
Malware simulation

Hi,

In an attempt to trigger CryptoGuard in a test setting I wrote several test scripts encrypting 50k+ files on disk in suspicious file paths. None of them seem to have triggered CryptoGuard, which makes me wonder if it's triggered solely on known IOCs. My first thought was that the number of I/O operations would have been enough to trigger an alarm, but it didn't. Is there something to be said about the detection that could help me trigger an alarm?



  • FormerMember

    It all comes down to context and actions. How did you do the encryption? A PowerShell script that calls on Windows to encrypt the file?

  • I used the .NET AesCryptoServiceProvider in PowerShell and ran it against a directory of files, renaming them as it went. Seemed to trigger Sophos after a certain number of files were encrypted. I forgot what the threshold was, it has been a while.

  • FormerMember in reply to Kyle Parrish

    What you describe is what I would expect to happen. CG doesn't trigger instantly - it monitors and has a context-dependent rule set that will trigger when the thresholds/criteria are met.

  • I did use AesCryptoServiceProvider as well against more than 50k files, renaming them to .encrypted after encrypting them. I also ran tests where I encrypt/decrypt them multiple times etc., but all without any luck. After that I created a .NET executable (.exe) to try if that makes a difference, but it didn't.

    Can you tell more about the files you encrypted (file size, age)? That might be different. Also, did you test recently, or was that some time ago? Thanks for the responses so far!
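To make the point from the earlier reply concrete (a context-dependent rule with thresholds, not raw I/O volume), here is an added toy behavioural rule run over constructed file-activity events; it is not Sophos code and not CryptoGuard's actual logic. The threshold, window, "suspicious" extensions, user-data path prefix and the event format are all assumed values chosen for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tunables for this toy rule; CryptoGuard's real thresholds are not stated in the thread.
THRESHOLD = 5                          # suspicious renames per process inside WINDOW
WINDOW = timedelta(seconds=10)
SUSPICIOUS_EXT = (".encrypted", ".locked")
USER_DATA = ("c:\\users\\",)           # only user-profile paths count as "user data"

def build_sample(rename_gap_s=1):
    """Constructed telemetry (not real EDR output): one event per line,
    '<iso-time> <pid> <action> <path>'. PID 4321 rewrites and renames user
    documents every rename_gap_s seconds; PID 7777 is a noisy but benign build job."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(8):
        t = (base + timedelta(seconds=i * rename_gap_s)).isoformat()
        lines.append(f"{t} 4321 WRITE C:\\Users\\alice\\Documents\\doc{i}.docx")
        lines.append(f"{t} 4321 RENAME C:\\Users\\alice\\Documents\\doc{i}.docx.encrypted")
    for i in range(200):  # 200 writes, zero renames: raw I/O volume alone is not the signal
        t = (base + timedelta(milliseconds=50 * i)).isoformat()
        lines.append(f"{t} 7777 WRITE C:\\Windows\\Temp\\build\\obj{i}.o")
    return "\n".join(lines)

def parse_event(line):
    ts, pid, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), int(pid), action, path

def detect(events_text, threshold=THRESHOLD, window=WINDOW):
    """Return {pid: time_of_first_alert} for every process that renames at least
    `threshold` user-data files to a suspicious extension within `window`."""
    recent = defaultdict(deque)        # pid -> timestamps of qualifying renames
    alerts = {}
    for line in events_text.splitlines():
        ts, pid, action, path = parse_event(line)
        p = path.lower()
        if action != "RENAME" or not p.endswith(SUSPICIOUS_EXT) or not p.startswith(USER_DATA):
            continue                   # plain writes never count, however many there are
        q = recent[pid]
        q.append(ts)
        while ts - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) >= threshold and pid not in alerts:
            alerts[pid] = ts
    return alerts

if __name__ == "__main__":
    print("fast encryptor:", detect(build_sample()))   # alert on PID 4321 at 10:00:04
    print("slow encryptor:", detect(build_sample(3)))  # {} : one rename per 3 s stays under threshold
```

The slow case is the interesting one for a test like the one in this thread: the same actions spread out in time never satisfy the windowed criterion, so a rule of this shape stays silent even after 50k files.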
