BACKGROUND
The organisation lab.local is today using only a stateful inspection firewall. They are looking for a more
comprehensive security solution that is capable of handling more sophisticated threats such as drive-by
downloads and bots.
In their company the security policy creates a kind of grey area that allows users to connect to anywhere on the
Internet. The CEO has made this decision because it is best from a company business perspective to have a
good work-life balance, and wanted to extend this to the use of their IT facilities.
The CISO would like to implement a security solution that is able to allow the users to work in accordance with
the security policy but get notified and educated when they visit resources that are malicious.
Since this company works in the IT security segment, employees need to be able to approve and continue
with the malicious activity, even though in normal businesses this activity would be instantly blocked.
The security admin that is going to work with the solution on a daily basis is looking for a solution that is easy
to work with and enables the company to centrally manage and investigate threats down to a forensic level
across multiple technologies.
©2017 Check Point Software Technologies Ltd. All rights reserved. [Restricted] ONLY for designated groups and individuals
2 Threat Prevention Labs – Day 1
Table of Contents
Lab Topology .............................................................................................................................. 2
Lab #1 – Forensics of firewall logs using SmartLog .................................................................... 4
Lab #2 – Forensics and preventing malicious activity ................................................................. 8
Lab #3 – Threat Emulation with Threat Cloud emulation ........................................................... 15
Lab #4 – Cloud emulation of files .............................................................................................. 19
Lab #5 – Viewing logs and forensic reports............................................................................... 22
LAB TOPOLOGY
[Figure: lab topology. The Gateway connects three networks: eth0 (.254) on Net 172.27.254.0/24 towards the Internet / CloudShare, where the Kali Linux VM is .10; eth1 (.254) on Net 10.2.1.0/24; eth2 (.254) on Net 192.168.80.0/24.]
LAB REQUIREMENTS
Ensure you change your Keyboard layout on Windows based machines to match that of your region before you start the course.
SETUP INFORMATION
Gateway 172.27.254.254 Login: admin
GW Password: vpn123
Domain lab.local
Eth0 172.27.254.254
Eth1 10.2.1.254
Eth2 192.168.80.254
In this lab you will investigate a potential breach in the system. The CISO suspects that an external
organisation is spying on the company, because sensitive information about mergers and acquisitions has leaked to
competitors.
The CISO suspects that the machine John Lennon is using is infected with malware and wants you to investigate
what this machine has done.
Lab Pre-requisites
In order to complete this lab you will use the following VMs.
Win7_32 jlennon VM
Kali Linux VM
Manager VM
Gateway VM
Win2012r2 VM
We will start the virtual machines and control the infected victim machine inside the secure location remotely from the C&C
machine to produce some logs. Then we will try to see if we can find any suspicious behaviour in the firewall logs.
PROCEDURE
If it does not start automatically and looks like the above screenshot, reboot the machine by clicking on the Terminal icon.
5. On the Win7_32 jlennon VM log in as user jlennon (password vpn123) and verify that you can ping the Kali Linux VM 172.27.254.10 to
check connectivity. If there is no response, check that step 3 was performed correctly.
6. Open win2012r2 vm and start SmartLog and connect to 192.168.80.100 with the below admin credentials.
User: admin
Password: vpn123
7. Review the logs. Use the Auto Scroll feature shown here:
8. Create a query in SmartLog and search for the source IP that user John Lennon’s machine is using.
9. What is the best way to find the source IP? (Try src:10.2.1.10)
11. On Kali Linux VM Gh0stRAT C&C console, right click on the victim PC and select file manager.
12. If you do not see the victim PC, it has not communicated with the C&C yet. Just wait; it should do so within a few minutes.
13. In file manager on the remote side, go to jlennon desktop, right click and create a directory called HACKED and close file
manager. (You can reach this via C:\Users\JLennon\Desktop\)
14. On the jlennon victim machine verify that there is a new directory called HACKED on the desktop.
15. In SmartLog refresh the screen. Do you see any suspicious activities?
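The SmartLog query in steps 8, 9 and 15 (src:10.2.1.10) narrows the view to one host; what you then look for is the pattern the C&C traffic leaves behind, which is regular, repeated connections to a single external host. The script below is an added example, not part of the lab guide and not Check Point code. The log lines are constructed, in a simplified key=value layout rather than SmartLog's real format, and the beacon test (low variation in the gaps between connections to the same destination) is a generic detection approach, not something the lab describes.

```python
"""Find beacon-like outbound connections for one source host in firewall logs.

Added example. The log lines are constructed (simplified key=value layout,
not SmartLog's actual format); the IPs match the lab topology: victim
10.2.1.10, lab C&C host 172.27.254.10.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: the victim contacts the C&C every 60 s on tcp/80,
# mixed with ordinary browsing from the victim and from another host.
SAMPLE_LOGS = """\
time=2017-03-01T09:00:00 action=accept src=10.2.1.10 dst=93.184.216.34 service=tcp/443 rule=5
time=2017-03-01T09:00:05 action=accept src=10.2.1.10 dst=172.27.254.10 service=tcp/80 rule=5
time=2017-03-01T09:00:20 action=accept src=10.2.1.20 dst=93.184.216.34 service=tcp/443 rule=5
time=2017-03-01T09:01:05 action=accept src=10.2.1.10 dst=172.27.254.10 service=tcp/80 rule=5
time=2017-03-01T09:01:40 action=accept src=10.2.1.10 dst=151.101.1.69 service=tcp/443 rule=5
time=2017-03-01T09:02:05 action=accept src=10.2.1.10 dst=172.27.254.10 service=tcp/80 rule=5
time=2017-03-01T09:03:05 action=accept src=10.2.1.10 dst=172.27.254.10 service=tcp/80 rule=5
time=2017-03-01T09:03:50 action=drop src=10.2.1.10 dst=10.2.1.255 service=udp/137 rule=99
time=2017-03-01T09:04:05 action=accept src=10.2.1.10 dst=172.27.254.10 service=tcp/80 rule=5
"""


def parse_logs(text):
    """Turn key=value lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if "time" in fields and "src" in fields and "dst" in fields:
            fields["time"] = datetime.fromisoformat(fields["time"])
            records.append(fields)
    return records


def find_beacons(records, src, min_hits=4, max_jitter=0.2):
    """Return (dst, service, hits, mean_gap_seconds) for destinations that
    `src` reached at least `min_hits` times at near-regular intervals.

    Regularity is the coefficient of variation of the gaps between accepted
    connections: a scripted beacon keeps it low, human browsing does not.
    """
    by_dst = defaultdict(list)
    for r in records:
        if r["src"] == src and r.get("action") == "accept":
            by_dst[(r["dst"], r.get("service", "?"))].append(r["time"])
    suspects = []
    for (dst, service), times in by_dst.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            suspects.append((dst, service, len(times), avg))
    return suspects


if __name__ == "__main__":
    for dst, svc, hits, gap in find_beacons(parse_logs(SAMPLE_LOGS), "10.2.1.10"):
        print(f"{dst} {svc}: {hits} connections, one every {gap:.0f}s")
```

On the constructed sample only the 172.27.254.10 tcp/80 series is reported; the one-off browsing connections never reach `min_hits`. In a real investigation the thresholds are tuning knobs: a lower `max_jitter` misses C&C implants that randomise their sleep, a higher one starts flagging keep-alives from legitimate software.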
Remotely control a victim’s computer inside a secure location in the organisation without raising an alert to the Security
Administrator.
Student Notes:
The organisation lab.local has now invested in a more comprehensive security solution based on Check Point
Software Blades that will meet their security requirements.
In this lab, as the Security Expert, you will configure the Threat Prevention blades acquired by the organisation, in
accordance with security policy that the organisation has adopted.
In order to complete this lab you will need the following VMs.
Win2012r2 VM
Kali Linux VM
Win7_32 jlennon VM
Gateway VM
Manager VM
We will start the virtual machines and control the infected victim machine inside the secure location remotely from
the C&C to produce some logs.
PROCEDURE
2. Log into SmartDashboard and edit the Gateway Check Point object.
4. Enable the IPS blade on the Check Point object and under IPS on the left hand list, select the profile
Recommended_Protection_Detect.
Note: This profile is based on the normal Recommended_Protection profile, but all active protections are set to detect. This will
cause the IPS to only detect malicious traffic, in accordance with the organisation's current security policy.
5. Make sure the inspection scope is set to Perform IPS inspection on all traffic (shown above).
6. Enable the Anti-Bot blade, uncheck Share anonymous attack information (since this is a lab).
7. Configure the blade according to the Anti-Bot and Anti-Virus policy (refer to step 17 below).
9. For the security gateway to be aware of the DMZ, the interfaces used as DMZ must be defined as such. This
is done under the topology settings on the gateway.
10. Set the eth2 interface (where Win2012r2 resides) as a DMZ interface. Click OK.
13. Enable SmartEvent Server on the Check Point Manager (NOT Gateway) object under the Management tab.
Note: The correlation unit will be activated automatically when checking SmartEvent Server.
17. Set the Threat Prevention -> Policy to Detect threats by changing the profile in the action column to
Recommended_Profile_CloudEmu.
18. Open the Threat Prevention Recommended_Profile_CloudEmu profile. (Right click on the profile and edit)
19. Disable Threat Extraction if it has been left enabled, as it is not needed yet.
21. Also, select Process all file types and enable deep inspection scanning. This is done mainly in labs only due to
performance impact.
24. Change the firewall policy to force users to authenticate using Identity awareness when accessing the internet; you can do this
by enabling rule 6 and disabling rule 7.
25. Install the Network Security and Threat Prevention Policy. Wait for the policy installation to complete before continuing.
27. On the Win7_32 jlennon VM log in as jlennon with password vpn123 and verify connectivity by pinging the Win2012r2 VM
with the following command: “ping server”. Do not restart if prompted.
28. On the Win7_32 jlennon VM verify connectivity by pinging the Kali Linux VM with the following command: ping
172.27.254.10.
29. On the Win7_32 jlennon VM open the Mozilla Thunderbird e-mail client.
30. As you can see there is a mail from White Hat with the subject Salary and Personal Information posted online! Sent to John.
Since John is a very jumpy kind of person he gets very afraid that all his personal information is posted on the website and
immediately clicks the link in the e-mail.
32. From John’s perspective it seems like the website is broken. John is happy with this since his personal information is not
viewable there. He does not think much more about this anymore, instead he just continues with his daily business as usual.
33. Now move to the next steps, and see the Black Hat view of John’s actions.
After you configured the new layers of protection (in detect mode), the CISO thinks they have evidence of suspicious activity.
They report that more sensitive information about mergers and acquisitions has once again leaked to competitors.
The CISO has asked you to investigate what John Lennon's machine has done and to block remote control of this machine by the
attacker.
PROCEDURE
1. Acting as a Black Hat verify that you have remote control of the Victim PC.
2. On attacker Kali Linux VM use the Gh0stRat C&C console right click on the victim PC and open remote shell.
3. List the files in the directory of the remote machine you are connected to by running the command dir.
7. Try to find out what has happened after the Successful Login of John Lennon.
10. What is the malware family that this machine is infected with?
11. What is the protection name of the protection that detects this infection?
12. If you would like to provide remediation suggestions for cleaning this infected machine, where in the logs would you be able to
find that information?
13. Now change the Threat Prevention policy action column to use the Recommended_Profile.
15. After the threat prevention policy is successfully installed, remote control of the Win7_32 jlennon VM should now be prevented.
16. On attacker Kali Linux VM use the Gh0stRat C&C console right click on the victim PC and open file manager.
17. On attacker Kali Linux VM use the Gh0stRat C&C console right click on the victim PC and open remote shell.
18. In Win2012r2 machine SmartLog refresh the view of the search query on user John Lennon and try to find if you have any
prevented Anti-Bot Logs.
Question: Did the protections trigger? If not – why not? Think about profile confidence levels (if those protections
trigger in detect).
19. Open SmartEvent (if enabled) and generate a Daily Threat Prevention report to have handy when the CISO asks you for a
report of the malicious activity. After report generation is complete, look at the last results and save it as a PDF on the host
machine.
2. After forensic analysis of the logs, be able to conclude what the Victim PC was infected with, and have prevented further
communication from the Victim PC to the C&C server.
Student Notes:
In this lab you will activate the Threat Emulation blade and do the basic configuration needed to emulate
documents passing through the gateway. Please note that these steps are typical for this lab environment and may
not be suitable to real life.
Lab Pre-requisites
If you already configured labs from earlier in the Threat Prevention course, just verify the steps in lab #3 match
your configuration!
In order to complete this lab you will need the following VMs. Do not start them yet unless they are already running.
Kali Linux VM
Win7_32 jlennon VM
Gateway VM
Manager VM
Win2012r2 VM
We will first activate the Threat Emulation blade on the Check Point object.
PROCEDURE
1. Start SmartDashboard and connect to 192.168.80.100 with the below admin credentials.
User: admin
Password: vpn123
2. Activate the Threat Emulation blade on the Check Point object Gateway. Activate SmartEvent Server and Correlation Unit
on the Management server if it is not already enabled.
3. This will start the Threat Emulation First Time Wizard. Select ThreatCloud Emulation Service and click Next.
4. From the Threat Prevention tab, edit the Recommended_Profile_CloudEmu profile and Disable Static analysis to ensure all
files are sent for emulation (Threat Emulation settings > Advanced > Disable static analysis for filtering files).
5. Confirm the Recommended_Profile_CloudEmu profile is in use on the gateway by checking the Policy tab under Threat
Prevention.
6. Now click Install Policy and make sure that both the Network Security and Threat Prevention policies are installed.
8. Go to the Threat Prevention tab and Gateways section and verify the emulation quota status.
Verify configuration
1. Start Putty on the Win2012r2 VM and connect to the Gateway using ssh.
IP Address: 192.168.80.254
User: admin
Password: vpn123
2. At the clish command prompt type ping www.google.com to verify Internet connectivity.
This is required because the files in the following labs are downloaded to the gateway itself, rather than through the gateway.
PROCEDURE
1. If not already available open a putty SSH session to the Gateway and log in.
IP Address: 192.168.80.254
User: admin
Password: vpn123
2. Enable local scanning mode by issuing the command tecli debug scan local enable
At the conclusion of this lab you should have accomplished the following:
2. Configured the Threat Emulation Blade to fit this lab environment and verified quota status.
Student Notes:
DO NOT use the Windows client VM or Windows host to download the files in the following labs since ALL of the
files are malicious. This is dangerous. Instead we will download the files to the GW.
Normally the GW will not scan files sent to itself, but a command can enable local emulation.
We will download the files to the GW itself with a CLI tool and monitor the emulation processes.
Lab Pre-requisites
In order to complete this lab, you will need to have completed the steps in Lab #3.
PROCEDURE
1. If not already available open a putty SSH session to the Gateway from Win2012r2 VM and log in.
IP Address: 192.168.80.254
User: admin
Password: vpn123
4. Check the cloud quota details with the command tecli show cloud quota
5. From the Gateway VM command line in the putty session check that you can ping the Kali Linux VM (172.27.254.10)
6. Duplicate the SSH session and log into expert mode. Make the window large. Run the command watch -d --interval=0.5 "tecli show cloud queue".
Switch focus back to the first SSH session and continue with the commands.
7. Issue the command cd malfiles to enter an already created folder for the malware files to be received.
8. Execute ./getmalfiles.sh and try to watch both SSH sessions. You will see how quickly files are sent to the cloud.
9. After the script completes (it can be cancelled at any time with CTRL+C) run the command tecli cache dump all to see the
verdict on each file. Notice that there may be some benign files and some malicious files. This is because some of the files are
malicious on one OS image only (which you may not use).
(You can use the command tecli cache dump all | sort -u -t' ' -k1,1 to see cached files uniquely by the sha1 field.)
10. Verify that you don't see anything in the emulation queue, then open SmartDashboard. In the Threat Prevention tab, Gateways section,
verify that the file counts and quota details have changed accordingly.
11. While the cloud emulation is taking place, run tecli show statistics a few times from the clish command line to view the
emulation statistics. Note the Average Sample Process Time. It is the time taken for a file to be received, sent to cloud and a
verdict returned.
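Step 9 makes a point worth carrying over into any tooling built on the cache output: one file can carry a different verdict per emulation image, so a per-file answer has to be folded across images, and the sort -u trick keeps one line per sha1 without regard to which verdict that line carries. The script below is an added example, not from the lab guide and not Check Point code. The column layout (sha1, image, verdict) and the image names are assumptions standing in for the real tecli cache dump all format; the hashes are obvious placeholders.

```python
"""Fold per-image Threat Emulation cache verdicts into a per-file verdict.

Added example. Input layout is assumed (sha1 image verdict per line); the
real `tecli cache dump all` output differs. Hashes below are placeholders.
"""
from collections import defaultdict

# Constructed dump: three files, each emulated on two images. File 1 and
# file 3 are malicious on only one of the two images.
SAMPLE_CACHE = """\
sha1 image verdict
1111111111111111111111111111111111111111 Win7_Office2013_Adobe11 malicious
1111111111111111111111111111111111111111 WinXP_Office2003_Adobe9 benign
2222222222222222222222222222222222222222 Win7_Office2013_Adobe11 benign
2222222222222222222222222222222222222222 WinXP_Office2003_Adobe9 benign
3333333333333333333333333333333333333333 Win7_Office2013_Adobe11 benign
3333333333333333333333333333333333333333 WinXP_Office2003_Adobe9 malicious
"""

# Ordering used when several images disagree: the worst verdict wins.
SEVERITY = {"benign": 0, "malicious": 1}


def parse_cache(text):
    """Return (sha1, image, verdict) rows; header, blank and odd lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or len(parts[0]) != 40:
            continue
        sha1, image, verdict = parts
        if verdict in SEVERITY:
            rows.append((sha1, image, verdict))
    return rows


def unique_by_sha1(rows):
    """Mimic `sort -u -t' ' -k1,1`: one row per sha1, the first seen once the
    rows are sorted by hash. Which image's verdict survives is not tied to
    severity, so this view can hide a malicious result."""
    kept = {}
    for row in sorted(rows, key=lambda r: r[0]):  # stable sort keeps input order
        kept.setdefault(row[0], row)
    return list(kept.values())


def fold_verdicts(rows):
    """Per sha1: worst verdict across all images plus the per-image detail."""
    per_file = defaultdict(dict)
    for sha1, image, verdict in rows:
        per_file[sha1][image] = verdict
    return {
        sha1: {"verdict": max(images.values(), key=SEVERITY.get), "images": images}
        for sha1, images in per_file.items()
    }


def malicious_files(rows):
    """Sorted list of hashes that were malicious on at least one image."""
    folded = fold_verdicts(rows)
    return sorted(h for h, info in folded.items() if info["verdict"] == "malicious")


if __name__ == "__main__":
    rows = parse_cache(SAMPLE_CACHE)
    for sha1, image, verdict in unique_by_sha1(rows):
        print(f"sort -u view: {sha1[:8]} {verdict} ({image})")
    for sha1, info in fold_verdicts(rows).items():
        print(f"folded:       {sha1[:8]} {info['verdict']} {info['images']}")
```

On the constructed input the sort -u style view reports file 3 as benign because its benign row happens to sort first, while the folded view reports it malicious. When you dedupe a cache dump to count verdicts, fold first and dedupe second.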
1. Downloaded malicious files that were then sent to the cloud for emulation.
2. Monitored the emulation backend and processes using tecli and the GUI.
Student Notes:
Lab Pre-requisites
In order to complete this lab, you will need:
- Preconfigured Gateway
- Completed the steps in Lab #5
2. Select the Threat Emulation section in the structure on the left side
3. Have a look at the logs – in a production environment, you will see logs about malicious files. Malicious files will be blocked
or detected, based on policy. Benign files will display a green highway / motorway symbol.
Note: Keep in mind your timezone as hosts are based on GMT.
4. Below is an example of a file that is NOT infected (all test samples are malicious); the log details look like this:
6. Click on the icon behind the report to see the detailed forensics report. Below you will see 2 examples.
7. Scroll downwards in the forensics report and notice the different sections.
At the conclusion of this lab you should have accomplished the following:
Student Notes:
BACKGROUND
The organization lab.local is looking for a solution that can help them with the increased amount of unknown
malware that traverses their existing security solution and has infected their client and server computers.
They are running Windows 7 clients with MS Office 2013 and Adobe Acrobat 11.
The security admin wants to capture malicious executables and documents containing malware.
Table of Contents
Lab Topology ............................................................................................................................ 28
Lab #6 – Threat emulation private cloud ................................................................................... 30
Local emulation preparations .................................................................................................... 30
Lab #7 – Local emulation of files............................................................................................... 35
Lab #8 – Viewing event forensic reports in SmartEvent ............................................................ 37
Lab #9 – Local emulation of files in SMTP traffic using MTA ..................................................... 41
Lab #10 – Threat Extraction in SMTP traffic using MTA ............................................................ 44
Lab #11 – SandBlast Agent deployment and malware detection............................................... 48
Lab #12 – Threat Extraction of files over HTTP using chrome Plugin ....................................... 56
LAB TOPOLOGY
[Figure: lab topology, unchanged from Day 1. The Gateway connects three networks: eth0 (.254) on Net 172.27.254.0/24 towards the Internet / CloudShare, where the Kali Linux VM is .10; eth1 (.254) on Net 10.2.1.0/24; eth2 (.254) on Net 192.168.80.0/24.]
SETUP INFORMATION
Gateway 172.27.254.254 Login: admin
GW Password: vpn123
Domain lab.local
Eth0 172.27.254.254
Eth1 10.2.1.254
Eth2 192.168.80.254
To ensure the lab can proceed quickly and does not require large file downloads, the following Windows 7 image should be
used for all activity, as it has already been downloaded to the system. You can check the image used under Threat Prevention
Policy -> Profile section. Check that the profile Recommended_Profile_LocalEmu is in use. If you edit the profile, you
can also see Threat Emulation Settings -> Emulation environment.
Lab Pre-requisites
In order to complete this lab, you will need:
- Manager VM
- Gateway VM
- Win2012r2 jlennon VM
- Kali Linux VM
- Completed the steps in Day 1 labs.
1. Confirm online updates (engine and images) have been disabled via Threat Prevention Tab->Advanced->Updates
section.
3. Install Policy
4. Reactivating Threat Emulation - In the Gateway object, select the Threat Emulation checkbox and choose local emulation
5. In the Threat Emulation->Advanced section select ONLY the Win7, Office 2013, Adobe 11 image.
6. Remember to disable sharing anonymous attack information with Check Point before you continue.
Wait until policy installation is finished before proceeding with step 10 (reinitializing the images).
If not, the images will be downloaded again in full from the web.
8. If not already available open a Putty SSH session to the Gateway machine from Win2012r2 VM and log in.
IP Address: 192.168.80.254
User: admin
Password: vpn123
10. Check that GW received settings to perform local emulation by issuing two commands
tecli advanced schema profile | grep local
11. Check readiness status by issuing the command tecli show download all | grep -i status
Note: If you see the image in an “unused” status, run the command fw kill ted
This will restart ted and will immediately reevaluate the status of the image
At the conclusion of this lab you should have accomplished the following:
Student Notes:
Lab Pre-requisites
In order to complete this lab, you will need:
- Win7_32 VM
- Manager VM
- Gateway VM
- Win2012r2 VM
- Completed the steps in Lab #1
LOCAL EMULATION
Lab Instructions
1. If not already available open a Putty SSH session to the Gateway from Win2012r2 VM and log in.
IP Address: 192.168.80.254
User: admin
Password: vpn123
3. The cache must be cleaned to make sure that the emulation will happen again. Run the command tecli cache clean
to clean the cache.
4. Duplicate the SSH session and log into expert mode. Make the window large. Run the command watch -d "tecli show emu emu".
Switch focus back to the first SSH session and continue with the commands.
5. To emulate some of the files, cd malfiles, use the ls command to list the contents of the directory. Now use the
command te_add_file -f=<filename> to add the files one at a time to the gateway for emulation. It is also possible
to add a directory of files using te_add_file -d=<directory>
6. In your other SSH window, the tecli output should look something like this. It is advised to select a few different file
types.
At the conclusion of this lab you should have accomplished the following:
Student Notes:
Lab Pre-requisites
In order to complete this lab, you will need:
- Win7_32 VM
- Manager VM
- Gateway VM
- Win2012r2 VM
- Completed the steps in Lab #2
Go to the Events tab and select the Threat Prevention->Important Threat Emulation query.
View the event summary for some of the events; also try the details view.
2. Go to the Reports tab, select the Threat Prevention->Daily report and click Generate to generate a report for today.
At the conclusion of this lab you should have accomplished the following:
Student Notes:
Lab Pre-requisites
In order to complete this lab, you will need:
- Win7_32 jlennon VM
- Manager VM
- Gateway VM
- Win2012r2 VM
2. On the Win7_32 machine log in as user jlennon (password vpn123) and verify that you can ping server.
4. Create a new mail and attach the following clean file “C:\Documents and Settings\jlennon\My
Documents\CP_R80_ReleaseNotes.pdf”, send the mail to jlennon@lab.local. Click Send to send the email.
5. Click on Get Mail to receive the mail you have just sent.
6. If you received the file, it means that the mail server and mail client are working as expected.
2. Edit the Gateway object and disable (untick) Anti-Virus, to ensure that the malicious file is not blocked with AV blade (lab
use only, allowing us to see emulation).
4. On the Win7_32 jlennon VM reconfigure Mozilla Thunderbird to use the CP gateway address as SMTP server by following these
steps:
d. You MUST remove the entry for server.lab.local server at this stage.
2. Start a Putty session on , go into expert mode and run the command
watch tecli show emu emu
This will monitor the emulation process on the Win7, Office 2003/2007 VM on the Gateway. When the files are done, stop it
with CTRL-C.
3. Click on Get Mail to receive the mail you just sent. Note that the attachment has been stripped and replaced with a text file.
5. Open SmartEvent and by just looking at the event card of this event
a. Try to find out who the intended recipient of this e-mail was.
b. Try to find out what the Malware family was.
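What the gateway's MTA does in step 3, seen from the message's point of view: the flagged attachment part is removed and a text part takes its place, while the body and headers the recipient needs are preserved. The script below is an added example, not from the lab guide and not Check Point code; it uses Python's standard email library on a constructed message. The verdict function is a stand-in for the Threat Emulation result (an assumption: here any OLE2-looking payload counts as malicious), and the notice wording is invented.

```python
"""Replace attachments that emulation flagged with a text notice.

Added example, not Check Point code. The sample message is constructed; the
verdict function stands in for a real Threat Emulation verdict.
"""
from email.message import EmailMessage

OLE2_MAGIC = b"\xd0\xcf\x11\xe0"  # header of legacy .doc/.xls containers


def build_sample_mail():
    """Constructed test message: a text body plus one .doc attachment
    (the bytes are a placeholder, not a real document)."""
    msg = EmailMessage()
    msg["From"] = "jlennon@lab.local"
    msg["To"] = "jlennon@lab.local"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("See the attached document.")
    msg.add_attachment(
        OLE2_MAGIC + b" constructed placeholder, not a real document",
        maintype="application", subtype="msword",
        filename="tex_example_calc.doc",
    )
    return msg


def fake_emulation_verdict(name, data):
    """Stand-in for the gateway's emulation result (assumption for this
    example): OLE2 payloads are reported malicious, everything else benign."""
    return "malicious" if data.startswith(OLE2_MAGIC) else "benign"


def strip_flagged_attachments(msg, verdict):
    """Return (rewritten message, list of removed attachment names).

    The body text and key headers are copied; each attachment is either
    re-attached unchanged or, when `verdict` says malicious, replaced by a
    text/plain part named <original>.txt explaining the removal."""
    out = EmailMessage()
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[header] is not None:
            out[header] = msg[header]
    body = msg.get_body(preferencelist=("plain",))
    out.set_content(body.get_content() if body is not None else "")
    removed = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        if verdict(name, data) == "malicious":
            removed.append(name)
            notice = (f"The attachment '{name}' was removed by the gateway because "
                      f"Threat Emulation returned a malicious verdict.\n")
            out.add_attachment(notice, filename=name + ".txt")
        else:
            out.add_attachment(data, maintype=part.get_content_maintype(),
                               subtype=part.get_content_subtype(), filename=name)
    return out, removed


if __name__ == "__main__":
    rewritten, removed = strip_flagged_attachments(build_sample_mail(),
                                                   fake_emulation_verdict)
    print("removed:", removed)
    print(rewritten.as_string())
```

Running it prints the rewritten MIME message: the text body is intact and the only attachment is tex_example_calc.doc.txt. The same function with a verdict that returns "benign" hands the original attachment through unchanged, which is the behaviour you expect for the clean release-notes PDF sent earlier in this lab.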
At the conclusion of this lab you should have accomplished the following:
Student Notes:
Lab Pre-requisites
In order to complete this lab, you will need:
Win7_32 jlennon VM
Gateway VM
Manager VM
Win2012r2 VM
3. If asked (should not be required if Threat Emulation is enabled) - Specify the domain of the company lab.local and the next
hop mail server that will process mail for this domain Host_192.168.80.80. Press Next and then Finish to complete the
Wizard. Check that your Threat Prevention profile has the Threat Extraction component enabled. If not, enable it now.
4. Note: you can change the TP profile settings to see the difference between Convert to PDF and Clean. This is done in
the Profile, Threat Extraction Settings: look at the Extraction method. Try Convert to PDF first.
6. On Win7_32 jlennon VM, Create a new mail and attach the following file “C:\Documents and Settings\jlennon\My
Documents\malfiles\tex_example_calc.doc”, send the mail to jlennon@lab.local.
Note: This is a real sample of a malicious file; handle with care!
7. Review SmartLog to see how with TE and TEX enabled, threat extraction has proactively cleaned the file of potentially
malicious content (using either clean, or convert to pdf).
8. Click on Get Messages in Thunderbird to receive the mail you just sent. Note that the attachment now has a double
extension (.doc.pdf), ignore the “Open with”, this is a limitation of the Win7 VM.
9. Click Save File on the tex_example_calc.doc.pdf file and then open with Adobe Acrobat Reader. Notice the file is free
from potential threats / active code.
10. Review SmartLog to see how with the Parallel extraction hotfix (sk108074) and the device running Emulation and
Extraction, files are converted very quickly by TEX, and then the emulation result is shown shortly after, ensuring the user
gets a clean file, fast.
Hint: Update SmartLog to show both TE and TEX logs:
10. With Threat Emulation and Threat Extraction happening in parallel, you will see two log entries for the one event: first, the
extraction of the potentially malicious content, and second, the result of the emulation process (it shows Detect, as the file has already
been
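The two-records-per-file behaviour described above is easy to lose in a busy SmartLog view. The following Python script is an added example, not part of the lab and not Check Point code: it joins the Threat Extraction and Threat Emulation records for the same attachment by file hash, measures how long after the cleaned copy went out the emulation verdict arrived, and flags files whose verdict is still pending. The records and their field names (time, blade, file_name, file_md5, action, verdict) are constructed for the example and only loosely modelled on Check Point log fields; adapt the field names to a real export.

```python
"""Correlate the two SmartLog records that parallel Threat Extraction (TEX)
and Threat Emulation (TE) produce for one attachment."""
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records, not exported from the lab's SmartLog. The
# field names are an assumption modelled loosely on Check Point log fields.
SAMPLE_LOGS = [
    {"time": "2017-03-01 10:15:02", "blade": "Threat Extraction",
     "file_name": "tex_example_calc.doc",
     "file_md5": "0123456789abcdef0123456789abcdef",
     "action": "Extract", "verdict": ""},
    {"time": "2017-03-01 10:15:41", "blade": "Threat Emulation",
     "file_name": "tex_example_calc.doc",
     "file_md5": "0123456789abcdef0123456789abcdef",
     "action": "Detect", "verdict": "Malicious"},
    {"time": "2017-03-01 10:20:10", "blade": "Threat Extraction",
     "file_name": "quarterly_report.docx",
     "file_md5": "fedcba9876543210fedcba9876543210",
     "action": "Extract", "verdict": ""},
    {"time": "2017-03-01 10:20:55", "blade": "Threat Emulation",
     "file_name": "quarterly_report.docx",
     "file_md5": "fedcba9876543210fedcba9876543210",
     "action": "Allow", "verdict": "Benign"},
    # TEX has delivered a cleaned copy but the TE verdict has not arrived yet.
    {"time": "2017-03-01 10:25:00", "blade": "Threat Extraction",
     "file_name": "invoice.pdf",
     "file_md5": "00112233445566778899aabbccddeeff",
     "action": "Extract", "verdict": ""},
]


def _ts(value):
    return datetime.strptime(value, TIME_FMT)


def correlate(records):
    """Group TEX and TE records by file hash and describe the outcome.

    Returns a dict keyed by file_md5. Each value carries the extraction
    time, the emulation time and verdict (if any), the seconds between the
    two, and a one-line status an analyst can filter on."""
    by_hash = {}
    for rec in records:
        entry = by_hash.setdefault(rec["file_md5"], {
            "file_name": rec["file_name"], "tex_time": None,
            "te_time": None, "te_verdict": None})
        if rec["blade"] == "Threat Extraction":
            entry["tex_time"] = _ts(rec["time"])
        elif rec["blade"] == "Threat Emulation":
            entry["te_time"] = _ts(rec["time"])
            entry["te_verdict"] = rec["verdict"]

    for entry in by_hash.values():
        entry["delay_seconds"] = None
        if entry["tex_time"] and entry["te_time"]:
            entry["delay_seconds"] = int(
                (entry["te_time"] - entry["tex_time"]).total_seconds())
            if entry["te_verdict"] == "Malicious":
                # Detect rather than Prevent is expected here: the user
                # already received the cleaned copy, so nothing is blocked.
                entry["status"] = ("cleaned copy delivered; original was "
                                   "malicious (TE reports Detect)")
            else:
                entry["status"] = "cleaned copy delivered; original judged benign"
        elif entry["tex_time"]:
            entry["status"] = "cleaned copy delivered; emulation verdict pending"
        else:
            entry["status"] = "emulation only; no extraction record"
    return by_hash


def pending_verdicts(results):
    """File names whose cleaned copy went out but whose TE verdict is missing."""
    return sorted(e["file_name"] for e in results.values()
                  if e["tex_time"] and not e["te_time"])


if __name__ == "__main__":
    results = correlate(SAMPLE_LOGS)
    for md5, e in results.items():
        print(f"{e['file_name']:24} {md5[:8]}  delay={e['delay_seconds']}  {e['status']}")
    print("awaiting verdict:", pending_verdicts(results))
```

The delay column is the figure the lab asks you to observe: extraction completes first and the emulation result follows, which is why a malicious original shows Detect rather than Prevent in the second record.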
1. On win2012r2, open SmartDashboard and log in as admin with password vpn123. The server IP address should be 192.168.80.100.
3. In the Threat Prevention tab, change the profile to Recommended_Profile_CloudEmu and install the Threat Prevention
policy.
Remember to set the emulation location back to Cloud on the Gateway object:
Remember to set Emulation -> Advanced to use the recommended images from the profile:
3. On the Deployment tab -> Software Deployment Rules, create a new rule.
The path is \Directories\Lab.local\Computers\VICTIM-PC2. Tick the VICTIM-PC2 checkbox.
Click Next.
The customer's Active Directory has already been linked to the installation using Deployment -> Organisational
Scanners.
a. Notice an SBA deployment includes Forensics and Anti-Ransomware, Anti-Bot and Threat Emulation (plus
optional Compliance, Firewall and Application Control). Anti-Virus is not part of SBA but can be purchased as an
add-on to provide additional malware detection capabilities.
7. Optional: you can change the location of file emulation between cloud and local. In Policy -> SandBlast Agent
Threat Extraction and Emulation, change this setting to use either Cloud or Local emulation:
a. Note: with Local emulation, the local appliance receives files from the endpoints and sends them to the cloud for emulation.
8. Use the Install Policy button to install the new policy to the server. Say Yes to save rule changes when prompted.
9. Confirm that only the software deployment rules change, and click Install.
12. Install the EPS.msi file, found in the Documents folder. This file was previously exported from the Check Point Manager
object. Just press Next until you see the option to Finish.
13. On the Win7_32 client you will see the software deployed. In this lab the heartbeat timer has been shortened to force a
quick install. When prompted, accept the installation and reboot when asked.
The software requires .NET Framework 4.5 or higher; to speed up deployment, the .NET installation has already been
completed.
15. Right-click the SandBlast Agent tray icon and select Display Overview. Wait until each blade is green / on /
ready.
16. On Win7_32 rstarr, open the Firefox browser. Click the SB Agent Demo File and open it with Word.
17. Open the malware and enable macros if prompted (macros should have been disabled already). The attack process can
take up to 2 minutes, so be patient. Once you are prompted, click View Details to see the log of the malicious activity.
18. On the SandBlast Agent, click Overview and then Forensics. Open the report by clicking on the event UID.
19. Depending on the speed of detection, the attack could be caught either through the bot communications from the macro (Anti-Bot) or by Threat
Emulation, based on the file behaviour.
20. Click on the Forensics blade. Click the Incident ID to see the forensics report. Click the arrow in the bottom right to
see more details.
21. On Win7_32 rstarr, open the Firefox browser. Click the SB AR sample TE link, open and run the file. Note the malicious file is
detected by Threat Emulation and quarantined (deleted) before it executes any malicious activity.
22. On Win7_32 rstarr, open “C:\Documents and Settings\rstarr\My Documents” and run the
SBA_AntiRansomware.bat script. Choose option “1” to prepare the demo.
This script disconnects the host machine from the Check Point Emulation Cloud, so the next sample cannot be stopped by emulation and must be caught by the agent's Anti-Ransomware protection.
23. On Win7_32 rstarr, open the Firefox browser. Click the SB AR sample offline link, open and run the file. The attack process
can take up to 2 minutes, so be patient. Open the My Pictures folder to watch the attack progress.
Note the attack is detected and quarantined by Anti-Ransomware. The encrypted files are restored to their original location.
25. After remediation has taken place and the files have been restored on Win7_32 rstarr, open “C:\Documents and Settings\rstarr\My
Documents” and run the SBA_AntiRansomware.bat script. Choose option “3” to return the system to normal
operation.
At the conclusion of this lab you should have accomplished the following:
Student Notes:
1. This lab relies upon steps in the following SK, which have already been completed. Please review the SK:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108695
2. This lab assumes continuation of labs 4-6; if you have not done so, follow the steps in labs 4-6 inclusive first.
3. Using SmartDashboard, change the Threat Prevention policy to use the Recommended_Profile profile.
4. Ensure Threat Emulation and Threat Extraction are enabled in the Recommended_Profile Threat Prevention profile.
a. Set the extraction mode to Extract files from potential malicious parts under Threat Extraction Settings.
5. Ensure Threat Emulation and Threat Extraction are enabled on the Gateway object.
7. Once the policy has finished installing, on Win7_32 rstarr open the document “C:\Documents and Settings\rstarr\My
Documents\malfiles\Threat Extraction Demo File.docx”.
The file size is 1.9MB and it contains an embedded PDF, which you can open; please confirm this now.
Before we work on this file, we will look at the original file to understand it better.
8. Now unzip the file using 7-Zip (a .docx is a ZIP archive of XML parts) and open the folder:
9. Open the folder Threat Extraction Demo File, then open the word directory and look at the contents. You should see this
(keep this folder open, you will need it later). Notice this file has embedded objects and functions contained within it:
the embeddings folder.
10. The next step is to pass this file through the Threat Extraction Chrome plugin. Open Chrome and click on the link to the
Threat Extraction Demo file.
11. First, check that the SandBlast Chrome plugin has been installed. This may require opening Chrome, waiting 30 seconds, then
closing and reopening Chrome. Look in the top corner for the plugin.
12. The file will be cleaned as it is downloaded; notice the plugin shows messages in the bottom right corner of the screen.
Once downloaded, click Show in folder.
On Win7_32 you should now be in the folder C:\Users\rstarr.lab\Downloads, where you will see the Threat Extracted
version of the file.
The file size is 181KB and it contains no embedded PDF; please confirm this now by opening the file.
Open the file in Word. The embedded PDF will no longer open.
13. Unzip the new file once again, but this time into the Downloads folder:
14. Compare the two folders to see how Threat Extraction has rebuilt the file, removing the active components. If you
navigate to the word subfolder again, you should notice that the embeddings folder is missing from the extracted file.
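The manual inspection in steps 8-9 and the folder comparison in step 14 can be scripted, which is handy when you need to check many files or confirm that a delivered copy really carries no embedded objects or macros. The Python below is an added example, not part of the lab and not Check Point code. It builds two constructed stand-ins for the original and the extracted .docx in memory (real Word files contain many more parts; the lab's 1.9MB demo file is not reproduced here), lists the archive members that hold active content, and diffs the two archives. Which paths count as "active" (word/embeddings/, word/activeX/, word/vbaProject.bin, word/vbaData.xml) is this example's own approximation of what Threat Extraction strips, not Check Point's definition.

```python
"""Inspect a .docx (an OOXML ZIP) for embedded/active parts and diff two copies."""
import io
import zipfile

# Our own approximation of the parts Threat Extraction removes in Extract
# mode: embedded OLE objects/PDFs, ActiveX controls and VBA macro storage.
ACTIVE_PART_PREFIXES = ("word/embeddings/", "word/activeX/")
ACTIVE_PART_NAMES = ("word/vbaProject.bin", "word/vbaData.xml")

DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>Threat Extraction demo</w:t></w:r></w:p></w:body>'
    '</w:document>'
)


def build_docx(parts):
    """Build a minimal docx-style ZIP from a {member_name: bytes} mapping.

    Constructed test data only; Word itself needs more parts than this."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", DOCUMENT_XML)
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins for the lab's two files: the original carries an
# embedded PDF (stored as an OLE package) and a VBA project; the extracted
# copy keeps only the document text and an image.
ORIGINAL_DOCX = build_docx({
    "word/embeddings/oleObject1.bin": b"%PDF-1.4 fake embedded pdf " + b"\x00" * 4000,
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 fake vba project " + b"\x00" * 1000,
    "word/media/image1.png": b"\x89PNG fake image",
})
EXTRACTED_DOCX = build_docx({
    "word/media/image1.png": b"\x89PNG fake image",
})


def list_parts(docx_bytes):
    """Sorted member names, i.e. what 7-Zip shows after unzipping."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return sorted(zf.namelist())


def active_parts(docx_bytes):
    """Members that carry embedded or active content (by our path rules)."""
    return [n for n in list_parts(docx_bytes)
            if n.startswith(ACTIVE_PART_PREFIXES) or n in ACTIVE_PART_NAMES]


def compare(original_bytes, cleaned_bytes):
    """Diff two archives the way step 14 compares the two unzipped folders."""
    orig = set(list_parts(original_bytes))
    clean = set(list_parts(cleaned_bytes))
    return {
        "removed": sorted(orig - clean),
        "added": sorted(clean - orig),
        # Non-empty means the "cleaned" copy still carries active content.
        "residual_active": active_parts(cleaned_bytes),
        "size_before": len(original_bytes),
        "size_after": len(cleaned_bytes),
    }


if __name__ == "__main__":
    print("original active parts:", active_parts(ORIGINAL_DOCX))
    print("extracted active parts:", active_parts(EXTRACTED_DOCX))
    for key, value in compare(ORIGINAL_DOCX, EXTRACTED_DOCX).items():
        print(f"{key}: {value}")
```

To run this against the lab's real files, replace the constructed archives with `open(path, "rb").read()` on the original and the copy from C:\Users\rstarr.lab\Downloads; a non-empty residual_active list is the signal that extraction did not remove everything you expected.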
15. Optional: if this test is successful, change the SandBlast Agent policy to convert downloaded files to PDF by editing the
Extraction and Emulation settings -> PTK Protect web downloads with Threat Emulation object.
16. Set the agent to Convert to PDF rather than Extract. Then install the policy.
17. Re-open the Chrome browser on Win7_32 rstarr, go to a search engine such as Google and search for cv.doc. Download the first example
document file. You will see in real time how quickly Threat Extraction reconstructs the document.
At the conclusion of this lab you should have accomplished the following:
1. Be aware that Threat Extraction can now work over HTTP as well as SMTP.
Student Notes: