Configuring WildFire. Version 1.0 PAN-OS 5.0.1. Johan Loos. johan@accessdenied.be



Similar documents
Configuring User Identification via Active Directory

WildFire. Preparing for Modern Network Attacks

Configuring Global Protect SSL VPN with a user-defined port

Step by Step. Use the Cloud Login Website

WildFire Cloud File Analysis

WildFire Reporting. WildFire Administrator s Guide 55. Copyright Palo Alto Networks

Quick Start Guide: Utilizing Nessus to Secure Microsoft Azure

Content Inspection Features

SETTING UP REMOTE ACCESS ON EYEMAX PC BASED DVR.

USER CONFERENCE 2011 SAN FRANCISCO APRIL Running MarkLogic in the Cloud DEVELOPER LOUNGE LAB

Sentral servers provide a wide range of services to school networks.

TERAcloud w w w. t e r a c l o u d. u k

Configure your firewall for administrative access via RADIUS authentication

SETUP SSL IN SHAREPOINT 2013 (USING SELF-SIGNED CERTIFICATE)

IPS Anti-Virus Configuration Example

WildFire Overview. WildFire Administrator s Guide 1. Copyright Palo Alto Networks

How to FTP (How to upload files on a web-server)

Lab 7 - Exploitation 1. NCS 430 Penetration Testing Lab 7 Sunday, March 29, 2015 John Salamy

Cyclope Internet Filtering Proxy. - Installation Guide -

Advanced Endpoint Protection Overview

SafeWord Domain Login Agent Step-by-Step Guide

WildFire Cloud File Analysis

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Setting up Hyper-V for 2X VirtualDesktopServer Manual

IIS, FTP Server and Windows

Penetration Testing Report. Client: xxxxxx Date: 19 th April 2014

REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER

WF-500 File Analysis

Installation and Setup: Setup Wizard Account Information

How to Use Your New Online Client Vault

WildFire Features. Palo Alto Networks. PAN-OS New Features Guide Version 6.1. Copyright Palo Alto Networks

Setting up VMware ESXi for 2X VirtualDesktopServer Manual

Biznet GIO Cloud Connecting VM via Windows Remote Desktop

About the VM-Series Firewall

M2M Series Routers. Port Forwarding / DMZ Setup

How to Logon with Domain Credentials to a Server in a Workgroup

Trend Micro Worry- Free Business Security st time setup Tips & Tricks

Configuring iplanet 6.0 Web Server For SSL and non-ssl Redirect

Secure Web Service - Hybrid. Policy Server Setup. Release Manual Version 1.01

6.0. Getting Started Guide

Filter Avoidance and Anonymous Proxy Guard

About the VM-Series Firewall

Deployment Guide for Citrix XenDesktop

Guide to the LBaaS plugin ver for Fuel

Quick Note 026. Using the firewall of a Digi TransPort to redirect HTTP Traffic to a proxy server. Digi International Technical Support December 2011

Owner of the content within this article is Written by Marc Grote

Firewall Rules (Outbound)

Load Balance Mechanism

Backing up IMail Server using Altaro Backup FS

Configuring Security for FTP Traffic

WildFire Reporting. WildFire Administrator s Guide. Version 6.1

Access Control Rules: URL Filtering

CIS 4361: Applied Security Lab 4

Altaro Hyper-V Backup - Offsite Backups & Seeding Guide

This presentation covers virtual application shared services supplied with IBM Workload Deployer version 3.1.

XenApp/Citrix Program Neighborhood Installation

ClickDimensions Quick Start Guide For Microsoft Dynamics CRM /1/2011 ClickDimensions

Secure Web Appliance. Reverse Proxy

WF-500 Appliance File Analysis

Setting up Citrix XenServer for 2X VirtualDesktopServer Manual

Connecting to Remote Desktop Windows Users

How-to setup a proxy in the cloud

Security perimeter white paper. Configuring a security perimeter around JEP(S) with IIS SMTP

Using Microsoft Expression Web to Upload Your Site

Brazosport College VPN Connection Installation and Setup Instructions. Draft 2 March 24, 2005

Penetration Testing Walkthrough

File Manager Pro User Guide. Version 3.0

SSL Inspection Step-by-Step Guide. June 6, 2016

How to Connect to Anonyproz OpenVPN Servers in Failover and Switcher Modes

Logging into Citrix (Epic) using an RSA Soft Token - New RSA User

Chapter 9 PUBLIC CLOUD LABORATORY. Sucha Smanchat, PhD. Faculty of Information Technology. King Mongkut s University of Technology North Bangkok

Paxera Uploader Basic Troubleshooting

Crown Field Support Engineering

App Orchestration 2.5

Genius in Salesforce.com Pre- Installation Setup

Unified Security, ATP and more

OpenVPN over SSH tunneling

VX 9000E WiNG Express Manager INSTALLATION GUIDE

JMC Next Generation Web-based Server Install and Setup

How to Open HTTP or HTTPS traffic to a webserver behind the NetVanta 2000 Series unit (Enhanced OS)

NAS 224 Remote Access Manual Configuration

How to use ArGoSoft Mail Server.NET Freeware

Avaya IP Office SIP Configuration Guide

1 Axis camera configuration IP configuration Setting up date and time Installing an IPS Analytics Application...

Connecting With Lifesize Cloud

RemotelyAnywhere Getting Started Guide

Get Started Guide - PC Tools Internet Security

Lab Configuring Access Policies and DMZ Settings

Zscaler Cloud Web Gateway Test

SecureIT Plus Firewall Features and Functionality

NAS 221 Remote Access Using Cloud Connect TM

Configuring MassTransit Server to listen on ports less than 1024 using WaterRoof on Macintosh Workstations

Manage Traps in a VDI Environment. Traps Administrator s Guide. Version 3.3. Copyright Palo Alto Networks

Quick Start Guide.

Installation Guide and Machine Setup

Outlook . Step 1: Open and Configure Outlook

Setting up VMware Server v1 for 2X VirtualDesktopServer Manual

IPS Attack Protection Configuration Example

Bitrix Site Manager ASP.NET. Installation Guide

Web Hosting Training Guide. Web Hosting Training Guide. Author: Glow Team Page 1 of 28 Ref: GC278_v1.1

Transcription:

Configuring WildFire Version 1.0 PAN-OS 5.0.1 Johan Loos johan@accessdenied.be

WildFire Overview WildFire is a cloud based malware detection service. Basically is the idea when the user downloads a file, the file is uploaded to the WildFire cloud for further inspection if its malware or not. This file is executed in a sandbox environment and looks for the behavior. I have a couple of scenarios here: Scenario 1: The user downloads a payload which contains a reverse shell. The payload will be presented as an executable file which the user downloads via his web browser. When the user launches this executable file, a reverse connection is initiated to the attacker s machine. Scenario 2: The user downloads an executable file which contains a backdoor. The backdoor is linked to a legitimate executable file (winmine.exe). When the user launches the executable file, the user can play the game, but a reverse connection is also opened to the attacker s machine. Scenario 3: The user downloads an executable file which contains a backdoor. The file is linked to a legitimate executable file (sol.exe) but the file is now encoded. When the user launches the executable file, the user can play the game, but a reverse connection is also opened to the attacker s machine. Scenario 4: We scramble a malicious file detected by WildFire and try to bypass WildFire by scrambling this file. Configure WildFire Task List Configure a File Blocking policy Scenario 1: User downloads a payload which contains a reverse shell Scenario 2: User downloads an executable file which contains a backdoor Scenario 3: Encode an existing file with a backdoor Scenario 4: Encode a malicious file to bypass WildFire Overview of the WildFire Report Create a File Blocking policy Navigate to Setup WildFire Under General Settings, you can specify the size of the buffer used to store captured files. Under Session, you can uncheck what you want to send to the WildFire cloud by clicking on the Edit button Navigate to Objects Security Policies File Blocking and click Add On the File Blocking page, type a name for the File Blocking Profile Configuring WildFire 2

Specify a file type you want to inspect, under direction select upload, under Action select Forward Click OK Configure your security policy to use the WildFire profile Navigate to Policies Security Policy and click Add On the General page, type a name for your policy Click on Source Select a Source Zone and a Source Address Configuring WildFire 3

Click on Destination Select a Destination Zone Click on Application Add the applications you need or select Any Click on Service Select Add and select service-http, service-https Configuring WildFire 4

Click on Actions Select your WildFire Blocking Profile Click OK Scenario 1: User downloads a payload which contains a reverse shell Create a reverse shell which listens on IP address 10.32.6.10 and port 443. The payload is written into an executable file rev_met.exe Create a listener on the attacking machine to listen on IP address 10.32.6.10 and port 443. Configuring WildFire 5

When the user downloads the file, a hash of the file is uploaded to the WildFire Cloud and executed in the sandbox environment. After analyses, WildFire marks the file as Benign When the user launches the file rev_met.exe, a reverse shell is opened to the attacker his machine Configuring WildFire 6

Reverse shell is recognized as unknown-tcp traffic over port 443 Configuring WildFire 7

Scenario 2: User downloads an executable file which contains a backdoor Create a reverse shell which listens on IP address 10.32.6.10 and port 443. The payload is written into an executable file rev_back.exe Link this reverse shell (rev_back.exe) into a legitimate program (winmine.exe). Launch InPect and link the two files together. Save the file as winmine.exe Create a listener on the attacking machine to listen on IP address 10.32.6.10 and port 443. When the user downloads the file, a hash of the file is uploaded to the WildFire Cloud and executed in the sandbox environment. Configuring WildFire 8

After analyses, WildFire marks the file as Benign When the user launches the file Winmine, he can play theme and a reverse shell is opened to the attacker his machine Reverse shell is recognized as unknown-tcp traffic over port 443 Configuring WildFire 9

Scenario 3: Encode an existing file with a backdoor Create a reverse shell which listens on IP address 10.32.6.10 and port 443 and use the shikata_gai_nai encoder to encode the payload 3 times, and export it to a file called solx.exe. The input file is Solitaire (sol.exe). Create a listener on the attacking machine to listen on IP address 10.32.6.10 and port 443. When the user downloads the file, a hash of the file is uploaded to the WildFire Cloud and executed in the sandbox environment. After analyses, WildFire marks the file as Benign Configuring WildFire 10

When the user launches the file solx.exe, he can play theme and a reverse shell is opened to the attacker his machine. Reverse shell is recognized as unknown-tcp traffic over port 443 Configuring WildFire 11

Scenario 4: Encode a malicious file to bypass WildFire Before a can test this scenario, I had a look on the Internet to find some files where I can download malicious files. Normally when you need such files, you have to look around for it, and if you don t need them, you get them When the user downloads a file from a website, WildFire analyzes this file in the WildFire cloud. After analyses, WildFire marks the file as Malware The malicious file is now visible under Monitor Logs WildFire Good stuff, I have finally found a file which is detected as malware. I ve renamed the file xxx-pornmovies.avi.exe into 1-xxx-porn-movie.avi.exe. Let s scramble the malicious file 1-xxx-porn-movie.avi.exe into a file called 2xpm.exe When the user downloads the file (2xpm.exe), the file is send to the the WildFire Cloud. Configuring WildFire 12

After investigation, WildFire marks the file as Benign Scambling or encoding a file means that the hash changes. WildFire has to perform the action again. Configuring WildFire 13

Overview of the WildFire Report This report gives you an overview on the files sent and the status Configuring WildFire 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information