Detecting and hunting ransomware operating tools is easier than you think!

Ryan Chapman, SANS instructor and author of SANS FOR528: Ransomware for Incident Responders, provides an overview of the tools commonly used by ransomware operators. While there are a variety of ransomware operations and associated groups, we see a lot of overlap between the tools used by these groups (and that's an understatement!).
– Do you follow and use projects like Living Off Trusted Sites (LOTS) and Bring Your Own Vulnerable Driver (BYOVD)?
– Looking for Bloodhound/SharpHound?
– Do you know how PsExec-like tools work at a forensic level (e.g. smbexec)? Are you looking for rogue installations of Remote Monitoring & Maintenance (RMM) tools?
– Did you know that data exfiltration tools like Winzip, 7Zip, WinSCP, FileZilla, Rclone and MEGAsync often leave behind forensic artifacts that are absolute snitches and are simply phenomenal for us cyber defenders?
In this session he will discuss these tools, show you how they work, and provide tips and tricks for prevention, detection, and hunting!

The presentation slides can be found here: https://www.sans.org/webcasts/community-night-sans-secure-australia-2023-detecting-hunting-ransomware-operator-tools-its-easier-than-you-think/

About FOR528: Ransomware for Incident Responders Course

FOR528: Ransomware for Incident Responders (www.sans.org/FOR528) covers the entire lifecycle of an incident, from initial detection through incident response and post-mortem analysis. While it is impossible to prepare for every possible scenario, the course uses cleverly designed, real-world attacks and the resulting forensic artifacts to give you, the analyst, everything you need to respond when the threat becomes a reality.

About Ryan Chapman

Ryan is a Principal Incident Response Consultant at Palo Alto Networks. He has worked in Digital Forensics & Incident Response (DFIR) for over 10 years. He is the author of the new SANS course on Ransomware FOR528: Ransomware for Incident Responders and has also taught SANS FOR610: Reverse Engineering Malware. During his career, Ryan has worked in roles in the Security Operations Center and Cyber Incident Response Team handling incidents from inception to remediation. Ryan is all about the blue team, including reviewing packet captures, investigating domains and IPs, searching through log aggregation programs, analyzing malware, and performing host and network forensics.
