Stackhackr allows IT and security pros to test their endpoint security by creating a mock piece of malware that simulates real malware behavior.
This attack simulates behavior exhibited by a wide variety of prominent ransomware variants, including Locky, Dharma, and Spora. As part of the infection process, ransomware will often delete shadow volume copies: the Volume Shadow Copy Service snapshots that Windows can take of files even while those files are in use. By deleting shadow volume copies, ransomware authors prevent victims from using them to recover encrypted files without paying.
To simulate suspicious shadow volume deletion, the mock ransomware you make with stackhackr creates a script hidden in your temp directory. That script then launches an executable to simulate the shadow volume deletion.
Your endpoint security should be able to look at that chain (a script dropped in a temp directory spawning a process that deletes shadow copies), recognize it as a suspicious sequence of behaviors rather than judging each step in isolation, and block it.
Note: To keep this test safe, no shadow volume copies are actually deleted and no files are encrypted.
On Windows machines, the Local Security Authority Subsystem Service (lsass.exe) holds credential material in memory so users in active Windows sessions don't have to keep re-entering credentials to access network resources. That unfortunately makes it a popular target for attackers using credential-stealing tools like Mimikatz, which read that material out of the LSASS process.
To keep this test safe, the mock malware created with stackhackr simply simulates accessing the credentials stored in LSASS without actually looking at them.
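Detection logic for the two behavior chains described above (a script in a temp directory that spawns a shadow copy deletion, and a process opening LSASS for reading), as an added example that is not stackhackr's or Barkly's code. It runs over constructed Sysmon-style process-creation (Event ID 1) and process-access (Event ID 10) records; the command-line patterns, the access-mask bits and the allow-list entry are assumptions drawn from common practice, and the sample events are made up for this example.

```python
"""Flag shadow copy deletion chains and LSASS memory reads in Sysmon-style events.
Added example; sample events, patterns and allow-list are constructed assumptions."""
import re

# Script hosts that commonly run a dropped script, and the script extensions to look for.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
SCRIPT_EXTS = (".vbs", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".hta")
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Command lines ransomware families use to destroy shadow copies and recovery options.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\(", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
]

# Sysmon Event ID 10 GrantedAccess bits that matter for credential dumping.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF
# Assumed allow-list of legitimate LSASS readers; tune per environment (AV/EDR agents).
LSASS_READERS_ALLOWED = {"c:\\windows\\system32\\msmpeng.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def in_temp_dir(path):
    return any(d in path.lower() for d in TEMP_DIRS)

def references_temp_script(cmdline):
    """True if any argument names a script file located in a temp directory."""
    for tok in re.findall(r'"[^"]+"|\S+', cmdline):
        tok = tok.strip('"').lower()
        if tok.endswith(SCRIPT_EXTS) and in_temp_dir(tok):
            return True
    return False

def shadow_deletion_cmd(cmdline):
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)

def detect_shadow_deletion_chain(events):
    """Return every shadow-deletion process creation; severity is 'high' when the
    parent is a script host running a script from a temp directory (the chain above)."""
    hits = []
    for e in events:
        if e.get("EventID") != 1 or not shadow_deletion_cmd(e["CommandLine"]):
            continue
        staged = (basename(e["ParentImage"]) in SCRIPT_HOSTS
                  and references_temp_script(e["ParentCommandLine"]))
        hits.append({"pid": e["ProcessId"], "cmd": e["CommandLine"],
                     "severity": "high" if staged else "medium"})
    return hits

def detect_lsass_access(events):
    """Return process-access events where a non-allow-listed process obtained a
    handle to lsass.exe with read access (what credential dumpers need)."""
    hits = []
    for e in events:
        if e.get("EventID") != 10 or basename(e["TargetImage"]) != "lsass.exe":
            continue
        if e["SourceImage"].lower() in LSASS_READERS_ALLOWED:
            continue
        mask = int(e["GrantedAccess"], 16)
        if mask & PROCESS_VM_READ or mask == PROCESS_ALL_ACCESS:
            hits.append({"source": e["SourceImage"], "granted": hex(mask)})
    return hits

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\upd.vbs"'},
    {"EventID": 1, "ProcessId": 5200, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe"},
    {"EventID": 1, "ProcessId": 6010, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": "cmd.exe /c backup_cleanup.bat"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for hit in detect_shadow_deletion_chain(SAMPLE_EVENTS):
        print("shadow deletion:", hit)
    for hit in detect_lsass_access(SAMPLE_EVENTS):
        print("lsass read:", hit)
```

Against the sample events the first rule fires twice, once at high severity for the vssadmin call staged from a temp-directory .vbs and once at medium for the unstaged wmic call, while the plain "list shadows" is ignored. The LSASS rule fires only for the temp-directory binary that obtained PROCESS_VM_READ; the allow-listed antivirus engine and the handle without read access are skipped. Whether the stackhackr simulation itself requests read access to LSASS is not stated on this page, so treat the mask check as a starting point and tune it against the tool's actual behavior.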
There are multiple tests available to determine whether your antivirus is up-to-date with the latest virus signatures, but few that allow you to test your endpoint protection against simulated malicious behavior.
That’s important to do because most of today’s malware can be repacked or modified to evade file-scanning tools. In fact, many modern attacks avoid file-based infection altogether by:
To prevent these fileless attacks from succeeding, security tools need to be able to identify and block malicious behavior during runtime.
If your current security can’t block the behaviors simulated in these tests, real attacks that use the same techniques are likely to succeed against it.
See how Barkly’s Runtime Malware Defense blocks ransomware, exploits, fileless malware, and other advanced attacks before any damage is done.