Open gelim opened 2 years ago
Hi @gelim - this repo is just a subset of events for testing and demos. We could integrate a ransomware demo though. Do you have samples we could look at?
Yes, for instance, or the open-source https://github.com/tarcisio-marinho/GonnaCry that could be "defused", but still valid to assess any detection logic on the defense side.
GonnaCry or Satan could work for examples in the container.
@gelim Many of the cloud team at CrowdStrike are prepping for AWS re:Inforce and there may not be much movement on this for a few weeks. If you're interested & able, patches would be welcome!
If I find some code that triggers ransomware detection logic on the Linux Falcon sensor, I will update here. For the moment it seems there are only events dedicated to ransomware on the Windows platform.
For instance, GonnaCry will be prevented by NGAV ("This file meets the File Attribute ML algorithm's high-confidence threshold for malware.").
GonnaCry should do the trick. Their README calls out being written for Linux - https://github.com/tarcisio-marinho/GonnaCry
As I mentioned previously, the original binary is getting a prevention with a generic alert. Additionally, a fresh build will be neither prevented nor detected.
Hello,
Thanks for this excellent repo, but I'm failing to see if there is any TTP related to ransomware activity that could trigger a detection on the Falcon Linux sensor?
Regards, -- Mathieu
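The thread's point is that a file-attribute (static) verdict stops the published GonnaCry binary while a fresh build sails through, so the only thing left to assess is behavioural logic. The block below is an added example of such logic written for this thread; it is not CrowdStrike's, the Falcon sensor's or GonnaCry's code. The event schema (pid, comm, op, path, data) is an assumed simplification of what an EDR sensor or auditd/fanotify would emit, the `.locked` extension, the paths and the thresholds are constructed for illustration, and the three process streams are constructed sample data: a defused encrypt-in-place loop, a `tar` backup (high entropy but no extension changes) and an editor swap-file rename (extension change but plain text), the last two being the false positives a naive "high entropy" or "mass rename" rule would hit.

```python
"""Behavioural ransomware heuristic over a constructed Linux file-event stream.

Added example for this thread, not code from CrowdStrike, Falcon or GonnaCry.
Event shape, thresholds, extension and paths are assumptions / constructed data.
"""
import math
import os
import re
from collections import defaultdict

ENTROPY_FLOOR = 7.5   # bits/byte; ciphertext and compressed data sit near 8.0
MIN_FILES = 5         # distinct victim files before a pid is flagged
# ransom-note names are constructed; real families vary widely
NOTE_RE = re.compile(r"(readme|decrypt|recover|restore)[^/]*\.(txt|html)$", re.I)

# constructed payloads: 256 distinct byte values repeated gives entropy exactly 8.0
HIGH = bytes(range(256)) * 16
TEXT = b"quarterly numbers, see attached sheet\n" * 100


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: 8.0 for uniform bytes, roughly 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _ext(path: str) -> str:
    return os.path.splitext(path)[1]


def profile_pid(events):
    """Summarise one process's events into the features the heuristic combines."""
    high = set()    # paths written with encrypted-looking content
    reext = {}      # old path -> new path where the extension changed
    note = False
    for ev in events:
        if ev["op"] == "write":
            if NOTE_RE.search(ev["path"]):
                note = True
            elif shannon_entropy(ev["data"]) >= ENTROPY_FLOOR:
                high.add(ev["path"])
        elif ev["op"] == "rename" and _ext(ev["path"]) != _ext(ev["new"]):
            reext[ev["path"]] = ev["new"]
    # a victim is a file that was BOTH overwritten with high-entropy data AND
    # re-extensioned (either side of the rename); this is what separates the
    # encryptor from tar (entropy only) and vim (rename only)
    renamed = set(reext) | set(reext.values())
    victims = {p for p in high if p in renamed}
    ts = [e["ts"] for e in events]
    return {"victims": len(victims), "ransom_note": note,
            "high_entropy_writes": len(high), "ext_changes": len(reext),
            "span_s": max(ts) - min(ts)}


def detect(events):
    """Return {(pid, comm): profile} for every process that looks like an encryptor."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[(ev["pid"], ev["comm"])].append(ev)
    flagged = {}
    for key, evs in by_pid.items():
        prof = profile_pid(evs)
        if prof["victims"] >= MIN_FILES:
            prof["confidence"] = "high" if prof["ransom_note"] else "medium"
            flagged[key] = prof
    return flagged


def constructed_events():
    """Constructed sample stream: one defused encryptor, two benign look-alikes."""
    evs, t = [], 1000.0
    for i in range(8):  # pid 4242: overwrite in place, then rename to .locked
        p = f"/home/alice/docs/report{i}.docx"
        evs.append({"ts": t, "pid": 4242, "comm": "sim-cry", "op": "write", "path": p, "data": HIGH})
        evs.append({"ts": t + 0.1, "pid": 4242, "comm": "sim-cry", "op": "rename", "path": p, "new": p + ".locked"})
        t += 0.2
    evs.append({"ts": t, "pid": 4242, "comm": "sim-cry", "op": "write",
                "path": "/home/alice/docs/README_DECRYPT.txt", "data": b"constructed note"})
    # pid 900: compressed backup, high entropy but no extension change
    evs.append({"ts": 1100.0, "pid": 900, "comm": "tar", "op": "write",
                "path": "/home/alice/backup.tar.gz", "data": HIGH})
    # pid 1200: editor swap file, extension change but plain text
    evs.append({"ts": 1200.0, "pid": 1200, "comm": "vim", "op": "write",
                "path": "/home/alice/notes.txt.swp", "data": TEXT})
    evs.append({"ts": 1200.5, "pid": 1200, "comm": "vim", "op": "rename",
                "path": "/home/alice/notes.txt.swp", "new": "/home/alice/notes.txt"})
    return evs


if __name__ == "__main__":
    for key, prof in detect(constructed_events()).items():
        print(key, prof)
```

Run against the constructed stream only pid 4242 is flagged, at high confidence because of the note drop; `tar` and `vim` each trip one feature but not the conjunction. That conjunction is the design choice worth keeping when you port this to a real sensor's telemetry: entropy alone flags every compressor and archiver, rename counting alone flags editors and build tools, and a rebuilt binary defeats the static verdict entirely, so only the combined per-process behaviour remains as a signal.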