This tool does an excellent job of enumerating shares, permissions, and directory listings. Using that information it seems there might be an opportunity to explore what a "Ransomware Blast Radius" could be.
I started something like this a few years back: https://github.com/securekomodo/RansomwareSimulator but not nearly the sophistication level of this utility's enumeration. Essentially just need to identify how many files are writable by the given account the script is running as, count of them, organize by types (xls, ppt, etc.), sum of the size of all writable files, and number of systems that would be impacted. This might be a good additional bonus report to add as it seems the data is already collected for this.
Thoughts?
I think that is a really cool idea. Below are my initial thoughts, but I'll noodle on it some more and try to follow up.
| Ask | Response |
| --- | --- |
| Identify writable files on shares available to domain user executing script | I really do like the idea of pulling full recursive file listings with their associated metadata, but when testing that in large environments I've seen it dramatically increase the collection time (which is why I didn't initially include it in the released PoC). For example, something that takes 10 min normally can take 2 hours depending on the number of files/recursion levels etc. I think I just need to come up with a more efficient way of pulling the list. I'll play around and circle back. |
| Count of writable files | Should be easy once collection is modified. |
| Count of writable files by extension and size | Should be easy once collection is modified. Assuming this is to identify likely password and data leakage. |
| Determine number of affected shares | Should be easy once collection is modified. |
| Determine number of affected systems | Should be easy once collection is modified. |
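
The report requested in this thread, sketched as an added example (not code from the tool or from either poster): it aggregates an already-collected file inventory into the writable-file count, per-extension counts and sizes, and the affected shares and systems. The CSV columns (`ComputerName`, `ShareName`, `FilePath`, `SizeBytes`, `Writable`) and the sample rows are constructed assumptions, not the tool's export format.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample inventory; column names are assumptions for this example.
SAMPLE_CSV = r"""ComputerName,ShareName,FilePath,SizeBytes,Writable
FS01,Finance,\\FS01\Finance\budget.XLS,20480,True
FS01,Finance,\\FS01\Finance\q3\forecast.xls,10240,True
FS01,Finance,\\FS01\Finance\policy.pdf,4096,False
fs01,HR,\\fs01\HR\deck.ppt,51200,True
FS02,Public,\\FS02\Public\README,512,True
FS02,Public,\\FS02\Public\archive.zip,1048576,False
FS03,Apps,\\FS03\Apps\setup.exe,2048,False
"""


def load_inventory(text):
    """Parse the inventory CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def blast_radius(rows):
    """Summarise the files the scanning account can write to."""
    by_ext = defaultdict(lambda: {"count": 0, "bytes": 0})
    shares, systems = set(), set()
    for row in rows:
        if row["Writable"].strip().lower() != "true":
            continue  # read-only entries are outside the blast radius
        # Host and share names are case-insensitive on Windows; normalise them.
        host = row["ComputerName"].strip().upper()
        share = row["ShareName"].strip().upper()
        # Files without an extension are grouped under "(none)".
        ext = PureWindowsPath(row["FilePath"]).suffix.lower().lstrip(".") or "(none)"
        by_ext[ext]["count"] += 1
        by_ext[ext]["bytes"] += int(row["SizeBytes"])
        systems.add(host)
        shares.add((host, share))
    return {
        "writable_files": sum(e["count"] for e in by_ext.values()),
        "writable_bytes": sum(e["bytes"] for e in by_ext.values()),
        "by_extension": dict(by_ext),
        "affected_shares": len(shares),
        "affected_systems": len(systems),
    }


if __name__ == "__main__":
    for key, value in blast_radius(load_inventory(SAMPLE_CSV)).items():
        print(f"{key}: {value}")
```

Comparing `affected_shares` and `affected_systems` against the totals in the full inventory gives the proportion of the environment exposed to a single account.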