Hello Eric,
Awesome guide, and great resources! I am not understanding one part on Part 4. When writing the rule, why did you use "<<routing/parent>>" and not the image path such as $SystemRoot$\explorer.exe or vssadmin.exe?
Hi Eric,
Thanks for this lab, it has been equal parts fun and educational! Found you through SimplyCyber's YouTube channel, hope to see you back on there again!
Hi Eric, Just wanted to write and ask if you can link Part 4 to your 3rd article to be able to find it more easily.
For the last part, after setting up the D&R rule and running the command "vssadmin delete shadows /all" and then "whoami", the result was as follows:
PS C:\Windows\system32> whoami
Shell exited
But I decided to try another time and repeat the shell process. On my second attempt, it worked the way it was supposed to; hanging and failing to return anything from the whoami command.
So my question is, during my first attempt why was I exited from the shell?
Thanks for the lab and the blog, it was truly educational, I'm going to mess around to learn more.
Hi Eric, thanks for this lab walkthrough, I really appreciate it. 1 question please:
For the last part, after setting up the D&R rule and running the command "vssadmin delete shadows /all" and then "whoami", the result was as follows:
PS C:\Windows\system32> whoami
Shell exited
Why is this happening?
What can I do? Thanks.
I am a bit confused if we're supposed to download the ransomware simulator on the last part directly from the Windows VM? Run it using powershell?
Hello Eric. Thanks for the well made guide. I had a lot of fun following along.
What kind of experience can I put down on a CV that would seem relevant to a SOC position after this lab? Thanks
Hello Eric, how exactly do you download and execute Florian’s ransomware simulator?
I am having a hard time with that. Thanks for the blogs.