sysmon-config icon indicating copy to clipboard operation
sysmon-config copied to clipboard
verified publisher icon SwiftOnSecurity

Ransomware artifacts added to File Creation config

Open sduff opened this issue 4 years ago • 2 comments

It can be challenging to detect ransomware activity using the existing sysmon configuration. Rather than look for excessive numbers of file writes, the most common ransomware artifacts, including file extensions and ransomware notes, have been included in the file creation stanza.

sduff avatar Feb 18 '21 04:02 sduff

Hi @sduff, this is amazing work and I want to find a way to use it. Just for my stubborn philosophical reasons I want to keep the file created area totally generic by default, but if you want to host this in your own GitHub repo I can link to it?

SwiftOnSecurity avatar Feb 28 '21 20:02 SwiftOnSecurity

Yes, I'm happy to maintain a separate repo for ransomware specifics, and more than happy for you to link to it. I'll update my README.md to make it clear, feel free to close out this PR

sduff avatar Mar 01 '21 00:03 sduff