
Alert Essentials: Lab Guide

Lab book v 1.0

August 2016
Disclaimer

Although FireEye has attempted to provide accurate information in this training course,
information in presentations, handouts, materials, job aids, and eLearning may contain
technical inaccuracies or typographical errors. The contents of this training material are believed
to be current and accurate as of their publication dates. FireEye assumes no responsibility for
the accuracy of the information. FireEye may change the programs or products mentioned at
any time without notice. Mention of non-FireEye products or services is for information purposes
only and constitutes neither an endorsement nor a recommendation.

ALL INFORMATION PROVIDED IN THIS TRAINING COURSE AND RELEVANT ASSOCIATED
MATERIAL ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, WHETHER
EXPRESS, IMPLIED, STATUTORY OR OTHERWISE. FIREEYE DISCLAIMS ALL
WARRANTIES, EXPRESSED OR IMPLIED INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. Some
jurisdictions do not allow the exclusion of implied warranties, so the above exclusion may not
apply to you.

FIREEYE SHALL NOT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR
INCIDENTAL DAMAGES INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR
REVENUES, COSTS OF REPLACEMENT GOODS, LOSS OR DAMAGE TO DATA ARISING
OUT OF THE USE OR INABILITY TO USE THIS MATERIAL OR ANY FIREEYE PRODUCT, OR
DAMAGES RESULTING FROM USE OR RELIANCE ON THE INFORMATION PRESENT,
EVEN IF FIREEYE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

www.fireeye.com

Produced by the FireEye Education Team for FireEye, Inc.

© 2016 FireEye, Inc.
1440 McCarthy Blvd., Milpitas, CA 95035

The information contained within the document is confidential and proprietary.
Do not duplicate without written permission from FireEye, Inc.
Alerts Essentials: Lab Guide

1 hour Alert Essentials: Labs


Objectives
This document leverages CrossFire and the Total FireEye Solution for students to perform their labs during the
Alert Essentials class. The scenario will show:

• How an unsuspecting person may be induced to click on a URL.
• How a Remote Access Tool (RAT) can be detected by the NX.
• Alerting on malicious web traffic showing a multi-flow attack.

FireEye, Inc. All Rights Reserved. FireEye Proprietary Information – Not for Public Disclosure.

LAB Setup
Your instructor will set up a lab environment for you on CrossFire. The instructor will provide you with a self-
registration link tied to your company email address; that link will take you to a self-registration portal that looks
like the following:

Once you register, you will be redirected to a screen that provides you with your user name and password. Take
note of these for future use. Now click on the icon that says Proceed to lab.


From the drop-down menu labelled This lab use purpose, select Training. Then, in the field labelled For whom is
the training for, enter your company name and click Submit and continue.

1. After you click Submit and continue, you will see the main CrossFire Labs scenario dashboard and be ready
to create a new environment from the Create Scenarios tab.

Wait for the VMs to be created and started.

2. Log into the victim VM using the remote console button.

RDP Button
• Once you are logged in, the system will begin its auto configuration.
• The last step will prompt you to reboot.
• After the reboot, log back in to the system.

3. Log into the attacker VM.

• Once logged in, the system will begin its auto configuration.
• The last step will prompt you to start the SpyNet console application.
• Choose Y (yes) to launch SpyNet.
• Ensure that SpyNet is waiting for connections on port 81. If not, select the START menu option.

Generate Attack
4. You are now ready to begin the attack scenario that will generate the alerts on the NX in your lab by launching
the email attacks from the desktop icon labeled SEND EMAIL ATTACKS.

5. Log into the victim VM. Start the Windows Live Mail client and click Send/Receive to retrieve new emails.

LAB COMMENTS:
Take note of the IP addresses of the attacker and the victim. You will need the victim's IP address to identify the
relevant alerts in the NX.

6. Open the Google Account Activity email and click on the embedded link. This opens the malicious URL sent by
the attacker, which points the victim to a multi-flow Adobe Flash exploit. The victim will then be infected and will
connect back to the attacker's command and control infrastructure.

LAB COMMENTS:
This will produce the Web infection and will allow the student to check how the NX detects the exploit phase of an
attack.


7. Switch back to the attacker VM and go to the SpyNet console. The victim should now appear as
compromised.

LAB COMMENTS:
This will generate a callback alert on the NX and will allow the student to view the callback in the NX GUI. The
student will also be able to view an alert generated by the NX for the next step of the attack life cycle, which is the
dropper phase.

8. By now, most of the MVX analysis should be completed. From the CrossFire scenario dashboard, connect to
the NX using the Web UI button. Make note of the victim's IP address to identify the correct alerts.


Lab 1
Your company has implemented an NX as protection from zero-day attacks and advanced web-based threats.
The SOC team has identified a spear phishing attack that was sent to one of the company executives. The SOC
tier 1 team received a critical alert from the NX and raised a ticket for further investigation and analysis of the alert
by a tier 2 analyst.

You are the tier 2 analyst and will begin your investigation. Navigate to the Alerts tab on the NX and list the last
attacks seen for the victim. Review the alert to understand the capability of the malware, which machine in your
network is affected, whether or not the malware made a callback, and whether or not the malware made a
secondary download. Use the questions below to organize your analysis.

1. List alerts generated by your victim host on the NX.

_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
2. Review and triage the alert:
a. What is the IP of the infected host in your network?
________________________________________________________________________________

b. What malware name is associated with this Web infection? What does this indicate?
________________________________________________________________________________

c. What guest image(s) did the MVX engine use for analysis?
________________________________________________________________________________

d. Name the infection URLs and the file that was downloaded during the exploitation of the host.
________________________________________________________________________________

e. Was there a related callback? If so, what was the associated malware name?
________________________________________________________________________________

f. Did the callback lead to a secondary download?
________________________________________________________________________________

g. What is the malware name?
________________________________________________________________________________

h. What is the MD5 of the file that was downloaded?
________________________________________________________________________________
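The triage questions above follow the attack life cycle the NX alerts on: exploit (web infection), callback, then dropper / secondary download. As an added illustration that is not part of FireEye's lab guide and does not use the NX's own alert or export format, the routine below correlates a victim host's alerts into that sequence and pulls out the facts Lab 1 asks for (infection URLs, downloaded file and MD5, callback malware name, secondary download, C2 hosts). All alert records, malware names, addresses and hashes are constructed placeholders.

```python
"""Correlate one victim's alerts into exploit -> callback -> dropper stages.
The alert dicts below are CONSTRUCTED for this example and only loosely
mirror the fields seen in an NX alert; they are not a FireEye format."""
from datetime import datetime

# Constructed sample alerts: host 10.0.0.25 follows the full chain,
# host 10.0.0.31 shows only an exploit with no callback afterwards.
ALERTS = [
    {"time": "2016-08-01T10:02:11", "type": "web-infection", "src": "10.0.0.25",
     "dst": "203.0.113.7", "malware": "Exploit.Flash.Sample",
     "urls": ["http://203.0.113.7/login/index.html", "http://203.0.113.7/p.swf"],
     "file": "p.swf", "md5": "MD5-PLACEHOLDER-SWF"},
    {"time": "2016-08-01T10:02:40", "type": "malware-callback", "src": "10.0.0.25",
     "dst": "203.0.113.7", "malware": "Backdoor.Sample.RAT", "port": 81},
    {"time": "2016-08-01T10:03:05", "type": "malware-object", "src": "10.0.0.25",
     "dst": "203.0.113.7", "malware": "Trojan.Dropper.Sample",
     "urls": ["http://203.0.113.7/s.exe"], "file": "s.exe",
     "md5": "MD5-PLACEHOLDER-EXE"},
    {"time": "2016-08-01T10:09:00", "type": "web-infection", "src": "10.0.0.31",
     "dst": "198.51.100.9", "malware": "Exploit.Flash.Sample",
     "urls": ["http://198.51.100.9/x.swf"], "file": "x.swf",
     "md5": "MD5-PLACEHOLDER-X"},
]

# Map alert types onto the life cycle stages named in the lab.
STAGE = {"web-infection": "exploit", "malware-callback": "callback",
         "malware-object": "dropper"}

def triage(alerts, victim_ip):
    """Return the time-ordered stages for one victim plus the Lab 1 facts."""
    mine = sorted((a for a in alerts if a["src"] == victim_ip),
                  key=lambda a: datetime.fromisoformat(a["time"]))
    stages = [STAGE.get(a["type"], a["type"]) for a in mine]
    exploit = next((a for a in mine if a["type"] == "web-infection"), None)
    callback = next((a for a in mine if a["type"] == "malware-callback"), None)
    # A secondary download is a dropper object fetched only AFTER the callback;
    # a dropper with no preceding callback is not counted as one.
    dropper = next((a for a in mine if a["type"] == "malware-object"
                    and callback and a["time"] > callback["time"]), None)
    return {
        "victim": victim_ip,
        "stages": stages,
        "infection_urls": exploit["urls"] if exploit else [],
        "exploit_file": (exploit["file"], exploit["md5"]) if exploit else None,
        "callback_malware": callback["malware"] if callback else None,
        "secondary_download": (dropper["file"], dropper["md5"]) if dropper else None,
        # Hosts contacted after exploitation are the candidate C2 / payload servers.
        "c2_hosts": sorted({a["dst"] for a in mine if a["type"] != "web-infection"}),
    }
```

Running `triage(ALERTS, "10.0.0.25")` yields the full exploit, callback, dropper chain, while the second host returns an exploit stage with no callback and no secondary download.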


Lab 2
Investigate any payloads delivered during the attack and answer the following questions:

1. Name the alert responsible for the dropper/backdoor phase.
_______________________________________________________________________________________

2. What is the AV Suite name?
_______________________________________________________________________________________

3. What are the two operating systems that were chosen for analysis?
_______________________________________________________________________________________

4. What is the name of the host that was contacted by the victim and what type of web server software is the
attacker hosting?
_______________________________________________________________________________________
