
Workshop Guide

Hands-on
Investigation & Threat
Hunting Workshop

http://www.paloaltonetworks.com

© 2019 Palo Alto Networks. Proprietary and Confidential

Last Update: 20190315



Table of Contents
Activity 0 – Log in to the Cortex Hub (page 5)
Activity 1 – Investigate High Severity Security Event (page 5)
  Task 1 – Open Cortex XDR – Investigation & Response app (page 5)
  Task 2 – Investigate the Security Event using Cortex XDR - Investigation & Response (page 7)
  Task 3 – View Root Cause in Cortex XDR – Investigation & Response (page 14)
  Task 4 – Review Evidence and Read About Response Actions (page 15)
Activity 2 – Investigate Suspicious User Behavior (page 16)
  Task 1 – Find and Open the Analytics Alert for PC2 (page 16)
  Task 2 – View Details for the Failed Connections Alert (page 17)
  Task 3 – View the High Connection Rate (MYSQL) Alert (page 19)
  Task 4 – Investigate the High Connection Rate (MYSQL) Alert (page 21)
  Task 5 – View the Logs that Triggered the Large Upload Alert (page 23)
  Task 6 – Investigate the Large Upload Alert using Detailed Endpoint Information (page 25)
  Task 7 – Review Evidence and Read About Response Actions (page 29)
Activity 3 – Investigate Stealthy Attack (page 31)
  Task 1 – Find and Open the Analytics Alert for WS-FIN-29345 (page 31)
  Task 2 – View the Alerts and Information for WS-FIN-29345 (page 32)
  Task 3 – View the Alerts and Information for WS-IT-15674 (page 37)
  Task 4 – View Endpoint Information for WS-IT-15674 (page 42)
  Task 5 – Review Evidence and Read about Response Actions (page 44)
Activity 4 – Investigate Using the Incident Manager (page 45)
  Task 1 – Find and Read about the Alerts for PC3 and PC4 (page 45)
  Task 2 – View Options to Manage the Incident (page 46)
  Task 3 – View The Common Attributes in the Incident (page 48)
  Task 4 – Analyze the Incident using PC3 (page 49)
  Task 5 – Analyze the Incident using PC4 (page 50)
  Task 6 – Review Evidence and Read About Response Actions (page 53)
Activity 5 – Hunt for Phishing Threats and Create Custom Detection Rules (page 53)

HOW: Investigation & Threat Hunting 2



  Task 1 – Review the file name in the Behavioral Threat Event (page 54)
  Task 2 – Create and Execute a Query (page 54)
  Task 3 – Analyze the Query Results (page 57)
  Task 4 – Review Evidence and Read About Response Actions (page 59)
  Task 5 – Create a Custom Detection using BIOC rule (page 60)




How to use this Guide:


The activities outlined in this guide are meant to contain all the information necessary to
navigate the User Interfaces for the different applications available in Cortex Hub, which
includes Traps Management Service (also referred to as TMS), Cortex XDR – Analytics, and
Cortex XDR – Investigation & Response. This guide is meant to be used in conjunction with
the information and guidance provided by your facilitator.

The screenshots in this guide may not completely match what you see in your browser, because some of
the alerts may have different usernames, PC names, timestamps, or dates. The basic steps will still apply.

This workshop covers only basic topics and is not a substitute for training classes conducted
at a Palo Alto Networks Authorized Training Center (ATC). Please contact your partner or
regional sales manager for more training information.

Terminology:
Tab: refers to the different tabs along the top of each screen in the GUI.

Sub-Tab: refers to the options associated with each “Tab”, found in the left-hand column on each screen.

Node or Icon: refers to the different images that can be selected in the visualizations that appear in the
User Interface.

Navigation in the Cortex Hub: any of the apps can be opened by left clicking on it. As an alternative, some
users prefer to right-click and open the app in a new tab, keeping the main Cortex Hub page open.

Cortex XDR Tenant: refers to a specific Cortex XDR instance. For this workshop you may be assigned to
one in the US and another in the EU. Screenshots reference data in the EU instance, so the US instance
might look slightly different.

Data in screenshots: The data in the US and EU tenants were generated with virtual firewalls and virtual
machines with Traps agents. Because the traffic from the virtual machines is live, the underlying data such
as times, dates, and IP addresses might be slightly off.




Activity 0 – Log in to the Cortex Hub


Follow instructions from your instructor.

Activity 1 – Investigate High Severity Security Event

Traps version 6.0 includes a new prevention model, named Behavioral Threat Prevention or BTP. This new engine is
designed to block malware based on a series of behaviors instead of signatures.

This activity focuses on an alert triggered by the BTP module. Once BTP blocks the execution, an alert is triggered and
appears in the TMS console. It also appears automatically in the Cortex XDR - Investigation and Response console, under
the Alerts page.

In this activity, you will:


● Determine whether the alert is a True-Positive or False-Positive
● Understand where in the attack chain it was blocked
● Understand the root cause
● Understand if any follow up actions are required

Task 1 – Open Cortex XDR – Investigation & Response app


Step 1: In the Cortex Hub, right click on the Cortex XDR app and choose Open Link in New Tab. If you see
“No Active Instance”, use this URL:
https://5eeabc8e-95cf-4449-831e-774fd8a672e0.xdr.eu.paloaltonetworks.com/alerts

Step 2: This opens a new tab to the Cortex XDR – Investigation & Response console and takes you to the
Alerts page. Delete the Last 7D filter by clicking on the X.




Step 3: Look at the alerts and the Alert Source column – they include alerts from NGFW, Traps, Analytics,
Behavioral Indicators of Compromise (BIOCs), and Indicators of Compromise (IOCs). IOCs might not be
visible. In this activity we will focus on the Traps alert – the high severity alert from Traps about
malware called Behavioral Threat.

Step 4: On the top left of the browser, click on the icon to create a new filter. In the dropdown, select
Alert Source.

In the options that appear, select Traps as the only source.




Then click somewhere else on the screen. This will clear the alerts and only show the Traps alerts.

Task 2 – Investigate the Security Event using Cortex XDR - Investigation & Response

Step 1: Find the Traps alert with a SEVERITY of High for the user named LC-Dynamic\user1 with the ALERT
NAME of Behavioral Threat. Right click anywhere on the line and select Analyze.

Step 2: The following screen will open in a new tab. Check your browser settings and enable pop-ups if
you do not see it.




Note about the 4 sections on this screen – colors represent the boxes in the screenshot above:

● Endpoint and Actions section [wrapped in the orange/yellow box on the top left and top right] -
this section contains the hostname and IP address of the machine, the process responsible for the alert,
and PID (process ID). The right side of this section allows response actions such as isolation of the host
machine from the network using the Traps agent (do not do this in the HOW).

● Causality diagram [wrapped in the green box] - this diagram shows the chain of execution related
to the alert, including all involved processes. It’s possible to right click on the process nodes in the chain to
perform actions like add child processes or parent process, Blacklist a process etc. Causality continuously
and automatically analyzes data to identify the chains of events associated with any process, host, user,
connection or file to reveal the attack-chain behind every threat. It visualizes the causality (cause and
effect) of events - automating the dot-connection process that an investigator would otherwise have to do
manually. The result will be a full root-cause analysis of why an alert was raised (both detection and
prevention alerts), what the potential damage might be and many notable items that require attention.

● Information section [wrapped in the blue box and shown in the UI with a dark gray background] –
when clicking on one of the nodes in the Causality chain, the data in this section refreshes to show
information about it, such as the path, hash values, command-line arguments, WildFire verdict, and more.
Different node types show different fields.




● Raw data for processes [wrapped in the purple box, near the bottom of the current view] - when
clicking on one of the nodes in the Causality chain, the data in this section refreshes to show all the raw
data related to the process, grouped by type, for example files that were accessed, connections made,
and more.

Step 5: Click on the wscript.exe round node in the Causality view, which is the right-most node near the
top of the screen. The number in each node represents the number of child processes that were started
by that node.

Looking at the information section (highlighted in the left red box), we can see the execution time was a
little over a minute, and the command-line argument (lower right red box) points to loading a .vbs script
from the Windows temp folder.

Step 6: Scroll down to see the raw data, and click on the Alert tab (in blue below, with red box around it).

Look at the ALERT NAME column (red box on the right). This column shows BIOCs that were triggered
related to this event. BIOCs (Behavioral Indication of Compromise) are rules that look at patterns that are
often used during various attack/breach scenarios. Cortex XDR - Investigation and Response will have
hundreds of BIOCs provided out of the box, but it’s also possible to create custom rules.

In this case we can see that a few BIOCs triggered on wscript.exe, for example:
● Executable or script created in the startup folder
● Commonly abused process creates a new autostart registry key
● New entry added to startup related registry keys by signed process
● Scripting engine loads a script file from the Windows temporary folder

Three are Informational – meaning they are used to provide context and enrichment, while the one shown
as Low is more notable and an alert was triggered on it in the Alerts screen.
Three alerts are categorized as Persistence and relate to ways attackers maintain control of machines.
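As an added example (not code from the guide or from Cortex XDR), a toy rule matcher that replays the four BIOCs above against a constructed stream of endpoint events; the event schema, the severity and category values, the paths and the matching logic are assumptions made for this example, and only the rule names come from the guide.

```python
"""Toy BIOC-style rule matcher, added as an example (not Cortex XDR code).

Replays the four BIOCs the guide lists for wscript.exe against a constructed
stream of endpoint events. The Event schema, the severity and category fields
and the matching logic are assumptions made here; only the rule names come
from the guide.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Path fragments compared case-insensitively (Windows-style, constructed).
STARTUP_DIR = "\\start menu\\programs\\startup\\"
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
STARTUP_EXT = (".vbs", ".js", ".jse", ".ps1", ".bat", ".cmd", ".exe")
# A script path under the Windows temp folder appearing on a command line.
TEMP_SCRIPT_RE = re.compile(
    r"\\windows\\temp\\[^\s\"']+\.(?:vbs|vbe|js|jse|ps1|bat|cmd)\b", re.IGNORECASE)


@dataclass
class Event:
    kind: str                 # "process", "file" or "registry"
    process: str              # image name of the acting process
    signed: bool = False      # acting process carries a valid signature
    cmdline: str = ""         # for kind == "process"
    path: str = ""            # file path or registry value path touched
    action: str = ""          # "create", "write" or "set"


@dataclass
class Rule:
    name: str
    severity: str             # assumed: the guide only says three are Informational, one Low
    category: str             # assumed for the fourth rule; the guide names Persistence for three
    match: Callable[[Event], bool]


def _startup_script(e: Event) -> bool:
    p = e.path.lower()
    return (e.kind == "file" and e.action in ("create", "write")
            and STARTUP_DIR in p and p.endswith(STARTUP_EXT))


def _autostart_by_abused_process(e: Event) -> bool:
    return (e.kind == "registry" and e.action == "set"
            and e.process.lower() in SCRIPT_ENGINES
            and any(k in e.path.lower() for k in RUN_KEYS))


def _autostart_by_signed_process(e: Event) -> bool:
    return (e.kind == "registry" and e.action == "set" and e.signed
            and any(k in e.path.lower() for k in RUN_KEYS))


def _script_from_temp(e: Event) -> bool:
    return (e.kind == "process" and e.process.lower() in SCRIPT_ENGINES
            and TEMP_SCRIPT_RE.search(e.cmdline) is not None)


RULES = [
    Rule("Executable or script created in the startup folder",
         "Informational", "Persistence", _startup_script),
    Rule("Commonly abused process creates a new autostart registry key",
         "Informational", "Persistence", _autostart_by_abused_process),
    Rule("New entry added to startup related registry keys by signed process",
         "Informational", "Persistence", _autostart_by_signed_process),
    Rule("Scripting engine loads a script file from the Windows temporary folder",
         "Low", "Execution", _script_from_temp),
]


def evaluate(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (rule name, severity, acting process) for every event a rule matches."""
    return [(r.name, r.severity, e.process) for e in events for r in RULES if r.match(e)]


# Constructed events mirroring the chain in the guide (paths and names are made up).
SAMPLE_EVENTS = [
    Event("process", "powershell.exe", signed=True,
          cmdline="powershell -executionPolicy bypass -enc <base64 omitted>"),
    Event("file", "powershell.exe", signed=True, path=r"C:\Windows\Temp\1.vbs", action="create"),
    Event("process", "wscript.exe", signed=True, cmdline=r"wscript.exe C:\Windows\Temp\1.vbs"),
    Event("file", "wscript.exe", signed=True, path=r"C:\ProgramData\system.vbs", action="create"),
    Event("file", "wscript.exe", signed=True, action="create",
          path=r"C:\Users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.vbs"),
    Event("registry", "wscript.exe", signed=True, action="set",
          path=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\system"),
]

if __name__ == "__main__":
    for name, severity, proc in evaluate(SAMPLE_EVENTS):
        print(f"[{severity}] {proc}: {name}")
```

Run against the constructed events it yields exactly the four hits the guide describes, three Informational and one Low, all attributed to wscript.exe.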

Step 7: Click on the File tab to see all the files that were accessed by wscript.exe, including the creation of
a system.vbs file in c:\programdata, and another system.vbs file in a startup folder – meaning that script
will start again when the user logs in next time [the reason for one of the BIOCs on persistency]. Scroll
down to see the full list (not shown in the screenshot below).

Step 8: Click on the Registry tab to view the list of changes to the Registry. Scroll right and down as
needed.

Step 9: Scroll back up and click on the powershell.exe node.




Then look toward the bottom of the browser to view the information section. Look for the CMD text
(shown below with the red arrow) and hover over it to see the full command.

SIDE NOTE
The base64-encoded command can be decoded back to the original string. Click on the copy icon next to
the command line to copy it to the clipboard.

Open a new tab and navigate to https://www.base64decode.org/ for decoding. Remove the
start of the command [“powershell -executionPolicy bypass -enc”], leaving only the base64
string, and decode it.
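The decoding in the side note, as an added example rather than the guide's own procedure: a small Python helper that strips the leading “powershell -executionPolicy bypass -enc” part and decodes the remainder. It relies on the fact that PowerShell's -EncodedCommand wraps UTF-16LE text (which is why a plain base64 decoder shows NUL bytes between characters); the sample command line is constructed.

```python
"""Decode a PowerShell -enc / -EncodedCommand command line.

Added example, not part of the workshop. PowerShell's -EncodedCommand carries
base64 of UTF-16LE text, so a plain base64 decode shows every other byte as
NUL; this helper removes the leading "powershell ... -enc" part, as the side
note describes, and decodes with the right encoding. The sample is constructed.
"""
import base64
import binascii
import re
from typing import Optional

# -e, -ec, -enc and -EncodedCommand are accepted spellings of the switch.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                    re.IGNORECASE)


def extract_encoded(cmdline: str) -> Optional[str]:
    """Return the base64 blob following the encoded-command switch, if any."""
    m = ENC_RE.search(cmdline)
    return m.group(1) if m else None


def decode_powershell_command(cmdline: str) -> Optional[str]:
    """Return the decoded script text, or None if the command line is not encoded."""
    blob = extract_encoded(cmdline)
    if blob is None:
        return None
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"base64 blob is damaged or truncated: {exc}") from exc
    if len(raw) % 2:
        # Odd length cannot be UTF-16; fall back so the analyst still sees something.
        return raw.decode("latin-1")
    return raw.decode("utf-16-le")


def encode_powershell_command(script: str) -> str:
    """Build a command line the way PowerShell expects it (used to construct the sample)."""
    blob = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell -executionPolicy bypass -enc {blob}"


# Constructed, benign sample standing in for the command line copied from the UI.
SAMPLE_SCRIPT = 'Write-Output "workshop sample"'
SAMPLE_CMDLINE = encode_powershell_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(SAMPLE_CMDLINE)
    print(decode_powershell_command(SAMPLE_CMDLINE))
```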

Step 10: Scroll down to see the raw data, and click on the Alert tab.

Two Low severity BIOCs are shown:

● Powershell runs base64 encoded commands, marked with category of Evasion
● Powershell process makes network connections to the internet, marked as Exfiltration




Step 11: Click on the Network tab.

It seems that powershell.exe reached out to a bit.ly domain and to box.com instances [this is the reason for
the BIOC about powershell making internet connections].

Step 12: Click on the File tab and scroll down.

‘powershell.exe’ created a zip file, and then created the 1.vbs file which was later used by ‘wscript.exe’.
This is a common method of delivering a payload.

Step 13: Scroll back up and click on the ‘cmd.exe’ node.




The command-line argument for cmd.exe shows that it executed a file with an odd extension – “.pdf.bat”.
If your browser doesn’t show the full command line, hover over it with your mouse.

Since the default Windows policy is to hide known file extensions, attackers often masquerade their
payload by using double extensions and changing the file’s icon. To the user, this file probably looked like a
PDF document and not a batch script. The name of the file itself, “RSU Grant Update”, seems like
something an unsuspecting user would open.

Step 14: Scroll back up and click on the ‘7zFM.exe’ node.

7zFM.exe is a part of 7zip – a popular archiving software. The command line argument for it shows the zip
file that was accessed ‘C:\Users\user1\Downloads\RSU Grant Update.zip’.

The location of the file suggests it was probably downloaded knowingly by the user [the ‘Downloads’
folder of the user]. Just like the cmd.exe, “RSU Grant Update.zip”, seems like something an unsuspecting
user would open.





Task 3 – View Root Cause in Cortex XDR – Investigation & Response
Step 1: Click on the chrome.exe node.

The command-line argument for it shows a URL, which is the location from which the zip file was
downloaded.

Chrome doesn’t typically start with a URL in the command line, so it suggests that Chrome was started by
another program with the URL in its command line.

SIDE NOTE
Clicking on the File and Network tabs in the raw data for Chrome will show all the domains and IP
accessed by the browser, as well as the files that were accessed [including the zip file creation to disk]. This
is a useful tool when trying to analyze user browsing activities.

Step 2: Right click on the chrome.exe node and select Show Parent.

Within about two seconds, another node will show up before chrome.exe – outlook.exe.




Seeing outlook.exe, an email client, opening chrome.exe with a URL, together with the rest of the Causality
chain, is strong evidence that this alert started from a phishing email with a link to a zip file.

Task 4 – Review Evidence and Read About Response Actions

Step 1: Review evidence collected

● Traps alerted and ultimately blocked a behavioral pattern.
● The investigation revealed that the attack incorporated scripts, but no binary malware.
● The attack used several methods of persistency and evasion until it was blocked.
● The names of the files, alongside the way they were executed, are often linked to phishing.
Step 2: Think about the response actions that should be performed.

Response action – DO NOT CLICK ANY BUTTONS IN THE SYSTEM

At this point, the machine should be isolated from the network. People using the system
would now click on the Isolate Host button on the top right corner of the screen to make
sure that machine won’t be able to communicate with hosts in the network or on the
internet.

Response action – DO NOT CLICK ANY BUTTONS IN THE SYSTEM

After isolating the machine [containing the attack], the analysts at the organization can now
decide on next steps with less urgency. Next steps will typically be either formatting the
machine or deleting all changes done during the attack [files, registry keys, etc.].

Now that we understand what happened, we need to respond to the incident.

Step 3: Do you agree with the below statements and the answers in green?

● Decide whether the alert is True-Positive or False-Positive: It is a True-Positive alert.
● Understand where in the attack chain it was blocked: Just after it gained persistency.
● Understand the root cause: Phishing email.
● Understand if any follow up actions are required: Isolating the machine, and either format to clean
the relevant artifacts or delete them and remove all persistency methods.




End of Activity 1

Activity 2 – Investigate Suspicious User Behavior

In this activity the investigation focuses on a few alerts generated by the Cortex XDR - Analytics application using network
data, specifically Traffic logs and Enhanced application logs from the NGFW. Cortex XDR detected suspicious activity from
one user and device in the network, as logged by the NGFW. This activity is suspicious because it is new behavior for this
specific source device. The alerts are shown in the Cortex XDR - Investigation and Response console, but more details can
be seen in the Cortex XDR – Analytics user interface.
In this activity, you will:
● Decide whether the alert is True-Positive or False-Positive
● Understand the events that caused the alert, the context behind the alert, and what was uploaded
● If this is a True-Positive, understand if this is malware related or possible insider threat
● Understand if there's any business damage

Task 1 – Find and Open the Analytics Alert for PC2


Step 1: In the Cortex XDR – Investigation & Response app, click back on the Alerts tab across the top.
Change the Alert Source to Analytics. Then click anywhere on the screen. The list of alerts will refresh.

Step 2: Find the row where the HOST value is PC2. Right click on one of them then choose Show rows
with PC2.

This will update the table and you will now see three rows.

Step 3: Read the descriptions of the Analytics alerts for PC2. Scroll right if needed. There will be three.

Step 4: Find the alert for PC2 named Failed Connections. Right click on it and select Open in Analytics.

This will open a new browser tab to the Cortex XDR - Analytics User Interface.

Task 2 – View Details for the Failed Connections Alert


Step 1: Read the information in the Alert Description and the overview. Click on the graduation cap
near the top of the screen to read about the Alert. The Peer group baseline in the Alert Description
is the learned behavior of this device. The high number of failed connections is new behavior for this
device.

Step 2: View the diagram and notice the two overlapping network segments in the red box below. The
gray arrow represents the baseline, or the learned behavior of this device.




The name of the network segments can be manually configured based on your network topology. The
Data center network is a small 172.16.30.0/24 network, while the Corporate network is 172.16.0.0/16.
Click on Network then Destinations to view the NGFW logs involved with the alert.

Step 3: In the table, scroll down and right to review the information. Notice the destination IP addresses
used, the port numbers, and the App-ID – all of this information was logged by the NGFW. Based on this
information, the machine is doing a horizontal scan of the network, checking each IP address to see if the
port normally used for MYSQL (port 3306) is open.




Task 3 – View the High Connection Rate (MYSQL) Alert


Step 1: On the top left, click on the High Connection Rate alert. Read the Alert Description and look at the
diagram. The baseline (bottom arrow in gray) is the learned behavior and shows that this machine never
connected to the MYSQL server.

Step 2: Click Process and select Process Connections.

Step 3: In your lab the table will be empty since the data is more than 3 days ago. But read the
description of the table anyway. The screenshot below is an example of what it would look like if you saw
the alert within 3 days after it happened. The column in the red box is data collected by the Traps agents
and the data in the blue box is data collected by NGFW. All other columns are from both sources.
Analytics has automatically stitched data from Traps agents and the NGFW logs to speed up investigation.




Step 4: Back in the Cortex XDR – Analytics application, click Process and select Process Executions.

Step 5: View the table that appears. It’s obvious from the command line column (shown in a purple box) that
user2 is running commands to attempt to log in to the MYSQL server, using the -p flag with different
passwords.




Task 4 – Investigate the High Connection Rate (MYSQL) Alert


Step 1: On the top right, click on Investigate and choose the third option named View outgoing traffic
from PC2 to target devices. This will open up the Cortex XDR – Investigation & Response app in a new
browser tab.

Step 2: The new browser tab will show a table with the query results for all the Endpoint activity logs that
were collected by Traps, to and from the hosts in the alert during the alert timeframe. Scroll down and
right as needed to view more information about what is collected from the Endpoint, especially the
INITIATOR CMD column.

SIDE NOTE
In this example, if you look at the TIMESTAMP column, each command was run a few
seconds apart. But what happens if the user runs the commands with a 5 second, 10 second,
or 60 second delay?
The Analytics detection algorithms would still detect the connection rate as it changed from 0
sessions/hour to something else, such as 60 sessions/hour. This is one example where
Analytics, by comparing learned behavior with new behavior, is able to detect low and slow attacks.
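Both checks described in this activity, the horizontal scan for port 3306 from Task 2 and the baseline-versus-new connection rate from this side note, as an added example that is not Cortex XDR Analytics code: it runs over a constructed, simplified CSV traffic log whose columns are an assumption for the example (not the PAN-OS log schema), and the spacing between the login sessions is a parameter so the low-and-slow variant from the side note can be tried.

```python
"""Baseline-versus-new-behavior checks over constructed NGFW-style traffic logs.
Added example, not Cortex XDR Analytics code. The CSV columns below are an
assumption for this example, not the PAN-OS traffic log schema."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

TS_FMT = "%Y-%m-%d %H:%M:%S"
SRC = "172.16.10.20"                       # constructed address standing in for PC2


def build_sample_log(login_gap_seconds: int = 2) -> str:
    """Constructed log: a quiet baseline period, then a port-3306 sweep and logins."""
    rows = ["timestamp,src,dst,dport,app,action"]

    def add(ts, dst, dport, app, action):
        rows.append(f"{ts.strftime(TS_FMT)},{SRC},{dst},{dport},{app},{action}")

    t = datetime(2019, 3, 1, 9, 0, 0)          # baseline: only web traffic from PC2
    for i in range(20):
        add(t + timedelta(minutes=15 * i), "172.16.30.10", 443, "web-browsing", "allow")
    t = datetime(2019, 3, 4, 14, 0, 0)         # sweep of 172.16.30.0/24 on 3306, 2 s apart
    for i in range(1, 31):
        add(t + timedelta(seconds=2 * i), f"172.16.30.{i}", 3306, "mysql",
            "allow" if i == 5 else "deny")
    t = datetime(2019, 3, 4, 15, 0, 0)         # 60 sessions to the one open server
    for i in range(60):
        add(t + timedelta(seconds=login_gap_seconds * i), "172.16.30.5", 3306, "mysql", "allow")
    return "\n".join(rows)


def parse_log(text: str) -> List[dict]:
    recs = []
    for r in csv.DictReader(io.StringIO(text)):
        r["timestamp"] = datetime.strptime(r["timestamp"], TS_FMT)
        r["dport"] = int(r["dport"])
        recs.append(r)
    return recs


def failed_connection_scan(recs: List[dict], port: int, min_targets: int = 10) -> Dict[str, int]:
    """Sources denied on `port` to at least min_targets distinct hosts (horizontal scan)."""
    targets = defaultdict(set)
    for r in recs:
        if r["dport"] == port and r["action"] == "deny":
            targets[r["src"]].add(r["dst"])
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}


def sessions_per_hour(recs, src, app, start, end) -> float:
    """Average sessions per hour from src using app over the half-open window [start, end)."""
    hours = (end - start).total_seconds() / 3600
    n = sum(1 for r in recs
            if r["src"] == src and r["app"] == app and start <= r["timestamp"] < end)
    return n / hours


def connection_rate_alert(recs, src, app, baseline, window, factor: float = 10.0) -> dict:
    """Flag a rate that is new (learned baseline of 0) or far above the learned rate."""
    base = sessions_per_hour(recs, src, app, *baseline)
    now = sessions_per_hour(recs, src, app, *window)
    alert = now > 0 and (base == 0 or now > factor * base)
    return {"baseline": base, "observed": now, "alert": alert}


BASELINE = (datetime(2019, 3, 1), datetime(2019, 3, 4))        # learned period (72 h)
WINDOW = (datetime(2019, 3, 4, 15), datetime(2019, 3, 4, 16))  # the alert hour


def demo(login_gap_seconds: int = 2) -> dict:
    """Run both checks on the constructed log with the given spacing between logins."""
    recs = parse_log(build_sample_log(login_gap_seconds))
    out = connection_rate_alert(recs, SRC, "mysql", BASELINE, WINDOW)
    out["scan"] = failed_connection_scan(recs, 3306)
    return out


if __name__ == "__main__":
    for gap in (2, 60):
        print(f"login gap {gap:>2}s:", demo(gap))
```

Whether the 60 logins are 2 seconds or 60 seconds apart, the hourly rate in the alert window is 60 sessions/hour against a learned baseline of 0, which is the point the side note makes.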




Step 3: Choose any line and right click to select Investigate in Timeline. This will open up a new browser
tab – if nothing happens, check your browser popup settings.

Step 4: In the new tab, you will see a visualization of the various logs from the endpoint, including when
the commands were run as well as a table showing the different commands that were run. Hover over
some of the items in the table and scroll down and right as needed. You should now have a feel for the
different investigation options available, whether it is within the Analytics application or within the
Investigation & Response application.





Task 5 – View the Logs that Triggered the Large Upload Alert
Step 0: Find some of the Investigation & Response browser tabs and close them out to clean up your
browser. Do not close the browser tab with Cortex XDR – Analytics.

Step 1: Find the most recent browser tab with the Cortex XDR – Analytics UI. It should be on PC2, so click
on the Large Upload (FTP) alert.

Step 2: View the high level information in the Alert. According to the data from App-ID [taken from FW
logs], this is an FTP session during which nearly 3 GB or more than 2,900 MB of data was uploaded to an
FTP server on the internet. The application responsible is winscp.exe [taken from Traps data] which is
Benign in WildFire and is also validly signed.




Step 3: Click on Network and then FTP Connections. It will show all the FTP connections that triggered this
alert from the Firewall perspective, along with the source process causing it on the endpoint. Note again
the stitched logs from the endpoint and from the Firewall. The red box highlights the information from the
endpoint, and the blue box highlights the information from the Firewall. Also, view the values in the App-ID
column as well as the values in the Sent Data column (you might need to scroll right).




Step 4: Click on Investigate in the upper right corner, and then select ‘View outgoing traffic from PC2 to
90.130.70.73’. A new tab to the Investigation & Response application will open with the query already
pre-populated. Proceed to the next Task.

SIDE NOTE
It’s recommended to also check VirusTotal and DomainTools information available via link in the
alert, but for the sake of this lab we’ll skip it.

Task 6 – Investigate the Large Upload Alert using Detailed Endpoint Information
Step 1: The Cortex XDR – Investigation & Response app will open in a new tab with the query results. This
displays all the raw connections as seen from the endpoint's point of view.




Step 2: Right click on one of the lines and choose Analyze. A new browser tab will open, and you can see
WinSCP.exe, as reported by Cortex XDR - Analytics with its parent process Explorer++.exe, which is a file
explorer tool often used by admins due to its flexibility.

Step 3: Scroll down and click on the File tab. Click on Timestamp to change the sort order or scroll through
the list of files. While several files were accessed by WinSCP.exe, there are a few that show
C:\Users\user2\Documents. What files in this directory were accessed?

Step 4: Scroll back up, and note the number 2 in the Explorer++.exe node, which means that process has
two children. Right click on Explorer++.exe and select View children.

Step 5: Another child of Explorer++.exe will appear named 7zFM.exe. Depending on your tenant, the
7zFM.exe node will have either the number 1 or 2 for the child process(es). Right click on 7zFM.exe and
select View children.




Step 6: Depending on the data in your tenant, one or two processes for 7zFM.exe will appear, both named
7zG.exe. If there are two, click on the top 7zG.exe. View the entire command including the command-line
argument and notice it is directing towards a remote share.

Step 8: Scroll down and click on the File tab. Sort the Timestamp column so the earliest date and time is
on top. Then scroll down till you see the File Create and File Write action type. 31 zip files were created
with the name data.zip.001 through data.zip.031, all in the C:\Users\user2\Documents folder.




Step 9: Scroll down to review the files that are read. Filter by File Read if needed. Note the directory
names on the File Share and some of the file names.

Step 10: Go back up to the nodes, and right click on Explorer++.exe, then Investigate in timeline. This
opens another tab.




Step 11: View the visualization of the upload to see when it occurred and the connections that were made.
Move your mouse over some of the dots and graphs toward the top and look at the Description column.
Optionally, the timeline also supports a zoom functionality by using your mouse to select a time range.

Task 7 – Review Evidence and Read About Response Actions


Step 1: Review evidence collected

● The host performed a network scan to look for MYSQL servers and then identified a MYSQL server.
● The host used the username of root and thousands of different passwords and attempted to log in to
the MYSQL server.
● The user had access to a file share with sensitive data. 7zip was used to create over 30 zip files named
data.zip.001 – data.zip.031, using files and folders from a Shared directory. The files were written to
the Documents folder, and the smaller zip files made it easier to send.
● WinSCP.exe was used to send 2TB – 3TB of data in the Documents folder outside of the network.
● The zip file contained sensitive files copied from a shared location, including:
o Board meeting summaries and announcements
o Marketing plans
o Product roadmap and limitations
o Competitive information
o Entire databases
● 7zip and WinSCP are UI based applications, meaning this was probably done by the user. It seems to
be a case of an insider threat leaking data. Potential business damage to the company could be
significant.

Step 2: Now that we understand what happened, we need to respond to the incident.

Response action – DO NOT CLICK ANY BUTTONS IN THE SYSTEM

At this point, the machine should be isolated from the network. People using the
system would now click on the Isolate Host button on the top right corner of the
screen to make sure that machine won’t be able to communicate with hosts in
the network or on the internet.

Response action – DO NOT CLICK ANY BUTTONS IN THE SYSTEM

After isolating the machine [containing the attack], the analysts at the
organization can now decide on next steps with less urgency. Next steps will
typically be either formatting the machine or deleting all changes done during
the attack [files, registry keys, etc.].

Step 3: Do you agree with the below statements and answers in green?

1. Decide whether the alert is True-Positive or False-Positive: It is a True-Positive alert.
2. Understand the events that caused the alert and the context behind the alert: FTP upload to a
server online of a large amount of data done using applications that have UIs in the user context.
3. Understand what was uploaded: Sensitive data including documents, databases, presentations, etc.
4. If this is a True-Positive, understand if this is malware related or possible insider threat: Seems to
be insider threat since UI based applications were used and the access and upload seemed to be specific.
5. Understand if there’s any business damage: Yes.

End of Activity 2




Activity 3 – Investigate Stealthy Attack


Some attacks are malware based, while others are stealthier in nature. Stealthy attacks cannot be detected with
malware signatures because no malware is used. Instead, they consist of multiple steps in which the attacker performs
reconnaissance to learn about the network and lateral movement to get closer to their goals. To perform these steps,
attackers sometimes live off the land, meaning they use only the tools already available on devices in the network
rather than bringing their own malware.
In this activity, you will:
● Investigate several alerts for two different hosts, using different data sources
● Pivot to and from different hosts and different users as part of the investigation process
● Understand how the different data sources add context to the alert details

Task 1 – Find and Open the Analytics Alert for WS-FIN-29345


Step 1: In one of the browser tabs for Cortex XDR – Investigation and Response, navigate back to the
Alerts page. Filter by Analytics alerts again, then find the host named WS-FIN-29345 and use right-click to
select Show rows with WS-FIN-29345.

Step 2: There will now be four alerts. Read the description of the alerts to get an idea of what is
happening. These alerts will be investigated in more detail later.

Step 3: Find the alert named Failed Connections. Then right click on the Alert and choose Open in
Analytics.


Task 2 – View the Alerts and Information for WS-FIN-29345


Step 1: Read the Alert Description and click on the graduation cap toward the top of the screen if more
information is needed. View the visualization and notice the baseline as well as the names of the network
segments. These IP address ranges can be modified to match your own network. For this lab we see that the
WS-FIN-29345 machine has used ping to identify hosts in two network segments, one named Clients-employees
and another named Corporate. The numbers you see might be a little different from the screenshot below.

Step 2: In the middle of the screen, click Network > Destinations to view details about the Failed
Connections.

The source of information in this table is NGFW logs. Based on the App-ID of ping and the destination IP
addresses 172.16.1.1, 172.16.2.1, 172.16.3.1, etc., the device is pinging the .1 address of each subnet to look
for possible routers (default gateways), and therefore for networks. Based on the IP addresses in the
172.16.20.0/24 subnet, the device then continued to look for other devices on that specific network segment.


Step 3: Click on the WS-FIN-29345 device on the top left to view information about that device.

Step 4: View the Device Description and Properties. The MAC address of the device is a strong identifier
for this device and is used by Cortex XDR – Analytics to group these alerts and behaviors into a single
source called an Entity. The OS of Windows is determined through passive profiling of firewall logs. (For
customers with Directory Sync enabled, the OS is taken from Active Directory and sent to the Cortex Hub
via a separate Directory Sync Agent.)

Note that the device in this scenario is unmanaged, so Traps is not installed. If Traps were installed, you
would see a row that says the Data Source is Traps. There will be an example in the next Task.

Step 5: Click on the next alert based on the time and date. That alert is Port Scan. If needed, click on the
graduation cap to read more about the alert. Read the Alert Description and view the visualization. Then
click on Network and Destination. Sort by the Destination Port column and click through the pages to
view the Destination IP addresses and Destination Ports used.


After identifying the router 172.16.20.1, the device performed additional reconnaissance to find more
machines on that network. The destination hostname WS-IT-15674 was identified.
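The gateway pings (Step 2) and the sequential port probes behind the Port Scan alert can be reproduced from raw traffic logs. The following Python is an added example, not code from the workshop or from Palo Alto Networks: it runs simple sweep and scan heuristics over a constructed set of NGFW-style log rows, roughly what the Failed Connections and Port Scan analytics alerts describe. The scanning host 172.16.20.55, its targets and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
import ipaddress

# Constructed NGFW traffic-log rows as (src, dst, dst_port, app_id, action).
# ICMP rows carry port 0. The scanning host and its targets are made up.
SCANNER = "172.16.20.55"
SAMPLE_LOGS = [(SCANNER, d, 0, "ping", "allow") for d in
               ("172.16.1.1", "172.16.2.1", "172.16.3.1", "172.16.20.1")]
SAMPLE_LOGS += [(SCANNER, f"172.16.20.{h}", 0, "ping", "allow") for h in range(10, 18)]
SAMPLE_LOGS += [(SCANNER, "172.16.20.77", p, "unknown-tcp", "deny") for p in range(130, 145)]
SAMPLE_LOGS += [("10.0.0.5", "172.16.20.77", 445, "ms-ds-smb", "allow")]  # ordinary traffic


def gateway_probes(rows):
    """Per source, the distinct .1 addresses it pinged (likely default gateways)."""
    out = defaultdict(set)
    for src, dst, _port, app, _act in rows:
        if app == "ping" and (int(ipaddress.ip_address(dst)) & 0xFF) == 1:
            out[src].add(dst)
    return dict(out)


def ping_sweeps(rows, min_hosts=8):
    """Per (source, /24), the number of distinct hosts pinged, kept when >= min_hosts."""
    seen = defaultdict(set)
    for src, dst, _port, app, _act in rows:
        if app == "ping":
            net = ipaddress.ip_network(f"{dst}/24", strict=False)
            seen[(src, str(net))].add(dst)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_hosts}


def port_scans(rows, min_ports=10):
    """Per (src, dst) pair, distinct ports contacted; report pairs at/above min_ports
    and whether the ports form one contiguous run, which is typical of enumeration."""
    ports = defaultdict(set)
    for src, dst, port, _app, _act in rows:
        if port:
            ports[(src, dst)].add(port)
    findings = {}
    for pair, ps in ports.items():
        if len(ps) >= min_ports:
            ordered = sorted(ps)
            sequential = ordered[-1] - ordered[0] + 1 == len(ordered)
            findings[pair] = {"ports": len(ordered), "sequential": sequential}
    return findings


if __name__ == "__main__":
    print("gateway probes:", gateway_probes(SAMPLE_LOGS))
    print("ping sweeps:", ping_sweeps(SAMPLE_LOGS))
    print("port scans:", port_scans(SAMPLE_LOGS))
```

The thresholds are deliberately low so the constructed sample trips them; in a real environment they would be learned per host from a baseline, which is what the Analytics alerts do, rather than fixed.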

Step 6: The two alerts named Remote Command Execution and New Administrative Behavior overlap in
terms of the time they occurred. Click on the New Administrative Behavior alert, since that was detected
first. Follow the same steps to investigate: read the Alert Description, view the visualization, and look
through the tables. Both alerts show ms-wmi as the App-ID and Accessed Resource. Based on the New
behaviors description and the red text in the table, this is the first time this device has attempted any SSH
connections or any remote commands.


Step 7: Click on the Remote Command Execution alert and follow the same steps to investigate: read the
Alert Description, view the visualization, and look through the tables. The Network > Command
Executions table shows the Firewall identified ms-wmi and ms-service-controller as the App-ID from WS-
FIN-29345 to WS-IT-15674.

Step 8: Click on the Overview tab to go back to the visualization. Based on these two alerts, there may be
lateral movement happening and targeting WS-IT-15674. Double click on the icon for WS-IT-15674.


Task 3 – View the Alerts and Information for WS-IT-15674


Step 1: You will now see the Device Description for WS-IT-15674. You will see that the icon is yellow
because it has at least one yellow or suspicious alert. Notice that in the Properties tab the Data Source is
Traps – that means that Analytics is also processing data from the Traps agent installed on this device.

Step 2: View the alerts on the left and notice the dates and times of each alert. They show when the
activity started and the timeframe over which it continued.

Step 3: Click on the Failed Connections (None) alert. Read the Alert Description and the Related
Processes on the right. This information is only possible because the Traps agents are continuously
collecting activity logs and sending it to Cortex Data Lake for processing by Cortex XDR.


Also view the diagram and note the best1_user and the destinations in the diagram. We will explore the
best1_user a little later.

To see details about the Firewall logs, click on Network > Destinations. Then click on the Process >
Process Executions table to show the exact commands that were run on the endpoint that triggered this
alert. One example is shown below:


Step 4: View the Failed DNS alert. This alert shows the device has been making a large number of DNS
requests for non-existent domains. This is a common pattern for compromised devices that use a domain
generation algorithm to phone home to their command and control server: most of the generated names
do not resolve, so the failures pile up. View the Network > DNS Queries table to see a sample of the DNS
requests and whether they were successfully resolved.
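An added example (not workshop or product code) of the Failed DNS heuristic over constructed DNS log rows: count NXDOMAIN answers per host, compare them with the host's total queries, and score how random the failed names look. The host names, the domains, the thresholds and the use of Shannon entropy as the randomness score are assumptions for the example; the product's own alert works from its learned baseline rather than fixed thresholds.

```python
import math
from collections import defaultdict

# Constructed DNS query-log rows: (host, queried_name, response_code). The random-looking
# names are made up to imitate domain-generation-algorithm output.
SAMPLE_DNS = [
    ("WS-IT-15674", "xk3j9qpl2v.com", "NXDOMAIN"),
    ("WS-IT-15674", "pq7zm1aw8c.net", "NXDOMAIN"),
    ("WS-IT-15674", "b2n8r4tyx0.org", "NXDOMAIN"),
    ("WS-IT-15674", "u9s1vk6lmq.com", "NXDOMAIN"),
    ("WS-IT-15674", "h4w0ezcj7p.net", "NXDOMAIN"),
    ("WS-IT-15674", "update.example.com", "NOERROR"),
    ("PC2", "mail.example.com", "NOERROR"),
    ("PC2", "www.example.com", "NOERROR"),
    ("PC2", "mail.exmaple.com", "NXDOMAIN"),  # an ordinary typo, not a pattern
]


def shannon_entropy(text):
    """Bits per character; random-looking DGA labels score higher than dictionary words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(name):
    """Label directly left of the TLD; assumes a single-label public suffix such as .com."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def failed_dns_by_host(rows):
    """Per host: total queries, failed queries, and the entropy of each failed label."""
    stats = defaultdict(lambda: {"queries": 0, "failures": 0, "entropies": []})
    for host, name, rcode in rows:
        s = stats[host]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["failures"] += 1
            s["entropies"].append(shannon_entropy(second_level_label(name)))
    return stats


def flag_failed_dns(rows, min_failures=5, min_ratio=0.5, min_entropy=3.0):
    """Hosts whose failed lookups are numerous, dominate their traffic and look random."""
    flagged = {}
    for host, s in failed_dns_by_host(rows).items():
        if s["failures"] < min_failures:
            continue
        ratio = s["failures"] / s["queries"]
        entropy = sum(s["entropies"]) / len(s["entropies"])
        if ratio >= min_ratio and entropy >= min_entropy:
            flagged[host] = {"failures": s["failures"],
                             "ratio": round(ratio, 2), "entropy": round(entropy, 2)}
    return flagged


if __name__ == "__main__":
    print(flag_failed_dns(SAMPLE_DNS))
```

The entropy check is what keeps a single mistyped domain from looking like beaconing: a typo of a real word scores low, while a ten-character label of unrepeated characters scores about 3.3 bits per character.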

Step 5: Click on the Port Scan alert. Read the description and view the visualization again. Click on
Process, then the Process Connections table, and read the description. The table only has associated
executables for the last 3 days, so it might be empty in your lab. Pay attention to the columns named
PROCESS, DESTINATION IP, DESTINATION PORT, and APP-ID. You will need to scroll down and use the
arrows to see the other pages. The destination ports and addresses are sequential, which means enumeration
was happening.


Step 6: Click the New Administrative Behavior alert, read the description and the graduation cap, and
view the visualization. best1_user is a service account in this scenario, and Analytics detected that this
administrative behavior is new for this user. Click on Process > Process Executions to see the data that
was stitched from the NGFW and Traps logs. Look for the command lines that start with wmic and note
the destination. The screenshot below only shows a few of them.


Step 7: Click on the Overview tab to return to the visualization, then click on the best1_user icon. The
information in this screen would be filled in if there were more Active Directory information for this user,
available through the Directory Sync service.

Step 8: Click on the Remote Command Execution alert. Read the description and view the visualization,
and note that wmic.exe is in both as well as the user named best1_user. This means that the logs from
the NGFW and Traps agents were automatically stitched together to provide this view. This alert shows
that this machine is using the best1_user account to execute commands on other machines.

Step 9: Expand the SMB Traffic from Non-Standard Process alert and click on the second alert. Read the
alert description and click on the graduation cap at the top to get more information. The
description shows that nmap is generating SMB traffic that was identified by the Firewall, which is not how
Windows devices normally generate SMB traffic (SMB client connections normally originate from the
Windows System process). This is another example of an alert that can detect stealthy behavior from
non-standard processes that imitate normal network traffic, like SMB or Kerberos.


Step 10: Click on Network > Destinations and view the table. You will see the nmap.exe process from the
endpoint stitched with the App-ID from the Firewall.
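The stitching that Steps 8 and 10 rely on can be shown with a small join. This is an added example, not the product's implementation and not workshop code: it matches constructed NGFW traffic rows to constructed endpoint process-connection records on the same source, destination and port within a few seconds, then applies the two checks from the alerts above, SMB that does not originate from the Windows System process and the remote-execution App-IDs ms-wmi and ms-service-controller. The IP addresses, timestamps, command lines and the five-second window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed NGFW traffic-log rows for source 172.16.20.77 (assumed to be WS-IT-15674).
FW_LOGS = [
    {"ts": "2019-05-20T10:00:03", "src": "172.16.20.77", "dst": "10.10.5.21", "dport": 445, "app": "ms-ds-smb"},
    {"ts": "2019-05-20T10:00:09", "src": "172.16.20.77", "dst": "10.10.5.22", "dport": 135, "app": "ms-wmi"},
    {"ts": "2019-05-20T10:01:00", "src": "172.16.20.77", "dst": "10.10.5.30", "dport": 445, "app": "ms-ds-smb"},
    {"ts": "2019-05-20T10:05:00", "src": "172.16.20.77", "dst": "93.184.216.34", "dport": 443, "app": "ssl"},
]

# Constructed endpoint process-connection records from the agent on the same host.
ENDPOINT_CONNS = [
    {"ts": "2019-05-20T10:00:02", "ip": "172.16.20.77", "user": "best1_user", "process": "nmap.exe",
     "cmdline": "nmap.exe -p445 10.10.5.0/24", "dst": "10.10.5.21", "dport": 445},
    {"ts": "2019-05-20T10:00:08", "ip": "172.16.20.77", "user": "best1_user", "process": "wmic.exe",
     "cmdline": 'wmic.exe /node:10.10.5.22 process call create "regedit.exe"', "dst": "10.10.5.22", "dport": 135},
    {"ts": "2019-05-20T10:00:59", "ip": "172.16.20.77", "user": "SYSTEM", "process": "System",
     "cmdline": "", "dst": "10.10.5.30", "dport": 445},
    {"ts": "2019-05-20T10:05:01", "ip": "172.16.20.77", "user": "itadmin", "process": "chrome.exe",
     "cmdline": "chrome.exe", "dst": "93.184.216.34", "dport": 443},
]

# Outbound SMB client traffic on Windows comes from the kernel "System" process; the
# remote-execution App-IDs are the two named in the workshop's alert (assumed list).
EXPECTED_SMB_PROCESSES = {"System"}
REMOTE_EXEC_APPS = {"ms-wmi", "ms-service-controller"}


def stitch(fw_rows, ep_rows, window_s=5):
    """Join each firewall row to the endpoint connection with the same (src, dst, dport)
    whose timestamp lies within window_s seconds; returns the joined records."""
    window = timedelta(seconds=window_s)
    joined = []
    for fw in fw_rows:
        fw_ts = datetime.fromisoformat(fw["ts"])
        for ep in ep_rows:
            same_flow = (ep["ip"], ep["dst"], ep["dport"]) == (fw["src"], fw["dst"], fw["dport"])
            if same_flow and abs(datetime.fromisoformat(ep["ts"]) - fw_ts) <= window:
                joined.append({**fw, "process": ep["process"], "user": ep["user"],
                               "cmdline": ep["cmdline"]})
                break
    return joined


def findings(joined):
    """Classify stitched records the way the two alerts above do."""
    out = []
    for r in joined:
        if r["app"] == "ms-ds-smb" and r["process"] not in EXPECTED_SMB_PROCESSES:
            out.append(("SMB Traffic from Non-Standard Process", r["process"], r["dst"]))
        if r["app"] in REMOTE_EXEC_APPS:
            out.append(("Remote Command Execution", r["process"], r["dst"]))
    return out


if __name__ == "__main__":
    for f in findings(stitch(FW_LOGS, ENDPOINT_CONNS)):
        print(f)
```

The SMB from the System process is deliberately left unflagged: the value of the stitched view is that the same App-ID is benign or suspicious depending on which process on the endpoint produced it, which the firewall alone cannot tell.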

Step 11: On the top right, click on Investigate and select View file system activity on WS-IT-15674. This
will open a new tab to the Investigation & Response app.

Task 4 – View Endpoint Information for WS-IT-15674


Step 1: Since the Traps agent is installed on WS-IT-15674, a more detailed investigation can now be
performed using endpoint logs and Cortex XDR – Investigation & Response. Find a row where the
username is best1_user and the file name is hosts. Right click on it and select Analyze.


Step 2: This will show a new screen – use the zoom button on the top right to see the CGO (Causality
Group Owner) if needed. Based on this, best1_user is using the command line to run nmap commands to
scan the network, and WMIC to run commands on remote machines.

Step 3: Click on the WMIC node and note the command line – this machine is attempting to connect to a
different machine and attempting to run the regedit program.

Step 4: Scroll down and click on Alert. Scroll right and view the BIOC and alert name. This is another
method that Cortex XDR can detect lateral movement. We will explore this BIOC in a following
Activity.


Task 5 – Review Evidence and Read about Response Actions


Step 1: Review evidence collected

● The first host performed a network scan to look for managed devices
● The host somehow ran remote commands on the managed devices
● The host logged in as best1_user on the managed devices and continued other malicious activities
targeting machines in the data center
● The host was able to run malicious commands on 5 machines in the data center
● The host attempted some sort of phone-home algorithm (the Failed DNS alert) to gain remote control of
the machine from the internet

Response action – DO NOT CLICK ANY BUTTONS IN THE SYSTEM


At this point, the machine should be isolated from the network. People using the system
would now click on the Isolate Host button on the top right corner of the screen to make
sure that machine won’t be able to communicate with hosts in the network or on the
internet.

Step 2: Now that we understand what happened, we need to respond to the incident. Think about the
response actions that should be performed.

Response action – DO NOT CLICK ANY BUTTONS IN THE SYSTEM


After isolating the machine (containing the attack), the analysts at the organization can
decide on next steps with less urgency. Other options include building an External Dynamic
List (EDL) from the sources seen in the investigation, or updating security policies to block
SMB from/to one of the networks.

Step 3: Do you agree with the below statements and answers in green?

1. Decide whether the alert is True-Positive or False-Positive: It is a True-Positive alert.


2. Understand the events that caused the alert and the context behind the alert: This appeared to be
a multi-stage attack from an unmanaged device to a managed device. The attacker was looking to plant a
long-term foothold within the organization.
3. If this is a True-Positive, understand if this is malware related or possible insider threat: Malware
was not involved in the attack; instead the attacker was living off the land, using tools already installed on
the Windows machines.
4. Understand if there's any business damage: At the moment this is unknown. More investigation
should be performed on all affected machines to see if any sensitive files were read or written.

End of Activity 3


Activity 4 – Investigate Using the Incident Manager


When customers see alerts from different sources, whether from the Firewall, from endpoint agents, or from other third-party
tools, they are typically investigated in isolation. This makes investigation and response a time-consuming process and puts the
organization at risk of further attacks and additional damage. Cortex XDR – Investigation and Response is able to stitch or
correlate alerts from NGFW, Traps, and Analytics into a consolidated incident view, making it easier to respond when one or
more devices are attacked.
The goals of this activity are:
● Understand how alerts from different sources can be related
● Understand if the threat was blocked across your organization
● Understand how to adapt

Task 1 – Find and Read about the Alerts for PC3 and PC4
Step 1: In Cortex XDR – Investigation & Response navigate to the alerts page and remove the time range
if needed.

Step 2: Find and view the alerts that belong to the host PC3 and PC4. Click on the icon to create a
filter and choose Host in the dropdown. Type PC3 in the value field, press enter, then type PC4 in the
value field (screenshot below shows these steps already done), then press enter again.

Step 3: View the Alert Sources, the Action, and the Category. Notice there are alerts from NGFW, Traps,
IOCs, BIOCs, and Analytics and that the Categories and Alert Names are very similar.

For this activity we will be using the new Incidents view to see how all these alerts are related.

Task 2 – View Options to Manage the Incident


Step 1: Across the top, click on Incidents across the top navigation bar. This will open a new view within
Cortex XDR – Investigation and Response.

Step 2: Find the row that shows BabyShark Command and Control. Expand the value in the Host column
and notice that the alerts were automatically combined into this single incident because of various
attributes. Then right click on that row and select View Incident.

This opens up a new screen and will show in detail how the Investigation & Response app grouped the
alerts into this single incident, making it easier to perform investigation.
Step 3: View the name and the status. Click on New and view the options to change the status. Do not
make any changes to the incident.


Step 4: Click on the Unassigned text and view how to assign the incident to another member of the team
for purposes of investigation. Again, please do not make any changes.

Step 5: Click on the note icon and the dialog icon that are on the top right of the screen.
Customers can use these options to type in notes about the incident as well as collaborate and discuss the
incident with teammates.


You can also use the Actions button to change the status and to assign the incident.

Task 3 – View The Common Attributes in the Incident


Step 1: Under the Key Assets, view the PC names and the usernames.

Step 2: Under the Key Artifacts, view them and notice you can use the download button to download the
WildFire report to your local machine.


Step 3: Under Domains/IP Addresses view the IP addresses and domains associated with the incident. If
you right click on them, you can look up the IP address or domain in VirusTotal or change the view to only
show alerts related to those values.

Task 4 – Analyze the Incident using PC3


Step 1: View the alerts on the bottom of the screen and notice the view is similar to the Alerts table.
Notice there are two machines and two different users, which means there are two very similar
Causalities.

Step 2: Find a line with PC3. Then right click and choose Analyze. You will see the causality visualization
below. Briefly look at it – we will not be investigating this one in detail since it is similar to the alert from
PC4. The incidents view makes it easy to investigate multiple hosts that have related security events.


Task 5 – Analyze the Incident using PC4


Step 1: Find the browser tab with the Investigation & Response app open to the Incidents view from the
previous Task.

Step 2: Find a line with PC4. Then right click and choose Analyze. You will now see what happened.

Step 3: Right click on the winrar.exe icon and choose Show parent. You will now see the opera.exe (for
the Opera web browser) process that spawned winrar.exe.

Step 4: View the Command line and notice that winrar.exe opened a zip file.


Step 5: Look at the visualization again and notice that cmd.exe spawned a few different processes.

Step 6: Click on the PowerShell icon, then scroll down and click on the File tab to view all files that were
written by PowerShell. Notice the .py files as well as several different zip files.

Step 7: Click on the Traps icon towards the top right of the visualization. Now look at the
information bar to confirm that Traps prevented and blocked the executable from running.


Step 8: In the visualization, click on the Firewall icon and then look on the right of the
information panel to see that the Firewall did not block the traffic; its action is Detected (Raised an alert).

Then click on the curl.exe icon at the bottom of the visualization, the one with the firewall icon
above it. Then scroll down and click on the Network tab to view the information from the endpoint that
matches the Firewall logs. This information was automatically stitched to enable faster investigation.

Step 9: Click on your browser tab with the Incidents view or open the Incident again manually. Then
right-click on an alert and select Investigate in Timeline.

Step 10: Review the information on the left panel and hover your mouse over the icons to see a
graphical view of how the events and alerts were triggered over time. Note that you can zoom in by
clicking and dragging to select a specific time range.


Task 6 – Review Evidence and Read About Response Actions


Step 1: Review evidence collected

In this example, there are indications that the user actively browsed for information, and downloaded a
file, which happened to contain risky files instead of the information the user actually wanted.

● Risky files were dropped to the machines but did not execute.
● It seems like the user downloaded them while looking for something else.
● This is not the same case as the one before, meaning not a phishing email.
Step 2: Now that we understand what happened, we need to respond to the incident. Think about the
response actions that should be performed.

Response action – DO NOT CLICK ANY BUTTONS IN THE SYSTEM


At this point, should the machine be isolated from the network? People using the
system could potentially click on the Isolate Host button on the top right corner of the
screen to make sure that machine won't be able to communicate with hosts in the
network or on the internet. But the risky files did not execute, so this may not be needed.

Step 3: Do you agree with the below statements and the answers in green?

1. Understand how the alerts are all related: The incidents view allowed us to see how two users, on two
different machines, performed similar actions that lead to two different security events.
2. Understand if the threat was blocked: We see that NGFW detected spyware coming into the network
and to the endpoint, and Traps prevented the execution of the spyware.
3. Understand how to adapt: Firewall rules could be added or modified to prevent the download of these
files. Furthermore, additional user training might be needed so that users are more aware of these
risky activities.

Activity 5 – Hunt for Phishing Threats and Create Custom Detection Rules

This activity is built on top of the first alert generated by Traps and is focused on taking information from the incident and
leveraging it to threat hunt across the organization. In this activity, you will:
● Understand if a pattern that was noticed during an investigation can be found elsewhere in the organization
● Understand if this pattern is benign, suspicious or malicious
● If the pattern is either suspicious or malicious, create a new BIOC that will alert if this pattern is ever seen again.


Task 1 – Review the file name in the Behavioral Threat Event


Step 1: Find the browser tab that has the Cortex XDR – Investigation & Response app opened to the
Alerts page, or use any browser tab to navigate to the Alerts page. Remove all filtering criteria if needed.

Step 2: Again, view the alerts that show up from multiple sources including NGFW, Traps, Magnifier
(Analytics), and Behavioral Indicators of Compromise (BIOCs). In this case we will again focus on the high
severity alert from Traps named Behavioral Threat, where the user name is user1.

Step 3: Right click on the alert and select Analyze. In the next screen, click on the cmd.exe node.

There are many things in this use case that can be the basis for pivoting, but for this demonstration we'll
go with the notable file name RSU Grant Update.pdf.bat that can be seen if you click on the 7zFM.exe
node. The pattern that we'll look for is the creation of files with a double extension ending in .bat.

Task 2 – Create and Execute a Query


Step 1: In the top bar navigate menu, click on Investigation and Query Builder.

Step 2: Navigation will take you to the Query Builder. Select the FILE option.


Step 3: Remove all checked boxes next to the action options except for Create, and in Name write or copy
and paste the bolded text below, without whitespace between any of the characters.

*.pdf.bat|*.docx.bat|*.xlsx.bat|*.pptx.bat

Note about the syntax: This string finds cases where a file was written to disk that looks like
a document / presentation / spreadsheet but is really a batch file. The asterisk "*" is a
wildcard and the pipe character "|" is an OR operator.

In the TIME selection option – choose a Custom date range of May 1, 2019 – May 31, 2019.


Step 4: Once all data is in place, click on Run in the lower right corner. The query will take a few moments,
and once it's done, a few results will come back (screenshot below), as well as the query logic.


SIDE NOTE
In the example above we execute the query immediately by clicking Run. While not part of this Hands-on
Workshop, there is also an option to create a scheduled query, as shown by the red box below:

Scheduled queries can serve multiple purposes, such as running compliance reports on
specific Windows configurations.

Task 3 – Analyze the Query Results

Step 1: View the query results, scrolling down as needed. We know about the lines that show - RSU Grant
Update.pdf.bat and game of thrones LEAKED last episode script.docx.bat on the other PCs, but some of
the lines are not known. Find the two that have the username LC-DYNAMIC\Administrator with the same
timestamp. If you scroll right you’ll also see that they are in the Temp folder.

Step 2: Right click on one of the two files on top and click Analyze.

Step 3: The following screen will open up. The process that created the file is 7zFM.exe which is a part of
7zip – a popular archiving software. The command-line argument shows the zip file that it opened is Some
Band - New Album.zip.


Step 4: Scroll down to see the raw data, and click on the File tab.

Scroll right to look at the filenames, and expand the description if needed. Find the line with the zip file,
and look for the next lines that show the files created from the zip. Note that while we were looking for a
different pattern, we also found another one: .mp3.vbs, which shows up in most of the lines.


Scroll up to view the diagram again. There are no child processes from 7zFM.exe, so it looks like the files
were never opened – only dropped to disk.

SIDE NOTE
This new pattern also calls for pivoting, which we strongly recommend in real-world use cases, but for
the sake of this lab we will not perform that step.

Task 4 – Review Evidence and Read About Response Actions


Step 1: Review evidence collected

There are indications that the user actively browsed and downloaded a file, which happened to contain
risky files instead of the album the user wanted to download.

● Risky files were dropped to the machines but did not execute.
● It seems like the user downloaded them while looking for something else.
● This is not the same case as the one before, meaning not a phishing email.
Step 2: Now that we understand what happened, we need to respond to the incident. Think about the
response actions that should be performed.

Response action – DO NOT CLICK ANY BUTTONS IN THE SYSTEM


At this point, should the machine be isolated from the network? People using the
system could potentially click on the Isolate Host button on the top right corner of the
screen to make sure that machine won't be able to communicate with hosts in the
network or on the internet. But the risky files did not execute, so this may not be needed.


Step 3: Do you agree with the below statements and the answers in green?

1. Understand the events that caused the files to be downloaded: The user did not have any malicious
intent.
2. Understand if this pattern is benign, suspicious or malicious: The pattern looks suspicious, but the files
were never executed.
3. Understand how to adapt: Firewall rules could be added to prevent the download of these files.
Furthermore, additional user training might be needed so that users are more aware of these risky
activities.

Task 5 – Create a Custom Detection using BIOC rule


Step 1: In the top bar navigate menu, click on Rules and then BIOC.

Step 2: The BIOC management screen will open up. Click on Add BIOC in the upper right corner.

Step 3: Just like before, click on the File option.


Step 4: Remove all checked boxes next to actions options except for Create, and in Name write or
copy/paste the text below, without whitespaces:

*.mp3.vbs|*.pdf.bat|*.docx.bat|*.xlsx.bat|*.pptx.bat|*your name*

Note: your name is used to make the rule unique from other students' rules.


When complete, on the bottom of the screen, click on the Test button
to view the results of the BIOC rule.

Step 5: After a few seconds, you should see around 30 results, and if you scroll right you will see the files
that match the extensions above. This shows that BIOC rules are evaluated against historical data as well,
and alerts will be generated for the historical matches when the BIOC is saved.

Step 6: Click Save to save the BIOC rule. Type in something original in the NAME and COMMENT field.
Click on SEVERITY to see the different options and choose what you think is best. Then click on TYPE to
see the options and choose File Type Obfuscation as the TYPE.


Step 7: Once done, hit the OK button.

Step 8: Review the results of your BIOC Rule in the Alerts page.
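The Name filter used in Task 2 (the query) and Task 5 (the BIOC) has the same syntax: "|" separates alternatives and "*" is a wildcard. The following Python is an added example, not the product's matcher and not workshop code: it compiles such a pattern, runs it over constructed file-create events, and also generalizes the hunt to any decoy document extension followed by an executable extension, which would have caught the .mp3.vbs files found in Task 3 without listing them in advance. Case-insensitive matching, the two extension lists and the sample paths are assumptions.

```python
import fnmatch
import re

# Constructed file-create events: (host, user, full_path). The paths imitate the
# workshop's findings but are made up for the example.
SAMPLE_EVENTS = [
    ("PC4", "user1", r"C:\Users\user1\Downloads\RSU Grant Update.pdf.bat"),
    ("PC3", "user2", r"C:\Users\user2\Downloads\game of thrones LEAKED last episode script.docx.bat"),
    ("PC5", r"LC-DYNAMIC\Administrator", r"C:\Users\Administrator\AppData\Local\Temp\01 - Intro.mp3.vbs"),
    ("PC5", r"LC-DYNAMIC\Administrator", r"C:\Users\Administrator\AppData\Local\Temp\02 - Chorus.mp3.vbs"),
    ("PC6", "user3", r"C:\Users\user3\Documents\Q3 plan.pptx"),  # ordinary document
    ("PC6", "user3", r"C:\Windows\Temp\setup.bat"),               # single extension
]

# Assumed lists: extensions a user expects to be harmless, and script/binary extensions.
DECOY_EXTS = {"pdf", "docx", "xlsx", "pptx", "mp3", "jpg", "txt"}
EXECUTABLE_EXTS = {"bat", "vbs", "cmd", "exe", "scr", "js", "ps1"}


def basename(path):
    """Last path component, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def compile_name_pattern(pattern):
    """Compile a Name filter as the workshop describes it: '|' separates alternatives and
    '*' is a wildcard. Matching is case-insensitive here because Windows file names are;
    that is an assumption about the product's own matching."""
    alternatives = [fnmatch.translate(alt.strip()) for alt in pattern.split("|") if alt.strip()]
    return re.compile("|".join(f"(?:{a})" for a in alternatives), re.IGNORECASE)


def hunt(events, pattern):
    """Events whose file name matches the pattern, as (host, user, file name)."""
    rx = compile_name_pattern(pattern)
    return [(h, u, basename(p)) for h, u, p in events if rx.match(basename(p))]


def double_extension(name):
    """(decoy, executable) when a name ends in <decoy>.<executable>, else None. This
    generalizes the fixed list in the workshop's query to any decoy/executable pairing."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in DECOY_EXTS and parts[2] in EXECUTABLE_EXTS:
        return parts[1], parts[2]
    return None


def hunt_double_extensions(events):
    """Events carrying any decoy/executable double extension, with the pairing found."""
    hits = []
    for h, u, p in events:
        name = basename(p)
        pair = double_extension(name)
        if pair:
            hits.append((h, u, name, pair))
    return hits


if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS, "*.pdf.bat|*.docx.bat|*.xlsx.bat|*.pptx.bat"))
    print(hunt_double_extensions(SAMPLE_EVENTS))
```

By the same syntax, the `|*your name*` suffix the workshop adds to the BIOC is an alternative that matches any file name containing that text; it exists only to keep student rules distinct and should not be carried into a production rule.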

End of Activity 5

End of Cortex XDR - Hands on Workshop
