in ransomware/artifact.lua [2553:2860]
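--- Log a score change, add it to the event's alertScore and raise the metric.
-- Every scoring branch in PathHistory performs exactly these three steps with
-- the same config key, so they are centralised here. The key names are taken
-- verbatim from globals.config (some carry a "WITH_" segment, some do not) and
-- are deliberately not normalised.
-- @param eventData table  event being scored; its alertScore is incremented
-- @param key string       key into globals.config whose entry has a 'score' field
local function _apply_score(eventData, key)
  local score = globals.config[key]['score']
  utils.DebugLog('ALERT_SCORE_CHANGE: ' .. key .. ': ' .. score)
  eventData.alertScore = eventData.alertScore + score
  alert.RaiseFileAlertMetric(eventData, key)
end

--- Apply one entropy tier's score pair.
-- The "extension unknown" key is applied only when the related event's
-- extension category is EXTENSION_UNKNOWN; the base key is always applied.
-- @param eventData table   event being scored
-- @param related table     the other event of the same process being compared
-- @param unknownKey string config key for the unknown-extension variant
-- @param baseKey string    config key applied unconditionally
local function _apply_tier(eventData, related, unknownKey, baseKey)
  if globals.EXTENSION_UNKNOWN == related.currentExtensionData.category then
    _apply_score(eventData, unknownKey)
  end
  _apply_score(eventData, baseKey)
end

--- Return the first entry of `ops` equal to any of the given operations.
-- @param ops table|nil  list of operations recorded for one path (nil allowed)
-- @param ... operations to look for
-- @return the matching operation, or nil when none (or when ops is nil)
local function _first_operation(ops, ...)
  if ops == nil then
    return nil
  end
  local wanted = { ... }
  for _, op in ipairs(ops) do
    for _, w in ipairs(wanted) do
      if op == w then
        return op
      end
    end
  end
  return nil
end

--- Compare one file event against the earlier events of the same process.
-- Detection heuristic for ransomware-style rewrite patterns: a deleted path
-- that appears as a substring of a path this process created earlier, or a
-- created path that contains a path this process deleted earlier. Matching
-- branches add configured scores to eventData.alertScore and raise metrics;
-- eventData is modified in place.
-- @param eventData table   the event under analysis (filePath, fileName,
--   operation, alertScore, currentExtensionData, entropyStatus, ...)
-- @param processData table process context; processData.events holds the
--   earlier events of the same process
-- @return true when processData.events already holds an event with the same
--   filePath and operation (the caller should drop the duplicate); otherwise
--   nothing (nil)
function Ransomware.PathHistory(eventData, processData)
  -- Per-path list of operations, in processData.events iteration order.
  local pathEventTable = {}
  for _, v in pairs(processData.events) do
    local ops = pathEventTable[v.filePath]
    if ops == nil then
      ops = {}
      pathEventTable[v.filePath] = ops
    end
    ops[#ops + 1] = v.operation
  end

  -- Collected for rename events but not consumed within this function.
  local previousPathEvents = {}

  for _, v in pairs(processData.events) do
    if v.filePath == eventData.filePath then
      if v.operation == eventData.operation then
        utils.DebugLog('SKIPPING DUPLICATE EVENT (DuplicateEventCheck fail): ' .. eventData.filePath)
        return true
      end
    elseif globals.FILE_RENAME == eventData.operation then
      if v.filePath == eventData.filePreviousPath then
        utils.DebugLog('added to previousPathEvents: ' .. v.filePath)
        previousPathEvents[#previousPathEvents + 1] = v
      end
    elseif globals.FILE_DELETE == eventData.operation then
      -- Plain (non-pattern) substring test: a short deleted path also matches
      -- longer, unrelated paths that merely contain it.
      if string.find(v.filePath, eventData.filePath, 1, true) ~= nil then
        utils.DebugLog('deleted filePath found as substring in different event with different filePath')
        -- NOTE: every `break` in this arm leaves the whole event loop, so no
        -- later event (including a potential duplicate) is examined once a
        -- substring relation has been handled.
        local priorOp = _first_operation(pathEventTable[eventData.filePath],
          globals.FILE_CREATE_NEW, globals.FILE_RENAME)
        if priorOp ~= nil then
          if priorOp == globals.FILE_CREATE_NEW then
            utils.DebugLog('prevCreate detected for eventData.filePath')
          else
            utils.DebugLog('prevRename detected for eventData.filePath')
          end
          break
        end
        alert.RaiseFileAlertMetric(eventData, 'DELETED_PATH_SUBSTRING_FOUND')
        if globals.FILE_CREATE_NEW == v.operation then
          utils.DebugLog('substring was previously created...')
          if _first_operation(pathEventTable[v.filePath], globals.FILE_DELETE) ~= nil then
            utils.DebugLog('prevDelete detected for v.filePath!!!')
            break
          end
          if globals.EXTENSION_SUSPICIOUS == v.currentExtensionData.category then
            _apply_score(eventData, 'DELETE_EXTENSION_BLOCKLIST_PREVIOUSLY_CREATED_FILEPATH')
          end
          -- Tier selection, highest first. The first three tiers compare the
          -- created file's numeric entropy against thresholds and require the
          -- deleted file's extension to be flagged lowEntropy (presumably an
          -- extension expected to hold low-entropy data — confirm against
          -- extension data); the next three use the created event's
          -- entropyStatus; the last is the unconditional fallback.
          local lowEntropyExt = eventData.currentExtensionData.lowEntropy
          if globals.ENTROPY_REALLY_HIGH < v.entropy and lowEntropyExt then
            _apply_tier(eventData, v,
              'DELETE_EXTENSION_KNOWN_WITH_LOW_ENTROPY_WITH_PREVIOUSLY_CREATED_SUBSTRING_EXTENSION_UNKNOWN_ENTROPY_HIGHEST',
              'DELETE_EXTENSION_KNOWN_WITH_LOW_ENTROPY_WITH_PREVIOUSLY_CREATED_SUBSTRING_POSSIBLE_MISMATCH_ENTROPY_HIGHEST')
          elseif globals.ENTROPY_VERY_HIGH < v.entropy and lowEntropyExt then
            _apply_tier(eventData, v,
              'DELETE_EXTENSION_KNOWN_WITH_LOW_ENTROPY_WITH_PREVIOUSLY_CREATED_SUBSTRING_EXTENSION_UNKNOWN_ENTROPY_HIGHER',
              'DELETE_EXTENSION_KNOWN_WITH_LOW_ENTROPY_PREVIOUSLY_CREATED_SUBSTRING_POSSIBLE_MISMATCH_ENTROPY_HIGHER')
          elseif globals.ENTROPY_HIGH < v.entropy and lowEntropyExt then
            _apply_tier(eventData, v,
              'DELETE_EXTENSION_KNOWN_WITH_LOW_ENTROPY_PREVIOUSLY_CREATED_SUBSTRING_EXTENSION_UNKNOWN_ENTROPY_HIGH',
              'DELETE_EXTENSION_KNOWN_WITH_LOW_ENTROPY_WITH_PREVIOUSLY_CREATED_SUBSTRING_POSSIBLE_MISMATCH_ENTROPY_HIGH')
          elseif globals.ENTROPY_STATUS_REALLY_HIGH == v.entropyStatus then
            _apply_tier(eventData, v,
              'DELETE_WITH_PREVIOUSLY_CREATED_SUBSTRING_EXTENSION_UNKNOWN_ENTROPY_HIGHEST',
              'DELETE_WITH_PREVIOUSLY_CREATED_SUBSTRING_ENTROPY_HIGHEST')
          elseif globals.ENTROPY_STATUS_VERY_HIGH == v.entropyStatus then
            _apply_tier(eventData, v,
              'DELETE_WITH_PREVIOUSLY_CREATED_SUBSTRING_EXTENSION_UNKNOWN_ENTROPY_HIGHER',
              'DELETE_WITH_PREVIOUSLY_CREATED_SUBSTRING_ENTROPY_HIGHER')
          elseif globals.ENTROPY_STATUS_HIGH == v.entropyStatus then
            _apply_tier(eventData, v,
              'DELETE_WITH_PREVIOUSLY_CREATED_SUBSTRING_EXTENSION_UNKNOWN_ENTROPY_HIGH',
              'DELETE_WITH_PREVIOUSLY_CREATED_SUBSTRING_ENTROPY_HIGH')
          else
            _apply_tier(eventData, v,
              'DELETE_WITH_PREVIOUSLY_CREATED_SUBSTRING_EXTENSION_UNKNOWN',
              'DELETE_WITH_PREVIOUSLY_CREATED_SUBSTRING')
          end
        end
        break
      end
      -- The original additionally attempted a fileName prefix test here with
      -- '^' .. eventData.fileName in plain mode; plain mode treats '^' as a
      -- literal character, so that test could never match, and its body was
      -- empty. It is dropped rather than kept as dead code.
    elseif globals.FILE_CREATE_NEW == eventData.operation and globals.FILE_CREATE_NEW == v.operation
        and eventData.fileName == v.fileName then
      -- Same-name create pair: deliberately unscored. This arm must remain so
      -- the generic create check below is skipped for such pairs (the
      -- original only held an empty entropy comparison here).
    elseif globals.FILE_CREATE_NEW == eventData.operation then
      -- Created path contains a path this process deleted earlier (plain
      -- substring test, same caveat as above).
      if globals.FILE_DELETE == v.operation
          and string.find(eventData.filePath, v.filePath, 1, true) ~= nil then
        -- Only score when the deleted path was never created by this process,
        -- presumably to ignore files the process produced itself.
        if _first_operation(pathEventTable[v.filePath], globals.FILE_CREATE_NEW) == nil then
          utils.DebugLog('created filePath contains previously deleted filePath as substring')
          utils.DebugLog('v.filePath: ' .. v.filePath)
          utils.DebugLog('eventData.filePath: ' .. eventData.filePath)
          if eventData.headerMismatch then
            _apply_score(eventData, 'CREATE_EXTENSION_KNOWN_HEADER_MISMATCH_WITH_PREVIOUSLY_DELETED_SUBSTRING')
          else
            utils.DebugLog('no headerMismatch')
          end
          utils.DebugLog('eventData.fileExtension: ' .. eventData.fileExtension)
          -- Extension not in the known-extension map: score by entropy status.
          if not utils.TableHasKey(globals.extensionMap, eventData.fileExtension) then
            if globals.ENTROPY_STATUS_REALLY_HIGH == eventData.entropyStatus then
              _apply_score(eventData, 'CREATE_WITH_PREVIOUSLY_DELETED_FILEPATH_SUBSTRING_ENTROPY_HIGHEST')
            elseif globals.ENTROPY_STATUS_VERY_HIGH == eventData.entropyStatus then
              _apply_score(eventData, 'CREATE_WITH_PREVIOUSLY_DELETED_FILEPATH_SUBSTRING_ENTROPY_HIGHER')
            elseif globals.ENTROPY_STATUS_HIGH == eventData.entropyStatus then
              _apply_score(eventData, 'CREATE_WITH_PREVIOUSLY_DELETED_FILEPATH_SUBSTRING_ENTROPY_HIGH')
            end
          end
          -- Like the delete arm, this leaves the whole event loop.
          break
        end
      end
    end
  end
end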