Ransomware and proactive analysis


Hello folks,

As we all know, ransomware takes advantage of the access permissions (read, write, modify) that an ordinary user must have to work with files (Word, Excel, ...). My approach, inspired by BigFix (QRadar), is to watch the number of files updated within a given amount of time, for example 100 files updated in 60 seconds, and then take action.

Here is part of the script. What do you think would be the appropriate action?

-disable network card

-kill process

-others 

This is part of proactive analysis, because prevention is better than cure.


P.S.: https://timgolden.me.uk/python/win32_how_do_i/watch_directory_for_changes.html (starting point)

import os
import time
from collections import deque

import win32file
import win32con

ACTIONS = {
    1: "Created",
    2: "Deleted",
    3: "Updated",
    4: "Renamed from something",
    5: "Renamed to something",
}

# Any extension that matters for the watch process can be added here.
patterns = ["txt", "doc", "xls", "png", "pdf"]

FILE_LIST_DIRECTORY = 0x0001
WINDOW_SECONDS = 60   # length of the observation window
THRESHOLD = 10        # ten updates within 60 seconds triggers the action

path_to_watch = "C:\\"
hDir = win32file.CreateFile(
    path_to_watch,
    FILE_LIST_DIRECTORY,
    win32con.FILE_SHARE_READ | win32con.FILE_SHARE_WRITE | win32con.FILE_SHARE_DELETE,
    None,
    win32con.OPEN_EXISTING,
    win32con.FILE_FLAG_BACKUP_SEMANTICS,
    None,
)

# Timestamps of recent "Updated" events on watched file types.
recent_updates = deque()

while True:
    results = win32file.ReadDirectoryChangesW(
        hDir,
        1024,
        True,
        win32con.FILE_NOTIFY_CHANGE_FILE_NAME |
        win32con.FILE_NOTIFY_CHANGE_DIR_NAME |
        win32con.FILE_NOTIFY_CHANGE_ATTRIBUTES |
        win32con.FILE_NOTIFY_CHANGE_SIZE |
        win32con.FILE_NOTIFY_CHANGE_LAST_WRITE |
        win32con.FILE_NOTIFY_CHANGE_SECURITY,
        None,
        None,
    )
    for action, file in results:
        full_filename = os.path.join(path_to_watch, file)
        # Match on the file extension, not on a substring of the whole path
        # ("doc" would otherwise match everything under a Documents folder).
        if not any(full_filename.lower().endswith("." + p) for p in patterns):
            continue
        print((full_filename, ACTIONS.get(action, "Unknown")))
        if action == 3:
            now = time.time()
            recent_updates.append(now)
            # Forget updates that fell out of the window.
            while recent_updates and now - recent_updates[0] > WINDOW_SECONDS:
                recent_updates.popleft()
            if len(recent_updates) >= THRESHOLD:  # ten updates within 60 sec
                # ---------------> Action
                pass
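The rate check described above (many documents updated inside a 60 second window), as an added example that is not part of the original script: the detection logic is kept separate from the Win32 watcher so it can be exercised with constructed events on any machine, and it counts distinct files so that one document saved repeatedly does not trigger it. The BurstDetector class, the event tuple layout and the sample traces are assumptions.

```python
"""Sliding-window burst detector for mass document modification.

Added example, not from the original post. Events are (timestamp_seconds,
action, path); action uses the codes ReadDirectoryChangesW returns (3 == Updated).
BurstDetector, the tuple layout and the sample traces are assumptions.
"""
import os
from collections import deque

UPDATED = 3
WATCHED_EXT = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".png", ".pdf"}


class BurstDetector:
    def __init__(self, window_s=60, threshold=100):
        self.window_s = window_s
        self.threshold = threshold
        self._recent = deque()  # (timestamp, path) of watched Updated events

    def observe(self, ts, action, path):
        """Feed one change event; return True when the burst threshold is crossed."""
        if action != UPDATED:
            return False
        # Match the real extension, not a substring: "doc" would otherwise match
        # every file under C:\Users\...\Documents.
        if os.path.splitext(path)[1].lower() not in WATCHED_EXT:
            return False
        self._recent.append((ts, path))
        while self._recent and ts - self._recent[0][0] > self.window_s:
            self._recent.popleft()  # expire events outside the window
        # Count distinct files, not raw writes: one notes file saved 200 times in
        # a minute is a user; 100 different documents rewritten is a burst.
        return len({p for _, p in self._recent}) >= self.threshold


def first_alert(events, window_s=60, threshold=100):
    """Index of the event at which the detector first fires, or None."""
    det = BurstDetector(window_s, threshold)
    for i, (ts, action, path) in enumerate(events):
        if det.observe(ts, action, path):
            return i
    return None


# Constructed traces (not captured from a real system).
SINGLE_FILE = [(t, UPDATED, r"C:\docs\notes.txt") for t in range(200)]
SLOW_EDITS = [(30 * t, UPDATED, rf"C:\docs\report{t}.docx") for t in range(12)]
BURST = [(0.25 * t, UPDATED, rf"C:\docs\file{t}.pdf") for t in range(120)]
BINARIES = [(0.25 * t, UPDATED, rf"C:\tmp\build{t}.exe") for t in range(120)]
```

With the defaults, first_alert(BURST) fires at the 100th distinct document while the single-file and slow traces never fire.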

More articles by Dridi Mahmoud:

  • Routing is a game
  • SDN !!??
  • Computer forensics investigation