        // Drives one honeypot file-monitor proof-of-concept run: has the Logger fetch the PoC
        // ransomware sample, waits until it reports the fetch done, hands the backing-file
        // name/path to ActionTaker and ProcMon, starts ProcMon's backing-file creation on its
        // own thread, then writes the log and calls the Logger's post*() hooks.
        // No parameters, no return value; everything happens through the static collaborators
        // (Logger, ActionTaker, ProcMon) and the static fields read below.
        public static void honeyPotFileMonDetection()
        {
            Logger.getPoCRansomware();

            Thread.Sleep(1000);

            Logger.postPoCFetched();

            // Poll until the Logger reports the sample has been fetched.
            // NOTE(review): there is no upper bound on this wait — if getHasFetched() never
            // becomes true (download failure, network down) the method spins forever.
            // A bounded wait with a failure path would be safer; confirm with the caller.
            while (!Logger.getHasFetched())
            {
                Thread.Sleep(500);
            }

            Logger.setRansomwareDownloaderPath(RANSOMWAREDOWNLOADERPATH);

            // ActionTaker receives BACKINGNAME *before* the suffix is appended below.
            ActionTaker.setBackingName(BACKINGNAME);
            ActionTaker.setPathToBackingFile(pathToBackingFile);

            ProcMon.setPathToProcMon(ProcMonPath);
            // Mutates the shared static: if BACKINGNAME is a string this appends "0" to it
            // (string + int concatenation), so every later reader — and each repeated call of
            // this method — sees a longer name. TODO confirm the suffix is intentional and that
            // ActionTaker is meant to keep the un-suffixed value.
            BACKINGNAME = BACKINGNAME + 0;
            var t = new Thread(() => ProcMon.createProcmonBackingFile(pathToBackingFile, BACKINGNAME));

            t.Start();

            Console.WriteLine(Logger.getNAMEONTEST());
            Logger.LogWriter(PATH);
            Logger.postPoCTested();
            Logger.postPoCPosted();

            // The ProcMon thread is never joined; this fixed 30 s sleep is presumably what keeps
            // the process alive while it works. If createProcmonBackingFile takes longer, the
            // caller returns while the capture is still running — verify against the caller.
            Thread.Sleep(30000);
        }
        // Event handler invoked by the FileSystemWatcher whenever a monitored object is changed.
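        // Sliding-window honeypot change detector. Every change appends a timestamp to
        // `threshold`; timestamps older than 60 s are pruned, and once more than `thresholdNum`
        // changes remain in the window the change is treated as hostile and reported via
        // ActionTaker.honeypotChange. Repeat reports for the same path are rate-limited to one
        // per MONITORTIMEOUT seconds through `eventNameAndTime`.
        //   source - the watcher that raised the event (unused)
        //   e      - change details; only e.FullPath and e.ChangeType are read
        // Side effects: mutates the statics threshold, eventNameAndTime, hasMadeFirstDetection
        // and firstDetectionTime, writes to the console, and may call ActionTaker.honeypotChange.
        // NOTE(review): FileSystemWatcher raises these callbacks on thread-pool threads, so two
        // events can run this body concurrently and race on the shared collections (including
        // "collection was modified" during the foreach below). Confirm the caller serializes
        // events, or guard the statics with a lock.
        // NOTE(review): all timestamps use local DateTime.Now; a DST shift inside the window
        // skews the interval math. DateTime.UtcNow would be safer if nothing else reads the
        // stored values as local time — verify against the other readers of these statics.
        private static void OnChanged(object source, FileSystemEventArgs e)
        {
            Console.WriteLine("File: " + e.FullPath + " has been " + e.ChangeType);

            DateTime now = DateTime.Now;
            threshold.Add(now);

            // Prune timestamps that have fallen out of the 60-second window.
            // FIX: the original compared against TimeSpan.Seconds (the 0-59 seconds *component*),
            // so "60 < Seconds" could never be true and nothing was ever pruned. The window then
            // degraded to a lifetime counter: once thresholdNum+1 changes had ever been seen, every
            // later change — however slow — tripped the detector. TotalSeconds is the elapsed time,
            // which is also what the MONITORTIMEOUT check further down already uses.
            List<DateTime> expired = new List<DateTime>();
            foreach (DateTime stamp in threshold)
            {
                if (now.Subtract(stamp).TotalSeconds > 60)
                {
                    expired.Add(stamp);
                }
            }
            foreach (DateTime stamp in expired)
            {
                threshold.Remove(stamp);
            }

            // Below the rate threshold: nothing to do for this event.
            if (threshold.Count <= thresholdNum)
            {
                return;
            }

            Console.WriteLine("Threshold reached. It's killing time");

            // Record the moment of the first detection for later reporting.
            if (!hasMadeFirstDetection)
            {
                firstDetectionTime    = DateTime.Now;
                hasMadeFirstDetection = true;
            }

            if (eventNameAndTime.ContainsKey(e.FullPath))
            {
                Console.WriteLine("File: " + e.FullPath + " has been " + e.ChangeType);
                // Same path seen before: only re-report once MONITORTIMEOUT seconds have elapsed
                // since the last report, to avoid hammering ActionTaker on a burst of writes.
                if (MONITORTIMEOUT < (DateTime.Now.Subtract((DateTime)eventNameAndTime[e.FullPath])).TotalSeconds)
                {
                    Console.WriteLine("Stopping the process f*****g with MY honeypot!");
                    //Report it has been changed
                    eventNameAndTime[e.FullPath] = DateTime.Now;
                    ActionTaker.honeypotChange(e.FullPath);
                }
            }
            else
            {
                Console.WriteLine("File: " + e.FullPath + " has been " + e.ChangeType);
                // First time this path trips the detector: remember it and report immediately.
                eventNameAndTime.Add(e.FullPath, DateTime.Now);
                //Report it has been changed
                ActionTaker.honeypotChange(e.FullPath);
            }
        }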