Perhaps you are interested in the Linux, Cisco ... world. If so, you might want to take a look at my new blog. Go have a look if you feel like it. It is still very young and still a bit thin on content, but I'm working on it 😉 Below, my latest published article
------------------------------------------------------------------------------------------------------------------------------------------------------


Ransomware Remediation — How to Create a Honeypot
I wrote this as a response to this thread and it was suggested I create a new post so here goes.

This is how to create a 'honeypot' share that should stop a ransomware infection from spreading across the file server's shares. Please review it and apply it only once you're comfortable doing so.

Requirements

You'll need FSRM (File Server Resource Manager) installed on the file server; it is an incredible tool. Once installed you can get very granular with file screening rules and the actions they trigger. For example, you can set a rule that won't allow an .mp3 file to be saved to a user's home directory and that sends a nasty-gram if they try.

You also need a small file share with a hundred files or so. I made a test page with a PDF printer and copied it 100 times (PS script FTW). I then shared the folder as the 'B:' drive, named it 'DoNotUse', and made it very clear to my users that even looking at this would be bad. The idea is a sacrificial share full of files, mapped to an early drive letter so it sorts before the real shares: when ransomware starts walking the mapped drives and encrypting files, it attacks this share first.

Steps

Install FSRM on the file server

PowerShell (elevated): Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools (likely requires a reboot)

Create your folder with the decoy files, share it, map it to a drive letter via Group Policy, and allow Domain Users Full Control (at both the share and NTFS level, so that ransomware running as any user can write to it)

In FSRM (you can find it under Administrative Tools), under 'File Screen Management' create a File Screen Template, name it something obvious such as "RansomwareHoneypot", and set the screening type to Passive (the write is allowed to succeed, but the notifications configured below still fire)

There is a 'Maintain File Groups' button; click it, then click 'Create' and create your group. Call it 'HoneypotExtensions' and include all file types with the pattern *.*. Save it and verify that it is checked in the previous window.

Now click on the 'Command' tab

Check 'Run this command or script' and browse to: C:\Windows\System32\cmd.exe

In the 'Command arguments' box enter: /c net stop lanmanserver /y (lanmanserver is the Server service that serves every SMB share on the box; /y answers the confirmation prompt for stopping dependent services)

In the 'Command Security' section select Local System

Now create a File Screen: select the Honeypot share's folder as the path and pick your template in the 'Derive properties from this file screen template' dropdown.

That's it. File screens fire on file creation, renaming and saving (not on reads), so as soon as anything writes to a file in the Honeypot the Server service is stopped, which takes every share on that server offline and halts the ransomware before it gets past this share. Two caveats: a legitimate writer (backup agent, antivirus quarantine, indexing) will trip it just the same, so exclude the share from those; and once it has fired an admin must restart the service (net start lanmanserver) after cleaning up, because nothing restarts it for you.
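The whole procedure above, scripted with the FSRM cmdlets that ship with the management tools. This is an added example and not the original poster's script: it assumes a local folder D:\DoNotUse for the decoy share and a seed document C:\Temp\TestPage.pdf to copy 100 times (both hypothetical; adjust to taste). The B: drive mapping is left to Group Policy Preferences as in the post. It also adds an event-log notification next to the command, which is not in the original steps but lets you test the trigger without taking the server down.

```powershell
# Added example, not from the original post: the honeypot built from an
# elevated PowerShell prompt on the file server with the FSRM cmdlets.
# Assumptions (hypothetical): decoy folder D:\DoNotUse, seed document
# C:\Temp\TestPage.pdf. Drive-letter mapping (B:) is done via Group Policy.
#Requires -RunAsAdministrator

$HoneypotPath = 'D:\DoNotUse'          # assumed local folder for the decoy share
$ShareName    = 'DoNotUse'
$SeedFile     = 'C:\Temp\TestPage.pdf'  # assumed seed document copied 100 times

# 1. Install FSRM (File Server Resource Manager), its MMC tools and PowerShell module.
$feature = Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
if ($feature.RestartNeeded -eq 'Yes') { Write-Warning 'Reboot required before continuing.' }
Import-Module FileServerResourceManager

# 2. Create the sacrificial folder and fill it with decoy files.
New-Item -ItemType Directory -Path $HoneypotPath -Force | Out-Null
1..100 | ForEach-Object {
    Copy-Item -Path $SeedFile -Destination (Join-Path $HoneypotPath ('Document_{0:D3}.pdf' -f $_))
}

# Share it and grant Domain Users write access at both the share and NTFS level,
# so ransomware running as any domain user can write to it and trip the screen.
New-SmbShare -Name $ShareName -Path $HoneypotPath -FullAccess 'Domain Users' | Out-Null
icacls $HoneypotPath /grant 'Domain Users:(OI)(CI)M' | Out-Null

# 3. A file group matching every file type, and two notifications:
#    - a Warning in the Application event log ([Source Io Owner], [Source File Path]
#      and [Server] are FSRM's own notification variables), useful for testing;
#    - the command from the post: stop the Server service, run as Local System.
New-FsrmFileGroup -Name 'HoneypotExtensions' -IncludePattern '*.*' | Out-Null

$logIt = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Honeypot tripped: [Source Io Owner] wrote [Source File Path] on [Server]'

$stopSmb = New-FsrmAction -Type Command `
    -Command 'C:\Windows\System32\cmd.exe' `
    -CommandParameters '/c net stop lanmanserver /y' `
    -SecurityLevel LocalSystem

# 4. Passive template: omitting -Active lets the write succeed while the
#    notifications still fire. Add -Active if you also want the write blocked.
New-FsrmFileScreenTemplate -Name 'RansomwareHoneypot' `
    -IncludeGroup 'HoneypotExtensions' `
    -Notification @($logIt, $stopSmb) | Out-Null

# 5. The file screen on the decoy folder, derived from the template.
New-FsrmFileScreen -Path $HoneypotPath -Template 'RansomwareHoneypot' | Out-Null

# Show what was configured before trusting it.
Get-FsrmFileScreen -Path $HoneypotPath | Format-List Path, Active, IncludeGroup, Template
```

To test the trigger safely, first create the template with -Notification $logIt only, write a file into the share from a workstation as an ordinary user, and confirm the Warning appears in the Application log on the server; only then re-create the template with both actions. Running the full script and then writing to the share will stop lanmanserver for real.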

Hope that helps someone.

Categories: Security