ABSTRACT

Harmony Endpoint (E84.60) and

Threat Hunting Demo Days Lab
guide
Version
2.2

HARMONY ENDPOINT

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 0

Table of Contents
Table of Contents ................................................................................................................................... 1
Introduction ............................................................................................................................................ 2
Background Story ................................................................................................................................... 2
Environment Details ............................................................................................................................... 3
Your mission ........................................................................................................................................... 4
Lab #1 – Harmony Endpoint Scenarios ................................................................................................... 4
Stage 1 – Social engineering, phishing and credential theft targeted attack ......................................... 4
Stage 2 – Backdoor attack leading to a Ransomware attack ............................................................... 12
Stage 3 – Automated EDR and centralized Threat Hunting ................................................................. 17
Appendix-A: How to work with a GCP environment ............................................................................ 23
Appendix-B: Environment Exclusions and policy modifications........................................................... 25

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 1

Introduction
Today’s modern IT infrastructure has enabled us to work freely outside our offices and network perimeter.
Past investments focused on network security while attackers shifted to target endpoints. Endpoints are
our main work devices to access corporate email, applications, and data. They are also the most vulnerable
devices across organizational assets. You should be asking yourself, how safe are your endpoints and users
when research suggests that 70 percent of successful breaches start on the endpoint?

Imagine a consolidated endpoint security platform, covering all of your endpoint needs, including
advanced threat prevention, automated response and remediation, and real-time threat visibility and
analysis. In addition to that, how would you feel when your endpoint security solution automatically
prevents and responds to critical events saving you time and money?

To solve your challenges and to meet future business goals, your organization must have a consolidated
endpoint security strategy. Your users are the most vulnerable assets in your IT environment and are also
the most exposed.

Harmony Endpoint is a complete endpoint security solution integrated into the Check Point Infinity
architecture. It is based on the three pillars of effective endpoint security. Prevention focused protection;
Efficiency by automation; and faster recovery from attacks. Harmony Endpoint provides multiple layers of
endpoint security best practice protection. By reducing the attack surface and preventing attacks before
execution and damage you get the best ROI. Behavioral and runtime protection followed by fast and
automatic containment keep you protected even against unknown zero-day attacks. And finally, with an
automated response, triage, analysis, and report you to reduce the cost of operation.
Harmony Endpoint focuses on the Simplicity of deployment and operation from the cloud management
platform with an investment in multiple innovative threat prevention technologies, including machine
learning and AI, automated detection, and remediation. Check Point ThreatCloud offers automated shared
intelligence across all assets and with Harmony Endpoint insightful forensic capabilities it ensures the
continuous collection of data to automatically perform triage, report and response while providing
complete and centralized threat visibility and Threat Hunting capabilities.
More info - https://www.checkpoint.com/products/advanced-endpoint-protection/

Background Story
This story is based on a real event
The story starts from an attacker targeting your organization. Your organization is about to transition to a
public traded company. The attacker plans to infiltrate your organization and make a lot of money. The
attacker plans to steal sensitive data, create backdoors and cripple servers with a ransomware attack to
profit from the ransom and from selling sensitive data.
From the news and social media, the attacker learns about key people in the organization like Bruce, the
CFO. The attacker decides to target Bruce to infiltrate the organization and steal sensitive data.
The attack will start with a sophisticated social engineering attack and credential theft, phishing and
dumping attacks.
The next stage is to use the credentials to spread the backdoor, steal sensitive data and send a full scale
ransomware attack.
Finally, the attacker plans to book a vacation long vacation and enjoy the money

Spoiler Alert: the organization is protected by Check Point Harmony Endpoint and the attacker never leaves
for vacation

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 2

Lab scenarios
1. Social engineering, phishing and credential theft targeted attack
Our Scenario will demonstrate how Harmony Endpoint for Browsers protects users from identity theft by
phishing sites. We will view a phishing email with a link to a phishing site. Zero-Phish technology prevents
phishing attacks from both known and unknown sites. Scanning is performed in real time when the user tries to
access a site.

2. Backdoor attack leading to a Ransomware attack

Our scenario shows remote ransomware attack via backdoor on compromised user computer and Harmony
Endpoint capability of fully automatic attack prevention, remediation and restoration of encrypted files.

3. Automated EDR and centralized Threat Hunting

Our scenario demonstrates Harmony Endpoint Threat Hunting capability for all attack’s component, cross all
protected endpoint clients. Harmony Endpoint automated EDR capabilities and centralized Threat Hunting have
the best host based forensics capabilities and largest amount of information gathered and analyzed, allowing
easily visualize and hunt organization wide attack attempts and anomalies.

Environment Details

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 3

Your mission
You mission (if you choose to accept it) is to simulate, in real time, the capabilities of Check Point
Harmony Endpoint Solution. Harmony Endpoint brings additional advantages and benefits to the
endpoint level providing multi layered prevention and real time protection and analysis.

Lab #1 – Harmony Endpoint Scenarios

Lab Objectives – in this lab you will simulate, in real time, the advanced capabilities of Check Point
Harmony Endpoint Solution, Cloud management, WebUI console and EDR.

How to connect to Endpoint Cloud Management portal

From you PC or from the Jump server machine, open the Chrome browser and login to the Check Point
Infinity portal. You can use the bookmark or type https://portal.checkpoint.com
Username = [email protected]
Password = Cpwins123#
Account = chkp-demodays.xyz

How to work with the GCP environment (link to Appendix-A)

Stage 1 – Social engineering, phishing and credential theft targeted

attack
Goal
Experience Harmony Endpoint advanced real-time phishing prevention capabilities and runtime detection
and automated response

Important points
 Harmony Endpoint zero-phishing real-time scanning and prevention capabilities protecting
organizations from the most common attack vector
 Harmony Endpoint behavioral guard runtime detection of credential scraping attack with automated
response, analysis and triage.
 Multi-layered endpoint protection platform preventing multi-vector credential stealing attacks

Instructions
1. From the Jump server machine, on the desktop, use the remote desktop link to connect to the
windows attacker machine.
2. Minimize the window and open a connection to the Windows 10 Protected machine, use the remote
desktop link from the desktop to connect.
3. Minimize the window and connection to the kali attacker machine, use the remote desktop link from
the desktop to connect.

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 4

4. At the kali attacker machine, open 2 terminal windows. You can open them side by side or on different
desktop views.
5. On the left terminal window execute /root/demo/serve-phish.sh to launch the attacker zero-day
phishing website and view the connections.
6. On the right terminal window execute /root/demo/follow-phish-dump.sh to view the credentials that
will be phished from the user.

7. Minimize the kali attacker RDP window and navigate to the windows attacker machine.
8. Open the Outlook client from the taskbar
9. Send the targeted credential theft email for Bruce Morgan the CFO. The email is in the drafts folder of
the SBlab IT Department section.

10. Minimize the windows attacker RDP window and navigate to the Windows 10 Protected machine.
11. Open the outlook client from the taskbar and review the targeted email…… looks legitimate, right?

This is how easy it is to perform a social engineering and credential theft attack, and this scenario
demonstrates why it is so successful and the critical need for real-time phishing prevention.

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 5

12. Click the download AnyDesk Installer link, and it will open in the chrome browser.
If the page doesn’t load, close the browser and click the link again
13. Notice that Bruce’s details are already filled in to build trust with the user, and all that is left for him is
to fill in his (Bruce’s) password.

14. Press the password textbox to fill in any password you would like and notice that zero-phishing scans
and detects the site as a phishing site preventing the user from exposing their credentials to the
attacker.

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 6

15. Don’t close the user notification tab, and move back to the previous tab to show that the user is now
blocked from handing his credentials to the attacker.

16. We have added in the policy the ability for the user to proceed even after phishing prevention is done
in order to progress the scenario and show what happens in case zero-phishing is not implemented.
17. Go back to the user notification tab, click Advanced and then click anydesk.sbdemo.con link.

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 7

18. Now you will be able to fill in any password you want and click download your installer.
Suggestion: use a funny password like “WhereIsMyPassword” or “PhishingRulz”
Notice that now the attack proceeds, as multiple engines that would have stopped the file from
downloading or executing are excluded.
This is the place to briefly mention the following engines that would have prevented the attack before
moving on.
 Web Download protection with Threat Emulation preventing the download of the zero-day
malware
 Real time File reputation protection from ThreatCloud preventing known malware
 Static File Analysis powered by machine learning models to prevent unknown executables pre
execution

If the download doesn’t start after a few seconds, click download the installer again
19. Click Keep.
20. Before executing the fake “SBlab AnyDesk Enterprise.exe” zero-day malware. Navigate back to the Kali
attacker machine to see that Bruce’s password was successfully stolen and can be used to launch a
large scale attack on that organization.

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 8

 This is a good place to explore the ramifications of a successful phishing attack to an organization
21. Navigate back to the Windows 10 Protected machine to resume the attack scenario.
22. Execute the “SBlab AnyDesk Enterprise.exe” and click run.
Refer back to the email and the website to show the full extent of the social engineering attack
showing that exact screen, building trust with the user to click on run

23. The credential scraping attack will now execute.

An AnyDesk application window will now open with a popup window indicating that it was installed
successfully, making sure the user believes everything is successful. Another important part of a good
social engineering attack.
Notice that at this time, Harmony Endpoint Behavioral guard detected the attack during runtime and
automatically remediated it.
Show that the application window was terminated and the malware was quarantined as part of the
automated remediation process.

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 9

24. Navigate back to the Jump server machine and open the Chrome browser to the Harmony Endpoint
management platform
25. Navigate to the Security overview screen to show to full scope of the attack, including the detailed and
automated response, analysis and triage

Start from the phishing attack prevention and the user choosing to visit the infected site and getting their
credential stolen.
Continue with the behavioral guard runtime detection and full attack remediation.
26. You can also see the events from the logs tab on the Harmony Endpoint management platform or from
the security overview screen and search for anydesk to see the behavioral guard log for the mimikaz
detection.
27. From the log, open the forensics report to view the full and automated attack analysis, triage and
response.
©2021 Check Point Software Technologies Ltd. All rights reserved | P. 10
28. View the MITRE ATT&CK integration, entry point, remediation and suspicious activities.
It is recommended to walkthrough the attack from the incident details tree view.

Note that attack was stopped at an early stage by detecting the malicious PowerShell execution
before Mimikatz was able to steal the user’s credentials

Navigating through the forensics report can be easier from SmartView or from the Harmony Endpoint
on the Windows 10 Protected machine.
 Link to SmartView can be found at the service management tab
 Credentials = admin/Cpwins1!

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 11

 Stage 2 – Backdoor attack leading to a Ransomware attack
Goal
Experience Harmony Endpoint Anti-Ransomware capabilities to detect according to the behavior of an
unknown Ransomware followed by an automated remediation, analysis, triage and file restoration

Important points
 Harmony Endpoint Anti-Ransomware behavioral detection during runtime of a Ransomware attack
focused on detecting any type of Ransomware attack.
 Harmony Endpoint Anti-Ransomware automated remediation and files restoration protecting users
data and allowing them to continue working without wasting organizations’, time, money and effort.
 Multi-layered endpoint protection platform with automated EDR capabilities to fully recover from
attacks.

Instructions
1. From the Jump server machine, on the desktop, use the remote desktop link to connect to the kali
attacker machine.
2. Open a terminal window and navigate to /root/demo/backdoors/ :
cd /root/demo/backdoors/
3. Execute msfconsole -r meterpreter-listen.rc
4. The process takes a few seconds and you will see the following:

This will open a reverse TCP handler (listener) on the kali attacker machine for the backdoor

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 12

5. Minimize the kali attacker RDP window and open a remote desktop connection to the windows server
protected attacker machine. using the link on the Jump server desktop.

6. Open My Documents folder, extract scvhost.zip and execute the scvhost.exe file
This will open a meterpreter reverse TCP shell back to the kali attacker machine

7. Minimize the windows server protected RDP window and navigate back to the kali attacker machine
to the opened meterpreter session
8. Type in the blank line and execute resource start_attack.rc
Note, attack starts in 10 sec. Navigate back to window server protected machine to view attack

9. This will load and execute a Ransomware attack on the window server protected machine.
10. Navigate to the windows server protected machine to view the Ransomware attack, file encryption,
detection, automatic remediation and file restoration

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 13

 If the file restoration succeeded screen is not shown that is ok.
Close the RDP window of the protected server machine and open it again to view that the background
picture is restored.

11. Navigate back to the Jump server machine and open the Chrome browser to the Harmony Endpoint
management platform
12. Navigate to the Security overview screen to see the full scope of the attack, including the detailed and
automated response, analysis and triage

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 14

29. From the log open the forensics report to see the full and automated attack analysis, triage and
response.
©2021 Check Point Software Technologies Ltd. All rights reserved | P. 15
View the MITRE ATT&CK integration, entry point, remediation and suspicious activities.
It is recommended to walkthrough the attack from the incident details tree view

Navigating through the forensics report can be easier from SmartView or from the Harmony Endpoint
on the Windows Server Protected machine.
 Link to SmartView can be found at the service management tab
 Credentials = admin/Cpwins1!

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 16

 Stage 3 – Automated EDR and centralized Threat Hunting
Goal
Experience Harmony Endpoint Centralized EDR and Threat Hunting capabilities

Important points
 Harmony Endpoint automated EDR capabilities with industry’s best host based forensics capabilities
and largest amount of information gathered and analyzed
 Harmony Endpoint centralized Threat Hunting receives forensics information from all agents to enable
real time hunting of IoCs and IoAs
 Multi-layered endpoint protection platform with automated EDR and centralized Threat Hunting to
visualize and hunt organization wide attack attempts and anomalies.

Instructions
1. Navigate to the Threat Hunting section at the Harmony Endpoint management platform on chkp-
demodays.xyz account.

2. There are 2 main ways to start hunting.

a. Starting from a known IoC from a previous forensics report – such as part 3 Ransomware attack
trigger or entry point or a specific machine.
IoCs can be found in publications such as in our research.checkpoint.com

b. Start with a predefined query

Harmony Endpoint Threat Hunting service includes useful predefined queries that can be used
to view contextual real time centralized forensics details and search for possible attack
attempts that are yet to be discovered. It also help to understand user behavior and anomalies
in the organization.

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 17

 Let’s start hunting
3. First, let’s start by looking at the forensics report and using the attack start process from stage 2
Pithon_setup.exe

4. At the search line press the + sign, choose process name is and type pithon_setup.exe

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 18

5. Process exists only on the Windows server protected machine and it is not signed.
6. Let’s add the BOAZ-GAR-WINDOW machine to the query, search for unsigned processes and remove
the pithon_setup.exe to find potential backdoor processes we have yet to discover.
a. Click on the not signed at the “signed by” field and choose to include
b. Click on the BOAZ-GAR-WINDOW at the machine field and choose to include
c. Finally, remove the query for pithon_setup.exe by clicking the ‘X’ next to it in the query line

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 19

7. The time line bar shows us the number of events happing at a certain time. Let’s take a close view.
8. Click on the latest series of events to zoom in.

9. Let’s zoom in a little closer to exclude the trusted processes by clicking on the red hexagon.

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 20

10. Great hunting, you have found the backdoor process scvhost.exe that the attacker used to infiltrate
the server and execute a Ransomware attack

11. Include the scvhost.exe in the query and remove all other parameters to pivot from here to hunt all the
other possible backdoors at the organization if exist.
Notice it is spelled scvhost.exe and not svchost.exe as it should be
12. In a real life scenario you will set the date to a past date to include all possible backdoor processes in
order to review the history and if the attacker implemented more backdoors in the organization that
are yet to be activated.

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 21

13. Now that we have all the backdoor processes in one place, you will be able to quarantine them by
clicking on action and Quarantine.

14. In real life scenarios, you will be able to quarantine as an admin.

In this demo scenario, you will only be able to show that it is possible but you will not have permissions
to do so since the demo user is read only.

15. In case you demonstrated with your own portal or admin users you can go back to the windows server
protected machine, open task manager and see that the scvhost.exe process is not running.
Great work stopping the attacker from running away with your money.

WOW!
©2021 Check Point Software Technologies Ltd. All rights reserved | P. 22
Appendix-A: How to work with a GCP environment
The environment page holds the details to your environment that include the external IP addresses of the
Guacamole and the Jump server.

1. Start by opening a new browser tab and connect to the external IP of the guacamole server over
HTTP. http://<Guacamole_external_ip>
2. You will now be automatically redirected to the guacamole login screen
Username= admin Password = Cpwins1!
 In case you are not redirected automatically add ‘:8080/guacamole’ after the IP to reach the
guacamole login screen. http://<Guacamole_external_ip>:8080/guacamole

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 23

3. Once logged in, you will be redirected to the jump server, which is a windows server machine.
4. From the jump server (windows console) machine you will connected to all demo assets and
execute all demo scenarios
 It is possible to connect with remote desktop directly to the jump server but it is not
recommended as you will be running malware scenarios and it might leak to your own
machine.
 If you are connecting with remote desktop to the jump server, please disable clipboard.
Connecting to the jump server using RDP, can expose your system to malwares.
Please use guacamole to demonstrate

5. If you encounter a shutdown event tracker message, please disregard and write a character in each
empty text box then click ok to continue

6. Open Remote Desktop connections to all machines participating in the demonstration BEFORE you
start to demonstrate.

 You can easily navigate between open RDP windows from the taskbar

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 24

 Appendix-B: Environment Exclusions and policy modifications
Machine Description Comments
Harmony Endpoint - Cloud Harmony Endpoint cloud admin/Cpwins1!
Management (Harmony management, WebUI and Threat
Endpoint) Hunting services
Attacker windows 10 Attacker windows machine admin/Cpwins1!
Attacker Kali Linux Attacker kali machine admin/Cpwins1!
Windows 10 protected user Windows 10 protected user Bruce/Cpwins1!
machine
Windows server protected Windows server – AD+DNS+Mail. administrator/Cpwins1!
Domain=sbdemo.com
Jump server Jump server for RDP connection admin/Cpwins1!
to the machines and browser
connection to the Infinity portal
Guacamole Redirect HTTP connection to the admin/Cpwins1!
Jump server

Exclusion list
SBA-Demo Users Threat Emulation, Extraction and
policy rule Zero-Phishing exclusions
URL filtering Detect
Download protection Off
File Monitoring Off
Anti-Malware Off
SBA-Demo Users Threat Emulation, Extraction and SHA1 - 635a122c-2868394a-52f35be0-e48dd3a6-
policy rule Zero-Phishing exclusions bcc57aa8
SHA1 - cb703a7d-b84f4b81-338f24f5-978212ba-
d2556d7a(scvhost.exe)
SHA1 - 4ccfe4cf-5839024e-768520c6-3e3a1982-
eee092f0
SHA1 - edf72377-360d11ed-761a4867-278504e3-
5e5ae2a0
Anti-Ransomware and Behavioral scvhost.exe
Guard exclusions (SHA1 cb703a7db84f4b81338f24f5978212bad2556d7a)
Anti-Malware Off

 Use the network diagram above and scenarios description from the presentation to better
understand the environment.
 Note that this environment is hosted on GCP and Check Point Infinity Portal

©2021 Check Point Software Technologies Ltd. All rights reserved | P. 25