Although FireEye has attempted to provide accurate information in this training course,
information in presentations, handouts, materials, job aides, and eLearning may contain
technical inaccuracies or typographical errors. The contents of this training material are believed
to be current and accurate as of their publication dates. FireEye assumes no responsibility for
the accuracy of the information. FireEye may change the programs or products mentioned at
any time without notice. Mention of non-FireEye products or services is for information purposes
only and constitutes neither an endorsement nor a recommendation.
www.fireeye.com
FireEye, Inc. All Rights Reserved. FireEye Proprietary Information – Not for Public Disclosure.
Alerts Essentials: Lab Guide
Lab Setup
Your instructor will set up a lab environment for you on CrossFire. The instructor will provide you with a self-registration link for your company email address. That link will take you to a self-registration portal that looks like the following:
Once you register, you will be redirected to a screen that provides you with your user name and password. Take
note of these for future use. Now click on the icon that says Proceed to lab.
From the drop-down menu labelled This lab use purpose, select Training. Then, in the field For whom is the training,
enter your company name and click Submit and continue.
1. After you click Submit and continue, you will see the main CrossFire Labs scenario dashboard and be ready
to create a new environment from the Create Scenarios tab.
RDP Button
• Once you are logged in, the system will begin automatic configuration.
• The last step will prompt you to reboot.
• After the reboot, log back in to the system.
Generate Attack
4. You are now ready to begin the attack scenario that will generate the alerts on the NX in your lab by launching
the email attacks from the desktop icon labeled SEND EMAIL ATTACKS.
5. Log into the victim VM. Start the Windows Live Mail client and click Send/Receive to retrieve new emails.
LAB COMMENTS
Take note of the IP address of the attacker and the victim. You will need the IP address to identify the attacker in
the NX.
6. Open the Google Account Activity email and click on the embedded link. The link is the malicious URL sent by the
attacker; it points the victim to a multi-flow Adobe Flash exploit. The victim will then be infected and will connect
back to the attacker's command and control infrastructure.
LAB COMMENTS:
This will produce the Web infection and will allow the student to check how the NX detects the exploit phase of an
attack.
7. Switch back to the attacker VM and go to the Spy-Net console. The victim should now appear as
compromised.
LAB COMMENTS:
This will generate a callback alert on the NX and it will allow the student to view the callback in the NX GUI. The
student will also be able to view an alert generated by the NX for the next step of the attack life cycle, which is the
dropper phase.
8. By now, most of the MVX analysis should be complete. From the CrossFire scenario dashboard, connect to
the NX using the Web UI button. Make note of the victim's IP address to identify the correct alerts.
Lab 1
Your company has implemented an NX as protection from zero day attacks and advanced web-based threats.
The SOC team has identified a spear phishing attack that was sent to one of the company executives. The SOC
tier 1 team received a critical alert from the NX and raised a ticket for further investigation and analysis of the alert
by a tier 2 analyst.
You are the tier 2 analyst and will begin your investigation. Navigate to the Alerts tab on the NX and list the latest
attacks seen for the victim. Review the alert to understand the capability of the malware, which machine in your
network is affected, whether or not the malware made a callback, and whether or not the malware performed a
secondary download. Use the questions below to organize your analysis.
b. What malware name is associated with this Web infection? What does this indicate?
________________________________________________________________________________
c. What guest image(s) did the MVX engine use for analysis?
________________________________________________________________________________
d. Name the infection URLs and the file that was downloaded during the exploitation of the host.
________________________________________________________________________________
e. Was there a related callback? If so, what was the associated malware name?
________________________________________________________________________________
Lab 2
Investigate any payloads delivered during the attack and answer the following questions:
3. What are the two operating systems that were chosen for analysis?
_______________________________________________________________________________________
4. What is the name of the host that was contacted by the victim and what type of web server software is the
attacker hosting?
_______________________________________________________________________________________