published 1970-01-01 00:00

updated 1970-01-01 00:00

Use a honeypot file to detect active ransomware and dump the process in hopes of finding the key, packaged with InnoSetup


Honeypot file touched/modified -> Sysmon event rule (modified to include pid as argument) -> Task scheduler -> Python process dump


Task scheduler is triggered from any Event11 Sysmon rule currently, needs to be specific to ransomware triggers

* need to add a name to the rule, and then filter in python to only trigger on that rule name

Package with InnoScript