incident report. It accelerates the work of SOC and
incident response teams by providing them with an instant, in-depth understanding of the attack,
allowing them to focus on effective triage and response.

4. Behavioral Guard scenario: preventing a crypto-mining attack during runtime

The SandBlast Agent Behavioral Guard module prevents malware attacks according to their behavior in
real time. Our scenario involves a crypto-miner attack, another source of revenue for attackers: the
longer the attack runs hidden, the more money the attackers make. We will show what happens to an
unprotected machine and how the Behavioral Guard technology prevents the attack.

5. Anti-Ransomware and Anti Exploit scenario using drive-by exploit on IE11


SandBlast Agent’s Anti Ransomware detects and blocks unknown and evasive ransomware. If data is
encrypted before the ransomware is quarantined, then it will automatically restore the encrypted user
data as part of the automated remediation process. Anti-Exploit detects and prevents attacks at the
exploit stage, before the malware is deployed. Our scenario will show what happens to an unprotected
user, to a user with Anti-Exploit on detect and to a user with Anti-Exploit in prevent mode. The
scenario involves a drive-by exploit that will download and execute a ransomware attack on the user’s
computer without any user involvement besides browsing to the attack site.



Environment Details
[Network diagram; the labels below are recovered from the figure, with machine/IP pairs taken from their positions in the layout]
Environment default GW: 192.168.58.1
192.168.58.0/24 (Internet side, with Cloud Sandboxing): Pamela-PC 192.168.58.155, Malicious Web Server 192.168.58.222, Shop Server 192.168.58.111, Dan-PC 192.168.58.144, Bob-PC 192.168.58.133, Attacker/Unprotected 192.168.58.22
R80.10 GW + JHF70 + Web extraction HF: 192.168.58.10 and 10.58.0.254
10.58.0.0/24: R80.20_M1 Management + Smart Event 10.58.0.100, Domain Controller 10.58.0.200, Network Protected 10.58.0.50

Important information
- Use the Resources tab to review the environment and guide version before you start.
- Threat Emulation and Forensics reports can sometimes take 1-2 minutes to appear; if
you don’t see the link, refresh the logs.
- This demo script includes three parts: SandBlast Network and Anti-Bot scenarios, SandBlast
Agent scenarios and the IPS scenario.
- The IPS stage must be performed last, as the Attacker machine will be encrypted.
You will not be able to perform the other parts after you perform the IPS part unless you
revert only the Attacker machine, from the Machine list tab.
Environment Exclusions
Module | Type | Exclusion
SandBlast Agent Anti-Bot | Domain | www.dropbox-docs.com, www.palpay.com, wentz.pw, c.top4top.net
SandBlast Agent TE | Folder | C:\Program Files (x86)\r2 Studios\Tonic; C:\Users\administrator.UNKNOWN300\AppData; C:\Users\administrator.UNKNOWN300\Documents; C:\Users\administrator.UNKNOWN300\Downloads; C:\ProgramData; C:\maliciousfiles
SandBlast Anti-Exploit | Dan-PC | Set to Silent
SandBlast Network TE+TEX | Email | Pamela@unknwon300.com, Bob@unknwon300.com



Machine | Description | Comments
R80.20 M1 Management | R80.20_M1 management server. Unified Network, Endpoint and Event management. | admin/Cpwins1!
R80.10 GW | R80.10 GW with JHF 70 and with Web extraction HF installed | admin/Cpwins1!
Attacker Unprotected | Attacker machine hosting all attacks. Also used to demonstrate the unprotected machine in SandBlast Network scenarios | admin/Cpwins1!
Network Protected | Protected machine with SandBlast Network | admin/Cpwins1!
Bob-PC | Unprotected remote employee machine. Used for demonstration of unprotected-machine SBA scenarios | Administrator/Cpwins1!
Dan-PC | SandBlast Agent protected machine. Anti-Exploit is set to Silent | Administrator/Cpwins1!
Pamela-PC | SandBlast Agent protected machine. Anti-Exploit is set to Prevent | Administrator/Cpwins1!
Domain Controller | Active Directory domain = unknown300.com. Mail server and DNS server for the environment. Also used for Smart Console and Smart Endpoint login | Administrator/Cpwins1!
Shop server | Used for the IPS scenario | admin/zubur1
Malicious Web server | Used for the IPS scenario | admin/zubur1

From the Machine list tab you can view all of the machines’ information.
You will also be able to perform a single-machine revert.

Please use the Smart Event Views to show the correlation of events at the end of the
scenarios. Emphasize the need for a single correlated view that will allow an
organization to react to critical events as soon as possible and as quickly and
efficiently as possible.
You can also view the event correlation through Web browser at https://<mgmt_ip>/smartview
Link is bookmarked in the Chrome browser of the Domain Controller machine
“https://10.58.0.100:4434/SmartView”



SandBlast Network Demo Scenarios
The Goal of this demonstration is to simulate, in real time, the capabilities of Check
Point SandBlast Network Solution with Threat Emulation and Threat Extraction Modules

Stage 0 – Test Traditional AV solutions using VirusTotal


Goal: Demonstrate that traditional signature-based solutions are no longer sufficient
to prevent today’s sophisticated attacks. We need a more advanced threat prevention
solution; we need SandBlast.

1. Open the Attacker Unprotected machine and execute the “First Step – Variant me.bat” shortcut (we
are going to change the MD5 of a malicious file so that the file will be uploaded to emulation).
2. Type the file name resume.doc and press Enter.
3. Enter a few random characters and press Enter.
4. You will see the old MD5 and the new MD5.
This will also create new variants of the files that will be downloaded later in the web extraction
scenarios.

5. On the Attacker Unprotected machine, browse to www.virustotal.com using Chrome (once Chrome
is open, use the bookmark in the bookmark bar).

6. Upload the resume.doc file, with the new MD5, from the directory c:\maliciousFiles. This
file acts as our unknown malware, and we will now use VirusTotal to test it.
This scenario is performed to demonstrate and emphasize how easily an attacker can bypass
traditional, signature-based solutions with a minimal level of sophistication.



Additional Information
We have seen that it is very easy to create a variant of a known malware and turn it into an unknown one. It
can be as simple as changing the file’s MD5 hash.
While traditional signature-based solutions, such as AV, can help with known malware, they cannot
provide adequate protection against modern attacks and unknown malware.
We now see that there is no detection for our new malware variant, and we are ready to test it with
SandBlast Threat Emulation.
*Notice that the malware we are using, resume.doc, is actually a password-protected archive with a
real malicious document inside. The .zip file extension was manually changed to a .doc extension. This
technique is used to bypass traditional detections by manipulating the file extension.

Even though we will see that Threat Emulation detects the true file type and is able to open
the password-protected archive and scan the file, we are only using these simple techniques to prove the
point that not all content can be inspected at the network level.



Stage 1 – Demonstrating Threat Emulation
Goal:
Demonstrate prevention with a range of capabilities using the SandBlast Threat Emulation module. The previously
created unknown malware and a potentially unsafe document will be used for the demonstration.

Discussion points:
- Discuss the Check Point SandBlast Threat Emulation technologies and solution.
- Discuss leveraging the existing infrastructure (GWs), adding NGTX licensing and using the Check Point
Cloud for sandboxing.
- Discuss the advantages of our Threat Emulation solution, such as CPU-level emulation, push
forward for Flash and CADET.
- Discuss our simple and easy way to deploy SandBlast, by using our learning mode for best-practice
deployment instructions.

Instructions
1. Navigate to the Domain Controller machine tab and open the SmartConsole to review and verify
the policy (admin/Cpwins1!, IP=10.58.0.100).

- The Access Policy is set to any, any, accept, as this is a Threat Prevention demo.

- Threat Prevention Policy

We will use SandBlast as the Threat Prevention profile. It is set to use the TE, TEX and Anti-Bot modules.
The IPS scenario will use the IPS Only profile.

Right-click the “SandBlast” profile and click View to view the profile and configuration.
You can review the profile and note that Anti-Bot, Threat Emulation and Threat Extraction are enabled.
You can browse through the settings to better understand the mode of operation and enforcement.
Threat Emulation is set to Hold and Prevent.
Threat Extraction is set to convert doc/docx to PDF and extract everything else.



Sending an email with a sophisticated malicious attack with user experience

1. Navigate to the Attacker Unprotected machine and, from the taskbar, open the Microsoft Live
Mail client.

- Navigate to the “SandBlast” folder under the Drafts folder.

2. Open the “stage 1 – password protected archive file” mail.

3. Attach the resume.doc file from C:/MaliciousFiles.
4. Send the email to SandBlast@unknown300.com.

Using the resume.doc file we will show the following capabilities:

a. The Threat Emulation file re-classifier, based on file magic (the original file type is resume.zip).
b. The original file, resume.zip, is a password-protected archive, so you will not be able to open it.
Threat Emulation will be able to extract and test the password-protected archive by using a
dictionary of the most commonly used passwords.
i. The malicious document inside the password-protected archive is the same as
Threat_extraction_demo.doc (we will show it later).
We have now sent the resume.doc file with a personalized email to our protected user.
The email will reach the GW’s MTA and will be inspected by Threat Emulation.
In the next step we will review the result and the report.

5. Navigate to the Network Protected machine and open the Windows Live Mail client from the
taskbar.

6. Click the Send/Receive button to receive the email; it might take a few seconds for the email to
arrive.
7. Go over the email and show its subject and the content of the attachment (Threat
Extraction has replaced the original file with a new text file after receiving a malicious verdict
from Threat Emulation).

See below example of the email and attachment received.


*Note that Threat Extraction intercepted the email after it was received by the MTA. Since the file
is not actually a .doc, Threat Extraction wasn’t able to handle it and waited for a verdict from Threat
Emulation. This is why the message says that Threat Extraction removed the original
attachment.



Demonstrating Threat Emulation event log and report with the administrator experience

8. Navigate to the Domain Controller machine tab and open the SmartConsole, if not opened.
9. Navigate to the “LOGS&MONITOR” tab
The first tab is already configured to show relevant logs

10. Open (double-click) the log and review the log details. Pay attention to the file type field.
If the Summary report doesn’t appear, close the log, press Refresh logs and open it again.



You can see that there is only one file inside the archive, named resume.doc (the actual
malicious document). By clicking the resume.doc file you can view the emulation report for it.
With archives you will be able to see all the files inside the archive and their verdicts; for a malicious
verdict you will also have an emulation report.

Show the emulation report details and the video of the emulation.



Stage 2 – Demonstrating Threat Extraction and Practical Prevention
Goal:
Demonstrate practical prevention with a range of capabilities using the SandBlast Threat Extraction and Threat
Emulation modules. The demonstration converts a malicious document to a flat PDF, and a
request to receive the original file is denied due to the Threat Emulation malicious verdict.

Discussion points:
- Discuss the Check Point SandBlast Threat Extraction solution.
- Discuss delivering safe and sanitized files to users in seconds, supporting business continuity.
- Discuss the advantage of Threat Emulation inspecting the file while Threat
Extraction delivers safe copies of files to the users.
- Discuss practical prevention, a consolidated solution and reduced overhead for IT.

Instructions
1. Navigate to the Attacker Unprotected machine and open the mail client.
2. Navigate to the “SandBlast” folder under the drafts folder
3. Choose the “stage 2 – Threat Extraction” email draft and open it
4. Attach the Threat_Extraction_Demo.doc file from C:/MaliciousFiles
5. Send the email to SandBlast@unknown300.com

We have now sent the Threat_Extraction_Demo.doc file with a personalized email to the user.
The email will reach the GWs MTA, and will be inspected by Threat Extraction and Threat
Emulation.
The .doc file will be converted to a safe flat pdf and delivered to the user. In parallel, Threat
Emulation will inspect the file

6. Navigate to the Network protected machine, and in the mail client press the send/receive button.
It will take a few seconds for the mail to arrive with the safe converted file.

7. Notice that Threat Extraction inserts “.cleaned” before the original file extension and appends .pdf
as the converted file’s current extension.
a. The user received in the mail the sanitized copy of the file, converted to PDF after it passed
our Threat Extraction module.



b. Open the pdf file attached to the email to show the user experience and that the file is no
longer malicious

c. Notice that the email includes a notification to the user with the details and with a link to
receive the original file by themselves.
d. Click the link in the notification, and it will open a UserCheck portal.
e. Approve by checking the check box and add a short justification. (Justification is an optional
field that doesn’t need to appear in the UserCheck, but will appear in the log if it exists.)
f. Notice that the Threat_Extraction_Demo.doc file is malicious and cannot be downloaded by
the user.

8. Navigate to the Domain Controller machine tab and navigate to the “LOGS&MONITOR” tab
9. Demonstrate the administrator experience by reviewing the event logs of what has happened.
Focus on the Threat Extraction event logs, converting the file and showing the user request to
receive the original file.

10. Open the Threat Emulation event log, and open the summary report generated.



Explain the flow of the attack, user experience and show the administrator experience

*You might not see the Vulnerability summary report immediately, as it sometimes takes about one
minute until the report is generated and shown in the Log Details.

Stage 2.1 – Demonstrate the impact of opening malicious files on an unprotected machine
Goal:
Demonstrate the need for an advanced threat prevention solution that is able to prevent, in real time, an
unknown malware seen for the first time.

Discussion points:
- Discuss detection vs. prevention.
- Discuss the cost of remediating events vs. the much lower cost of preventing them from
happening.
- Discuss infection time being very short and, in the case of ransomware attacks, full encryption in a
matter of minutes.

Instructions
1. Navigate to the Attacker Unprotected machine and open the Chrome browser.
2. Click the bookmark ‘John Smith Dropbox’ on the favorites bar.
3. Click on the first link, John Smith CV, and save the file.
This file contains code that will open a CryptoLocker app. Once the file is opened, the document
will also run the integrated CryptoLocker application.
This is only a sample and it will not harm the machine.
This shows the actionable potential of malicious code that can be embedded in a seemingly
innocent Word document.
4. Open the John smith Advance CV.doc and demonstrate what happens once a malicious file is
opened in an unprotected environment.
Unprotected can also mean that the security solution only detects, and does not prevent.
You can show that in this case the CryptoLocker was able to infect the computer.



Stage 2.2 – Demonstrate Image extraction and self-catered original file by the user
Goal:
Demonstrate Threat Extraction and Threat Emulation collaboration, using the ability to extract images and
providing users with a self-catered capability of receiving the original file by themselves, if the file is not
found to be malicious by Threat Emulation.

Discussion points:
- Discuss practical prevention with reduced cost to the operations team.
- Discuss increasing the security level without creating overhead for the operations team.
- Discuss the minimal impact on user experience when you use the extract method.

Instructions
1. Navigate to the Attacker Unprotected machine and open the mail client.
2. Navigate to Sent Items, right-click the ‘Stage 2 – Threat Extraction’ email and choose Reply to all.

3. Attach a picture from the picture library and click Send (you can use penguins.jpg).
4. Navigate to the Network Protected machine, open the mail client and click Send/Receive.
5. Open the email with the file, and notice that the file name now includes .cleaned.
6. Open the picture and show that it is the same picture to the human eye, but the image was modified
to disable any embedded code.
7. Notice that the email includes a notification to the user with the details and with a link to receive
the original file by themselves.
8. Click the link in the notification, and it will open a UserCheck portal.
9. Approve by checking the check box and add a short justification. (Justification is an optional field
that doesn’t need to appear in the UserCheck, but will appear in the log if it exists.)
10. Show that, since the picture is not malicious, the user is able to download it or resend the original
email with the original attachment.



Stage 3 – Demonstrating TE scanning files from links inside emails
Goal:
Demonstrate the Threat Emulation capability to download and inspect files when they are sent as links inside
emails, and to prevent the email if the file is malicious.

Discussion points:
- Discuss practical prevention when files are not attached but linked in the mail. A link by itself
might not be malicious, but the file is.
- Discuss multi-vector attacks and protection for both email and web in a single solution,
preventing malware before users receive it.

Instructions
1. Navigate to the Attacker Unprotected machine and open the email client to the SandBlast folder
under the Drafts folder.
2. Choose the “stage 3 – Links to files inside emails” mail.
3. Hover the mouse over the link and see that it points directly to a malicious file,
http://www.dropbox-docs.com/mssecsvc.exe (this is an actual WannaCry ransomware sample).
4. Send the email to SandBlast@unknown300.com.

5. Navigate to the Network Protected machine, open the email client and click the Send/Receive
button.
Notice that the email will not reach the user. This is the current designed behavior.
6. Navigate to the Domain Controller machine, open the SmartConsole and browse to the
“LOGS&MONITOR” tab to demonstrate the administrator experience and the event logs.



7. You can open the Threat Emulation Summary report to show the forensics information as part of the
operation experience, as well as the emulation video.
*Please note that it might take 1-2 minutes until the links to the report are shown in the log. Click
Refresh logs to reload the log and open it again.
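Before the engine can download and emulate a linked file, as this stage demonstrates, it has to find the file links inside the message body. The Python example below is added here and is not Check Point's code: it walks the text and HTML parts of a constructed message modelled on the stage 3 draft, collects the URLs, and keeps only those whose path names a file type worth emulating; the extension list, the sender address and the message itself are assumptions for illustration.

```python
import email
import posixpath
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types worth fetching for emulation (assumed list for this example).
EMULATED_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".js", ".vbs", ".zip", ".rar",
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf",
}

# Bare URLs in plain text; trailing sentence punctuation is trimmed afterwards.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


class _HrefCollector(HTMLParser):
    """Collects the href targets of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def extract_links(raw_message):
    """Return every URL found in the text/plain and text/html parts, in order, deduplicated."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = _HrefCollector()
            collector.feed(part.get_content())
            found.extend(collector.hrefs)
        elif ctype == "text/plain":
            found.extend(u.rstrip(".,;:!?)") for u in URL_RE.findall(part.get_content()))
    seen, unique = set(), []
    for url in found:
        if url not in seen:
            seen.add(url)
            unique.append(url)
    return unique


def file_links(urls):
    """Keep only http(s) links whose URL path names a file of a type we would emulate."""
    selected = []
    for url in urls:
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https"):
            continue
        ext = posixpath.splitext(parsed.path)[1].lower()
        if ext in EMULATED_EXTENSIONS:
            selected.append(url)
    return selected


# Constructed sample message modelled on the stage 3 draft; the sender is a placeholder.
SAMPLE_EML = b"""\
From: sender@example.test
To: SandBlast@unknown300.com
Subject: stage 3 - Links to files inside emails
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="demo-boundary"

--demo-boundary
Content-Type: text/plain; charset="utf-8"

Please review the tool at http://www.dropbox-docs.com/mssecsvc.exe.
More about us: http://www.example.com/about
--demo-boundary
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review <a href="http://www.dropbox-docs.com/mssecsvc.exe">the tool</a>.
More <a href="http://www.example.com/about">about us</a>.</p></body></html>
--demo-boundary--
"""


def links_to_emulate(raw_message=SAMPLE_EML):
    """Links in the message that should be fetched and emulated before delivery."""
    return file_links(extract_links(raw_message))


if __name__ == "__main__":
    for url in links_to_emulate():
        print("fetch and emulate before delivery:", url)
```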



Stage 4 – Inline Web Extraction with Threat Extraction
Goal:
Demonstrate practical prevention for web downloads with an inline solution that doesn’t need any agent
or extension on the endpoint. The solution is seamless to users, providing the highest level of security with
minimal impact on users and business continuity.

Discussion points:
- Discuss practical prevention on the web vector, where users download files from the web and
will not wait even one minute to receive these files.
- Discuss the cost of remediating events vs. the much lower cost of preventing them from
happening. Such remediation usually happens where web protection is deployed in background mode so as not to
disturb business continuity.
- Discuss the SandBlast Network solution protecting both email and web vectors, inspecting
files in real time while maintaining user continuity and reducing operational cost.

Instructions

** TEX for Web is currently EA; in this demo it is demonstrated on top of R80.10 JHF70.
This feature will be GA during 2018 on R80.20 GA.

1. Navigate to the Network Protected machine and open the Chrome browser.

2. Click the ‘John Smith Dropbox’ bookmark on the favorites bar.

3. Click the first link inside the webpage, ‘John Smith CV’.
This is the same malicious document demonstrated before, which includes a cryptolocker
popup. The file will be blocked with a UserCheck message without being extracted.
In the very rare case that the file is extracted, it will be converted to PDF and the
watermark will be displayed at the top. The original file is malicious, so the user will be blocked from
receiving it.

4. The second link is a benign Excel file that includes both a macro and links.
Threat Extraction is set to clean Excel files, meaning that the file will be cleaned and the user will receive
a clean file in the same file format.
This shows the user experience with Threat Extraction set to clean, which is the recommended
method as it has minimal impact on users.
5. Show that the macro is not working by clicking the ‘view chart’ button. You can also show that the
links are not clickable and were removed.
The watermark in the first sheet was created by Threat Extraction to notify the user and to offer the
original file.
*‘view chart’ is the macro you should click to show that it was removed; with the original file
it works.

6. Click the third link, ‘John Smith white paper’. This is a benign document that includes active content.
The document will be converted to PDF and the watermark will be displayed at the top of the PDF.
7. Use the “Get Original” link to receive the original file. Once Threat Emulation inspection is finished
and the verdict for the original file is received, users will be able to download the original file by
themselves.

Show how the user can download the original file without creating overhead for IT by
requesting the original file.
Note that the user is able to download the original file only if TE's verdict for the file is not malicious.

8. Navigate to the Domain Controller machine, open the Smart Console in the “LOGS&MONITOR”
tab and review the relevant event logs.

SandBlast Network Summary Pitch


• Check Point offers holistic end-to-end protection against Zero-Day attacks on networks, endpoints,
mobile devices and cloud infrastructure and services. Signature-based solutions like AV and IPS
protect against known attacks, while many malware samples are unknown and have never
been seen before. The Threat Emulation family of technologies will detect even the most sophisticated
malware.
• Many attacks leverage evasion techniques to bypass 1st generation sandbox solutions.
Most vendors, Check Point included, use anti-evasion techniques, but that is not enough, as there are
evasion techniques that cannot be detected.
• Only Check Point offers a revolutionary 2nd generation CPU-level sandboxing technology that
detects the exploit BEFORE the evasion code can execute.
• Other solutions are deployed in a “first time detection” mode. Only SandBlast provides practical
prevention with the highest accuracy, low false positives and the fastest emulation time.
• Utilizing Threat Extraction technology, users receive a safe and sanitized copy of the file while
the original file is being emulated. If the file is not detected as malicious, users can self-cater the
original file without adding overhead for the IT team.

Network Anti-Bot Demo Scenario
Goal:
Demonstrate in real time a lateral movement scenario where Check Point Anti-Bot prevents malware
from communicating with a C&C server and exfiltrating data.

Discussion points:
• Discuss the multi-layered threat prevention approach with post-infection technology that will
prevent C&C communication and exfiltration of data.
• Discuss containment of an infection at the network level, and the added advantage and
value at the endpoint level.

Instructions
1. Navigate to the Domain Controller machine and run the create_variant.bat shortcut.
2. Type BOT.exe in the cmd window and press Enter.

3. Type some random characters to modify the hash of the malware and turn it into unknown
malware, and press Enter.

4. Open the Tonic instant messaging application by clicking on the green icon in the notification area at
the bottom right corner.

5. Now we will simulate a lateral movement attack through the organization's instant messaging
application. The attacker was able to access an internal machine and launch the attack by sending the
BOT.exe malware to all users in that messaging application.
We will demonstrate this by sending BOT.exe to Vic (our Network Protected machine).
6. Right-click on Vic and choose the ‘file’ option to send the BOT.exe file to Vic.
7. An optional step is to write a short message and click Send.

8. Navigate to the Network Protected machine and open the message received from Dom.
You will see a flickering envelope in the notification area at the bottom right corner.

9. Click Accept and click the BOT.exe link inside that window to execute it.

10. From the user's point of view you will see a PowerShell window briefly open and close, but that is it.
Usually users will not see anything, but for the demo we are showing that something is running.
There will be no indication from the user perspective, and this is why we will move to the
administrator perspective to review the C&C communication block and the prevention of data
exfiltration.
11. The attack starts from BOT.exe, which is actually shellcode that downloads the malware and
executes it. You will see a TE detect log for the stage2.exe file, which is the actual malware. The Threat
Prevention policy includes an exception for that file for demo purposes. In real life this file would be
blocked.
The execution of stage2.exe creates a few scheduled processes that search for new files in the My
Documents folder, and once CompanySecret.doc is found it will try to exfiltrate it to an external
Command and Control server.
We will demonstrate the same scenario for SandBlast Agent to better understand the additional
value of having SandBlast Agent deployed, even in network-protected environments.
12. Navigate to the Domain Controller machine and open the Smart Console in the “LOGS&MONITOR” tab.
13. Search for the Anti-Bot log and review the Log Details.
This is the administrator experience, where an Anti-Bot log is very important to notice as it indicates
that the network is already infected.

You can also show that the malware download was detected by TE (stage2.exe), and remember
that for the demo we did not prevent it, so that the Anti-Bot scenario will detect the C&C traffic.
You can show the exclusion rule for that file in the general exceptions of the Threat Prevention
policy.

You can show the Anti-Bot forensics report that was generated by SandBlast Agent on a different
machine that was running the same BOT.exe file.
It is the report created by the Forensics analysis triggered by the Anti-Bot scenario in the SandBlast
Agent scenarios.
Open the “SBA AB report” shortcut from the desktop of the Network Protected machine.

SandBlast Agent Scenarios
The goal of this demonstration is to simulate, in real time, the capabilities of Check
Point SandBlast Agent.

Stage 1 – Zero-Phishing Scenario


Goal:
Demonstrate the SandBlast Agent Browser Extension Zero-Phish solution performing real-time dynamic
inspection of phishing sites and preventing credential theft attacks on users.

Discussion points:
• Discuss phishing attacks and credential theft as a means of taking over accounts and silently
infiltrating an organization.
• Discuss the Check Point Zero-Phish solution and its ability to perform real-time dynamic
inspection to prevent phishing attacks.
• Discuss multi-layered threat prevention scanning for phishing attacks at different levels of
inspection, and how the Zero-Phish solution is used as the last line of defense. Zero-Phish technology
scans the site just before the user submits their credentials, and the technology can also alert
users about reusing and exposing their corporate credentials on the web.

Instructions
1. Navigate to Pamela-PC and open the Outlook 2013 application by clicking the icon on the bottom
panel.

2. In the inbox you will see 2 emails.


Notice the difference between the emails: only the PayPal email will show prevention.
The AWS email is crafted so that the AWS site will only show you a warning, because the site is
asking for credentials but it is not an HTTPS site.

3. In the body of each email there is a link to a phishing web site.


Click on each of the phishing links, “here”, then click the username/email field as if you want
to enter your username in the site; the browser extension will scan the site for the first time.

See a few example screenshots below.

Notice that the username box is blocked and cannot be accessed.

*Notice that you are not blocked but only warned.
**Once done you can close the browser.

Stage 1.1 – Corporate credentials reuse protection scenario
1. Open the Chrome browser and browse to any familiar site (PayPal, Outlook, a bank, etc.) that has a
login screen (user name and password).
2. Enter a user name (it can be a fake one).
3. Enter “theft123” as the password to trigger the corporate credentials reuse protection.
*This is for demonstration purposes only, and can also be used with your own browser extension.

**Notice that the expected action is changing the corporate password, and that we are only
alerting and not preventing the user.

Stage 2 – Web download protection scenario
Goal:
Demonstrate SandBlast Agent Browser Extension web download protection with SandBlast Threat
Emulation and Threat Extraction technologies.
Additionally, this scenario is the same scenario as Inline Web Extraction, and the goal is to demonstrate
having the same level of protection when outside the organizational network.

Discussion points:
• Discuss Threat Emulation and Threat Extraction technologies as the core technologies
across all SandBlast solutions.
• Discuss having the same level of protection for users who leave the network protection and
work remotely.
• Discuss Practical Prevention, where users receive a safe and sanitized copy of files in seconds
while the original file is emulated. Original files are self-catered by the users if they are not malicious.

Before you start, it is important to mention that this is the same scenario as the network Inline
Web Extraction, to demonstrate that users leaving the network protection or working remotely
have the same level of protection and practical prevention.

Instructions
1. Navigate to Pamela-PC and open the Chrome browser.
A web page will automatically be opened to John Smith Dropbox, “http://www.dropbox-docs.com/”.
2. Click on the first file, “John Smith CV”, to download it.

The file is sent to the cloud for emulation and extraction. As the file is already known as malicious
by ThreatCloud and TE, it will be blocked. In cases where the file is not known, it will be extracted
and access to the original file will be blocked after emulation is finished, since the file is
malicious.

3. The following 2 files are benign files that will demonstrate Threat Extraction's ability to proactively
clean a file and provide the user with a safe copy of the file in seconds.
We will demonstrate 2 scenarios:

a. Clean (extract) for better user experience and minimal impact, by retaining the original file
format.
b. Convert to flat PDF for an additional security layer by changing the viewer, but with an additional
impact on users, as files are converted to PDF.
c. The configuration for the demo is the best-practice configuration, where clean is used for all files
except .doc/x/m, which are converted to PDF.

4. Download the “John Smith finance report”.


The policy is set to clean, which means that the file will be cleaned and reconstructed using the
same file format (the user will receive a safe copy in Excel format).
5. Click the “view chart” button to show that the macro is not working. After receiving the original file,
click “view chart” (after enabling content) to show that it is.

6. Download the “John Smith white paper”.


The policy is set to convert documents, which means that the file will be converted to a flat PDF and
active content will not run.

7. Press the browser extension icon (in the upper right corner of the extension bar) and download the
original files to show that the cleaned files' content is the same, but without the active content.
*In the Excel file there are links and a macro that are not active in the clean version, but are
active in the original version.
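The "clean" mode described here and in Stage 4 of the network scenarios removes the macro and the links but keeps the file format. The Python script below is an added example written for this guide, not Check Point's Threat Extraction code: it builds a constructed macro-enabled workbook in memory (an OOXML file is a zip of XML parts), reports the VBA project and external hyperlinks it carries, and writes a "clean" copy that drops them while keeping the xlsx format. The part names and content types follow the OOXML packaging convention; the sample workbook, its placeholder VBA part and the link target are constructed for the example.

```python
"""Inspect an OOXML package (xlsx/docx/pptx) for active content and write a
"clean" copy that keeps the original file format.
Added illustration for this guide; not Check Point's Threat Extraction code."""
import io
import re
import zipfile

# Office stores VBA macros as a binary part at a fixed location per application.
MACRO_PART = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$")
# Relationship entries whose target lies outside the package (hyperlinks etc.).
EXTERNAL_REL = re.compile(r'<Relationship\b[^>]*TargetMode="External"[^>]*/>')
# Relationship and content-type entries that point at the VBA project part.
VBA_REL = re.compile(r"<Relationship\b[^>]*vbaProject[^>]*/>")
VBA_CTYPE = re.compile(r"<(?:Override|Default)\b[^>]*vbaProject[^>]*/>")
# Worksheet hyperlink table; its r:id values refer to the external rels above.
HYPERLINKS = re.compile(r"<hyperlinks>.*?</hyperlinks>", re.S)
# Main-part content type of a macro-enabled workbook and its plain equivalent.
MACRO_MAIN = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"


def inspect_package(data: bytes) -> dict:
    """List the macro parts and external link targets found in the package."""
    macros, links = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if MACRO_PART.match(name):
                macros.append(name)
            elif name.endswith(".rels"):
                for rel in EXTERNAL_REL.findall(z.read(name).decode("utf-8")):
                    target = re.search(r'Target="([^"]+)"', rel)
                    if target:
                        links.append(target.group(1))
    return {"macros": sorted(macros), "external_links": sorted(links)}


def clean_package(data: bytes) -> bytes:
    """Rebuild the package without macros or external links ("clean" mode)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if MACRO_PART.match(name):
                continue  # drop the VBA project part entirely
            body = src.read(name)
            if name.endswith((".xml", ".rels")):
                text = body.decode("utf-8")
                for pattern in (EXTERNAL_REL, VBA_REL, VBA_CTYPE, HYPERLINKS):
                    text = pattern.sub("", text)
                body = text.replace(MACRO_MAIN, PLAIN_MAIN).encode("utf-8")
            dst.writestr(name, body)
    return out.getvalue()


def build_sample_workbook() -> bytes:
    """Constructed input: a tiny macro-enabled workbook with one external link.
    The vbaProject.bin content is a placeholder, not a real VBA stream."""
    rels = "http://schemas.openxmlformats.org/package/2006/relationships"
    odoc = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    parts = {
        "[Content_Types].xml":
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            f'<Override PartName="/xl/workbook.xml" ContentType="{MACRO_MAIN}"/>'
            '<Override PartName="/xl/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            "</Types>",
        "xl/workbook.xml":
            '<workbook><sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/></sheets></workbook>',
        "xl/_rels/workbook.xml.rels":
            f'<Relationships xmlns="{rels}">'
            f'<Relationship Id="rId1" Type="{odoc}/worksheet" Target="worksheets/sheet1.xml"/>'
            '<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            "</Relationships>",
        "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder",
        "xl/worksheets/sheet1.xml":
            '<worksheet><sheetData/><hyperlinks><hyperlink ref="A1" r:id="rId1"/></hyperlinks></worksheet>',
        "xl/worksheets/_rels/sheet1.xml.rels":
            f'<Relationships xmlns="{rels}">'
            f'<Relationship Id="rId1" Type="{odoc}/hyperlink" Target="http://example.invalid/get-original" TargetMode="External"/>'
            "</Relationships>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_workbook()
    print("before:", inspect_package(original))
    print("after: ", inspect_package(clean_package(original)))
```

Running the script prints the macro part and the external link found in the constructed workbook, then an empty result for the cleaned copy. The "convert" mode the guide describes for .doc/x/m files is a different operation (rendering to a flat PDF) and is not shown here.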

Stage 2.1 – Demonstrating the impact of downloading a
malicious file and opening it on an unprotected machine
Instructions
1. Now let's see what happens when we try to download the same file with Bob-PC, which is not
protected by SandBlast Agent and will get infected.
2. Navigate to Bob-PC and open the Chrome browser.
3. Download “John Smith CV” and open the file.
* This file executes an unknown malware sample with a cryptolocker popup to simulate a cryptolocker
attack. The machine will not be infected, since this is just a sample for demonstration purposes.

*Show the ransom message that represents a ransomware attack by opening the document on an
unprotected station.

**Close the ransom message to close the document.

You might encounter a run-time error message after closing the CryptoLocker notification window.
This is the desired behavior, and it also appears in the Threat Emulation prevent log from Stage 1 of
the network scenarios as a CPU-level detection of an unexpected process crash.

Stage 3 – Forensics analysis triggered by Anti-Bot lateral
movement scenario
Goal:
Demonstrate the 2nd line of defense, containment, and the 3rd line of defense, forensics analysis and
remediation, as part of the SandBlast security strategy.

Discussion points:
• Discuss post-infection scenarios and lateral movement scenarios, where the Anti-Bot
technology will perform automatic containment of infections and the Forensics technology will
automatically analyze and remediate that infection.
• Discuss extending the network-level Anti-Bot technology to the endpoint and enhancing it
to provide per-endpoint containment as part of our multi-layered threat prevention approach.
• Discuss the forensics module that constantly monitors the system and automatically analyzes
detections to create a full, understandable and actionable report with automatic remediation
capabilities.

Instructions
1. Navigate to the Attacker Unprotected machine and click on the “ShellCode_Variant.bat” shortcut
on the desktop.
2. Type BOT.exe in the cmd window and press Enter.

3. Type some random characters to modify the hash of the malware and turn it into unknown
malware, and press Enter.

4. Open the Tonic instant messaging application by clicking on the green icon in the notification area at
the bottom right corner.

5. Right-click on the Pamela contact, click on “File” and choose the file BOT.exe from
C:\Maliciousfiles\Shellcode.
6. An optional step is to write a short message and click Send.

7. Navigate to Pamela-PC and open the Tonic chat program from the notification area at the bottom right
corner (you will see an envelope icon flashing).

8. Click on the Accept button to accept the file and then click on the BOT.exe link to execute it.

9. From the user's point of view you will see a PowerShell window briefly open and close, but that is it.
Usually users will not see anything, but for the demo we are showing that something is running.
There will be no indication from the user perspective, and this is why we will move to the
administrator perspective to review the C&C communication block and the prevention of data
exfiltration.
10. Wait a few seconds and you will see the SandBlast Agent Anti-Bot pop-up “Infection Detected”:
malicious communication was blocked.
We will review the attack through the automatic forensics report that was created.

11. Navigate to the Domain Controller machine and open the Smart Console in the “LOGS&MONITOR” tab.
12. Search for the Anti-Bot log and review the Log Details.
This is the administrator experience, where an Anti-Bot log is very important to notice as it indicates
that the endpoint was already infected.

13. Let's analyze the event from the log: click on the Anti-Bot event and open the log.

14. Review the log details and click “Open the forensics report” to view the endpoint forensics report.

Review the forensics report and focus on the following:


How did Pamela-PC get infected? The Tonic IM program was used to spread the malware through lateral
movement inside the organization.
What was the trigger? The exfiltration activity was detected by the SandBlast Agent Anti-Bot.

Explain the Overview screen and how the report answers the 4 main questions every incident
response team looks for. Show that the report is easy to understand and actionable.
Show the Business Impact: the malware tried to send CompanySecret.doc to the attacker's
Command & Control server.
The infection started from the shellcode (BOT.exe) moving laterally through the Tonic IM program.
Once executed, BOT.exe downloaded the malware (oemxxxx.exe), which searched for
CompanySecret.doc and tried to exfiltrate it to the attacker's C&C.
Show that the report is dynamic and every section can be expanded for a more in-depth view.
Focus on the Incident Details and show the additional information for every process. Focus on the
network information from BOT.exe and the oemxxxx.exe trigger.
The automatic forensics report is generated in seconds, while for incident response teams it can
take days and even weeks to create.
For more details on forensics reports and how to read them, use the Check Point blog articles.
Just Google “check point forensics blog” and use the articles you find.
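As an added example of how a report of this kind answers the entry point, trigger and business impact questions (illustration code written for this guide, not Check Point's forensics engine), the Python script below reconstructs the chain from constructed endpoint telemetry modelled on the network Anti-Bot scenario and on this one: a blocked outbound connection is the trigger, the parent chain is walked back to the first process that is not part of an assumed baseline (the entry point) and to its parent (the delivery vector), and the files read by the attack chain are listed as data at risk. The baseline list, PIDs, paths and the TEST-NET addresses are constructed for the example.

```python
"""Reconstruct an attack chain from endpoint telemetry and answer the questions
a forensics report is organised around: entry point, trigger, business impact.
Added illustration for this guide; not Check Point's forensics engine."""
import ntpath  # Windows path handling, so the example also runs on Linux/macOS

# Processes treated as ordinary infrastructure rather than attack stages
# (assumed baseline for this example).
BASELINE = {"explorer.exe", "tonic.exe", "outlook.exe", "chrome.exe"}


def image_name(path: str) -> str:
    return ntpath.basename(path)


def build_report(events: list) -> dict:
    """Walk from the blocked connection back to the process that started it all."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    trigger = next((e for e in events
                    if e["type"] == "network" and e["verdict"] == "blocked"), None)
    if trigger is None:
        return {"trigger": None, "chain": [], "entry_point": None,
                "delivery_vector": None, "data_at_risk": []}
    # Follow parent PIDs upward until we run out of recorded processes.
    chain, pid = [], trigger["pid"]
    while pid in procs:
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    chain.reverse()  # root first
    names = [image_name(p["image"]) for p in chain]
    # Entry point: first process in the chain that is not part of the baseline;
    # the process that launched it is the delivery vector (here the IM client).
    entry_idx = next((i for i, n in enumerate(names) if n.lower() not in BASELINE), None)
    if entry_idx is None:
        return {"trigger": trigger, "chain": names, "entry_point": None,
                "delivery_vector": None, "data_at_risk": []}
    attack_pids = {p["pid"] for p in chain[entry_idx:]}
    # Business impact: files touched by any process of the attack chain.
    data_at_risk = sorted({e["path"] for e in events
                           if e["type"] == "file_read" and e["pid"] in attack_pids})
    return {"trigger": trigger, "chain": names, "entry_point": names[entry_idx],
            "delivery_vector": names[entry_idx - 1] if entry_idx else None,
            "data_at_risk": data_at_risk}


SAMPLE_EVENTS = [  # constructed telemetry modelled on the scenario above
    {"type": "process", "pid": 500, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 900, "ppid": 500, "image": r"C:\Program Files\Google\Chrome\chrome.exe"},
    {"type": "file_read", "pid": 900, "path": r"C:\Users\vic\Downloads\report.pdf"},
    {"type": "network", "pid": 900, "dst": "203.0.113.10:443", "bytes": 1024, "verdict": "allowed"},
    {"type": "process", "pid": 1000, "ppid": 500, "image": r"C:\Program Files\Tonic\tonic.exe"},
    {"type": "process", "pid": 1200, "ppid": 1000, "image": r"C:\Users\vic\Downloads\BOT.exe"},
    {"type": "process", "pid": 1300, "ppid": 1200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "pid": 1400, "ppid": 1300, "image": r"C:\Users\vic\AppData\Local\Temp\stage2.exe"},
    {"type": "file_read", "pid": 1400, "path": r"C:\Users\vic\Documents\CompanySecret.doc"},
    {"type": "network", "pid": 1400, "dst": "198.51.100.23:443", "bytes": 48213,
     "verdict": "blocked", "blade": "Anti-Bot"},
]

if __name__ == "__main__":
    report = build_report(SAMPLE_EVENTS)
    print("trigger      :", report["trigger"]["dst"], "blocked by", report["trigger"]["blade"])
    print("chain        :", " -> ".join(report["chain"]))
    print("entry point  :", report["entry_point"], "delivered via", report["delivery_vector"])
    print("data at risk :", report["data_at_risk"])
```

The benign chrome.exe activity in the sample is never attributed to the attack, because only processes from the entry point downward count as part of the chain; that is the same distinction the report draws between the infection path and the rest of the machine's activity.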

Stage 4 – Behavioral Guard scenario: prevention of a
crypto miner attack
Goal:
Demonstrate SandBlast Agent Behavioral Guard technology preventing a crypto miner attack according to
its runtime behavior. Attack analysis and explanation will be done through the forensics report.

Discussion points:
• Discuss crypto mining attacks and how they impact users and businesses. Computer CPU usage
will run very high, which will cause severe impact to users and will also cause financial losses.
• Discuss SandBlast Agent's capability to prevent malware attacks according to their behavior
during runtime.
• Discuss the multi-layered threat prevention approach with a security strategy that can perform
real-time behavioral inspection with automatic analysis and remediation.

Instructions
1. Navigate to the Attacker Unprotected machine and open the email client from the taskbar.
2. Navigate to the ‘SBA’ folder under the ‘Drafts’ folder and open the “Booking Confirmation” email.
3. Attach ‘Flight_Booking_Confirmation.docm’ from the “C:\Maliciousfiles\BG” folder and press Send.
The email will be sent to Bob-PC and to Pamela-PC.
*Please note that those email addresses are excluded from the network protection to allow the
email to arrive.

4. Navigate to Bob-PC and open the email client from the taskbar.

5. Open the “Booking Confirmation” email and open the attached document (double-click it).

Scenario walkthrough

The Flight Confirmation Word document is delivered through the email vector.
Once opened, Word launches PowerShell to download the malicious executable and saves it to a
hidden temp folder on the victim machine as “scvhost.exe”. It also registers it as persistent, to run at
every boot. This “scvhost.exe” launches itself and Notepad, and then injects a crypto
miner module into Notepad.

Camouflage and other techniques used in crypto mining attacks:


o The name of the malicious executable closely resembles a well-known Windows service
name: in our case the malicious executable is called scvhost.exe.
o Injection of the miner module into a well-known, commonly used process: in our case the Notepad and
Windows Update processes.
o Hiding the mining process when the user checks why the computer is running slowly: in our
case, when Task Manager is launched, the mining operation is suspended.
o Creating persistence so that mining will resume after reboot.
o A watchdog in case the mining process is killed.
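To show how three of the camouflage techniques above surface in endpoint telemetry, here is an added Python example (written for this guide, not Check Point's Behavioral Guard logic) that reviews a constructed process snapshot modelled on the walkthrough: it flags names within two edits of a well-known Windows binary that are not that binary, well-known names running from an unexpected directory, executables running from a user temp directory, Office applications spawning a script host, and quiet processes such as notepad.exe burning CPU. The baseline directories, the 25% threshold and the snapshot itself are assumptions for the example.

```python
"""Heuristic review of a process snapshot for the camouflage tricks listed above.
Added illustration for this guide; not Check Point's Behavioral Guard logic."""
import ntpath  # Windows path handling, so the example also runs on Linux/macOS

# Well-known Windows binaries that malware imitates, with the directory each is
# expected to run from (assumed baseline for this example, lower-case).
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "wininit.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Processes that normally do no sustained computation; high CPU there points
# at an injected worker such as a miner module.
QUIET_PROCESSES = {"notepad.exe", "wuapp.exe", "explorer.exe"}
CPU_THRESHOLD = 25.0  # assumed; the walkthrough quotes "more than 25% CPU"
# A document viewer spawning a script host is the classic macro-dropper chain.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch lookalikes such as scvhost vs svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(snapshot: list) -> list:
    """Return (pid, reason) findings for a list of process records."""
    by_pid = {p["pid"]: p for p in snapshot}
    findings = []
    for p in snapshot:
        name = ntpath.basename(p["path"]).lower()
        directory = ntpath.dirname(p["path"]).lower()
        if name in KNOWN_SYSTEM_BINARIES:
            if directory != KNOWN_SYSTEM_BINARIES[name]:
                findings.append((p["pid"], f"{name} running from unexpected path {p['path']}"))
        else:
            for known in KNOWN_SYSTEM_BINARIES:
                if levenshtein(name, known) <= 2:
                    findings.append((p["pid"], f"{name} is a lookalike of {known}"))
                    break
        if r"\appdata\local\temp\\" [:-1] in directory + "\\":
            findings.append((p["pid"], f"{name} executing from a temp directory"))
        parent = by_pid.get(p["ppid"])
        if parent is not None:
            pname = ntpath.basename(parent["path"]).lower()
            if pname in OFFICE_APPS and name in SCRIPT_HOSTS:
                findings.append((p["pid"], f"{pname} spawned script host {name}"))
        if name in QUIET_PROCESSES and p["cpu"] >= CPU_THRESHOLD:
            findings.append((p["pid"], f"{name} at {p['cpu']}% CPU, possible injected worker"))
    return findings


SAMPLE_SNAPSHOT = [  # constructed, modelled on the walkthrough above
    {"pid": 500, "ppid": 4, "path": r"C:\Windows\explorer.exe", "cpu": 1.0},
    {"pid": 600, "ppid": 4, "path": r"C:\Windows\System32\services.exe", "cpu": 0.5},
    {"pid": 700, "ppid": 600, "path": r"C:\Windows\System32\svchost.exe", "cpu": 1.0},
    {"pid": 3100, "ppid": 500, "path": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "cpu": 2.0},
    {"pid": 3200, "ppid": 3100, "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cpu": 3.0},
    {"pid": 3300, "ppid": 3200, "path": r"C:\Users\bob\AppData\Local\Temp\scvhost.exe", "cpu": 0.2},
    {"pid": 3400, "ppid": 3300, "path": r"C:\Windows\System32\notepad.exe", "cpu": 28.0},
]

if __name__ == "__main__":
    for pid, reason in analyze(SAMPLE_SNAPSHOT):
        print(f"pid {pid}: {reason}")
```

The lookalike check is deliberately skipped for names that are themselves in the known list, otherwise csrss.exe and lsass.exe (two edits apart) would flag each other. The Task Manager hiding trick and the watchdog are behaviours over time and cannot be seen in a single snapshot; they need process start/stop events, which is where a runtime behavioral engine has the advantage over a point-in-time check.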

6. Open Process Explorer from the desktop and you will see wuapp.exe taking more than 25% CPU, as an
indicator that it is running.
If you launch Task Manager, wuapp.exe disappears and the CPU comes back to normal; when you close
Task Manager, it will come back and restart mining.
If you try to kill the wuapp.exe process, it will restart; try it.

7. To stop the mining you will need to kill “scvhost.exe”. Notice the different name!
We have demonstrated an unprotected machine scenario and experienced a crypto mining attack
and its almost unnoticeable symptoms, with no visible or easy way to stop and remediate it (unless
we already know what to do).
8. Navigate to Pamela-PC and open the email client.
9. Open the “Booking Confirmation” email and open the attached document (double-click it).
10. The crypto mining attack will start and will be detected according to the crypto mining behavior.
In this scenario, the Behavioral Guard technology detects the behavior starting from winword.exe
creating a PowerShell that launches scvhost.exe, which launches the notepad.exe miner.
You can click on View Details to review the incident details from the forensics report to understand
more.

11. Open Process Explorer and notice that the attack was remediated and that the forensics report was
automatically created.
12. Open the forensics report from the Agent UI and investigate.
Review the forensics report, starting from the status of the attack, which is “cleaned”. Continue with
the entry point, which is very clear to see, and end with the incident details, which show the path of the
attack in a very simple and easy to understand way.
Important to show is that there is no business impact.
You can get all of the relevant information from the forensics report; use it.

Stage 5 – Anti-Ransomware and Anti-Exploit scenarios using a
drive-by exploit on IE11
Goal:
Demonstrate SandBlast Agent Anti-Exploit technology preventing the attack during the exploit stage, before
the malware is executed.
Demonstrate SandBlast Agent Anti-Ransomware behavioral protection, remediation and restoration of
user data.

Discussion points:
• Discuss ransomware attacks and how they impact users and businesses. Even more than just
paying the ransom for a single remediation, the loss of resources, data and work time can cause
huge financial losses.
• Discuss SandBlast Agent's capability to detect exploit attacks and ransomware attacks
according to their behavior, and, in case files were encrypted, to restore all of the user data
automatically.
• Discuss the multi-layered threat prevention approach with a security strategy that can perform
real-time behavioral inspection with automatic analysis and remediation.

This demonstration includes a real exploit and a real WannaCry ransomware sample. We
will show the same scenario as described below:
A drive-by exploit attack based on the VBScript "god mode" exploit that automatically
downloads and launches a WannaCry ransomware attack on the machine.
This scenario will be executed on 3 different PCs to show what will happen to:
• An unprotected user (Bob-PC)
• A user protected with SandBlast Agent but with Anti-Exploit in silent mode (Dan-PC)
• A user protected with SandBlast Agent and Anti-Exploit set to prevent (Pamela-PC)
• Optional – Show ransomware prevention by executing “First Sample – Dan CV.pdf”
(Petya Goldeneye sample)

**Bob-PC will be encrypted and other scenarios on Bob-PC will not work.

Stage 5.1 – Drive-by exploit with WannaCry (ransomware)
execution on an unprotected machine
1. Navigate to Bob-PC and open the My files folder on the desktop.
2. Open Internet Explorer from the taskbar.

3. Browse to the mystore site through the bookmark in the Favorites tab.

4. Move the My files folder to the front, with IE in the background.

5. After about 10-15 seconds the exploit will start running, and the ransomware will follow and encrypt
the files.

A few minutes later you will see the ransom note (you might need to minimize the folder and
browser).

Stage 5.2 – Drive-by exploit with WannaCry (ransomware)
execution on a protected machine with Anti-Ransomware
6. Navigate to Dan-PC and open the My files folder on the desktop.
7. Open Internet Explorer from the taskbar.

8. Browse to the mystore site through the bookmark in the Favorites tab.

9. Move the My files folder to the front, with IE in the background.

10. After about 10-15 seconds the exploit will start running, and the ransomware will follow and encrypt
the files.

11. Since Anti-Exploit is set to silent, Anti-Ransomware will pop up a few seconds after encryption
starts. Anti-Ransomware is set to automatically restore and remediate.

It will take between a few seconds and 30 seconds for the entire remediation and restoration to
complete.
*Tip – Move the pop-up to the side to show the encryption and restoration.

You will also notice that Threat Emulation pops up as well.

The browser will not terminate, but the page loading will be stopped.

Stage 5.3 – Drive-by exploit with WannaCry (ransomware)
execution on a protected machine with Anti-Exploit
12. Navigate to Pamela-PC and open the My files folder on the desktop.
13. Open Internet Explorer from the taskbar.

14. Browse to the mystore site through the bookmark in the Favorites tab.

15. Move the My files folder to the front, with IE in the background.

16. After about 10-15 seconds the exploit will start running, and Anti-Exploit will prevent and block it.
Notice the Anti-Exploit pop-up and the termination of the browser.

17. Open SmartEvent from the Domain Controller machine and review the logs and events.
*Note that this scenario is best demonstrated from the user experience point of view.

WOW!!!
IPS Protections Demo Scenario
The goal of this demonstration is to simulate prevention of ransomware and phishing
attacks using the IPS blade.

1. Navigate to the Domain Controller machine and open the Smart Console (admin/Cpwins1!),
IP=10.58.0.100.

2. Navigate to the Threat Prevention policy.

3. Drag rule number 3 above rule number 2, and replace the profile of rule number 1 with the IPS-only
profile. Make sure the policy looks like what you see below.
4. Install the policy.

Don't forget to install the Threat Prevention policy after the change.
The protection profile in rule number 2 includes only the IPS and Anti-Bot blades.

Before you start the scenario

Change the default browser to Internet Explorer on the Network Protected machine
and on the Attacker Unprotected machine.
The IPS scenario will not work with Chrome as the default browser.

Step 1 – Demo IPS blade protection against a phishing attack
Goal:
Demonstrate IPS prevention of a phishing email.

Discussion points:
• Discuss multi-layered threat prevention preventing known attacks.

Instructions
1. Navigate to the Attacker Unprotected machine and open the Microsoft Live Mail client.
2. Navigate to the “IPS Protection Folder” under the Drafts folder.
3. Open the email “PayPal account Limitations”, review it and send it to ips@unknown300.com.

4. Navigate to the Domain Controller machine and open the Smart Console in the “LOGS&MONITOR” tab.
5. You will see 3 logs that were generated by the IPS module.
Since we wanted to show in this demo that 3 different IPS protections could have prevented the
phishing attack, we configured two of the protections in Detect mode and the last one in Prevent.
The logs are not always shown in the right order, since it is a matter of milliseconds.
6. Open each log and review the Log Details.

Step 2 – Demo IPS blade protection against ransomware
Goal:
Demonstrate IPS prevention of a ransomware attack delivered through the email vector and
downloaded through the web vector from a legitimate shopping site.

Discussion points:
• Discuss multi-layered threat prevention preventing known attacks with a multi-vector
approach.

Instructions
1. Navigate to the Attacker Unprotected machine and open Wireshark from the taskbar.
2. Click on the Start button to start capturing traffic.

3. Start the Task Manager (right-click on the taskbar and choose Start Task Manager).
4. Open the email client and click on the ‘Inbox’ folder.

5. Click on the advertisement inside the email.

Internet Explorer will open on the myshoppingsite.com web site.


Wait a few seconds until you see a cmd.exe process running in the Task Manager.
6. Switch back to the Wireshark application and stop the capture.

Inside the code of this legitimate website, a malicious iframe was injected by the attackers. It redirects
Internet Explorer in the background to a malicious website hosting the RIG exploit kit (malicious
toolkits contain various exploits bundled into a single package), which takes advantage of a vulnerability
in the Internet Explorer browser to download ransomware code to the client and execute it.
Let's see what just happened in the background while you were browsing the myshoppingsite.com
web site.

7. Right click on the first row where you see the host name, www.myshoppingsite.com, in the capture
screen and select ‘Follow TCP Stream’

You will see a ‘GET’ request with ‘element.js.download’


8. Once the stream is open click on the ‘Find’ button and search for the word ‘MALICIOUS’

9. Here is the iframe with the redirection to http://guacamole.MALICIOUS.COM/.. To RIG Exploit Kit.

When the user arrives on the landing page, the Rig Exploit Kit checks whether the user’s computer has
a driver file associated with a particular antivirus product. To avoid detection, the kit does not drop its
exploits if a driver belonging to a known AV product, such as “kl1.sys”, is present.



The kit then looks for particular installed plugins and attempts to exploit them accordingly. In the recent
compromise, the Rig Exploit Kit took advantage of the following vulnerabilities:

 Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-2551)
 Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322)
 Adobe Flash Player Remote Code Execution Vulnerability (CVE-2014-0497)
 Microsoft Silverlight Double Dereference Remote Code Execution Vulnerability (CVE-2013-0074)
 Oracle Java SE Memory Corruption Vulnerability (CVE-2013-2465)
 Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507)

If the kit successfully exploits any of these vulnerabilities, malware is downloaded onto the victim’s
computer. In this case the Rig Exploit Kit dropped Cryptodefense ransomware (Trojan.Cryptodefense).

If 2-3 minutes have already passed since you visited the shopping website, the files on the Attacker
Unprotected machine have already been encrypted and the desktop background has changed.

10. Navigate to the Network Protected machine and open the Email Client



11. Navigate to the Inbox and click on the Advertisement.

Internet Explorer will open on the myshoppingsite.com web site; wait about 10 seconds.

12. Navigate to the Domain Controller machine to view the logs and investigate the IPS logs.

You will see 5 logs that were generated by the IPS blade.
Since we wanted to show in this demo that 5 different IPS protections could each have prevented this
attack, we manually configured 4 of the protections to Detect mode and the last one to Prevent.
The logs do not always appear in the same order, since the events are only milliseconds apart.

Make sure to emphasize the need for a multi-layered threat prevention approach that starts
with prevention of known attacks.

THANK YOU
