Detecting & Hunting Ransomware Operator Tools: It Is Easier Than You Think!

  • Published: 27 Sep 2024
  • Ryan Chapman, SANS Instructor and author of SANS FOR528: Ransomware for Incident Responders, provides an overview of tools leveraged often by ransomware operators. Though a multitude of ransomware operations and affiliate groups exist, we see a great deal of overlap between the tools leveraged by these groups (and that's an understatement!).
    - Are you following and utilizing projects such as Living Off Trusted Sites (LOTS) and Bring Your Own Vulnerable Driver (BYOVD)?
    - Are you looking for Bloodhound/SharpHound?
    - Do you know how PsExec-like tools (e.g., smbexec) work at a forensic level? Are you hunting for rogue installations of Remote Monitoring & Maintenance (RMM) tools?
    - Did you know that data exfiltration tools like Winzip, 7Zip, WinSCP, FileZilla, Rclone, and MEGAsync often leave forensic artifacts that are absolute snitches that are just phenomenal for us cyber defenders?
    In this session he discusses these tools, shows how they work, and shares tips & tricks for preventing, detecting, and hunting them!
    For presentation slides visit here: www.sans.org/w...
    About FOR528: Ransomware for Incident Responders course
    FOR528: Ransomware for Incident Responders (www.sans.org/FOR528) covers the entire life cycle of an incident, from initial detection to incident response and postmortem analysis. While there is no way to prepare for every possible scenario, the course uses deftly devised, real-world attacks and their subsequent forensic artifacts to give you, the analyst, all that you need to respond when the threat becomes a reality.
    About Ryan Chapman
    Ryan is a Principal Incident Response Consultant with Palo Alto Networks. He has worked in the Digital Forensics & Incident Response (DFIR) realm for over 10 years. He is the author of the new SANS course on ransomware FOR528: Ransomware for Incident Responders and he has also taught the SANS FOR610: Reverse Engineering Malware. During his career, Ryan has worked in Security Operations Center and Cyber Incident Response Team roles that handled incidents from inception through remediation. With Ryan, it's all about the blue team, including sifting through Packet Captures, researching domains and IPs, hunting through log aggregation utilities, analyzing malware, and performing host and network forensics.

Comments • 20

  • @JaKeizBrick33 · 1 year ago · +12

    Ryan is such a good presenter

  • @DukeSnider-bz5sg · 1 year ago · +1

    Thanks for sharing your knowledge and presenting it in a digestible way, Ryan. Please keep these videos coming!

  • @rameshbabu9497 · 1 year ago · +1

    Amazing resource! Hope to see more videos related to threat hunting

  • @scarthebadguy · 1 year ago · +2

    Glad I found this channel, great presentation 👏

    • @rj_chap · 1 year ago · +1

      Me too! And ty.

  • @MabelGainey · 11 months ago · +1

    @32 min in: great list, just about everything can be added to an alert list. There are some legit companies we work with that use MEGA, though.
    @36 min in: great list, everything but 7z can likely be added to an alert list (for my company).
    @50 min in: omg... same, I love Splunk, I just can't afford it.
    This was a great talk, and the speaker has almost convinced me to pay for a SANS course. (Seems really fun and charismatic.)

  • @CookieMonster-fc7jz · 1 year ago · +1

    Great stuff, useful hunting items. Thank you!

    • @rj_chap · 1 year ago

      YES!!!! Hunt, hunt, and hunt MOARRRR!

  • @0fzex003 · 1 year ago

    How come this is free? Thank you as always. Hope to afford this course in the future 😅

  • @pacificp · 1 year ago

    Great Presentation! Could you please share the link to download the ppt?

  • @ByteBudsBites · 2 months ago

    👍 thank you

  • @xx-kb5zi · 1 year ago

    🔥

  • @thrillhouse4784 · 8 months ago · +1

    Are these the classes for the certs that cost like 5k?

  • @howtocyberwar · 1 year ago · +1

    Thank you, great video!

    • @rj_chap · 1 year ago

      Thanks much!