Incident Analysis and Ransomware Hunting

May 10, 2025

Lecture Notes: Incident Analysis and Threat Hunting with Ransomware

Background and Context

  • Network Compromise Attempt: Hackers attempting to deploy ransomware.
  • Platform: Analysis conducted on a Windows 11 virtual machine.
  • Case Study: Handled by Huntress Security Operations Center.
  • Incident Type: Critical severity due to ransomware deployment.

Incident Response

  • Isolation Measures: Host was isolated to prevent spread across the network.
  • Agent Requirement: Importance of having security agents like Huntress for visibility.
  • Remote Access Compromise: Unauthorized remote desktop protocol (RDP) access from an admin user on the domain controller.

Ransomware Deployment

  • Ransomware Execution: Involved a win.exe file with specific command-line arguments.
  • Tool Locations: Ransomware was stored in the ‘Videos’ folder within a user's profile.
  • Indicators of Compromise: Timeline and IP addresses were redacted.

Threat Actor Tools and Techniques

  • Batch Scripts:
    • backup.bat: Deletes volume shadow copies to prevent data recovery.
    • clean_dobat: Cleans up cached credentials and clears RDP history.
    • close_apps.bat and kill_process.CMD: Repeatedly attempt to terminate various processes, including backup, SQL, and cloud applications.
    • delete.bat: Clears Windows event logs using built-in utilities.
    • loggy_cleaner.dobat: Similar actions, removing various system logs and history.

Forensic Artifacts

  • Jumplists: Windows keeps track of accessed items; tools available for analysis.
  • Registry Keys: Targeted deletions of RDP, run history, and DNS cache.
  • Recycle Bin: Automatic clearing of contents across potential drive letters.
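The batch-script behaviours above (shadow-copy deletion, event-log clearing, RDP and DNS history removal, recycle-bin wiping, process termination) and the forensic artifacts they touch are exactly what a threat hunter pivots on. The following is an added example, not code from the lecture or from Huntress: a small Python triage script that runs over constructed process-creation log lines (the `timestamp|host|user|parent|cmdline` format, the host names and the commands are all made up for the example, not indicators from the case) and tags each hit with the MITRE ATT&CK technique a hunter would search on. A single technique on a host is often legitimate admin activity, so the scorer only escalates a host once several distinct techniques cluster on it.

```python
"""Hunt constructed process-creation logs for the anti-recovery and
anti-forensic actions described in the notes (added example, not from
the original lecture; log format, hosts and commands are constructed)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# (rule name, ATT&CK technique, pattern applied to the command line).
# T1490 Inhibit System Recovery, T1070.001 Clear Windows Event Logs,
# T1070.007 Clear Network Connection History, T1070.004 File Deletion,
# T1489 Service Stop; the DNS flush is tagged with the T1070 parent.
RULES = [
    ("shadow_copy_delete", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_storage_resize", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete", "T1490",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("event_log_clear", "T1070.001",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("rdp_mru_delete", "T1070.007",
     re.compile(r"\breg(\.exe)?\s+delete\s+.*terminal server client", re.I)),
    ("dns_cache_flush", "T1070",
     re.compile(r"\bipconfig(\.exe)?\s+/flushdns\b", re.I)),
    ("recycle_bin_wipe", "T1070.004",
     re.compile(r"\$recycle\.bin\b", re.I)),
    ("backup_or_db_kill", "T1489",
     re.compile(r"\b(taskkill(\.exe)?|net(\.exe)?\s+stop)\b.*\b(sql|veeam|backup|vss)", re.I)),
]

# Constructed sample log: one host running a cleanup-script-like sequence,
# one host with ordinary user activity.  Fields: ts|host|user|parent|cmdline
SAMPLE_LOG = """\
2025-05-10T02:11:03Z|WS-FIN-07|CORP\\svc_admin|cmd.exe|vssadmin.exe delete shadows /all /quiet
2025-05-10T02:11:04Z|WS-FIN-07|CORP\\svc_admin|cmd.exe|wevtutil.exe cl Security
2025-05-10T02:11:05Z|WS-FIN-07|CORP\\svc_admin|cmd.exe|reg.exe delete "HKCU\\Software\\Microsoft\\Terminal Server Client\\Default" /va /f
2025-05-10T02:11:06Z|WS-FIN-07|CORP\\svc_admin|cmd.exe|taskkill.exe /f /im sqlservr.exe
2025-05-10T02:11:07Z|WS-FIN-07|CORP\\svc_admin|cmd.exe|rd /s /q C:\\$Recycle.Bin
2025-05-10T08:30:00Z|WS-HR-02|CORP\\jdoe|explorer.exe|ipconfig.exe /flushdns
2025-05-10T08:31:00Z|WS-HR-02|CORP\\jdoe|explorer.exe|notepad.exe C:\\Users\\jdoe\\notes.txt
"""


@dataclass
class Hit:
    timestamp: str
    host: str
    user: str
    rule: str
    technique: str
    cmdline: str


def parse_line(line):
    """Split one pipe-delimited event; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, parent, cmd = parts
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd}


def match_rules(cmdline):
    """Every (rule, technique) pair whose pattern fires on the command line."""
    return [(name, tech) for name, tech, rx in RULES if rx.search(cmdline)]


def triage(lines):
    """Run all rules over the log and return the hits in log order."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for name, tech in match_rules(ev["cmd"]):
            hits.append(Hit(ev["ts"], ev["host"], ev["user"], name, tech, ev["cmd"]))
    return hits


def score_hosts(hits, min_techniques=2):
    """Escalate a host once it shows >= min_techniques distinct techniques;
    a lone shadow-copy or DNS-cache command is common admin noise."""
    per_host = defaultdict(set)
    for h in hits:
        per_host[h.host].add(h.technique)
    return {host: ("escalate" if len(t) >= min_techniques else "review")
            for host, t in per_host.items()}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.timestamp} {h.host:<10} {h.technique:<10} {h.rule:<22} {h.cmdline}")
    print(score_hosts(found))
```

The rules are deliberately narrow (specific built-in utilities and the registry path the notes call out) so that a real deployment would extend them with the environment's own process-telemetry fields rather than loosen them; correlating on distinct techniques per host, rather than alerting on any single match, is what separates a cleanup script from routine maintenance.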

Tool Analysis: Feedly Threat Intelligence

  • Feature Set: AI-powered insights for threat analysis and intelligence gathering.
  • Capabilities:
    • Summarizes reports and articles.
    • Generates attack hypotheses and flow diagrams.
    • Provides control over analyzed sources and ensures fact verification.

Ransomware and Network Tools Examination

  • Ransomware Binary: win.exe is the ransomware executable.
  • Toolkit Analysis: Examination of tools like NS.exe for network scanning and potential exploitation.
  • Multi-Platform Impact: medical.zip contained binaries for various operating systems (Linux, Windows, ESXi).

Dynamic Analysis

  • Sandbox Execution: Any.run platform used for interactive analysis.
  • Ransom Note Examination: Data is encrypted, and the extortion message includes contact URLs and warnings.

Conclusion and Prevention

  • Detection Strategies: Emphasizes the importance of EDR solutions for catching such activity.
  • Threat Hunting: Focus on MITRE ATT&CK techniques and forensic artifacts.
  • Security Awareness: Encourages maintaining visibility and using comprehensive threat intelligence tools.