Regardless of whether a cyberattack begins with phishing, RDP/remote access, or the exploitation of a vulnerability, the threat actor eventually needs to land on an endpoint that serves as a foothold for C2 communications, lateral movement, and (in some cases) exfiltration. And, as with nearly every other type of cyberattack, ransomware attacks follow a somewhat predictable sequence of actions: establishing persistence at the system and account levels, escalating privileges, performing discovery activities, and more.
Each of these actions leaves artifacts behind that offer not only “clues” as to what has transpired, but can often spell out exactly which actions were taken.
Open-source software like Velociraptor offers cybersecurity practitioners advanced digital forensics, monitoring, and incident response capabilities, enabling a more flexible and effective digital forensics and incident response (DFIR) workflow. In this Real Training for Free session, we’ll take a look at the valuable forensic artifacts Windows leaves behind and how to use open-source software like Velociraptor to respond flexibly to a ransomware attack based on those findings.
Up first, four-time Microsoft MVP Nick Cavalancia takes my seat as he discusses:
- What DFIR is and what a basic DFIR workflow should look like
- Artifacts 101: the core forensic artifacts that can be of value in an investigation
- Mapping an investigation to MITRE
Next up, you’ll hear from Mike Cohen, Consulting Software Engineer at Rapid7, who will walk through a typical compromise found during a ransomware attack using Velociraptor, following the trail of artifacts and the forensic details they reveal. Activities will include:
- Scoping the environment
- Identifying suspicious activity
- Identifying the initial attack vector
- Gathering evidence
Mike will also discuss monitoring with Velociraptor, showing how it can enhance your forensic process by proactively collecting even more information. Lastly, Mike will demonstrate how Velociraptor can be used to remediate the environment based on the actions uncovered.
This Real Training for Free session will be chock-full of practical, real-world content!