2025 BSides Tampa

Stories from the Trenches: Initial Access to Exfiltration - A Kill Chain Analysis
by Tristan Luikey & Jonny Elrod

Description

This presentation will guide attendees through a real-world intrusion handled by our team, where an organization was compromised by the Black Basta ransomware group. Using the attack lifecycle as a framework, we will explore how the threat actor executed their campaign from initial access through to exfiltration. By presenting a step-by-step timeline, attendees will gain critical insight into TTPs utilized by Black Basta, which is invaluable information considering how prominent Black Basta currently is.

The timeline will include:

- Initial Access: Social engineering via external Teams messages to establish trust and plant the initial foothold.
- Access to Workstation: Use of Quick Assist to RMM to the infected workstation and escalate privileges.
- Persistence and C2 Establishment: Injection into the OneDrive updater process to maintain persistence and establish communication through command-and-control.
- Lateral Movement: Pivoting across the network using RDP and PowerShell, including multiple attempts at lateral movement.
- Reconnaissance and Enumeration: Network scans and enumeration.
- Exfiltration: Using WinSCP to transfer sensitive files out of the network.
- Privilege Escalation: Addition of compromised accounts to administrative groups to expand control.

The above is a simple list, but we will cover more information than what is listed, as this intrusion involved a large number of techniques.

This presentation will go beyond the technical details of the attack. It aims to provide attendees with a comprehensive understanding of:

- A Day in the Life of a Threat Hunter: Offering a behind-the-scenes look at the workflows, tools, and methodologies used by IR professionals during a real intrusion.
- IOCs and Timelines: Highlighting the artifacts our team uncovered at each stage of the attack to piece together the full timeline.

This particular intrusion provides a large variety of artifacts and a nearly complete timeline of events, allowing us to deliver a detailed presentation with opportunities for crowd engagement. Attendees will leave with practical knowledge they can apply in their own environments, including strategies for detecting and responding to APTs, ransomware groups, and social engineering campaigns. Students will leave with insight into a future career opportunity as well as an understanding of what a real breach scenario looks like.