Hands-on Malicious Script Analysis for Ransomware Response

  • Wednesday, 16 Aug 2023 1:00PM EDT (16 Aug 2023 17:00 UTC)
  • Speaker: Ryan Chapman

A large majority of ransomware incidents involve both obfuscated scripts and Cobalt Strike. PowerShell reigns supreme as the most common type of obfuscated script found in ransomware cases. Do you know what to do should you find an obfuscated PowerShell script during response? What if you run into an obfuscated, PowerShell-based Cobalt Strike downloader? Do you know how to decode the downloader? Do you know how to review the shellcode found multiple levels within the code structure to determine where the Cobalt Strike beacon is being hosted?

Come join SANS "FOR528: Ransomware for Incident Responders" author Ryan Chapman as he walks you through one of our FOR528 labs that shows you these very skills. You will use a virtual machine custom developed just for this workshop to review obfuscated code from real FOR528 labs. As a bonus, you will also learn how to extract the configuration from a Cobalt Strike Beacon. The better you are at performing these tasks yourself, the quicker you'll be able to derive additional TTPs and IOCs to assist in your overall response. Come learn HANDS-ON!

  1. Learning objectives:

- Learn to recognize PowerShell beacon downloader scripts

- Analyze a beacon downloader script using CyberChef

- Utilize beacon configuration parsers to extract configs from Cobalt Strike–generated shellcode and PEs

- Evaluate Cobalt Strike beacon configurations to understand how they operate

2. Pre-req Knowledge

A background in Incident Response (IR) is suggested. This workshop is aimed toward the incident responder who needs to respond to ransomware attacks. Thus, IR experience or at least alert triage experience such as one acquired within a SOC or CIRT is recommended. Familiarity with the basics of PowerShell will be helpful, as we will be decoding obfuscated PowerShell commands. Finally, familiarity with the Linux operating system will be useful. You will be pivoting through directories and running commands using the Bourne Again Shell (bash). Though we will be providing the exact commands to run, the more experience you have with *nix-based operating systems, the better.

Click HERE for System Requirements and VM Download Instructions.