CrowdStrike / detection-container

https://quay.io/repository/crowdstrike/detection-container
The Unlicense

Ransomware detection #15

Open gelim opened 2 years ago

gelim commented 2 years ago

Hello,

Thanks for this excellent repo, but I'm failing to see whether there is any TTP related to ransomware activity that could trigger a detection on the Falcon Linux sensor?

Regards, -- Mathieu

shawndwells commented 2 years ago

Hi @gelim - this repo is just a subset of events for testing and demos. We could integrate a ransomware demo though. Do you have samples we could look at?

shawndwells commented 2 years ago

Found some - https://github.com/fabrimagic72/malware-samples/tree/master/Ransomware

gelim commented 2 years ago

Yes, for instance, or the open-source https://github.com/tarcisio-marinho/GonnaCry that could be "defused" but still be valid to assess any detection logic on the defense side.

redhatrises commented 2 years ago

GonnaCry or Satan could work for examples in the container.

shawndwells commented 2 years ago

@gelim Many of the cloud team at CrowdStrike are prepping for AWS re:Inforce and there may not be much movement on this for a few weeks. If you're interested & able, patches would be welcome!

gelim commented 2 years ago

If I find some code that triggers ransomware detection logic on the Linux Falcon sensor, I will update here. For the moment it seems there are only events dedicated to ransomware on the Windows platform.

For instance, GonnaCry will be prevented by NGAV ("This file meets the File Attribute ML algorithm's high-confidence threshold for malware.").

shawndwells commented 2 years ago

The GonnaCry should do the trick. Their README calls out being written for Linux - https://github.com/tarcisio-marinho/GonnaCry


gelim commented 2 years ago

As I mentioned previously, the original binary is getting a prevention with a generic alert. Additionally, a fresh build will be neither prevented nor detected.