/// <summary>
/// Drives one honeypot file-monitor detection run: asks <c>Logger</c> for the
/// proof-of-concept sample, waits until the fetch is reported complete,
/// configures the helper classes, starts the Procmon backing-file worker on
/// its own thread, records the run through <c>Logger</c>, and then sleeps
/// for 30 seconds.
/// </summary>
/// <remarks>
/// The call order below is the original order; every step is a side effect
/// on helper classes whose implementations are not visible here.
/// </remarks>
public static void honeyPotFileMonDetection()
{
    const int postRequestDelayMs = 1000;
    const int fetchPollIntervalMs = 500;
    const int runWindowMs = 30000;

    Logger.getPoCRansomware();
    Thread.Sleep(postRequestDelayMs);
    Logger.postPoCFetched();

    // Poll until Logger reports the fetch as done. There is no timeout, so
    // this loop blocks for as long as getHasFetched() keeps returning false.
    while (true)
    {
        if (Logger.getHasFetched())
        {
            break;
        }

        Thread.Sleep(fetchPollIntervalMs);
    }

    // Hand the configured paths and names to the helper classes.
    Logger.setRansomwareDownloaderPath(RANSOMWAREDOWNLOADERPATH);
    ActionTaker.setBackingName(BACKINGNAME);
    ActionTaker.setPathToBackingFile(pathToBackingFile);
    ProcMon.setPathToProcMon(ProcMonPath);

    // NOTE(review): ActionTaker was given BACKINGNAME before the 0 is appended,
    // while the worker below reads the field after it. Confirm that the two
    // are meant to see different names.
    BACKINGNAME += 0;

    // The lambda reads the static BACKINGNAME field when the worker runs,
    // not when the thread object is created.
    var backingFileWorker = new Thread(() =>
    {
        ProcMon.createProcmonBackingFile(pathToBackingFile, BACKINGNAME);
    });
    backingFileWorker.Start();

    Console.WriteLine(Logger.getNAMEONTEST());
    Logger.LogWriter(PATH);
    Logger.postPoCTested();
    Logger.postPoCPosted();

    // The worker is never joined; the method simply returns after this wait.
    Thread.Sleep(runWindowMs);
}
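/// <summary>
/// Event handler invoked when a monitored honeypot object changes.
/// Records the event time in a 60-second sliding window and, once the window
/// holds more than <c>thresholdNum</c> events, reports the changed path to
/// <c>ActionTaker.honeypotChange</c>.
/// </summary>
/// <param name="source">The object that raised the event (unused).</param>
/// <param name="e">Event data carrying the changed path and the change type.</param>
/// <remarks>
/// A path that has already been reported is reported again only after more
/// than <c>MONITORTIMEOUT</c> seconds have passed since its last report.
/// NOTE(review): if this handler is wired to a FileSystemWatcher without a
/// SynchronizingObject, events arrive on thread-pool threads and the shared
/// collections used here are not synchronized. Confirm against the caller.
/// </remarks>
private static void OnChanged(object source, FileSystemEventArgs e)
{
    Console.WriteLine("File: " + e.FullPath + " has been " + e.ChangeType);

    DateTime now = DateTime.Now;
    threshold.Add(now);

    // Drop events older than the 60-second window. TotalSeconds is required:
    // TimeSpan.Seconds is only the 0-59 component of the interval, so a
    // comparison against 60 is never true, nothing is ever pruned, and the
    // threshold stays exceeded forever once it has been crossed.
    List<DateTime> expired = new List<DateTime>();
    foreach (DateTime stamp in threshold)
    {
        if (now.Subtract(stamp).TotalSeconds > 60)
        {
            expired.Add(stamp);
        }
    }

    foreach (DateTime stamp in expired)
    {
        threshold.Remove(stamp);
    }

    // Below the detection threshold: nothing to report yet.
    if (threshold.Count <= thresholdNum)
    {
        return;
    }

    Console.WriteLine("Threshold reached. It's killing time");

    // Remember when the first detection of this run happened.
    if (!hasMadeFirstDetection)
    {
        firstDetectionTime = DateTime.Now;
        hasMadeFirstDetection = true;
    }

    if (eventNameAndTime.ContainsKey(e.FullPath))
    {
        Console.WriteLine("File: " + e.FullPath + " has been " + e.ChangeType);

        // Already reported once: report again only after MONITORTIMEOUT seconds.
        if (MONITORTIMEOUT < (DateTime.Now.Subtract((DateTime)eventNameAndTime[e.FullPath])).TotalSeconds)
        {
            Console.WriteLine("Stopping the process f*****g with MY honeypot!");

            // Report it has been changed
            eventNameAndTime[e.FullPath] = DateTime.Now;
            ActionTaker.honeypotChange(e.FullPath);
        }
    }
    else
    {
        Console.WriteLine("File: " + e.FullPath + " has been " + e.ChangeType);
        eventNameAndTime.Add(e.FullPath, DateTime.Now);

        // Report it has been changed
        ActionTaker.honeypotChange(e.FullPath);
    }
}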