homepage
Open menu
Contact Sales

Hands-on Malicious Script Analysis for Ransomware Response

  • Wednesday, 16 Aug 2023 1:00PM EDT (16 Aug 2023 17:00 UTC)
  • Speaker: Ryan Chapman

A large majority of ransomware incidents involve both obfuscated scripts and Cobalt Strike. PowerShell reigns supreme as the most common type of obfuscated script found in ransomware cases. Do you know what to do should you find an obfuscated PowerShell script during response? What if you run into an obfuscated, PowerShell-based Cobalt Strike downloader? Do you know how to decode the downloader? Do you know how to review the shellcode found multiple levels within the code structure to determine where the Cobalt Strike beacon is being hosted?

Come join SANS "FOR528: Ransomware for Incident Responders" author Ryan Chapman as he walks you through one of our FOR528 labs that shows you these very skills. You will use a virtual machine custom developed just for this workshop to review obfuscated code from real FOR528 labs. As a bonus, you will also learn how to extract the configuration from a Cobalt Strike Beacon. The better you are at performing these tasks yourself, the quicker you'll be able to derive additional TTPs and IOCs to assist in your overall response. Come learn HANDS-ON!

  1. Learning objectives:

- Learn to recognize PowerShell beacon downloader scripts

- Analyze a beacon downloader script using CyberChef

- Utilize beacon configuration parsers to extract configs from Cobalt Strike–generated shellcode and PEs

- Evaluate Cobalt Strike beacon configurations to understand how they operate

2. Pre-req Knowledge

A background in Incident Response (IR) is suggested. This workshop is aimed toward the incident responder who needs to respond to ransomware attacks. Thus, IR experience or at least alert triage experience such as one acquired within a SOC or CIRT is recommended. Familiarity with the basics of PowerShell will be helpful, as we will be decoding obfuscated PowerShell commands. Finally, familiarity with the Linux operating system will be useful. You will be pivoting through directories and running commands using the Bourne Again Shell (bash). Though we will be providing the exact commands to run, the more experience you have with *nix-based operating systems, the better.

Click HERE for System Requirements and VM Download Instructions.

Login to Register

Related Content

Blog
Following the Trail of Threat Actors in Google Workspace Audit Logs
Digital Forensics, Incident Response & Threat Hunting
Following the Trail of Threat Actors in Google Workspace Audit Logs
Many of the events we highlight in this blog post and the cheat sheet occur as part of normal business operations...
Megan_Roddie_370x370.png
Megan Roddie-Fonseca
read more
Blog
Quest_to_Summit_340x340.png
Industrial Control Systems Security, Digital Forensics, Incident Response & Threat Hunting
The Quest to Summit | SANS ICS Security Summit 2024
Register for the ICS Security Summit to be able to participate in The Quest to Summit and win big prizes.
370x370_Tim-Conway.jpg
Tim Conway
read more
Blog
N2C_blog_image.png
Security Awareness, Cybersecurity Leadership, Cloud Security, Open-Source Intelligence (OSINT), Industrial Control Systems Security, Digital Forensics, Incident Response & Threat Hunting, Cybersecurity and IT Essentials, Cyber Defense, Offensive Operations, Pen Testing, and Red Teaming, Artificial Intelligence (AI)
A Visual Summary of SANS New2Cyber Summit 2024
Check out these graphic recordings created in real-time throughout the event for SANS New2Cyber Summit 2024
370x370-person-placeholder.png
Alison Kim
read more