Skip to content

t3hbb/CortexCanary

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
CIA_IS_OK.ps1
CIA_IS_OK.ps1
 
 
DirectoryListingComparison.java
DirectoryListingComparison.java
 
 
Honeypot1.ps1
Honeypot1.ps1
 
 
README.md
README.md
 
 

Repository files navigation

CortexCanary

Tooling related to discovery of Cortex XDR canary files.

Cortex XDR Ransomware Protection, Chocolate Teapots and Inflatable Dartboards

Honeypot1.ps1 - Powershell script to search for canary files, determine the Cyvera\Ransomware folder location a display all of the files.

CIA_IS_OK.ps1 - Powershell script that does the same as Honeypot1 but also tests against a directory to see which files can be safely encrypted. This has been neutered in the script but if you comment out a few lines it will XOR the files with 0xBB. You may want to add a small delay to avoid behavioural detection when smashing loads of files.

DirectoryComparison.java - Java script to show the difference between what Java and CMD see for directory contents

Issue was reported to Palo Alto but it was deemed a non issue as the Confidentiality, Integrity and Availibility of the agent was not impacted.

image

CIA is OK :/

image

Code is pretty rough, it is just a prototype POC - please run the CIA_IS_OK with $ErrorActionPreference = 'SilentlyContinue'

[TODO] - add blog post links.

About

Tooling related to discovery of Cortex XDR canary files to avoid

Resources

Readme
Activity

Stars

5 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages