Introduction

In this lab, you step into the role of a Threat Hunter working for a cybersecurity consulting firm tasked with investigating a recent ransomware attack on a client’s network. The ransomware has encrypted multiple machines, leaving affected users locked out of their data and confronted with ransom notes demanding payment. Reports indicate that the desktop background of compromised systems has been altered, and ransom notes have been left in various locations on the infected machines. Your primary objective is to use Elastic SIEM, populated with Sysmon event logs from one of the impacted systems, to uncover critical details about the ransomware attack.

Through a structured threat hunting approach, you will analyze different Sysmon event IDs to trace the attack's origin, identify the ransomware’s behaviors, and understand the tactics used to compromise the system. The investigation will involve pinpointing the ransom note left by the attackers, tracking the process responsible for file encryption, identifying the executable's location, and uncovering attempts to sabotage system recovery options. Additionally, you'll use threat intelligence tools to connect the ransomware activity to external command-and-control infrastructure, such as the attacker’s communication channels on the dark web.

By the end of this walkthrough, you will gain valuable insights into ransomware detection techniques, the importance of correlating event logs for incident response, and how to leverage forensic data to piece together the timeline of an attack. This lab will enhance your skills in identifying Indicators of Compromise (IOCs) and understanding common ransomware behaviors in real-world scenarios.
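The behaviours the lab asks you to hunt for (ransom note dropped, files encrypted, wallpaper changed, shadow copies deleted) correlated across Sysmon event IDs 1, 11 and 13 (ProcessCreate, FileCreate, RegistryValueSet) by ProcessGuid. This is an added example, not part of the lab or its dataset; the event shapes, paths, file names and GUIDs are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample Sysmon events (assumed shapes, not the lab's data): ID 1 = ProcessCreate,
# ID 11 = FileCreate, ID 13 = RegistryValueSet, each tagged with the originating ProcessGuid.
ENC = r"C:\Users\jdoe\AppData\Local\Temp\update.exe"   # hypothetical encryptor path
SAMPLE_EVENTS = [
    {"event_id": 1, "ProcessGuid": "{A}", "Image": ENC, "CommandLine": ENC,
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"event_id": 11, "ProcessGuid": "{A}", "Image": ENC,
     "TargetFilename": r"C:\Users\jdoe\Documents\report.docx.locked"},
    {"event_id": 11, "ProcessGuid": "{A}", "Image": ENC,
     "TargetFilename": r"C:\Users\jdoe\Documents\README_TO_RESTORE.txt"},
    {"event_id": 13, "ProcessGuid": "{A}", "Image": ENC,
     "TargetObject": r"HKU\S-1-5-21-1\Control Panel\Desktop\WallPaper", "Details": r"C:\Users\jdoe\note.bmp"},
    {"event_id": 1, "ProcessGuid": "{B}", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet", "ParentImage": ENC},
    {"event_id": 1, "ProcessGuid": "{C}", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

NOTE_NAME = re.compile(r"(readme|restore|recover|decrypt|how_to|ransom)", re.I)
RECOVERY_SABOTAGE = re.compile(r"vssadmin.*delete\s+shadows|wbadmin.*delete|bcdedit.*recoveryenabled\s+no", re.I)
ENCRYPTED_EXT = re.compile(r"\.(locked|enc|crypt)$", re.I)
WALLPAPER_KEY = re.compile(r"Control Panel\\Desktop\\WallPaper$", re.I)

def hunt(events):
    """Return {ProcessGuid: {finding: count}} for each process showing a ransomware behaviour."""
    findings = defaultdict(lambda: defaultdict(int))
    for ev in events:
        eid, guid = ev["event_id"], ev["ProcessGuid"]
        name = ev.get("TargetFilename", "").rsplit("\\", 1)[-1]   # file name without its path
        if eid == 11 and NOTE_NAME.search(name):
            findings[guid]["ransom_note"] += 1
        elif eid == 11 and ENCRYPTED_EXT.search(name):
            findings[guid]["encrypted_file"] += 1
        elif eid == 13 and WALLPAPER_KEY.search(ev.get("TargetObject", "")):
            findings[guid]["wallpaper_changed"] += 1
        elif eid == 1 and RECOVERY_SABOTAGE.search(ev.get("CommandLine", "")):
            findings[guid]["recovery_sabotage"] += 1
    return {g: dict(f) for g, f in findings.items()}

def suspect_encryptor(events):
    """Image of the process that both dropped a note and wrote encrypted files and is the parent of a sabotage command."""
    by_guid = hunt(events)
    image_of = {ev["ProcessGuid"]: ev["Image"] for ev in events}
    sabotage_parents = {ev.get("ParentImage") for ev in events
                        if ev["event_id"] == 1 and RECOVERY_SABOTAGE.search(ev.get("CommandLine", ""))}
    for guid, f in by_guid.items():
        if "ransom_note" in f and "encrypted_file" in f and image_of[guid] in sabotage_parents:
            return image_of[guid]
    return None
```

In Elastic the same fields arrive as `winlog.event_id` and `winlog.event_data.*`; the regexes are starting points to tune against the real note name and extension found in the lab.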
