APT28 in the Snare

In this room, as a DFIR team member, you are tasked with conducting the investigation phase of the incident response process, based on a scenario prepared for you that involves techniques and tactics used by APT28.

We recommend reviewing the APT28 Inception Theory room before starting this one, as it will give you a better understanding of the group’s behaviour and the steps they might perform during the intrusion. However, this is not mandatory.

This room is designed for DFIR team members, Threat Hunters, and SOC L2/L3 analysts who want to gain a deeper understanding of the potential behaviour of an APT group and how such activity can be detected using logs and forensic artifacts.

Learning Objectives

• Detect initial access and execution techniques associated with APT28 activity.
• Investigate persistence mechanisms leveraged by APT28.
• Identify privilege escalation behaviours and detect data theft attempts.
• Utilise tools from Eric Zimmerman's toolset and perform log correlation for enhanced analysis.

Room Prerequisites

It is suggested to clear the following rooms first before proceeding:

• APT28 Inception Theory
• Sysmon
• Cyber Kill Chain
• Windows Forensics 2
• Windows Applications Forensics