in ransomware/artifact.lua [2247:2329]
--- Plant the ransomware canary files for every configured namespace.
--
-- Planting only happens when the product is 'elastic', the version is not
-- below 8.6.0, and CanariesEnabled() does not return false. For each entry of
-- globals.namespaces the canary list is built, each canary is planted, and the
-- directory / file names of planted canaries are recorded on the active
-- namespace without duplicates.
--
-- State visible to the rest of the artifact:
--   * globals.canaryCompatible is set to true as soon as the product and
--     version gates pass, including on runs that later exit early.
--   * globals.diagnosticCanariesDropped or globals.productionCanariesDropped
--     is set per namespace, chosen by that namespace's diagnosticMode.
--
-- NOTE(review): a failure in one namespace returns from the whole function,
-- and pairs() gives no ordering guarantee, so which namespaces were already
-- processed when a failure happens is not fixed. Flags and names recorded by
-- earlier iterations stay set even though the call returns nothing. Confirm
-- this abort-all behaviour is intended; otherwise one namespace failing can
-- leave another namespace without canary coverage.
--
-- @return true when every visited namespace planted at least one canary (also
--   when globals.namespaces is empty); nothing (nil) on every early exit.
function CanaryStartup()
  utils.DebugLog('Canary Startup Called')

  -- Gate on product: canaries are only started on the 'elastic' product.
  if utils.GetProduct() ~= 'elastic' then
    utils.DebugLog('Not initiating canary startup (non-elastic endpoint)')
    return
  end

  -- Gate on version: anything below 8.6.0 is skipped.
  if utils.CurrentVersionLessThan('8.6.0') then
    utils.DebugLog('Not initiating canary startup (version < 8.6.0)')
    return
  end

  utils.DebugLog('Elastic endpoint version is compatible with canary files!')
  globals.canaryCompatible = true

  -- Cleanup runs once, with the diagnosticMode of whichever namespace is
  -- active on entry, i.e. before the loop below switches namespaces.
  CanariesCleanup(globals.namespace.diagnosticMode)

  -- Only an explicit false stops here; a nil result continues to planting.
  -- NOTE(review): confirm CanariesEnabled() cannot return nil when disabled.
  if CanariesEnabled() == false then
    return
  end

  -- Append value to list unless utils.TableHasValue reports it already there.
  local function remember(list, value)
    if not utils.TableHasValue(list, value) then
      table.insert(list, value)
    end
  end

  for _, ns in pairs(globals.namespaces) do
    globals.SwitchNamespace(ns)

    utils.DebugLog('build the list of canary files to be created')
    local planned = globals.BuildCanaries()
    if next(planned) == nil then
      utils.DebugLog('failed to build the list of canary files')
      return
    end

    utils.DebugLog('planting canary files')
    local plantedCount = 0
    for _, entry in ipairs(planned) do
      local status = PlantCanary(
        entry.fullpath, entry.content, entry.hidden, entry.force, entry.system
      )
      -- Only nil is treated as failure; any other result counts as planted.
      -- NOTE(review): verify PlantCanary never signals failure with false.
      if status ~= nil then
        remember(globals.namespace.canaryDirNames, entry.dirname)
        remember(globals.namespace.canaryFileNames, entry.filename)
        plantedCount = plantedCount + 1
      else
        utils.DebugLog('failed to plant canary: ' .. entry.fullpath)
      end
    end

    -- A namespace with zero planted canaries aborts the whole startup.
    if plantedCount == 0 then
      utils.DebugLog('Failed to drop any canaries!')
      return
    end

    -- Record which class of canaries is now on disk for this namespace.
    local droppedFlag = globals.namespace.diagnosticMode
      and 'diagnosticCanariesDropped'
      or 'productionCanariesDropped'
    globals[droppedFlag] = true
  end

  return true
end