
A Simple Ransomware Vaccine

21 Raccine issues

With Raccine installed, when I launch "Omen Gaming Hub" there is a false positive with the following content: Yara matches: Rule file: C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar YARA Output: ransomware_command_lines C:\Users\User1\AppData\Local\Temp\RaccineUserContext\Rac1971.tmp Raccine Context:...

Earlier I was on [Termius](https://www.termius.com/) running a few SFTP sessions, when I tried launching a remote file in Notepad++. Upon attempting this, Termius shut off in a way that made...

Hi, I am customizing the GUI in code, but when I create the build, Visual Studio says that the build has crashed. Hence when I run the batch file and after...

Hi. I have tried to install Raccine in a folder different than C:\Program Files, so I changed the install-raccine.bat, creating a new variable called %RaccinePath% instead of %ProgramFiles% and setting...

https://github.com/Neo23x0/Raccine/blob/b8ea99ad4b4e393b3cab2639b33755a26d3a8868/raccine.cpp#L223 You may want to check out this article on parent pid spoofing. https://pentestlab.blog/2020/02/24/parent-pid-spoofing/

When deployed, `RaccineSettings` produces a dangling `Form1` window even without interaction

I was testing Raccine in our environment, and I realized that the group policy settings don't work. Raccine stores its settings in `HKLM\SOFTWARE\Raccine`, while the group policy places registry keys...

Another possible attack vector is to rapidly create a large number of snapshots which hit the default limit of 64, which then triggers Windows to remove the oldest ones until all...

Ransomware seeking to avoid this protection can simply call the VSS API directly rather than invoking vssadmin, e.g. [IVssBackupComponents::DeleteSnapshots](https://docs.microsoft.com/windows/win32/api/vsbackup/nf-vsbackup-ivssbackupcomponents-deletesnapshots).

Some suggestions for the Windows hardening script:

## Block remote commands

Disable DCOM. See https://docs.microsoft.com/en-us/windows/win32/com/enabledcom

```
REG.EXE ADD HKEY_LOCAL_MACHINE\Software\Microsoft\OLE /v EnableDCOM /t REG_SZ /d N /F
```

## Block remote...