
Ransomware Attack Simulation and Investigation for Blue Teamers
December 7 @ 9:00 am – 6:00 pm EST
Instructor: Markus Schober
Course Length: 16 Hours
Includes: Twelve months of complimentary access to the Antisyphon Cyber Range, certificate of participation, six months access to class recordings.

Pricing:
This class is part of the Antisyphon Snake Oil? Summit 2023. Registration for any Snake Oil? Summit class includes registration for the summit and all of its presentations, talks, and streams.
Course Description
As cyber security defenders and investigators, we often only get to analyze an environment after the ransomware has executed, working our way back in time to understand the scope and initial infection vectors of a breach. However, knowing how attackers operate and understanding their tools helps tremendously in conducting a more effective analysis and response, and ultimately in lowering the impact of such attacks. This is why, in this workshop, we will teach you how to perform the common steps of every phase of a ransomware attack scenario as the attacker, from initial infection to impact.
We will set up a basic C2 infrastructure with PowerShell Empire, and execute attack phases such as initial access and reconnaissance, persistence mechanisms, privilege escalation, credential dumping, lateral movement, defense evasion, data exfiltration, and encryption with ransomware. At every step you will also learn the fundamental concepts required to conduct the attack and to defend against it, including hands-on analysis using Splunk, Velociraptor and forensic tools as needed. In the last part of the workshop, you will learn best practices for effectively investigating the attacked environment using the various tools that are part of the lab setup. Upon completion of the workshop, participants will have a better understanding of the steps ransomware threat actors take to achieve their objectives, as well as the best practices for detecting and ultimately preventing ransomware attacks.
Audience
This training is for blue teamers with intermediate technical skills who want to learn hands-on how the various phases of ransomware attacks are carried out, as well as how to detect, analyze and prevent them.
Requirements
- RDP access
Online Lab Setup
- Live response lab: Kali Linux, Windows Hosts, Splunk, Velociraptor
- Forensic tools
- Triage data collections and memory images
Agenda
- Introduction, Ransomware lifecycle, C2 infrastructure, Threat landscape
- Lab intro: VMs, Kali, PowerShell Empire
- Preparation: Listeners, stagers, C2 setup
- Initial access: Stager delivery, initial access
- Discovery 1: Local recon, enumeration and living off the land tools
- Persistence 1: Accounts, scheduled tasks, keys, folders
- Privilege escalation: User accounts, sessions, tokens, UAC bypasses
- Discovery 2: Domain discovery, ADFind and living off the land tools
- Credential Access: Mimikatz, LSASS, Kerberos, NTLM, PTH
- Lateral movement: Authentication events, techniques, analysis
- Persistence 2: WMIC
- Defensive evasion: Process injection, DLL hijacking
- Collection and Exfiltration: Data staging, exfil tools
- Impact: Ransomware execution, techniques, tools
- Investigation and analysis techniques: Splunk & Velociraptor
Trainer & Author

Markus Schober is the founder of a blue team training and consulting company named Blue Cape Security. Prior to that, he served as a manager and Principal Security Consultant at IBM X-Force Incident Response. Over the past decade he has led numerous cyber security breach investigations for major organizations, where he specialized in Incident Response, Digital Forensics and Crisis Management. He also advised organizations on building strong cyber security programs and conducted trainings, workshops and exercises for technical as well as executive audiences. He also has a background in software engineering in both the United States and Europe.
Instructor Twitter Handle: @mascho