Ransomware artifacts added to File Creation config

SwiftOnSecurity / sysmon-config

Sysmon configuration file template with default high-quality event tracing

4.73k stars 1.69k forks source link

Ransomware artifacts added to File Creation config #140

Open sduff opened 3 years ago

sduff commented 3 years ago

It can be challenging to detect ransomware activity using the existing sysmon configuration. Rather than look for excessive numbers of file writes, the most common ransomware artifacts, including file extensions and ransomware notes, have been included in the file creation stanza.

SwiftOnSecurity commented 3 years ago

Hi @sduff, this is amazing work and I want to find a way to use it. Just for my stubborn philosophical reasons I want to keep the file created area totally generic by default, but if you want to host this in your own GitHub repo I can link to it?

sduff commented 3 years ago

Yes, I'm happy to maintain a separate repo for ransomware specifics, and more than happy for you to link to it. I'll update my README.md to make it clear, feel free to close out this PR