Threat Prevention Labs

SandBlast PTK labs


R77.30.03 – DAY 1
TRAINING LABS
June 2018

VERSION 7.12 (BASED ON DROP 7.1.1)

BACKGROUND
The organisation lab.local is today using only stateful inspection firewall. They are looking for a more
comprehensive security solution that is capable of handling the more sophisticated threats like drive by
downloads and bots.

In their company the security policy creates a kind of grey area that allows users to connect to anywhere on the
Internet. The CEO has made this decision because, from a company business perspective, it is best to have a
good work life balance, and wanted to extend this to the use of their IT facilities.

The CISO would like to implement a security solution that is able to allow the users to work in accordance with
the security policy but get notified and educated when they visit resources that are malicious.

Since this company works in the IT security segment, employees need to be able to approve and continue
with the malicious activity, even though in normal businesses this activity would be instantly blocked.

The security admin that is going to work with the solution on a daily basis is looking for a solution that is easy
to work with and enables the company to centrally manage and investigate threats down to a forensic level
across multiple technologies.

©2017 Check Point Software Technologies Ltd. All rights reserved. [Restricted] ONLY for designated groups and individuals
1
2 Threat Prevention Labs – Day 1

Table of Contents
Lab Topology .............................................................................................................................. 2
Lab #1 – Forensics of firewall logs using SmartLog .................................................................... 4
Lab #2 – Forensics and preventing malicious activity ................................................................. 8
Lab #3 – Threat Emulation with Threat Cloud emulation ........................................................... 15
Lab #4 – Cloud emulation of files .............................................................................................. 19
Lab #5 – Viewing logs and forensic reports............................................................................... 22

LAB TOPOLOGY

(Diagram: the lab network, recovered from the figure labels.)

Internet / CloudShare
Net 172.27.254.0/24: Gateway eth0 (.254), Kali Linux (.10)
Net 10.2.1.0/24: Gateway eth1 (.254), Win7_32 (.10) jlennon, Win7_32 (.20) rstarr
Net 192.168.80.0/24: Gateway eth2 (.254), Win2012r2 (.80) with the R77.30.03 GUI installed, Manager (.100)

LAB REQUIREMENTS

Note: Ensure you change your keyboard layout on Windows based machines to match that of your region before you start the course.

SETUP INFORMATION

Role         Machine      IP              Login     Password   Notes
GW           Gateway      172.27.254.254  admin     vpn123     Domain lab.local; Eth0 172.27.254.254, Eth1 10.2.1.254, Eth2 192.168.80.254
MS DC        Win2012r2    192.168.80.80   admin     vpn123     Domain lab.local; hMailServer password vpn123
Mgmt Server  Manager      192.168.80.100  admin     vpn123     Eth0 192.168.80.100 (VMnet3)
Victim       Win7_32      10.2.1.10       jlennon   vpn123     Domain lab.local
Victim       Win7_32      10.2.1.20       rstarr    vpn123     Domain lab.local
Attacker     Kali Linux   172.27.254.10   root      toor       Domain lab.local


LAB #1 – FORENSICS OF FIREWALL LOGS USING SMARTLOG

Lab Objectives

In this lab you will investigate a potential breach in the system. The CISO suspects that an external
organisation is spying on the company, because sensitive information about mergers and acquisitions has leaked to
competitors.

The CISO suspects that the machine John Lennon is using is infected with malware and wants you to investigate
what this machine has done.

Lab Pre-requisites

In order to complete this lab you will use the following VMs:

- Win7_32 jlennon VM
- Kali Linux VM
- Manager VM
- Gateway VM
- Win2012r2 VM

- SmartConsole R77.30.03 installed on the Win2012r2 VM

FORENSICS OF STATEFUL FIREWALL LOGS


Lab Instructions

Remote control and monitor the behaviour

We will start the virtual machines and control the infected victim machine inside the secure location remotely from the C&C
machine to produce some logs. Then we will try to see if we can find any suspicious behaviour in the firewall logs.

PROCEDURE

1. Select the Kali Linux VM by clicking on the Kali-Linux option.

2. If you are asked for a password, the password is “toor”.


3. The Gh0stRAT UI and terminal window application should automatically start.


If it does not start automatically (and the screen instead looks like the screenshot above), reboot the machine: click on the Terminal icon,
type reboot and press Enter.

After the machine has rebooted, manually start the Metasploit application using the shortcut on the desktop called
runmetasploit.sh.

If you already see the Metasploit application running, skip this step.

4. When prompted, select Run in Terminal.


5. On the Win7_32 jlennon VM, log in as user jlennon with password vpn123 and verify that you can ping the Kali Linux VM 172.27.254.10 to
check connectivity. If there is no response, check that step 3 was performed correctly.

6. Open the Win2012r2 VM, start SmartLog and connect to 192.168.80.100 with the admin credentials below.
User: admin
Password: vpn123

7. Review the logs. Use the Auto Scroll feature shown here:

8. Create a query in SmartLog and search for the source IP that user John Lennon’s machine is using.

9. What is the best way to find the source IP? (Try src:10.2.1.10)

10. Do you see anything suspicious?

11. On Kali Linux VM Gh0stRAT C&C console, right click on the victim PC and select file manager.

12. If you do not see the victim PC, it has not communicated with the C&C yet. Just wait; it should do so within a few minutes.

13. In file manager on the remote side, go to jlennon desktop, right click and create a directory called HACKED and close file
manager. (You can reach this via C:\Users\JLennon\Desktop\)


14. On the jlennon victim machine, verify that there is a new directory called HACKED on the desktop.

15. In SmartLog, refresh the screen. Do you see any suspicious activities?

Lab Expected Outcomes


At the conclusion of this lab you should have accomplished the following:

- Remotely control a victim’s computer inside a secure location in the organisation without raising an alert to the Security
Administrator.

- Unable to find any suspicious activities in the logs.

Student Notes:


LAB #2 – FORENSICS AND PREVENTING MALICIOUS ACTIVITY

Lab Objectives

The organisation lab.local has now invested in a more comprehensive security solution based on Check Point
Software Blades that will meet their security requirements.

In this lab, as the Security Expert, you will configure the Threat Prevention blades acquired by the organisation, in
accordance with security policy that the organisation has adopted.

In order to complete this lab you will need the following VMs:

- Win2012r2 VM
- Kali Linux VM
- Win7_32 jlennon VM
- Gateway VM
- Manager VM

- SmartConsole installed on the host machine

FORENSICS AND PREVENTION OF MALICIOUS ACTIVITY


Lab Instructions

We will start the virtual machines and control the infected victim machine inside the secure location remotely from
the C&C to produce some logs.

- You will try to find suspicious behaviour in the logs.

- If you are able to find the suspicious behaviour, you will try to locate the communication to the potential C&C server and block that
communication.

PROCEDURE

1. Make sure the security gateway is up and running.

2. Log into SmartDashboard and edit the Gateway Check Point object.

3. Enable the Identity Awareness blade with the following settings:


a. Check AD Query only.
b. Select Create new domain: lab.local
c. Enter user admin, password vpn123 and DC 192.168.80.80.
d. Press Connect; you should get the following response: Successfully connected!
Note: Due to VMware ARP issues you may get a connection failed response. If that happens, ping the DC from the host machine again
and try to reconnect.
e. Click Next twice.
f. Click Finish to complete the wizard.


4. Enable the IPS blade on the Check Point object and under IPS on the left hand list, select the profile
Recommended_Protection_Detect.

Note: This profile is based on the normal Recommended_Protection profile, but all active protections are set to Detect. This will
cause the IPS to only detect malicious traffic, in accordance with the organisation's current security policy.

5. Make sure the inspection scope is set to Perform IPS inspection on all traffic (shown above).

6. Enable the Anti-Bot blade, uncheck Share anonymous attack information (since this is a lab).

7. Configure the blade according to the Anti-Bot and Anti-Virus policy (refer to step 17 below).

8. Enable the Anti-Virus blade.


9. For the security gateway to be aware of the DMZ, the interfaces used as DMZ must be defined as such. This
is done under the topology settings of the gateway.

10. Set the eth2 interface (where Win2012r2 resides) as a DMZ interface. Click OK.

11. Close the Gateway Check Point Object by pressing OK.

12. Open the Manager object.

13. Enable SmartEvent Server on the Check Point Manager (NOT Gateway) object under the Management tab.
Note: The correlation unit will be activated automatically when checking SmartEvent Server.

14. Close the Manager Check Point Object by pressing OK.


15. Move to the Threat Prevention tab.

16. Click on Policy.

17. Set the Threat Prevention -> Policy to Detect threats by changing the profile in the action column to
Recommended_Profile_CloudEmu.


18. Open the Threat Prevention Recommended_Profile_CloudEmu profile (right click on the profile and select Edit).

19. If Threat Extraction has been left enabled, disable it; it is not needed yet.

20. Under the Anti-Virus settings, check the Protection Scope.


As you can see the protection scope defines that incoming files from External and DMZ should be inspected.

21. Also select Process all file types and enable deep inspection scanning. This is done mainly in labs, due to the
performance impact.

22. Finally, enable Archive scanning.

23. Close the profile by pressing OK.


24. Change the firewall policy to force users to authenticate using Identity Awareness when accessing the Internet; you can do this
by enabling rule 6 and disabling rule 7.

25. Install the Network Security and Threat Prevention Policy. Wait for the policy installation to complete before continuing.

26. Log off the Win7_32 jlennon VM and log in again by clicking on Reconnect.

27. On the Win7_32 jlennon VM log in as jlennon with password vpn123 and verify connectivity by pinging the Win2012r2 VM
with the following command: “ping server”. Do not restart if prompted.

28. On the Win7_32 jlennon VM verify connectivity by pinging the Kali Linux VM with the following command: ping
172.27.254.10.

29. On the Win7_32 jlennon VM open the Mozilla Thunderbird e-mail client.

30. As you can see, there is a mail from White Hat with the subject “Salary and Personal Information posted online!” sent to John.
Since John is a very jumpy kind of person, he gets very afraid that all his personal information is posted on the website and
immediately clicks the link in the e-mail.

31. Yes - go ahead and click the link!!

32. From John’s perspective it seems like the website is broken. John is happy with this since his personal information is not
viewable there. He does not think much more about this anymore, instead he just continues with his daily business as usual.

33. Now move to the next steps, and see the Black Hat view of John’s actions.


Investigate what has happened and block eventual remote access

After you configured the new layers of protection (in detect mode), the CISO thinks they have evidence of suspicious activity.
They report that more sensitive information about mergers and acquisitions has once again leaked to competitors.

The CISO has asked you to investigate what John Lennon’s machine has done and to block remote control of this machine by the
attacker.

PROCEDURE
1. Acting as a Black Hat verify that you have remote control of the Victim PC.

2. On attacker Kali Linux VM use the Gh0stRat C&C console right click on the victim PC and open remote shell.

3. List the files in the directory of the remote machine you are connected to by running the command dir.

4. Run the command whoami.

5. Close remote shell.

6. In SmartLog do a search query as follows: Not Blade:Firewall AND user:jlennon

7. Try to find out what has happened after the Successful Login of John Lennon.

8. What kind of exploit did the IPS blade find?

9. Were there any viruses downloaded?

10. What is the malware family that this machine is infected with?

11. What is the protection name of the protection that detects this infection?

12. If you would like to provide remediation suggestions for cleaning this infected machine, where in the logs would you be able to
find that information?

13. Now change the Threat Prevention policy action column to use the Recommended_Profile.

14. Now install the Threat Prevention Policy only.

15. After the threat prevention policy is successfully installed, remote control of the Win7_32 jlennon VM should now be prevented.

16. On attacker Kali Linux VM use the Gh0stRat C&C console right click on the victim PC and open file manager.

17. On attacker Kali Linux VM use the Gh0stRat C&C console right click on the victim PC and open remote shell.

18. In Win2012r2 machine SmartLog refresh the view of the search query on user John Lennon and try to find if you have any
prevented Anti-Bot Logs.


Question: Did the protections trigger? If not – why not? Think about profile confidence levels (if those protections
trigger in detect).

19. Open SmartEvent (if enabled) and generate a Daily Threat Prevention report to have handy when the CISO asks you for a
report of the malicious activity. After report generation is complete, look at the last results and save it as a PDF on the host
machine.
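The two SmartLog filters used in these labs (src:10.2.1.10 in Lab #1 and Not Blade:Firewall AND user:jlennon in step 6 above) are simple field:value expressions combined with NOT and AND. The following Python script is an added example, not part of the Check Point lab material and not SmartLog itself: it evaluates that small query grammar over a handful of constructed log records, so you can see why the second query is the useful one once the Threat Prevention blades are logging. It drops the Firewall accepts and leaves only the Identity Awareness, IPS and Anti-Bot entries for the user. The field names, record values and the Term/run_query helpers are assumptions made for this example.

```python
"""Minimal evaluator for the SmartLog-style filter queries used in the lab.

Added example, not Check Point code. Supports only field:value terms,
NOT and AND (the grammar the lab's two queries use). The records below
are constructed for illustration and are not real SmartLog output.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample records modelled on the fields the lab searches on
# (src, user, blade). Times, addresses and actions are made up.
SAMPLE_LOGS = [
    {"time": "10:01:02", "blade": "Firewall", "src": "10.2.1.10",
     "dst": "172.27.254.10", "user": "jlennon", "action": "Accept"},
    {"time": "10:01:05", "blade": "Identity Awareness", "src": "10.2.1.10",
     "dst": "", "user": "jlennon", "action": "Login"},
    {"time": "10:02:11", "blade": "IPS", "src": "172.27.254.10",
     "dst": "10.2.1.10", "user": "jlennon", "action": "Detect"},
    {"time": "10:02:40", "blade": "Anti-Bot", "src": "10.2.1.10",
     "dst": "172.27.254.10", "user": "jlennon", "action": "Detect"},
    {"time": "10:03:00", "blade": "Firewall", "src": "10.2.1.20",
     "dst": "192.168.80.80", "user": "rstarr", "action": "Accept"},
]


@dataclass(frozen=True)
class Term:
    """One field:value condition, optionally negated by a preceding NOT."""
    field: str
    value: str
    negated: bool = False

    def matches(self, record: dict) -> bool:
        # Field names and values compare case-insensitively, as in the lab
        # queries, which mix "Blade" and "user".
        hit = str(record.get(self.field, "")).lower() == self.value.lower()
        return hit != self.negated


def parse_query(query: str) -> list[Term]:
    """Turn 'Not Blade:Firewall AND user:jlennon' into a list of Terms."""
    terms: list[Term] = []
    negate_next = False
    for token in query.split():
        upper = token.upper()
        if upper == "AND":          # all terms are ANDed anyway
            continue
        if upper == "NOT":          # applies to the following term only
            negate_next = True
            continue
        if ":" not in token:
            raise ValueError(f"expected field:value, got {token!r}")
        field, value = token.split(":", 1)
        terms.append(Term(field.lower(), value, negate_next))
        negate_next = False
    if negate_next:
        raise ValueError("NOT must be followed by a field:value term")
    return terms


def run_query(records: list[dict], query: str) -> list[dict]:
    """Return the records for which every term of the query holds."""
    terms = parse_query(query)
    return [r for r in records if all(t.matches(r) for t in terms)]


def suspicious_blades(records: list[dict], query: str) -> list[str]:
    """Sorted list of blades that logged something for the given query."""
    return sorted({r["blade"] for r in run_query(records, query)})


if __name__ == "__main__":
    for q in ("src:10.2.1.10", "Not Blade:Firewall AND user:jlennon"):
        print(f"--- {q}")
        for rec in run_query(SAMPLE_LOGS, q):
            print(f'{rec["time"]}  {rec["blade"]:<19} {rec["action"]}')
```

With only the Firewall blade logging (the Lab #1 situation), the src query returns nothing but Accept entries, which is why the student "finds nothing suspicious"; after the Threat Prevention blades are enabled, the Not Blade:Firewall query isolates exactly the entries worth reading.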

Lab Expected Outcomes


At the conclusion of this lab you should have accomplished the following:

1. Activated the threat prevention blades in order to handle more sophisticated threats.

2. Performed forensic analysis of the logs to conclude what the Victim PC was infected with, and prevented further
communication from the Victim PC to the C&C server.

Student Notes:


LAB #3 – THREAT EMULATION WITH THREAT CLOUD EMULATION

Lab Objectives

In this lab you will activate the Threat Emulation blade and do the basic configuration needed to emulate
documents passing through the gateway. Please note that these steps are specific to this lab environment and may
not be suitable for real-life deployments.

Lab Pre-requisites

If you already configured labs from earlier in the Threat Prevention course, just verify the steps in lab #3 match
your configuration!

In order to complete this lab you will need the following VMs. Do not start them yet unless they are already running.

- Kali Linux VM
- Win7_32 jlennon VM
- Gateway VM
- Manager VM
- Win2012r2 VM

- SmartConsole installed on the host machine

THREAT EMULATION BLADE WITH THREATCLOUD EMULATION


Lab Instructions

We will first activate the Threat Emulation blade on the Check Point object.

PROCEDURE

1. Start SmartDashboard and connect to 192.168.80.100 with the admin credentials below.
User: admin
Password: vpn123

2. Activate the Threat Emulation blade on the Check Point object Gateway. Activate SmartEvent Server and Correlation Unit
on the Management server if it is not already enabled.


3. This will start the Threat Emulation First Time Wizard. Select ThreatCloud Emulation Service and click Next.

4. From the Threat Prevention tab, edit the Recommended_Profile_CloudEmu profile and disable static analysis to ensure all
files are sent for emulation (Threat Emulation settings > Advanced > Disable static analysis for filtering files).


5. Confirm the Recommended_Profile_CloudEmu profile is in use on the gateway by checking the Policy tab under Threat
Prevention.

6. Now click Install Policy and make sure that both the Network Security and Threat Prevention policies are installed.

7. Wait for the policy install to finish.

8. Go to the Threat Prevention tab and Gateways section and verify the emulation quota status.

Verify configuration

1. Start Putty on the Win2012r2 VM and connect to the Gateway using ssh.
IP Address: 192.168.80.254
User: admin
Password: vpn123


2. At the clish command prompt type ping www.google.com to verify Internet connectivity.

EMULATION OF FILES DOWNLOADED TO THE GATEWAY


Lab Instructions
Connect to the gateway via SSH and enable the option to scan files downloaded locally.

This step is required because the files are downloaded to the gateway itself, rather than through the gateway.

PROCEDURE

1. If not already available open a putty SSH session to the Gateway and log in.
IP Address: 192.168.80.254
User: admin
Password: vpn123

2. Enable local scanning mode by issuing the command tecli debug scan local enable

This command allows files downloaded to the gateway itself to be emulated.

3. Please note that this setting does not survive a reboot or cprestart!

Lab Expected Outcomes

At the conclusion of this lab you should have accomplished the following:

1. Activated the Threat Emulation blade in cloud emulation mode.

2. Configured the Threat Emulation blade to fit this lab environment and verified the quota status.

3. Enabled the gateway to scan files downloaded locally to the gateway.

Student Notes:


LAB #4 – CLOUD EMULATION OF FILES


Lab Objectives
In this lab we will download some files from a web server. The gateway will intercept the files from the flow of
traffic and execute them in the Threat Emulation sandbox.

DO NOT use the Windows client VM or the Windows host to download the files in the following labs, since ALL of the
files are malicious. This is dangerous. Instead we will download the files to the GW.
Normally the GW will not scan files sent to itself, but a command can enable local emulation.

We will download the files to the GW itself with a CLI tool and monitor the emulation processes.

Lab Pre-requisites
In order to complete this lab, you will need to have completed the steps in Lab #3.

CLOUD EMULATION OF DOCUMENTS


Lab Instructions
Download files from a web server for emulation in the cloud.

PROCEDURE

1. If not already available open a putty SSH session to the Gateway from Win2012r2 VM and log in.
IP Address: 192.168.80.254
User: admin
Password: vpn123

2. Enter expert mode by typing expert at the clish command prompt

3. Expert Password: vpn123

4. Check the cloud quota details with the command tecli show cloud quota

5. From the Gateway VM command line in the putty session check that you can ping the Kali Linux VM (172.27.254.10)


6. Duplicate the SSH session and log into expert mode. Make the window large. Run the command watch -d --interval=0.5 "tecli show cloud queue".
Switch focus back to the first SSH session and continue with the commands.

7. Issue the command cd malfiles to enter an already created folder for the malware files to be received.

8. Execute ./getmalfiles.sh and try to watch both SSH sessions. You will see how quickly files are sent to the cloud.

9. After the script completes (it can be cancelled at any time with CTRL+C), run the command tecli cache dump all to see the
verdict on each file. Notice that there may be some benign files and some malicious files. This is because some of the files are
malicious on one OS image only (which you may not be using).

(You can use the command tecli cache dump all | sort -u -t' ' -k1,1 to list the cached files uniquely by their sha1 field.)

10. Verify that you don’t see anything in the emulation queue, then open SmartDashboard. In the Threat Prevention tab, Gateways section,
verify that the file counts and quota details have changed accordingly.

11. While the cloud emulation is taking place, run tecli show statistics a few times from the clish command line to view the
emulation statistics. Note the Average Sample Process Time. It is the time taken for a file to be received, sent to cloud and a
verdict returned.
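The dedup pipeline in step 9 (tecli cache dump all | sort -u -t' ' -k1,1) works because sort -u with a key specification judges uniqueness on the key field only, so every sha1 is printed once. The POSIX shell snippet below is an added example, not part of the lab material or of tecli: it applies the same sort to a constructed four-line sample (placeholder hashes, not real samples) and adds a small awk count of distinct files per verdict. It assumes one record per line, space-separated, with the sha1 in the first field and the verdict in the third; the lab text does not show tecli's real output layout, so treat that layout as an assumption.

```bash
#!/bin/sh
# Added example (not Check Point tooling): deduplicate emulation cache
# records by their first field, the way the lab's
#   tecli cache dump all | sort -u -t' ' -k1,1
# pipeline does, on a constructed sample so it runs without a gateway.
# Assumed layout: "<sha1> <filename> <verdict>", one record per line.

# Constructed sample that lists the same file twice. The hashes are
# placeholders, not hashes of real samples.
SAMPLE_DUMP='aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111 sample1.pdf malicious
bbbb2222bbbb2222bbbb2222bbbb2222bbbb2222 sample2.doc benign
aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111 sample1.pdf malicious
cccc3333cccc3333cccc3333cccc3333cccc3333 sample3.exe malicious'

# Print each record once per distinct sha1 (field 1, space-delimited).
unique_by_sha1() {
    sort -u -t' ' -k1,1
}

# Count distinct files (after dedup) carrying the given verdict.
# Usage: ... | count_verdict malicious
count_verdict() {
    verdict="$1"
    unique_by_sha1 | awk -v v="$verdict" '$3 == v { n++ } END { print n + 0 }'
}

# Distinct sha1 count after dedup, as a plain number.
distinct_files() {
    unique_by_sha1 | wc -l | tr -d ' '
}

# Usage on the constructed sample:
printf '%s\n' "$SAMPLE_DUMP" | unique_by_sha1
printf 'distinct files: %s\n' "$(printf '%s\n' "$SAMPLE_DUMP" | distinct_files)"
printf 'malicious: %s\n' "$(printf '%s\n' "$SAMPLE_DUMP" | count_verdict malicious)"
```

On a real gateway replace the printf of the sample with tecli cache dump all; the functions read standard input, so the rest stays the same.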


Lab Expected Outcome


At the conclusion of this lab you should have accomplished the following:

1. Downloaded malicious files that are then sent to the cloud for emulation.

2. Monitored the emulation backend and processes using tecli and the GUI.

Student Notes:


LAB #5 – VIEWING LOGS AND EMULATION FORENSIC REPORTS

Lab Objectives
In this lab, you'll learn how to use the logging utilities to view more details about the emulated files.

Lab Pre-requisites
In order to complete this lab, you will need:
- Preconfigured Gateway
- Completed the steps in Lab #5

VIEWING LOGS AND FORENSIC REPORTS


Lab Instructions

1. In SmartDashboard, open SmartView Tracker from the SmartConsole menu.


Note: You can also use SmartLog if you prefer that.

2. Select the Threat Emulation section in the structure on the left side


3. Have a look at the logs. In a production environment you will see logs about malicious files. Malicious files will be blocked
or detected, based on policy. Benign files will display a green highway / motorway symbol.
Note: Keep your timezone in mind, as the hosts are set to GMT.

4. Below is an example of the log details for a file that is NOT infected (all test samples are malicious):


5. Locate an infected document and view the log details.


6. Click on the icon behind the report to see the detailed forensics report. Below you will see 2 examples.


7. Scroll downwards in the forensics report and notice the different sections.

Lab Expected Outcomes

At the conclusion of this lab you should have accomplished the following:

1. Locate Threat Emulation logs in SmartView Tracker / SmartLog.

2. View log details and forensics reports.

Student Notes:


SandBlast PTK LABS


R77.30.03 – DAY 2
TRAINING LABS
June 2018

VERSION 7.12 (BASED ON DROP 7.1.1)

BACKGROUND
The organization lab.local is looking for a solution that can help them with the increasing amount of unknown
malware that traverses their existing security solution and has infected their client and server computers.

They are running Windows 7 clients with MS Office 2013 and Adobe Acrobat 11.
The security admin wants to capture malicious executables and documents containing malware.

Table of Contents
Lab Topology ............................................................................................................................ 28
Lab #6 – Threat emulation private cloud ................................................................................... 30
Local emulation preparations .................................................................................................... 30
Lab #7 – Local emulation of files............................................................................................... 35
Lab #8 – Viewing event forensic reports in SmartEvent ............................................................ 37
Lab #9 – Local emulation of files in SMTP traffic using MTA ..................................................... 41
Lab #10 – Threat Extraction in SMTP traffic using MTA ............................................................ 44
Lab #11 – SandBlast Agent deployment and malware detection............................................... 48
Lab #12 – Threat Extraction of files over HTTP using chrome Plugin ....................................... 56


LAB TOPOLOGY

(Diagram: the lab network, recovered from the figure labels.)

Internet / CloudShare
Net 172.27.254.0/24: Gateway eth0 (.254), Kali Linux (.10)
Net 10.2.1.0/24: Gateway eth1 (.254), Win7_32 (.10) jlennon, Win7_32 (.20) rstarr
Net 192.168.80.0/24: Gateway eth2 (.254), Win2012r2 (.80) with the R77.30.03 GUI installed, Manager (.100)


SETUP INFORMATION
Role         Machine      IP              Login     Password   Notes
GW           Gateway      172.27.254.254  admin     vpn123     Domain lab.local; Eth0 172.27.254.254, Eth1 10.2.1.254, Eth2 192.168.80.254
MS DC        Win2012r2    192.168.80.80   admin     vpn123     Domain lab.local; hMailServer password vpn123
Mgmt Server  Manager      192.168.80.100  admin     vpn123     Eth0 192.168.80.100 (VMnet3)
Victim       Win7_32      10.2.1.10       jlennon   vpn123     Domain lab.local
Victim       Win7_32      10.2.1.20       rstarr    vpn123     Domain lab.local
Attacker     Kali Linux   172.27.254.10   root      toor       Domain lab.local


LAB #6 – THREAT EMULATION PRIVATE CLOUD


Lab Objectives
In this lab we will emulate documents in a sandbox on the gateway instead of in the cloud.

To ensure the lab can proceed quickly and does not require large file downloads, the following Windows 7 image should be
used for all activity, as it has already been downloaded to the system. You can check the image used under Threat Prevention
Policy -> Profile section. Check that the profile Recommended_Profile_LocalEmu is in use. If you edit the profile, you
can also see Threat Emulation Settings -> Emulation environment.

Lab Pre-requisites
In order to complete this lab, you will need:
- Manager VM
- Gateway VM
- Win2012r2 jlennon VM
- Kali Linux VM
- Completed the steps in Day 1 labs.

LOCAL EMULATION PREPARATIONS


Lab Instructions


1. Confirm that online updates (engine and images) have been disabled via Threat Prevention tab -> Advanced -> Updates
section.

2. In the Gateway object, deselect/uncheck the Threat Emulation checkbox.

3. Install policy for both Network Security and Threat Prevention.

4. Reactivate Threat Emulation: in the Gateway object, select the Threat Emulation checkbox and choose local emulation.


5. In the Threat Emulation->Advanced section select ONLY the Win7, Office 2013, Adobe 11 image.

Only one image is selected for performance reasons.


Note: The image selected in this table must be available for use from the Threat Prevention profile applied to the gateway.
For example, if the profile offers only the Windows XP image to the gateways running that TP profile, then selecting one of the
Win7 images will cause an error at policy installation time.

6. Remember to disable sharing anonymous attack information with Check Point before you continue.


7. Install policy for both Network Security and Threat Prevention.

Wait until policy installation is finished before proceeding with step 10 (reinitializing the images);
otherwise the images will be downloaded again in full from the web.

8. If not already available open a Putty SSH session to the Gateway machine from Win2012r2 VM and log in.

IP Address: 192.168.80.254
User: admin
Password: vpn123

9. Enter expert mode by typing “expert” at the clish command prompt.

Expert Password: vpn123

10. Check that the GW received the settings to perform local emulation by issuing two commands:
tecli advanced schema profile | grep local

tecli advanced schema general | grep local

11. Check the readiness status by issuing the command tecli show download all | grep -i status

Note: If you see the image in an “unused” status, run the command fw kill ted
This will restart ted and immediately re-evaluate the status of the image.

12. If the image is in Ready state exit with CTRL-C.


13. Set the emulator to run 3 concurrent Virtual Machines, by running the command tecli adv attrib set max_vm 3


Lab Expected Outcomes

At the conclusion of this lab you should have accomplished the following:

1. Prepare gateway local emu settings.

2. Reset OS image to fit local hardware.

Student Notes:


LAB #7 – LOCAL EMULATION OF FILES


EMULATION OF FILES
In this lab we will emulate documents in a sandbox on the gateway instead of the cloud.

Lab Pre-requisites
In order to complete this lab, you will need:
- Win7_32 VM
- Manager VM
- Gateway VM
- Win2012r2 VM
- Completed the steps in Lab #1

LOCAL EMULATION
Lab Instructions

1. If not already available open a Putty SSH session to the Gateway from Win2012r2 VM and log in.

IP Address: 192.168.80.254
User: admin
Password: vpn123

2. Enter expert mode by typing “expert” at the clish command prompt

Expert Password: vpn123

3. The cache must be cleared to make sure that the emulation happens again rather than being answered from a cached verdict. Run the command tecli cache clean
to clear the cache.

4. Duplicate the SSH session and log into expert mode. Make the window large. Run the command watch -d "tecli
show emu emu". Switch focus back to the first SSH session and continue with the commands.

5. To emulate some of the files, cd malfiles and use the ls command to list the contents of the directory. Now use the
command te_add_file -f=<filename> to add the files one at a time to the gateway for emulation. It is also possible
to add a directory of files using te_add_file -d=<directory>

6. In your other SSH window, the tecli output should look something like this. It is advised to select a few different file
types.

This shows the emulation progress on the gateway.


Note: Because the number of concurrent VMs is limited, adding a complete directory rather than single files will cause an emulation
queue.
To view emulation logs, from expert mode use tail -f $FWDIR/log/ted.elg


Lab Expected Outcomes

At the conclusion of this lab you should have accomplished the following:

1. Emulate documents on the OS sandboxes locally on the gateway

2. Monitor the process from CLI

Student Notes:


LAB #8 – VIEWING EVENT FORENSIC REPORTS IN SMARTEVENT
Lab Objectives
In this lab, you'll learn how to use SmartEvent to view more details about the emulated files.

Lab Pre-requisites
In order to complete this lab, you will need:
- Win7_32 VM
- Manager VM
- Gateway VM
- Win2012r2 VM
- Completed the steps in Lab #2

VIEWING EVENTS AND FORENSIC REPORTS


Lab Instructions

1. In SmartDashboard, open SmartEvent from the SmartConsole menu.

Go to the Events tab and select the Threat Prevention->Important Threat Emulation query


2. View the event summary for some of the events; also try the details view, and try opening one summary report.

3. Go to the Reports tab and select the Threat Prevention->Daily report and click Generate to generate a report for today.

4. When the report is done click Save as PDF.

5. View the PDF report.

Lab Expected Outcomes

At the conclusion of this lab you should have accomplished the following:

1. Work with events in SmartEvent

2. Create a daily Threat Prevention report

Student Notes:


LAB #9 – LOCAL EMULATION OF FILES IN SMTP TRAFFIC USING MTA
Lab Objectives
In this lab, you'll learn how to enable MTA mode while using local emulation. This allows the gateway to participate in the email flow
and therefore hold mails and strip malicious attachments when they are found. Without MTA, the gateway is passive in the email chain and
can't guarantee successful email interception.

Lab Pre-requisites
In order to complete this lab, you will need:
- Win7_32 jlennon VM
- Manager VM
- Gateway VM
- Win2012r2 VM

TEST THE MAIL SERVER


Lab Instructions

1. Open the Win7_32 jlennon machine.

2. On the Win7_32 machine log in as user jlennon, password vpn123, and verify that you can ping the mail server.

3. Start the Mozilla Thunderbird mail client.

4. Create a new mail and attach the following clean file “C:\Documents and Settings\jlennon\My
Documents\CP_R80_ReleaseNotes.pdf”, addressed to jlennon@lab.local. Click Send to send the email.

5. Click on Get Mail to receive the mail you have just sent.

6. If you received the file, the mail server and mail client are working as expected.

CONFIGURE MTA IN SMART DASHBOARD


1. In SmartDashboard open the Check Point Gateway object and enable the Mail Transfer Agent with the following settings:


2. Edit the Gateway object and disable (untick) Anti-Virus, to ensure that the malicious file is not blocked with AV blade (lab
use only, allowing us to see emulation).

3. Install the Network Security and Threat Prevention Policy.

4. On Win7_32 Jlennon reconfigure Mozilla thunderbird to use the CP gateway address as SMTP server by following these
steps

a. Click on jlennon@lab.local and View settings for this account.

b. Click on Outgoing Server (SMTP).


c. Select Gateway MTA – 10.2.1.254 and click Set Default.
Note: This tells the email client to use the CP Gateway as the next hop for email.

d. You MUST remove the entry for the server.lab.local SMTP server at this stage, so that the client can only submit mail through the gateway MTA.

e. Save these settings.


INLINE PREVENTION WITH THREAT EMULATION USING MTA MODE
1. Create a new mail and attach the following file “C:\Documents and Settings\jlennon\My
Documents\malfiles\MaliciousFile.doc”, and send the mail to jlennon@lab.local.
 Note: This is a real malicious sample; handle with care!

2. Start a Putty session on the Gateway, go into expert mode and run the command
watch tecli show emu emu

This monitors the emulation process on the local Win7 emulation VM on the Gateway. When the files are done, stop it
with CTRL-C.

3. Click on Get Mail to receive the mail you just sent. Note that the attachment has been stripped and replaced with a text file.

4. Open Attachment.txt and check its contents.

5. Open SmartEvent and, by just looking at the event card of this event:
a. Try to find out who the intended recipient of this e-mail was.
b. Try to find out what the malware family was.
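
The stripping behaviour seen in steps 3 and 4 (the gateway holds the mail, removes the attachment that failed emulation and delivers a text notice in its place), modelled as a small Python script. This is an added example, not Check Point's MTA code: the verdict() function is a hypothetical stand-in for the Threat Emulation result, the mail and its marker byte string are constructed inline, and the wording of the real Attachment.txt is not reproduced.

```python
"""Model of an MTA-mode gateway stripping a malicious attachment.
Added example; not Check Point code. Runs offline on a constructed mail."""
import email
from email import policy
from email.message import EmailMessage

NOTICE_NAME = "Attachment.txt"   # what the lab's recipient sees in place of the .doc


def build_mail(sender, recipient, subject, filename, payload, mime_type):
    """Build a mail with one attachment, as the Thunderbird client would."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    maintype, subtype = mime_type.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def verdict(filename, payload):
    """Hypothetical stand-in for the Threat Emulation verdict (an assumption of this
    example, not the real engine): a constructed marker in the bytes means malicious."""
    return "malicious" if b"EVIL-MACRO" in payload else "benign"


def mta_filter(raw):
    """What the MTA does with a held mail: parse it, emulate every attachment, and
    replace a malicious one with a text notice. Returns (filtered_bytes, stripped_names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = EmailMessage()
    for header in ("From", "To", "Subject"):
        out[header] = str(msg[header])
    body = msg.get_body(preferencelist=("plain",))
    out.set_content(body.get_content() if body is not None else "")
    stripped = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True)
        if verdict(name, data) == "malicious":
            stripped.append(name)
            notice = (f"The attachment '{name}' was removed by the gateway because "
                      f"Threat Emulation classified it as malicious.\n")
            out.add_attachment(notice, filename=NOTICE_NAME)   # text/plain attachment
        else:
            out.add_attachment(data, maintype=part.get_content_maintype(),
                               subtype=part.get_content_subtype(), filename=name)
    return out.as_bytes(), stripped


def attachments(raw):
    """{filename: decoded bytes} for every attachment, as the receiving client sees it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): p.get_payload(decode=True) for p in msg.iter_attachments()}


if __name__ == "__main__":
    # Constructed sample standing in for the lab's MaliciousFile.doc (not the real file).
    raw = build_mail("jlennon@lab.local", "jlennon@lab.local", "test",
                     "MaliciousFile.doc", b"\xd0\xcf\x11\xe0 EVIL-MACRO", "application/msword")
    filtered, stripped = mta_filter(raw)
    print("stripped:", stripped)
    print("delivered:", list(attachments(filtered)))
```

Run it on the constructed mail and the delivered message carries only Attachment.txt; a mail whose attachment gets a benign verdict passes through with its original attachment intact, which is the difference between the clean PDF test earlier in this lab and the malicious .doc here.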

Lab Expected Outcomes

At the conclusion of this lab you should have accomplished the following:

1. Configure inline prevention with Threat Emulation using MTA mode


2. Seen, from an end-user's view, what happens to a mail that contains a malicious file.
3. Used SmartEvent to identify the intended recipient of the attack and the malware's activity.

Student Notes:


LAB #10 – THREAT EXTRACTION IN SMTP TRAFFIC USING MTA
Lab Objectives
In this lab, you'll learn how Threat Emulation and Threat Extraction (TEX) interact. Threat Extraction is supported with MTA enabled
and supports email only (web support is available via a browser plugin). TEX works with either Local or Cloud emulation. In this test,
we will send some sample files to John Lennon. With MTA, the gateway can intercept the file, manipulate the contents, and then
send the result to the recipient. Without MTA, TEX is not possible as the file cannot be manipulated.

Lab Pre-requisites
In order to complete this lab, you will need:
 Win7_32 jlennon VM
 Gateway VM
 Manager VM
 Win2012r2 VM

INLINE PREVENTION WITH THREAT EMULATION USING MTA MODE
1. This lab assumes continuation of Lab #9 – if you have not done so, follow the steps in Lab #9 “CONFIGURE MTA IN SMART
DASHBOARD” first.
2. Enable Threat Extraction in SmartDashboard and follow the wizard. You will see how supported files are sent to
emulation and extraction in parallel.

3. If asked (should not be required if Threat Emulation is enabled) - Specify the domain of the company lab.local and the next
hop mail server that will process mail for this domain Host_192.168.80.80. Press Next and then Finish to complete the
Wizard. Check that your Threat Prevention profile has the Threat Extraction component enabled. If not, enable it now.


4. Note: you can change the TP profile settings to see the difference between convert to PDF, and clean – this is done in
the Profile, Threat Extraction Settings. Look at the Extraction method. Try Convert to PDF first.

5. Install the Network Security and Threat Prevention Policy.

6. On Win7_32 jlennon VM, Create a new mail and attach the following file “C:\Documents and Settings\jlennon\My
Documents\malfiles\tex_example_calc.doc”, send the mail to jlennon@lab.local.
 Note: This is a real malicious sample; handle with care!

7. Review SmartLog to see how with TE and TEX enabled, threat extraction has proactively cleaned the file of potentially
malicious content (using either clean, or convert to pdf).


8. Click on Get Messages in Thunderbird to receive the mail you just sent. Note that the attachment now has a double
extension (.doc.pdf), ignore the “Open with”, this is a limitation of the Win7 VM.

9. Click Save File on the tex_example_calc.doc.pdf file and then open with Adobe Acrobat Reader. Notice the file is free
from potential threats / active code.

10. Review SmartLog to see how with the Parallel extraction hotfix (sk108074) and the device running Emulation and
Extraction, files are converted very quickly by TEX, and then the emulation result is shown shortly after, ensuring the user
gets a clean file, fast.
Hint: Update SmartLog to show both TE and TEX logs:


11. With Threat Emulation and Threat Extraction happening in parallel, you will see two log entries for the one event. Firstly, the
extraction of the potentially malicious content, and second, the result of the emulation process (shows detect, as file has already
been


LAB #11 – SANDBLAST AGENT DEPLOYMENT AND MALWARE DETECTION
Lab Objectives
In this lab, you'll learn how to deploy the SandBlast Agent to a client machine. You will then use this deployed client to open a very
simple “dummy” malware sample, and see the product in action, so you will understand the user experience.
Lab Pre-requisites
In order to complete this lab, you will need:
 Win7_32 rstarr VM
 Gateway VM
 Win2012r2 VM
 Manager VM
 Kali-Linux VM

CONFIGURE THE GATEWAY TO OPERATE IN DETECT MODE


In order to allow the malicious file to be handled by the Agent or the browser plugin, we must change the gateway profile to detect mode
allowing files to pass through.

1. On win2012r2 open SmartDashboard login as admin password vpn123. The server IP address should be 192.168.80.100.

2. Open the Check Point Gateway.

3. In Threat Prevention tab, change the profile to Recommended_Profile_CloudEmu and now install the Threat Prevention
policy.

Remember to set the emulation location back to cloud on the Gateway object:

Remember to set the Emulation -> Advanced to use the recommended images from the profile:

Install the Network Security and Threat Prevention policy


DEPLOY THE BLADES TO WIN7_32 HOST

1. On the Win2012r2 machine, start SmartEndpoint, ensure the version is R77.30.03.

2. Login as admin password vpn123. The server IP address should be 192.168.80.100.


3. On the Deployment tab -> Software Deployment Rules create a new rule.
The path is \Directories\Lab.local\Computers\VICTIM-PC2. Tick the VICTIM-PC2 checkbox.
Click Next.

The Active Directory of the customer has already been linked to the installation using Deployment -> Organisational
Scanners

4. Keep the default settings for client deployment. Press Next.

5. Change the rule name to SandBlast Agent Package. Click Finish.

6. The rule should look like this

a. Notice an SBA deployment includes, Forensics and Anti Ransomware, Anti Bot and Threat Emulation (plus
optional Compliance, Firewall and Application Control). Anti-Virus is not part of SBA but can be purchased as an
add-on to provide additional malware detection capabilities.

7. Optional: You can change the location of the file emulations between cloud or local. In the Policy -> SandBlast Agent
Threat Extraction and Emulation change this setting to use either Cloud, or Local emulation:
a. Note: The local appliance will receive files from endpoints and send files to cloud for emulation.

8. Use the Install Policy button, to install the new policy to the server. Say Yes to save rule changes when prompted.

9. Confirm only the software deployment rules change, and click Install.


10. On Win7_32 rstarr machine log in as rstarr/vpn123.

11. Using Windows explorer, open the Documents folder.

12. Install the EPS.msi file, found in the Documents folder. This file was previously exported from the Check Point Manager
object. Just press next until you see the option to Finish.

13. On the Win7_32 client, you will see the software deployed. In this lab, the heartbeat timer has been shortened to force
install quickly. When prompted, accept the installation, and reboot when asked.

a. You will see a software deployment messages:


b. When prompted, press Install

The software requires .NET Framework 4.5 or higher; to speed up deployment, the .NET installation has already been
completed.


14. Once Win7_32 reboots, log back in as rstarr with password vpn123.

15. Right click on the SandBlast Agent tray icon, and select Display Overview. Wait until each blade is green / on /
ready.


16. On Win7_32 rstarr, open Firefox browser. Click the SB Agent Demo File and open it with Word.

17. Open the malware and enable macros if prompted (macros should have been disabled already). The attack process can
take up to 2 minutes so be patient. Once you are prompted, click view details to see the log of the malicious activity.

18. On the SandBlast Agent, Click Overview, and then Forensics. Open the report, by clicking on the event UID.
19. Depending on the speed of detection, the attack could be seen by the Bot communications from the macro, or, Threat
Emulation detection based on the file behaviour


20. Click on the Forensics Blade. Click the Incident ID to see the forensics report. Click the arrow in the bottom right to
see more details.

TESTING RANSOMWARE SAMPLE

21. On Win7_32 rstarr, open Firefox browser. Click the SB AR sample TE link, open and run the file. Note the malicious file is
detected by Threat Emulation and quarantined (deleted) before executing any malicious activity.

22. On Win7_32 rstarr, open the “C:\Documents and Settings\rstarr\My Documents” location and run the
SBA_AntiRansomware.bat script. Choose option “1” to prepare the demo.
This script disconnects the host machine from the Check Point Emulation Cloud, so that the next sample cannot be caught by
Threat Emulation and must be handled by Anti-Ransomware on the endpoint.


23. On Win7_32 rstarr, open Firefox browser. Click the SB AR sample offline link, open and run the file. The attack process
can take up to 2 minutes so be patient. Open the My Pictures folder to see the attack progress.
Note the attack is detected and quarantined by Anti-Ransomware. The encrypted files are restored to their original location.

24. After remediation has taken place and the files have been restored, on Win7_32 rstarr open the “C:\Documents and Settings\rstarr\My
Documents” location and run the SBA_AntiRansomware.bat script. Choose option “3” to return the system to normal
operation.

Lab Expected Outcomes

At the conclusion of this lab you should have accomplished the following:

1. Understand the client / server architecture of SandBlast Agent

2. Understand how to deploy SandBlast Agent and what components it includes

3. Have an awareness of the triggers and detection capabilities

Student Notes:


LAB #12 – THREAT EXTRACTION OF FILES OVER HTTP USING CHROME PLUGIN
Lab Objectives
In this lab, you'll learn how the Threat Extraction (TEX) blade can clean files in the HTTP/S stream. Threat Extraction requires the
Threat Emulation blade to be enabled, but MTA is not required (it’s fine to leave it on). We will see how we can clean files using the
Threat Extraction Chrome Plugin (other browsers will be supported in E80.65).
Lab Pre-requisites
In order to complete this lab, you will need:
 Win7_32 rstarr VM
 Kali Linux VM
 Manager VM
 Gateway VM
 Win2012r2 VM

THREAT EXTRACTION USING SANDBLAST CHROME PLUGIN

1. This lab relies upon steps in the following SK, which have already been completed. Please review the SK:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108695

2. This lab assumes continuation of lab 4-6 – if you have not done so, follow steps in lab 4-6 inclusive first.

3. Using SmartDashboard, change the Threat Prevention rule to use the Recommended_Profile profile.

4. Ensure Threat Emulation and Threat Extraction are enabled in the Recommended_Profile Threat Prevention policy.
a. Set the extraction mode to Extract files from potential malicious parts under Threat Extraction Settings.

(Screenshot: the General Properties tab of Recommended_Profile showing Threat Extraction enabled, with the Threat Extraction method set to Extract.)


5. Ensure Threat Emulation and Threat Extraction are enabled on Gateway object.

6. Install the Threat Prevention policy onto Gateway.

7. Once the policy has finished installing, on Win7_32 rstarr, open the document “C:\Documents and Settings\rstarr\My
Documents\malfiles\Threat Extraction Demo File.docx”.
The file size is 1.9MB, and contains an embedded PDF, which you can open – please confirm this now.
Before we work on this file, we will look at the original file, to understand it better.

8. Now, unzip the file, using 7Zip, and open the folder:

9. Open the folder Threat Extraction Demo File, then open the word directory and look at the contents. You should see this
– keep this folder open, you will need it later. Notice this file has embedded objects and functions contained within it –
the Embeddings folder.


10. The next step is to pass this file through the Threat Extraction Chrome Plugin. Open Chrome, and click on the link to the
Threat Extraction Demo file.
11. First, check that the SandBlast Chrome Plugin has been installed. This may require opening Chrome, waiting 30 seconds, then
closing and reopening Chrome. Look in the top corner for the plugin.

12. The file will be cleaned as it is downloaded; notice that the plugin shows messages in the bottom right corner of the screen.
Once downloaded, click Show in folder.

On Win7_32, you should now be in the folder C:\Users\rstarr.lab\Downloads, and you will see the Threat Extracted
version of the file.
The file size is 181KB, and it contains no embedded PDF. Confirm this now by opening the file in Word: the embedded PDF
will no longer open.

13. Unzip the new file, once again, but this time, it will be into the downloads folder:

14. Compare the two folders, to see how Threat Extraction has rebuilt the file, extracting the active components. If you
navigate to the word subfolder again, you should notice the missing embeddings folder on the extracted file.
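
Steps 8 to 14 make the before/after comparison by hand with 7Zip. The following Python script does the same comparison programmatically, listing the OOXML parts of both .docx files and reporting which parts Threat Extraction removed and whether any embedded or macro parts survived. It is an added example, not Check Point tooling: the two in-memory sample documents are constructed stand-ins for the lab's original and extracted files, and the set of part names it treats as "active" is this example's own assumption.

```python
"""Diff the zipped OOXML parts of a .docx before and after Threat Extraction.
Added example, not Check Point tooling. Sample documents below are constructed."""
import io
import sys
import zipfile

# Part names that carry embedded objects or macros. This list is an assumption of the
# example; the lab's word/embeddings folder is the case seen on the page.
ACTIVE_PREFIXES = ("word/embeddings/", "word/activeX/")
ACTIVE_SUFFIXES = ("vbaProject.bin", "vbaData.xml")


def list_parts(docx_bytes):
    """Names of all file entries in the .docx (a .docx is just a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return sorted(i.filename for i in zf.infolist() if not i.filename.endswith("/"))


def active_parts(docx_bytes):
    """Parts that embed objects or macros, i.e. what extraction is expected to remove."""
    return [n for n in list_parts(docx_bytes)
            if n.startswith(ACTIVE_PREFIXES) or n.endswith(ACTIVE_SUFFIXES)]


def extraction_diff(original, extracted):
    """Compare the part lists of the original and the Threat Extracted document."""
    before, after = set(list_parts(original)), set(list_parts(extracted))
    return {
        "removed": sorted(before - after),           # parts extraction dropped
        "added": sorted(after - before),             # parts the rebuild introduced
        "residual_active": active_parts(extracted),  # should be empty after TEX
        "size_before": len(original),
        "size_after": len(extracted),
    }


def make_docx(parts):
    """Build a minimal docx-shaped zip from a {name: bytes} mapping (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins for the lab's original (with an embedded PDF and a macro
# project) and extracted documents. These are not the lab files.
COMMON = {
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/_rels/document.xml.rels": b"<Relationships/>",
}
ORIGINAL = make_docx({**COMMON,
                      "word/embeddings/oleObject1.bin": b"%PDF-1.4 embedded pdf",
                      "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 macro blob"})
EXTRACTED = make_docx(COMMON)


if __name__ == "__main__":
    # Usage on real files: python3 tex_diff.py original.docx extracted.docx
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            report = extraction_diff(f1.read(), f2.read())
    else:
        report = extraction_diff(ORIGINAL, EXTRACTED)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Pointed at the two lab files, the "removed" list is where the word/embeddings entries show up, and a non-empty "residual_active" list would mean the extracted copy still carries active content and the profile or plugin needs another look.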


(Screenshots: the word folder of the Original file beside that of the Threat Extracted file.)

15. Optional: If this test is successful, change the SandBlast Agent policy to convert files downloaded to PDF by editing the
Extraction and Emulation settings -> PTK Protect web downloads with Threat Emulation object.

16. Set the agent to Convert to PDF rather than extract. Then install Policy.

17. Re-open the Chrome browser on Win7_32 rstarr, go to a search engine such as Google and search for cv.doc. Download the first
example document file. You will see in real time how quickly Threat Extraction reconstructs the document.

Lab Expected Outcomes

At the conclusion of this lab you should have accomplished the following:

1. Be aware that Threat Extraction can now work over HTTP as well as SMTP


2. Have an understanding of the SK to configure the gateway


3. Have knowledge of the Chrome plugin and test upload utility.
4. Be able to demonstrate to a customer, the file before, and after extraction.

Student Notes:
