in ransomware/artifact.lua [3446:3617]
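function Ransomware:TotalIndividualScore(eventData, processData)
    -- Accumulates the per-event ransomware heuristics into eventData.alertScore and
    -- raises one file-alert metric for each heuristic that fires.
    --
    -- eventData:   the file event under evaluation. Read: alertScore, headerMismatch,
    --              previousHeaderMismatch, entropyStatus, previousEntropyStatus,
    --              operation, renameTransition, filePath, filePreviousPath,
    --              filePreviousExtension, fileExtension, multipleExtension,
    --              numAbnormalExtensionCharacters. Written: alertScore.
    -- processData: per-process counters. Read: numHeaderMismatchExtensions,
    --              numEntropyMismatchExtensions. Written: appendedPaths.
    -- Returns nothing; every result is a side effect on the two tables above.
    --
    -- Fixes relative to the previous revision:
    --   * RENAME_ENTROPY_MISMATCH_HIGHEST multiplied the config table itself (the
    --     ['score'] lookup was missing). Unless that table carries a __mul
    --     metamethod, Lua raises "attempt to perform arithmetic on a table value"
    --     there, so the highest-severity rename path aborted the scorer instead of
    --     raising the alert.
    --   * The ENTROPY_MISMATCH_HIGHEST debug line logged numHeaderMismatchExtensions
    --     while the score used numEntropyMismatchExtensions; the log now matches.

    -- One heuristic = log the delta, add it to alertScore, raise the metric, in that
    -- order. `delta` is the fully computed contribution (config score times any
    -- per-process multiplier), so the log and the score can never disagree.
    local function applyScore(metric, delta)
        utils.DebugLog('ALERT_SCORE_CHANGE: ' .. metric .. ': ' .. delta)
        eventData.alertScore = eventData.alertScore + delta
        alert.RaiseFileAlertMetric(eventData, metric)
    end

    if processData.numHeaderMismatchExtensions > 0 then
        utils.DebugLog('processData.numHeaderMismatchExtensions: ' .. processData.numHeaderMismatchExtensions)
    end

    -- Header/extension mismatch, scaled by how many distinct extensions this process
    -- has already mismatched; only counts once the per-process threshold is reached.
    if eventData.headerMismatch then
        if globals.HEADER_MISMATCH_THRESHOLD <= processData.numHeaderMismatchExtensions then
            utils.DebugLog('processData.numHeaderMismatchExtensions: ' .. processData.numHeaderMismatchExtensions)
            applyScore('HEADER_MISMATCH_EXTENSIONS_THRESHOLD_MET',
                globals.config.HEADER_MISMATCH_EXTENSIONS_THRESHOLD_MET['score'] *
                    processData.numHeaderMismatchExtensions)
        end
    elseif eventData.previousHeaderMismatch then
        if globals.HEADER_MISMATCH_THRESHOLD <= processData.numHeaderMismatchExtensions then
            utils.DebugLog('processData.numHeaderMismatchExtensions: ' .. processData.numHeaderMismatchExtensions)
            applyScore('PREVIOUS_HEADER_MISMATCH_EXTENSIONS_THRESHOLD_MET',
                globals.config.PREVIOUS_HEADER_MISMATCH_EXTENSIONS_THRESHOLD_MET['score'] *
                    processData.numHeaderMismatchExtensions)
        end
    end

    -- Entropy heuristics. The two "mismatch" tiers are gated by the per-process
    -- entropy-mismatch threshold and get a bonus when the header also mismatches;
    -- the plain VERY_HIGH tier is ungated and gets a bonus for an unknown extension.
    if globals.ENTROPY_STATUS_MISMATCH_REALLY_HIGH == eventData.entropyStatus then
        if globals.ENTROPY_MISMATCH_THRESHOLD <= processData.numEntropyMismatchExtensions then
            applyScore('ENTROPY_MISMATCH_HIGHEST',
                globals.config.ENTROPY_MISMATCH_HIGHEST['score'] *
                    processData.numEntropyMismatchExtensions)
            if eventData.headerMismatch then
                applyScore('ENTROPY_MISMATCH_HIGHEST_WITH_HEADER_MISMATCH',
                    globals.config.ENTROPY_MISMATCH_HIGHEST_WITH_HEADER_MISMATCH['score'])
            end
        end
    elseif globals.ENTROPY_STATUS_MISMATCH_VERY_HIGH == eventData.entropyStatus then
        if globals.ENTROPY_MISMATCH_THRESHOLD <= processData.numEntropyMismatchExtensions then
            applyScore('ENTROPY_MISMATCH_HIGHER',
                globals.config.ENTROPY_MISMATCH_HIGHER['score'] *
                    processData.numEntropyMismatchExtensions)
            if eventData.headerMismatch then
                applyScore('ENTROPY_MISMATCH_HIGHER_WITH_HEADER_MISMATCH',
                    globals.config.ENTROPY_MISMATCH_HIGHER_WITH_HEADER_MISMATCH['score'])
            end
        end
    elseif globals.ENTROPY_STATUS_VERY_HIGH == eventData.entropyStatus then
        applyScore('ENTROPY_HIGHER', globals.config.ENTROPY_HIGHER['score'])
        if not utils.TableHasKey(globals.extensionMap, eventData.fileExtension) then
            applyScore('ENTROPY_HIGHER_EXTENSION_UNKNOWN',
                globals.config.ENTROPY_HIGHER_EXTENSION_UNKNOWN['score'])
        end
    end

    -- Known ransomware extension. Called with '.' as in the original, so the helper
    -- receives only eventData.
    if self.IsRansomExtension(eventData) then
        applyScore('EXTENSION_BLOCKLIST', globals.config.EXTENSION_BLOCKLIST['score'])
    end

    if globals.FILE_RENAME == eventData.operation then
        -- Rename of a file whose pre-rename content already had mismatched entropy.
        -- Note: unlike the non-rename entropy tiers above, this is not gated by
        -- ENTROPY_MISMATCH_THRESHOLD (kept as in the original).
        if globals.ENTROPY_STATUS_MISMATCH_REALLY_HIGH == eventData.previousEntropyStatus then
            applyScore('RENAME_ENTROPY_MISMATCH_HIGHEST',
                globals.config.RENAME_ENTROPY_MISMATCH_HIGHEST['score'] *
                    processData.numEntropyMismatchExtensions)
        elseif globals.ENTROPY_STATUS_MISMATCH_VERY_HIGH == eventData.previousEntropyStatus then
            applyScore('RENAME_ENTROPY_MISMATCH_HIGHER',
                globals.config.RENAME_ENTROPY_MISMATCH_HIGHER['score'] *
                    processData.numEntropyMismatchExtensions)
        end

        -- Extension transition caused by the rename.
        if globals.KNOWN_TO_SUSPICIOUS == eventData.renameTransition then
            applyScore('RENAME_EXTENSION_KNOWN_TO_BLOCKLIST',
                globals.config.RENAME_EXTENSION_KNOWN_TO_BLOCKLIST['score'])
        elseif globals.KNOWN_TO_UNKNOWN == eventData.renameTransition then
            if eventData.multipleExtension then
                applyScore('RENAME_EXTENSION_KNOWN_TO_UNKNOWN_MULTIPLE',
                    globals.config.RENAME_EXTENSION_KNOWN_TO_UNKNOWN_MULTIPLE['score'])
            else
                applyScore('RENAME_EXTENSION_KNOWN_TO_UNKNOWN',
                    globals.config.RENAME_EXTENSION_KNOWN_TO_UNKNOWN['score'])
            end
            -- Track "appended" renames (old path is a substring of the new path) per
            -- previous extension. The search is plain (4th arg true): file names are
            -- attacker-controlled and must not be interpreted as Lua patterns.
            if string.find(eventData.filePath, eventData.filePreviousPath, nil, true) ~= nil then
                utils.DebugLog('filePreviousPath found in filePath!')
                local prevExt = eventData.filePreviousExtension
                if not utils.TableHasKey(processData.appendedPaths, prevExt) then
                    processData.appendedPaths[prevExt] = 0
                end
                processData.appendedPaths[prevExt] = processData.appendedPaths[prevExt] + 1
                for ext, count in pairs(processData.appendedPaths) do
                    utils.DebugLog(ext .. ' | ' .. count)
                end
            end
        elseif globals.KNOWN_TO_BLANK == eventData.renameTransition then
            applyScore('RENAME_EXTENSION_KNOWN_TO_BLANK',
                globals.config.RENAME_EXTENSION_KNOWN_TO_BLANK['score'])
        elseif globals.UNKNOWN_TO_SUSPICIOUS == eventData.renameTransition then
            applyScore('RENAME_EXTENSION_UNKNOWN_TO_BLOCKLIST',
                globals.config.RENAME_EXTENSION_UNKNOWN_TO_BLOCKLIST['score'])
        elseif globals.UNKNOWN_TO_UNKNOWN == eventData.renameTransition then
            applyScore('RENAME_EXTENSION_UNKNOWN_TO_UNKNOWN',
                globals.config.RENAME_EXTENSION_UNKNOWN_TO_UNKNOWN['score'])
        end
    end

    -- Unusual characters in the extension, scored per character.
    if 0 < eventData.numAbnormalExtensionCharacters then
        applyScore('ABNORMAL_EXTENSION_CHARACTERS',
            globals.config.ABNORMAL_EXTENSION_CHARACTERS['score'] *
                eventData.numAbnormalExtensionCharacters)
    end
end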