Raccine
fibratus
| | Raccine | fibratus |
|---|---|---|
| Mentions | 6 | 46 |
| Stars | 941 | 2,100 |
| Growth | - | - |
| Activity | 3.5 | 9.0 |
| Last Commit | 7 months ago | 4 days ago |
| Language | C++ | Go |
| License | The Unlicense | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Raccine
- Did anyone ever consider monitoring Windows Server VSS snapshot quotas for ransomware purposes?
  Shout out to Raccine https://github.com/Neo23x0/Raccine
- Security Cadence: Ransomware Part 2 - Actions on Objectives
  However, a more useful control would be to detect the process responsible for deleting shadow copies and to kill it. There's a clever little utility for that called Raccine: https://github.com/Neo23x0/Raccine. Just note that if you have some sort of legitimate process that deletes shadow copies, Raccine will not discriminate in killing it. However, if you don't have anything preventing you from doing something like this, you can potentially kill a ransomware infection right at the start with a simple free utility. Neato.
- BullWall Ransomcare
  If you're looking at a ransomware-specific endpoint protection tool, consider Raccine. https://github.com/Neo23x0/Raccine
- Alert for ransomware that bypassed endpoint protection
  Back to your original question, assuming a conventional AD-centric Windows environment, I would recommend starting with AppLocker to whitelist approved apps and a host-based firewall to whitelist approved connections, enable detailed PowerShell logging, monitor for east-west wmic/SMB/RDP connections (monitor at host level and at network level), and use a tool like RITA to detect beaconing activity. Also consider blocking DoH, retaining DNS logs, and if you don't have a well-tuned EDR/XDR and SIEM, deploy Sysmon and use WEF/WEC to centralize logs (SwiftOnSecurity and Olaf Hartong on GitHub have very good starting points for Sysmon configs, and Microsoft's MSLab GitHub repo has a good scenario for testing Sysmon/WEF/WEC with alert recommendations from NSA and Palantir). If you have no centralized logging/analysis/alerting in place AND a managed solution like SecureWorks or a guided deployment of Defender is not realistic, consider starting with Security Onion. If your organization is in a critical infrastructure sector, you should definitely look into the risk and vulnerability assessment and no-cost cyber hygiene services offered by CISA (see https://www.cisa.gov/cyber-resource-hub). Also, have you considered testing/deploying Raccine? https://github.com/Neo23x0/Raccine
- Methodologies for detecting ransomware
  Checking for shadow volume copy deletion and certain other ransomware-specific commands (see, e.g., Raccine, but beware that it is NOT a vaccine but a generic detection method; the name is really just wrong).
fibratus
- Announcing Fibratus 2.0.0
- Announcing Fibratus 1.10.0 - a modern Windows kernel tracing and threat detection engine
  I'm thrilled to announce the availability of Fibratus 1.10.0. This release brings a set of interesting features, such as the YARA function for combining signature- and behavior-based detections, an expanded detection rules catalog, native grammar for sequence rules, etc.
- Fibratus 1.10.0 - a modern Windows kernel tracing and threat detection engine built in Go
  I'm happy to announce the availability of Fibratus 1.10.0. Fibratus aims at providing a high-performance engine for capturing Windows system events and asserting them against a ruleset for the purpose of detecting the adversary kill chain. All rules are built on top of the prominent MITRE security framework.
- Release v1.10.0 · Fibratus
- Announcing fibratus 1.10.0 - a modern Windows kernel tracing and threat detection engine
- Announcing Fibratus 1.8.0 - a modern tool for Windows kernel tracing with a focus on security
- Fibratus - a modern tool for Windows kernel tracing with a focus on threat detection and prevention
  You can check the full changelog here.
- Fibratus: Open-source threat detection and prevention solution
What are some alternatives?
awesome-threat-detection - ✨ A curated list of awesome threat detection and hunting resources 🕵️♂️
androguard - Reverse engineering and pentesting for Android applications
space-cloud - Open source Firebase + Heroku to develop, scale and secure serverless apps on Kubernetes
go-financial - A go port of numpy-financial functions and more.
OpenDiablo2 - An open source re-implementation of Diablo 2
Project-Lightspeed - A self contained OBS -> FTL -> WebRTC live streaming server. Comprised of 3 parts once configured anyone can achieve sub-second OBS to the browser livestreaming
core - Backend server API handling user mgmt, database, storage and real-time component
attack-stix-data - STIX data representing MITRE ATT&CK
lrpc - Simple, lightweight, multi-codec RPC library for Go.
ziti - The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti
golive - ⚡ Live views for GoLang with reactive HTML over WebSockets 🔌
jadx - Dex to Java decompiler