Imperial Library
Incident Response Techniques for Ransomware Attacks
Contributors
About the author
About the reviewer
Preface
Who this book is for
What this book covers
Download the color images
Conventions used
Get in touch
Disclaimer
Share Your Thoughts
Section 1: Getting Started with a Modern Ransomware Attack
Chapter 1: The History of Human-Operated Ransomware Attacks
2016 – SamSam ransomware
Who was behind the SamSam ransomware
2017 – BitPaymer ransomware
The mastermind behind the BitPaymer ransomware
2018 – Ryuk ransomware
Who was behind the Ryuk ransomware?
2019-present – ransomware-as-a-service
Who was behind ransomware-as-a-service programs?
Summary
Chapter 2: The Life Cycle of a Human-Operated Ransomware Attack
Initial attack vectors
RDP compromise
Spear phishing
Software vulnerabilities
Post-exploitation
Data exfiltration
Ransomware deployment
Summary
Chapter 3: The Incident Response Process
Preparation for an incident
The team
The infrastructure
Threat detection and analysis
Containment, eradication, and recovery
Post-incident activity
Summary
Section 2: Know Your Adversary: How Ransomware Gangs Operate
Chapter 4: Cyber Threat Intelligence and Ransomware
Strategic cyber threat intelligence
Operational cyber threat intelligence
Tactical cyber threat intelligence
Summary
Chapter 5: Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures
Gaining initial access
External remote services (T1133)
Exploiting public-facing applications (T1190)
Phishing (T1566)
Supply chain compromise (T1195)
Executing malicious code
User execution (T1204)
Command and scripting interpreters (T1059)
Exploitation for client execution (T1203)
Windows Management Instrumentation (T1047)
Obtaining persistent access
Valid accounts (T1078)
Create account (T1136)
Boot or logon autostart execution (T1547)
Scheduled task/job (T1053)
Server software component (T1505)
Escalating privileges
Exploiting for privilege escalation (T1068)
Creating or modifying system process (T1543)
Process injection (T1055)
Abuse elevation control mechanism (T1548)
Bypassing defenses
Exploiting for defense evasion (T1211)
Deobfuscating/decoding files or information (T1140)
File and directory permissions modification (T1222)
Impairing defenses (T1562)
Indicator removal on host (T1070)
Signed binary proxy execution (T1218)
Accessing credentials
Brute force (T1110)
OS credential dumping (T1003)
Steal or forge Kerberos tickets (T1558)
Moving laterally
Exploiting remote services (T1210)
Remote services (T1021)
Using alternate authentication material (T1550)
Collecting and exfiltrating data
Data from local system (T1005)
Data from network shared drives (T1039)
Email collection (T1114)
Archive collected data (T1560)
Exfiltration over web service (T1567)
Automated exfiltration (T1020)
Ransomware deployment
Inhibit system recovery (T1490)
Data encrypted for impact (T1486)
Summary
Chapter 6: Collecting Ransomware-Related Cyber Threat Intelligence
Threat research reports
Community
Threat actors
Summary
Section 3: Practical Incident Response
Chapter 7: Digital Forensic Artifacts and Their Main Sources
Volatile memory collection and analysis
Non-volatile data collection
Master file table
Prefetch files
LNK files
Jump lists
SRUM
Web browsers
Windows Registry
Windows event logs
Other log sources
Summary
Chapter 8: Investigating Initial Access Techniques
Collecting data sources for an external remote service abuse investigation
Investigating an RDP brute-force attack
Collecting data sources for a phishing attack investigation
Investigating a phishing attack
Summary
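As an added illustration of the Chapter 8 topic "Investigating an RDP brute-force attack" (this is example code written for this page, not material from the book), the following script flags a brute-force pattern in constructed Windows Security log records: many failed logons (event ID 4625) from one source address in a short window, followed by a successful logon (event ID 4624) from the same address. The record layout, the sample entries, the default logon-type filter of 10 (RemoteInteractive), the 10-minute window and the threshold of 5 failures are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), modelled on the fields an
# analyst pulls from the Security log: (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2021-11-02T08:00:01", 4625, 10, "administrator", "203.0.113.45"),
    ("2021-11-02T08:00:03", 4625, 10, "administrator", "203.0.113.45"),
    ("2021-11-02T08:00:05", 4625, 10, "admin", "203.0.113.45"),
    ("2021-11-02T08:00:08", 4625, 10, "admin", "203.0.113.45"),
    ("2021-11-02T08:00:11", 4625, 10, "backup", "203.0.113.45"),
    ("2021-11-02T08:00:14", 4625, 10, "backup", "203.0.113.45"),
    ("2021-11-02T08:00:40", 4624, 10, "backup", "203.0.113.45"),   # password guessed
    ("2021-11-02T08:30:00", 4625, 10, "jdoe", "198.51.100.9"),      # a user mistyping twice
    ("2021-11-02T08:31:00", 4625, 10, "jdoe", "198.51.100.9"),
    ("2021-11-02T08:32:00", 4624, 10, "jdoe", "198.51.100.9"),
    ("2021-11-02T09:15:00", 4624, 3, "svc_backup", "10.0.0.7"),      # network logon, not RDP
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def detect_rdp_bruteforce(events, window=timedelta(minutes=10), threshold=5,
                          rdp_logon_types=frozenset({10})):
    """Return {source_ip: finding} for every source that produced at least
    `threshold` failed RDP logons inside any `window`-long span.

    Each finding records the total number of failures, the set of accounts
    tried, and the first account that logged on successfully after the
    burst started (None if the attacker never got in)."""
    by_ip = defaultdict(list)
    for ts, event_id, logon_type, account, src in events:
        if logon_type in rdp_logon_types:
            by_ip[src].append((parse_ts(ts), event_id, account))

    findings = {}
    for src, recs in by_ip.items():
        recs.sort()  # chronological order per source
        failures = [r for r in recs if r[1] == 4625]

        # Sliding window over the failures: does any span of `window` hold >= threshold?
        burst_start = None
        for i, (start, _, _) in enumerate(failures):
            j = i
            while j < len(failures) and failures[j][0] - start <= window:
                j += 1
            if j - i >= threshold:
                burst_start = start
                break
        if burst_start is None:
            continue

        accounts = sorted({account for _, _, account in failures})
        success_after = next(
            (account for t, event_id, account in recs
             if event_id == 4624 and t >= burst_start),
            None,
        )
        findings[src] = {
            "failures": len(failures),
            "accounts": accounts,
            "success_after": success_after,
        }
    return findings


if __name__ == "__main__":
    for src, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {finding['failures']} failed RDP logons against "
              f"{finding['accounts']}; success as {finding['success_after']!r}")
```

One caveat a practitioner will hit on real data: when Network Level Authentication is enabled, failed RDP attempts are commonly recorded as 4625 with logon type 3 rather than 10, because the credential check happens before a remote-interactive session exists. Pass `rdp_logon_types={3, 10}` in that case, and corroborate with the RDP-specific channels (for example the RemoteConnectionManager and LocalSessionManager operational logs) rather than relying on the Security log alone.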
Chapter 9: Investigating Post-Exploitation Techniques
Investigating credential access techniques
Credential dumping with hacking tools
Credential dumping with built-in tools
Kerberoasting
Investigating reconnaissance techniques
Network scanning
Active Directory reconnaissance
Investigating lateral movement techniques
Administrative shares
PsExec
RDP
Summary
Chapter 10: Investigating Data Exfiltration Techniques
Investigating web browser abuse for data exfiltration
Investigating cloud service client application abuse for data exfiltration
Investigating third-party cloud synchronization tool abuse for data exfiltration
Investigating the use of custom data exfiltration tools
Summary
Chapter 11: Investigating Ransomware Deployment Techniques
Investigation of abusing RDP for ransomware deployment
Crylock ransomware overview
Investigation of administrative shares for ransomware deployment
REvil ransomware overview
Investigation of Group Policy for ransomware deployment
LockBit ransomware overview
Summary
Chapter 12: The Unified Ransomware Kill Chain
Cyber Kill Chain®
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command and Control (C2)
Actions on Objectives
MITRE ATT&CK®
Reconnaissance
Resource development
Initial access
Execution
Persistence
Privilege escalation
Defense evasion
Credential access
Discovery
Lateral movement
Collection
Command and control
Exfiltration
Impact
The Unified Kill Chain
Initial Foothold
Network Propagation
Actions on Objectives
The Unified Ransomware Kill Chain
Gain Access to the Network
Establish Foothold
Network Discovery
Key Assets Discovery
Network Propagation
Data Exfiltration
Deployment Preparation
Ransomware Deployment
Extortion
Summary
Why subscribe?
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts