in ransomware/artifact.lua [3092:3268]
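--- Score a file event whose name carries more than one extension (e.g. "report.docx.locked").
-- Ransomware typically appends its own extension after the victim's, so every dot-separated
-- segment before the final extension (a "sub-extension") is tallied per process and, when it
-- is a known extension, adds to eventData.alertScore and raises the matching alert metric.
--
-- @param eventData   table; reads fileName, fileExtension, operation, entropyStatus and
--                    currentExtensionData.category; sets multipleExtension and alertScore
-- @param processData table; per-process tallies longExtensions and subExtensions are updated,
--                    deleteExtensions is only read
-- @return nothing
--
-- The known-extension lookup (globals.extensionMap) is case-insensitive, so the per-process
-- tallies and the final-extension comparison use the lower-cased segment as well; otherwise
-- "DOCX" and "docx" would be counted as two distinct sub-extensions and inflate the
-- unique-count threshold below (file extensions are case-insensitive on Windows).
-- NOTE(review): processData.deleteExtensions is populated elsewhere and its key casing is not
-- visible here; it is looked up with the segment exactly as written in the file name.
function Ransomware.AbnormalExtensionCheck(eventData, processData)
    -- Thresholds for the mass-encryption heuristic: more than this many distinct victim
    -- extensions and more than this many files re-created under an unknown extension.
    local UNIQUE_SUB_THRESHOLD = 4
    local TOTAL_SUB_THRESHOLD = 100

    -- Everything after the first dot; nil when the name has no dot at all.
    local longExtension = eventData.fileName:match('%.(.*)')
    -- A single extension is the normal case and is handled by the regular extension checks.
    if longExtension == nil or longExtension == eventData.fileExtension then
        return
    end
    utils.DebugLog('fileExtension: ' .. eventData.fileExtension .. ' | longExtension: ' .. longExtension)
    eventData.multipleExtension = true

    local finalExtension = string.lower(eventData.fileExtension)
    local isCreate = globals.FILE_CREATE_NEW == eventData.operation

    -- Adds the configured score for `metric` and raises the alert metric of the same name.
    local function bump(metric)
        local score = globals.config[metric]['score']
        utils.DebugLog('ALERT_SCORE_CHANGE: ' .. metric .. ': ' .. score)
        eventData.alertScore = eventData.alertScore + score
        alert.RaiseFileAlertMetric(eventData, metric)
    end

    -- Picks the entropy-weighted threshold metric; order matters, highest tier first.
    local function thresholdMetricForEntropy()
        local status = eventData.entropyStatus
        local tier = 'AVERAGE'
        if globals.ENTROPY_STATUS_REALLY_HIGH == status then
            tier = 'HIGHEST'
        elseif globals.ENTROPY_STATUS_VERY_HIGH == status then
            tier = 'HIGHER'
        elseif globals.ENTROPY_STATUS_HIGH == status then
            tier = 'HIGH'
        end
        return 'CREATE_EXTENSION_UNKNOWN_SUBEXTENSION_KNOWN_THRESHOLD_ENTROPY_' .. tier
    end

    for word in string.gmatch(longExtension, '([^%.]+)') do
        utils.DebugLog('WORD FOUND IN LONG EXTENSION: ' .. word)
        local sub = string.lower(word)
        -- The final extension itself is not a sub-extension.
        if sub ~= finalExtension then
            if utils.TableHasKey(processData.longExtensions, sub) then
                processData.longExtensions[sub] = processData.longExtensions[sub] + 1
            else
                processData.longExtensions[sub] = 1
            end

            if utils.TableHasKey(globals.extensionMap, sub) then
                utils.DebugLog('SUBEXTENSION_KNOWN: ' .. word)
                bump('SUBEXTENSION_KNOWN')
                local extensionUnknown = globals.EXTENSION_UNKNOWN == eventData.currentExtensionData.category

                if isCreate and extensionUnknown then
                    -- A known extension buried under an unknown final one on a freshly created
                    -- file is the classic "victim.ext.<ransom-suffix>" shape.
                    utils.DebugLog('CREATE_EXTENSION_UNKNOWN_SUBEXTENSION_KNOWN: ' .. word)
                    bump('CREATE_EXTENSION_UNKNOWN_SUBEXTENSION_KNOWN')
                    if not utils.TableHasKey(processData.subExtensions, sub) then
                        processData.subExtensions[sub] = 0
                        utils.DebugLog('NEW subextension: ' .. word)
                    end
                    processData.subExtensions[sub] = processData.subExtensions[sub] + 1

                    local totalSubs, totalUniqueSubs = 0, 0
                    for _, count in pairs(processData.subExtensions) do
                        totalSubs = totalSubs + count
                        totalUniqueSubs = totalUniqueSubs + 1
                    end
                    utils.DebugLog('Unique sub-extensions: ' .. totalUniqueSubs .. ' | total entries: ' .. totalSubs)
                    -- Many files across several distinct victim extensions: weight by entropy,
                    -- since encrypted output is expected to be high-entropy.
                    if totalUniqueSubs > UNIQUE_SUB_THRESHOLD and totalSubs > TOTAL_SUB_THRESHOLD then
                        utils.DebugLog('ALERT_SCORE_CHANGE #2.1')
                        bump(thresholdMetricForEntropy())
                    end
                    if utils.TableHasKey(processData.deleteExtensions, word) then
                        bump('CREATE_EXTENSION_UNKNOWN_SUBEXTENSION_KNOWN_AND_PREVIOUSLY_DELETED')
                    end
                elseif isCreate then
                    bump('CREATE_EXTENSION_KNOWN_SUBEXTENSION_KNOWN')
                    if utils.TableHasKey(processData.deleteExtensions, word) then
                        bump('CREATE_EXTENSION_KNOWN_SUBEXTENSION_KNOWN_AND_PREVIOUSLY_DELETED')
                    end
                elseif extensionUnknown then
                    bump('SUBEXTENSION_KNOWN_EXTENSION_UNKNOWN')
                end
            elseif utils.TableHasKey(processData.deleteExtensions, word) then
                -- Unknown sub-extension, but this process already deleted files of that
                -- extension: the original was likely removed after being re-written.
                utils.DebugLog('SUBEXTENSION_UNKNOWN_AND_PREVIOUSLY_DELETED' .. word)
                bump('SUBEXTENSION_UNKNOWN_AND_PREVIOUSLY_DELETED')
            end
        end
    end
end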