Name: Cyber Security Incident Response Wannacry Ransomware
Rating: 4.1 (154 reviews)

Udemy Business

Teach on Udemy

Turn what you know into an opportunity and reach millions around the world.

Learn More

Your cart is empty.

Keep shopping

Created byBalazs Lendvay

Last updated 10/2020

English

What you'll learn

Investigate and understand the behavior of the Wannacry ransomware in a lab environment using your own computer if you will.
Triage and identify indicators of compromise.
Live-analysis of the infected lab machine for windows artifacts
Static-analysis of the identified executable and artifacts
Sandbox analysis of the malicious activity, including network activity, processes, services, autoruns
Create a summary report of the incident and identify remediation recommendations

Course content

9 sections • 55 lectures • 5h 24m total length

01.01 Introduction12:16
Introduction to the training and the instructor.
01.02 What is Wannacry?4:49
Short introduction to the Wannacry ransomware and it's impact.
01.03 Scenario1:23
Introduction to our scenario we will walk through in the training.
01.04 Supporting Materials0:11
Please see the supporting material attached. Download this before proceeding to the next section.
The info.txt has most of the links and commands you might need to use during the course.
The zip file contains the evidences and supporting material including the presentation. Password is: "wannacry".

03.01 Goals0:44
Introduction to the section.
03.02 Getting the tools: Windows 7 installer ISO image2:53
Downloading the Windows 7 installer ISO.
03.03 Installing Windows 74:47
Installing Windows 7 in the lab environment.
03.04 Disabling Windows security features4:36
Disabling some features in Windows to enable Wannacry to infect.
03.05 Configuring shared folders1:41
Configure shared folders for file transfer and tool install.

06.01 Goals1:59
Introduction to the section.
06.02 Getting the tools: memory capture tool WinPMEM1:07
Downloading the tools for taking a memory image.
06.03 Taking a memory image2:34
Taking a memory snapshot.
06.04 Getting the tools: disk capture tool AccessData FTK lite4:50
Downloading the disk imaging tool.
06.05 Taking a disk image4:07
Taking a disk image using FTK Imager.
06.06 Getting the tools: Sysinternals4:20
Downloading the Microsoft Sysinternals Suite.
06.07 Live assessment: network, processes, services, autoruns20:39
Quick analysis of the Windows 10 machine. Network connections, processes, services, autoruns.

07.01 Goals0:42
Introduction to the section.
07.02 Gathering system information2:16
Gathering system information for the report.
07.03 File and Process information #119:34
Windows 10 analysis file and process information #1.
07.04 File and Process information #228:24
Windows 10 analysis file and process information #2.
07.05 File and Process information #313:43
Windows 10 analysis file and process information #3.
07.06 Autoruns6:50
Autoruns analysis.
07.07 Getting the tools: hexa editor HxD1:20
Downloading a hex editor.
07.08 Using HxD12:55
Analysis using a hex editor HxD.
07.09 Getting the tools: static exe analysis: Exeinfo, PeiD, PEStudio, x64dbg3:46
Downloading the tools for static exe file information extraction.
07.10 Exe analysis – exinfo, PeiD, pestudio10:27
Static exe file analysis.
07.11 Getting the password for the embedded ZIP file8:24
Getting the password for the embedded payload in the Wannacry executable.
07.12 Getting the tools: Registry tools WRR and Registry Explorer1:32
Downloading Registry editing tools.
07.13 Using Registry tools8:48
Analysing the registry using the registry explorer tools.

08.01 Goals0:54
Introduction to the section.
08.02 Getting the tools: Wireshark, RegShot2:44
Downloading network capturing and registry snapshot tools.
08.03 Preparing the lab machines and tools5:14
Preparing the lab for the sandbox analysis.
08.04 Monitor and execute the malware7:00
Executing Wannacry in the lab and capturing the activity.
08.05 Preparing for analyzing the results2:20
Prepare the sandbox analysis results for analysis.
08.06 Analyzing Network traffic capture14:08
Analysing network traffic capture.
08.07 Analyzing Procmon results9:54
Analysing procmon capture.
08.08 Analyzing Regshot results3:40
Analysing registry changes.
08.09 Getting the tool and configure Redline6:26
Using Redline automated forensics tool to capture the system activity.
08.10 Analyzing using Redline13:04
Analysing Redline capture.
08.11 Download tools: fakenet1:11
Download fakenet networking tool.
08.12 Analyzing the killswitch domain4:40
Analysing the killswitch domain in the network traffic.
08.13 Analyzing one more file10:19
Analysing one more executable in the Windows 7.

Requirements

Basic Windows knowledge (process, file, filesystem, registry)
Interest in computer forensics and malware analysis
At least one virtualization technology if you want to perform the practical tests (e.g. Virtualbox/VmWare)

Description

Wannacry has been one of the most famous ransomware in computer history (so far) which allows us to investigate how it worked and identify indicators of compromise. The goal of the course is not to protect against Wannacry, but to provide you with a methodology to be able to quickly assess the behavour of a suspicious application in a computer. The tools we are using in this course are free for personal use, but there are way more other solutions you can use for the same purpose.

At the end of this training you will have a solid understanding how the ransomware works and how to protect you environment, also you will be able to use the tools to identify and analyse other malicious tools. You will not be a malware analyst, this is not the course for that. This course will give you the steps to be able to do incident response in a quick manner and see what areas you need to develop yourself using other courses. Deep malware analysis is a very interesting area, but not necessarily the part of the incident response team. There are companies specialized in malware analysis, or people specializing in malware analysis. One can spend hours, days, weeks, months analyzing a single malware. This course aims for quick response.

Who this course is for:

People with interest in information security
People with interest in incident resposne
Security Operations Center team members
People interested to start analyzing malware

What you'll learn

Explore related topics

Course content

Introduction4 lectures • 19min

Lab Setup Windows 103 lectures • 23min

Lab Setup Windows 75 lectures • 15min

Lab Setup networking OPNsense3 lectures • 12min

Lab Setup preparing the lab for Wannacry4 lectures • 8min

Urgent live analysis of windows 107 lectures • 40min

Detailed analysis of Windows 1013 lectures • 1hr 59min

Sandbox analysis of Wannacry Windows 713 lectures • 1hr 22min

Remediation Actions & Reporting3 lectures • 8min

Requirements

Description

Who this course is for: