Loading Events

« All Events

  • This event has passed.

Ransomware Attack Simulation and Investigation for Blue Teamers w/ Markus Schober

Event Series Event Series (See All)

October 18, 2023 @ 8:30 am 5:00 pm MDT

Course Length: 16 Hours
Format: In-Person Only

Includes: Twelve months of complimentary access to the Antisyphon Cyber Range, certificate of participation.


  • In-Person: $1,095
    Includes In-Person Conference Ticket
Markus Schober
Markus Schober

Clicking this button will take you to Cvent to complete your registration.

Course Description

As a cyber security defender and investigator, we often just get to analyze an environment that suffered a ransomware attack after the ransomware execution, where we are trying to make our way back in time to understand the scope and initial infection vectors of a breach. However, knowing how attackers operate and having an understanding of their tools can help tremendously to conduct a more effective analysis and response and ultimately lower the impact of such attacks. This is why in this workshop we will teach you how to perform the common steps of every phase in a ransomware attack scenario as the attacker, from initial infection to impact.

We will set up a basic C2 infrastructure with PowerShell Empire, and execute attack phases such as initial access and reconnaissance, persistence mechanisms, privilege escalation, credential dumping, lateral movement, defense evasion, data exfiltration, and encryption with ransomware. In every step you will also learn about the fundamental concepts that are required to conduct the attack and defend against those including hands-on analysis using Splunk, Velociraptor and forensic tools as needed. In the last part of the workshop, you will learn best practices on how to effectively conduct investigations of the attacked environment using various tools that are part of the lab setup. Upon completion of the workshop, participants will have a better understanding of the steps ransomware threat actors take to achieve their objectives, as well as the best practices for detecting and ultimately preventing ransomware attacks. 


This training is for blue teamers with intermediate technical skills who want to learn hands-on how the various phases of ransomware attacks are carried out, as well as how to detect, analyze and prevent those. 


  • RDP access 

Online Lab Setup 

  • Live response lab: Kali Linux, Windows Hosts, Splunk, Velociraptor 
  • Forensic tools 
  • Triage data collections and memory images  


  • Introduction, Ransomware lifecycle, C2 infrastructure, Threat landscape
  • Lab intro: VMs, Kali, PowerShell Empire
  • Preparation: Listeners, stagers, C2 setup
  • Initial access: Stager delivery, initial access
  • Discovery 1: Local recon, enumeration and living off the land tools
  • Persistence 1: Accounts, scheduled tasks, keys, folders
  • Privilege escalation: User accounts, sessions, tokens, UAC bypasses
  • Discovery 2: Domain discovery, ADFind and living off the land tools
  • Credential Access: Mimikatz, LSASS, Kerberos, NTLM, PTH
  • Lateral movement: Authentication events, techniques, analysis
  • Persistence 2 : WMIC
  • Defensive evasion: Process injection, DLL hijacking
  • Collection and Exfiltration: Data staging, exfil tools
  • Impact: Ransomware execution, techniques, tools
  • Investigation and analysis techniques: Splunk & Velociraptor

Course Author & Instructor

Markus Schober
Markus Schober

Markus Schober is the founder of a blue team training and consulting company named Blue Cape Security. Prior to that, he served as a manger and Principal Security Consultant at IBM X-Force Incident Response. Over the past decade he has led numerous cyber security breach investigations for major organizations, where he specialized in Incident Response, Digital Forensics and Crisis Management. He also advised organizations on building strong cyber security programs and conducted trainings, workshops and exercises for technical as well as executive audiences. He also has a background in software engineering in both the United States and Europe.   

Instructor Twitter Handle: @mascho