create_a_purely_technical_test_with_the_malware_testing_suite

Differences

This shows you the differences between two versions of the page.

create_a_purely_technical_test_with_the_malware_testing_suite [2019/01/21 13:09] lucy
create_a_purely_technical_test_with_the_malware_testing_suite [2019/02/08 15:41] lucy
Line 3: Line 3:
 {{ 85.jpg?600 }} {{ 85.jpg?600 }}
  
-==== The idea behind LHCF: testing your defenses ====+==== The idea behind LHFC: testing your defenses ====
  
-You have invested time, effort, and money in defenses. But, how do you know they are working? Unless you are willing to intentionally get owned or you want to introduce a piece of malware into your environment, you need safe and effective ways to test your visibility. This is where LUCY'LHCF comes in place. There are multiple products that may help detect a malware activity. While it can be detected at the host level, you have another chance detecting it at the network level. These devices include, but are not limited to:+You have invested time, effort, and money in defenses. But, how do you know they are working? Unless you are willing to intentionally get owned or you want to introduce a piece of malware into your environment, you need safe and effective ways to test your visibility. This is where LUCY'LHFC comes in place. There are multiple products that may help detect a malware activity. While it can be detected at the host level, you have another chance detecting it at the network level. These devices include, but are not limited to:
  
   * **Firewalls** (unfortunately, the larger the network, the more difficult it can be to track down a host and determine the functionality of the host. Knowing the functionality can be instrumental in determining if the traffic is normal or suspicious)   * **Firewalls** (unfortunately, the larger the network, the more difficult it can be to track down a host and determine the functionality of the host. Knowing the functionality can be instrumental in determining if the traffic is normal or suspicious)
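Review bot: the rename from LHCF to LHFC in this hunk fixes the abbreviation but leaves "This is where LUCY'LHFC comes in place" ungrammatical; suggest "This is where LUCY's LHFC comes into play", and "detect a malware activity" should read "detect malware activity". The sentence "While it can be detected at the host level, you have another chance detecting it at the network level" would be clearer as "Even if it is missed at the host level, you have another chance to detect it at the network level", since the point of the paragraph is layered visibility.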
Line 179: Line 179:
 ===== Malware Testing Templates ===== ===== Malware Testing Templates =====
  
-Beside single checks LHCF is also able to perform tests based on a template (please note that it is not possible to run single checks and a template at the same time). Currently there are two templates implemented which are described in detail.+Beside single checks LHFC is also able to perform tests based on a template (please note that it is not possible to run single checks and a template at the same time). Currently there are two templates implemented which are described in detail.
  
 {{ templateslhcf.png?400 }} {{ templateslhcf.png?400 }}
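Review bot: the abbreviation change in this hunk does not fix the sentence around it: "Beside single checks LHFC is also able to perform tests" should read "Besides single checks, LHFC can also run tests", and the constraint that single checks and a template cannot run at the same time is operationally important enough to stand as its own sentence rather than a parenthetical. The image is still named templateslhcf.png; that is fine as a filename, but note it for a later rename so the old abbreviation does not survive only in asset names.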
Line 205: Line 205:
   * Set an option to leave a copy of data on PC/Share or delete it after running. When the ransomware works with dummy data, it deletes the files right after the creation even if "Delete data" is unchecked. (it should not delete any data when it works with real data). This setting is necessary because the ransomware creates many files with relatively big sizes. By default it creates 1000 files with 512 kb size each, so it will be 0.5 Gb overall.   * Set an option to leave a copy of data on PC/Share or delete it after running. When the ransomware works with dummy data, it deletes the files right after the creation even if "Delete data" is unchecked. (it should not delete any data when it works with real data). This setting is necessary because the ransomware creates many files with relatively big sizes. By default it creates 1000 files with 512 kb size each, so it will be 0.5 Gb overall.
  
-When started the tool will create a separate executable (example: C:\Users\Test\Desktop\2afbaff8-f048-445c-bcf3-05b7d8d33133\rnsmw.exe) which will try to discover local and remote share drives (as an anonymous and an authenticated user). LHCF will then make read/write tests on the discovered dives. If the setting "work with real data" is selected LHCF will search recent docs to get a file list as well. If a write right on a share drives exist, LHCF will place a folder "LUCY RANSOMWARE SIMULATION" there. If no write right exists, LHCF will create a folder locally based on the path specified in the settings. In real data mode LHCF will make a COPY of files which were previously enumerated (the original files will not be touched by tge tool) and then encrypt the COPY and place in that new folder. If you selected "leave data" you can look at the harvested information using the SimpleXorEncrypter.exe. All harvested files can be decypted with the tool. So in order to unencrypt a file you should use this {{:simplexorencrypter.zip|unencrypter}}. It is a command line tool. For example, command "SimpleXorEncrypter.exe -u avdata.txt avdata_unencrypted.txt" will unencrypt the file avdata.txt. +When started the tool will create a separate executable (example: C:\Users\Test\Desktop\2afbaff8-f048-445c-bcf3-05b7d8d33133\rnsmw.exe) which will try to discover local and remote share drives (as an anonymous and an authenticated user). LHFC will then make read/write tests on the discovered dives. If the setting "work with real data" is selected LHFC will search recent docs to get a file list as well. If a write right on a share drives exist, LHFC will place a folder "LUCY RANSOMWARE SIMULATION" there. If no write right exists, LHFC will create a folder locally based on the path specified in the settings. 
In real data mode LHFC will make a COPY of files which were previously enumerated (the original files will not be touched by tge tool) and then encrypt the COPY and place in that new folder. If you selected "leave data" you can look at the harvested information using the SimpleXorEncrypter.exe. All harvested files can be decypted with the tool. So in order to unencrypt a file you should use this {{:simplexorencrypter.zip|unencrypter}}. It is a command line tool. For example, command "SimpleXorEncrypter.exe -u avdata.txt avdata_unencrypted.txt" will unencrypt the file avdata.txt. 
  
 {{ xor.png?600 }} {{ xor.png?600 }}
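Review bot: the new revision carries several typos through unchanged: "dives" should be "drives", "If a write right on a share drives exist" should be "If write access to a share drive exists", "tge tool" should be "the tool", and "decypted" should be "decrypted". More important for readers, the paragraph says the tool will "encrypt the COPY" while the recovery utility is SimpleXorEncrypter; state plainly that the simulation applies a simple XOR transform rather than real encryption, so operators neither assume a key is needed for recovery nor mistake the test for a measure of how defenses handle strong encryption. In the preceding bullet, "(it should not delete any data when it works with real data)" is ambiguous between a guarantee and an expectation; since the tool writes a "LUCY RANSOMWARE SIMULATION" folder on every share where it has write access and creates about 0.5 GB of files, spell out what is guaranteed in real-data mode and add a sentence telling operators to inform share owners beforehand and to remove the folders afterwards when "leave data" was selected.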
create_a_purely_technical_test_with_the_malware_testing_suite.txt · Last modified: 2019/07/25 12:49 by 127.0.0.1