20 Comments

Hi Eric,

Thanks for this lab, it has been equal parts fun and educational! Found you through SimplyCyber's youtube channel, hope to see you back on there again!

Expand full comment

Hello Eric,

Awesome guide, and great resources! I am not understanding one part on Part 4. When writing the rule why did you use "<<routing/parent>>" not the image path such as $SystemRoot$\explorer.exe or vssadmin.exe ?

Expand full comment

By targeting the parent process, we kill the offending process that ran the bad command, e.g. the malware.

Expand full comment

Hi Eric, Just wanted to write and ask if you can link Part 4 to your 3rd article to be able to find it more easily.

Expand full comment

Done, thanks!

Expand full comment

For the last part, after setting up the D&R rule and running the command "vssadmin delete shadows /all" and then "whoami", the result was as followed:

PS C:\Windows\system32> whoami

Shell exited

But I decided to try another time and repeat the shell process. On my second attempt, it worked the way it was supposed to; hanging and failing to return anything from the whoami command.

So my question is, during my first attempt why was I exited from the shell?

Thanks for the lab and the blog, it was truly educational, I'm going to mess around to learn more.

Expand full comment

This is exactly what we hoped would happen... Because your D&R rule was configured to terminate the parent process of whatever ran the vssadmin command, your shell was terminated by the EDR agent because you ran the offending command. Does that make sense?

The "Shell Exited" is functionally equivalent to it hanging and failing to return anything.

Expand full comment

I updated the post to reflect this possibility.

Expand full comment

From where did you repeat the process again to get the same outcome as Eric explained.?

Expand full comment

Hi Eric , Thanks for this labs walkthrough I really appreciate it. 1 question please,

For the last part, after setting up the D&R rule and running the command "vssadmin delete shadows /all" and then "whoami", the result was as followed:

PS C:\Windows\system32> whoami

Shell exited

Why is this happening?

What can I do . Thanks.

Expand full comment

This is exactly what we hoped would happen... Because your D&R rule was configured to terminate the parent process of whatever ran the vssadmin command, your shell was terminated by the EDR agent because you ran the offending command. Does that make sense?

Expand full comment

I updated the post to reflect this possibility.

Expand full comment

Yes it does. Now I understand it better . I am grateful thank you..

Expand full comment

I am a bit confused if we're supposed to download the ransomware simulator on the last part directly from the Windows VM? Run it using powershell?

Expand full comment

It's an optional continuation for the reader to try, I don't prescribe any specific way to do it.

Expand full comment

Hello Eric. Thanks for the well made guide. I had a lot of fun following along.

What kind of experience can i put down on a CV that would seem relevant to a SOC position after this lab? Thanks

Expand full comment

hello Eric, how exactly do you download and execute Florian’s ransomware simulator ?

I am having a hard time with that, Thanks for the blogs

Expand full comment

Hello Ruben,

At the Github site, look for QuickBuck 1.0.3 Obfuscated at the right side, download and run it.

Hope this help

Expand full comment

hello Eric, how exactly do you download and execute Florian’s ransomware simulator ?

I am having a hard time with that, Thanks for the blogs

Expand full comment

I Figured it out you need to do what the guy above says and download the obfuscated version of Quickbuck onto the victim VM that being your windows VM. Execute it by launching Sliver like in Part 2 and running shell like in Part 3 and going to the file directory C: Users/User/Downloads and executing the program by running quickbuck run on the command line it will run from there and you should see it execute and generate a ransomware .txt file. Success! Use the github as a reference on how to run it on the command line and how it should look like :) hope yall were about to figure out in the time frame but hopes this helps anyone else looking to learn this lab! :)

Expand full comment