Introduction

In the “Rhysida” threat hunting lab, analysts are tasked with investigating a multi-stage, real-world cyberattack that began with a successful phishing campaign and rapidly escalated into full domain compromise. This scenario simulates the operational tactics of modern ransomware groups, demonstrating how adversaries can leverage social engineering, legitimate tools, and advanced persistence techniques to silently infiltrate and dominate an enterprise environment.

The incident begins when a system administrator unknowingly enters their credentials into a convincing phishing page spoofing the Microsoft login portal. Soon after, suspicious login attempts from external IP addresses signal the attacker’s effort to establish access with the stolen credentials. From this foothold, the attacker uses Secure Shell (SSH) for initial access, introduces remote access tools such as AnyDesk, and disables endpoint defenses with obfuscated PowerShell. As the intrusion progresses, the adversary disables logging with tools like auditpol and wevtutil, uses reg.exe to maintain persistence through registry keys, and relies on rundll32.exe for stealthy code execution. Collected data is staged in public directories, compressed with PowerShell’s Compress-Archive cmdlet, and beaconed to a command-and-control server, culminating in the deployment of a custom ransomware payload, Nbd6a7v.exe.
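The paragraph above names the host-side techniques a hunter would look for in this lab: event-log clearing, audit policy tampering, Run-key persistence, rundll32 proxy execution, encoded PowerShell and archiving into a public directory. As an added example that is not part of the lab or BlueYard's own material, the following Python script runs a small set of regex detections, mapped to the MITRE ATT&CK technique IDs the lab aligns with, over constructed Sysmon-style process-creation events. The hostnames, usernames, paths and command lines are all constructed for illustration; only the tool names and the payload name come from the lab description.

```python
"""Hunt process-creation events for the defense-evasion, persistence and collection
indicators described in the Rhysida lab narrative (added example, not lab material)."""
import re
from dataclasses import dataclass

# Constructed sample events modelled on Sysmon Event ID 1 (process creation).
# Hostnames, users and paths are invented; WS02's two events are benign controls.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": r"CORP\admin.j", "cmdline": r"wevtutil.exe cl Security"},
    {"host": "WS01", "user": r"CORP\admin.j", "cmdline": r"auditpol /clear /y"},
    {"host": "WS01", "user": r"CORP\admin.j",
     "cmdline": r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                r'/v Updater /t REG_SZ /d "C:\Users\Public\Nbd6a7v.exe" /f'},
    {"host": "WS01", "user": r"CORP\admin.j", "cmdline": r"rundll32.exe C:\Users\Public\x.dll,Start"},
    {"host": "WS01", "user": r"CORP\admin.j", "cmdline": r"powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "WS01", "user": r"CORP\admin.j",
     "cmdline": r"powershell.exe Compress-Archive -Path C:\Users\Public\stage "
                r"-DestinationPath C:\Users\Public\out.zip"},
    {"host": "WS02", "user": r"CORP\alice",
     "cmdline": r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
    {"host": "WS02", "user": r"CORP\alice", "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# (ATT&CK technique, case-insensitive pattern over the command line).
# Each pattern is written to avoid the benign uses of the same binary.
RULES = [
    ("T1070.001 Clear Windows Event Logs", r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b"),
    ("T1562.002 Disable Windows Event Logging", r"\bauditpol(\.exe)?\s+/clear\b"),
    ("T1547.001 Registry Run Keys persistence", r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b"),
    ("T1218.011 Rundll32 loading from a user-writable path", r"\brundll32(\.exe)?\s+\S*\\Users\\"),
    ("T1027 Encoded PowerShell command", r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s"),
    ("T1560.001 Archive staged data in a public directory", r"\bCompress-Archive\b.*\\Users\\Public\\"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    technique: str
    cmdline: str


def hunt(events):
    """Return one Finding per (event, matching rule) pair."""
    findings = []
    for ev in events:
        for technique, pattern in RULES:
            if re.search(pattern, ev["cmdline"], re.IGNORECASE):
                findings.append(Finding(ev["host"], ev["user"], technique, ev["cmdline"]))
    return findings


def score_hosts(findings):
    """Count distinct techniques per host. Several distinct tactics on one host in the
    hunt window (evasion + persistence + collection) is a far stronger signal than any
    single hit, which is how the lab's attack chain is meant to be pieced together."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.technique)
    return {host: len(techniques) for host, techniques in per_host.items()}


if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host} {f.user}: {f.technique}\n    {f.cmdline}")
    print("distinct techniques per host:", score_hosts(hits))
```

Run as-is, the script flags all six WS01 events and neither WS02 control; `score_hosts` then ranks WS01 at six distinct techniques, which is the kind of per-host pivot a hunter would build in Splunk with `stats dc(technique) by host` once the same patterns are expressed in SPL against Sysmon or Security 4688 data.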

Through this lab, defenders will dissect each phase of the attack chain aligned with the MITRE ATT&CK framework, from initial access to impact. Using tools such as Splunk and CyberChef, they will un
