detection-container
Ransomware detection
Hello,
Thanks for this excellent repo, but I'm failing to see if there is any TTP related to ransomware activity that could trigger a detection on the Falcon Linux sensor?
Regards, -- Mathieu
Hi @gelim - this repo is just a subset of events for testing and demos. We could integrate a ransomware demo though. Do you have samples we could look at?
Found some - https://github.com/fabrimagic72/malware-samples/tree/master/Ransomware
Yes, for instance, or the open-source https://github.com/tarcisio-marinho/GonnaCry that could be "defused", but still valid to assess any detection logic on the defense side.
GonnaCry or Satan could work for examples in the container.
@gelim Many of the cloud team at CrowdStrike are prepping for AWS re:Inforce and there may not be much movement on this for a few weeks. If you're interested & able, patches would be welcome!
If I find some code that triggers ransomware detection logic on the Linux Falcon sensor, I will update here. For the moment it seems there are only events dedicated to ransomware on the Windows platform.
For instance, GonnaCry will be prevented by NGAV (This file meets the File Attribute ML algorithm's high-confidence threshold for malware.)
The GonnaCry should do the trick. Their README calls out being written for Linux - https://github.com/tarcisio-marinho/GonnaCry

As I mentioned previously the original binary is getting a prevention with a generic alert. Additionally a fresh build will not be prevented nor detected.