The Seaside Security Conference Goa Feb-2025 featured a dedicated Threat Hunting Village, where cybersecurity professionals, researchers, and enthusiasts collaborated to analyze ransomware-themed execution techniques. Hosted and Designed by Threatactix and Seasides Team, this interactive experience provided attendees with real-world insights into ransomware operations, execution chains, and hunting methodologies.




Hypothesis Statement :
Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Hypothesis Statement :
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This may deny access to available backups and recovery options.
Some native Windows utilities have been used by adversaries to disable or delete system recovery features:
Hypothesis Statement :
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, and .reg.
Adversaries may employ various forms of Masquerading and Obfuscated Files or Information to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it
Hypothesis Statement :
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying/deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems
Hypothesis Statement :
An unauthorized process (powershell.exe OR Other) running with NT AUTHORITY\SYSTEM privileges attempted to access lsass.exe, indicating a possible Credential Dumping (MITRE ATT&CK T1003) technique. This may be an attempt to extract password hashes, plaintext credentials, or Kerberos tickets from memory, which could lead to privilege escalation and lateral movement.
Hypothesis Statement :
A threat actor has gained unauthorized access to a system using administrator-equivalent privileges, potentially leading to privilege escalation or lateral movement within the network. The goal is to identify, analyze, and mitigate any malicious activities originating from IP 192.168.56.138.
Hypothesis Statement :
An adversary has dropped an executable file in a folder commonly used by malware, potentially indicating malicious activity.
Hypothesis Statement :
An adversary has leveraged a command-line or scripting interpreter (such as PowerShell, Bash, or Python) to execute potentially malicious commands or scripts on a compromised system.
Hypothesis Statement :
An attacker may have exploited DLL Search Order Hijacking (MITRE ATT&CK T1574.001) by placing a malicious UpdateAgent.dll in a location where a privileged process (svchost.exe) loads it, potentially achieving persistence, privilege escalation, and defense evasion.
Hypothesis Statement :
A potentially malicious process (Procmon64.exe) located in the temporary directory (C:\Users\Analyst\AppData\Local\Temp\Procmon64.exe) accessed Explorer.exe, which could indicate process injection, masquerading, or reconnaissance activity. The investigation aims to determine whether this access was legitimate or part of an attack involving privilege escalation or defense evasion.
Hypothesis Statement :
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.
The Threat Hunting Village for Ransomware Theme Execution was a major success, equipping participants with practical threat-hunting skills and a deeper understanding of ransomware operations. By analyzing real-world attacks, attendees gained actionable intelligence to enhance their cybersecurity posture.