3. Backdoor Attack Leading to a Ransomware Attack


Demonstration of Harmony Endpoint Anti-Ransomware capabilities: behavioral detection of an unknown ransomware at runtime, followed by automated remediation, analysis, triage and file restoration.

Discussion points

  • Harmony Endpoint Anti-Ransomware behavioral detection at runtime, designed to detect any type of ransomware attack regardless of the specific sample.

  • Harmony Endpoint Anti-Ransomware automated remediation and file restoration, protecting user data and letting users continue working without costing the organization time, money and effort.

  • Multi-layered endpoint protection platform with automated EDR capabilities to fully recover from attacks.
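To make the behavioral approach concrete, here is an added illustration (not Check Point code, and not how Harmony Endpoint is implemented): a toy monitor that flags a process which turns several low-entropy files into high-entropy ones within a short window, and keeps shadow copies so those files can be restored. The file paths, PIDs and file contents are constructed for the example.

```python
import math
from collections import defaultdict

ENTROPY_THRESHOLD = 7.0  # bits per byte; ciphertext and compressed data sit near 8.0
FILE_THRESHOLD = 5       # distinct files turned high-entropy by one process in the window
WINDOW_SECONDS = 10


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data))) if n else 0.0


class RansomwareMonitor:
    """Toy behavioral monitor: scores each process by low-to-high entropy rewrites in a
    sliding window and keeps a shadow copy of each file before its first overwrite."""
    def __init__(self):
        self.shadow = {}               # path -> content before its first overwrite
        self.hits = defaultdict(list)  # pid -> [(ts, path)] suspicious rewrites
        self.blocked = set()

    def on_write(self, ts, pid, path, old, new):
        """Record one overwrite; returns True the moment pid crosses FILE_THRESHOLD."""
        self.shadow.setdefault(path, old)
        if shannon_entropy(old) < ENTROPY_THRESHOLD <= shannon_entropy(new):
            recent = [h for h in self.hits[pid] if ts - h[0] <= WINDOW_SECONDS]
            recent.append((ts, path))
            self.hits[pid] = recent
            if len({p for _, p in recent}) >= FILE_THRESHOLD:
                self.blocked.add(pid)
                return True
        return False

    def restore(self, pid):
        """Known-good content for every file the blocked pid rewrote."""
        return {p: self.shadow[p] for _, p in self.hits[pid]}


def run_demo():
    """Constructed events: a benign editor (pid 100) and a process (pid 4242) rewriting six files."""
    plaintext = b"Quarterly report draft, section " * 8
    ciphertext = bytes((i * 7 + 13) % 256 for i in range(256))  # constructed stand-in: 8.0 bits/byte
    mon = RansomwareMonitor()
    mon.on_write(0.0, 100, r"C:\Users\demo\Documents\notes.txt", plaintext, plaintext + b"!")
    tripped_at = None
    for i in range(1, 7):
        path = rf"C:\Users\demo\Documents\doc{i}.docx"
        if mon.on_write(float(i), 4242, path, plaintext, ciphertext) and tripped_at is None:
            tripped_at = i
    return tripped_at, sorted(mon.blocked), mon.restore(4242)
```

The benign editor never trips the monitor, while the rewriting process is blocked on its fifth file and all six files it touched are restorable from the shadow copies.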

Watch the Demonstration Video

For brevity, this video shows only the most important steps.


The procedure below describes all the steps needed to demonstrate the scenario.




From the Jump server desktop, use the remote desktop link to connect to the Kali attacker machine.


Open a terminal window and navigate to /root/demo/backdoors/:

cd /root/demo/backdoors/



Start the Metasploit console with the listener resource script:

msfconsole -r meterpreter-listen.rc


The process takes a few seconds and you will see the following output. This opens a reverse TCP handler (listener) on the Kali attacker machine, waiting for the backdoor to connect back.


Minimize the Kali attacker RDP window and open a remote desktop connection to the Windows server protected machine using the link on the Jump server desktop.


Open the My Documents folder, extract scvhost.zip and execute scvhost.exe.

This opens a Meterpreter reverse TCP shell back to the Kali attacker machine.


Minimize the Windows server protected RDP window and navigate back to the Kali attacker machine, to the opened Meterpreter session.


At the prompt, type the following and execute it:

resource start_attack.rc


This loads and executes a ransomware attack on the Windows server protected machine.

You have a 10-second delay to navigate back to the Windows server protected machine to show the attack.


Minimize the Kali attacker RDP window and open a remote desktop connection to the Windows server protected machine from the link on the Jump server desktop.


Show the ransomware attack, the file encryption, the detection, the automatic remediation and the file restoration:


Navigate back to the Jump server machine and open the Chrome browser to the Harmony Endpoint management platform.


Navigate to the Security overview screen to show the full scope of the attack, including the detailed and automated response, analysis and triage:


From the log, open the forensics report to show the full, automated attack analysis, triage and response.

Show the MITRE ATT&CK integration, the entry point, the remediation and the suspicious activities.

It is recommended to walk through the attack from the incident details tree view.


Navigating through the forensics report can be easier from SmartView or from the Harmony Endpoint client on the Windows 10 protected machine:

  • The link to SmartView on the portal can be found under the Service Management tab:

    Credentials = epadmin/Cpwins1!