Malware Simulator
Every so often a new malware flavor appears that causes real impact and takes businesses down. Ransomware is the kind we hear about most often, since it can cause a lot of damage ($$) by encrypting large numbers of files on the local system and/or on network shares.
About a year ago I wrote an article (below) on a different approach to reducing the attack surface (File Integrity and Least Privilege), where I produced evidence of how much larger the attack surface is when users run with local admin rights instead of as standard users and get hit by one of the ransomware flavors I analyzed at the time (Cerberos, Kryptolocker, and others).
But what happens when different types of users get hit by a ransomware family that is written tomorrow or in a couple of months, whose behavior we cannot know in advance? And how do you measure your own attack surface when your environment has a custom security baseline or its own sets of permissions?
Another question that came to me is: how can you tell that users are not receiving more access than they need? For instance, say you hire a new employee and create a new user account for them in Active Directory. So far this user is only a member of the "Authenticated Users" security group (plus, by default, "Domain Users"). Which resources in your network can this user read or write just by being a member of "Authenticated Users"? And what about users who are members of other security groups?
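One way to answer that question without logging in as the new account is a static review of the folder DACLs. The PowerShell below is an added example written for this post, not part of the Malware Simulator tool: it walks the given roots and reports every folder where a broad, built-in principal (Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE) holds a write-type right. The function name and the principal list are my own assumptions; add your own wide groups (for instance "CONTOSO\Domain Users") to the list.

```powershell
<#
Added example, not part of the original post: a static ACL review that answers
"what can an account that is only a member of Authenticated Users write to?"
without logging in as that account. It walks the given roots and reports every
folder whose DACL grants a write-type right to a broad, built-in principal.
The function name and the principal list are my own assumptions.
#>
function Find-BroadWriteAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Root,
        # Principals that almost every domain account carries in its token
        [string[]] $BroadPrincipal = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                                       'BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE')
    )
    # Any one of these bits lets a process running as the user add, change or
    # remove files; Modify and FullControl contain them, so they match too.
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $writeMask = $fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
                 $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::WriteDacl -bor $fsr::WriteOwner

    foreach ($r in $Root) {
        # The root itself plus every sub-folder we are allowed to list
        $dirs = @(Get-Item -LiteralPath $r -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $r -Directory -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($d in $dirs) {
            # Folders whose DACL we are not allowed to read are skipped, not reported
            try { $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction Stop } catch { continue }

            # An explicit Deny ACE for the same principal overrides Allow. Real access
            # checks are per-bit and token-based, so treat the output as a triage
            # list, not a verdict.
            $deny = @{}
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Deny') { $deny[$ace.IdentityReference.Value] = $true }
            }
            foreach ($ace in $acl.Access) {
                $who = $ace.IdentityReference.Value
                if ($ace.AccessControlType -ne 'Allow' -or $BroadPrincipal -notcontains $who -or $deny[$who]) { continue }
                # ACEs carrying generic rights show up as large negative numbers and are
                # not decoded here; they are a finding of their own if you see them.
                if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
                [pscustomobject]@{
                    Folder    = $d.FullName
                    Principal = $who
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage:
# Find-BroadWriteAccess -Root 'C:\ProgramData','C:\Program Files' | Format-Table -AutoSize
# Find-BroadWriteAccess -Root '\\fileserver\public' | Export-Csv broad-write.csv -NoTypeInformation
```

Expect hits even on a default install (for example, BUILTIN\Users can create folders under C:\). The list is only as good as the DACLs: it does not see share-level permissions on a UNC path, and it cannot tell you what a specific account's full token (nested groups, Deny ACEs on other principals) resolves to. For that you still need to test as the account itself.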
While there are commercial tools that assist with permission entitlement across your infrastructure, such as BeyondTrust Privilege Explorer for File System, I thought it would be cool to have a tool that simulates a malware infection on the local system or across the network and, instead of asking for money like ransomware, simply produces a report of every accessible area that was "infected" by the simulation. With that in mind I developed a tool I'm calling the "Malware Simulator". It creates and then deletes a file called MalwareSimulator.txt in every accessible folder (on the local system or on the network, depending on your selection).
By default it creates an evidence file called MalwareSimulator.txt and deletes it right afterward. Although you should not see any change in your network shares or on your local system, you will see a "Vulnerable folder found" message in the log file for each folder the file could be written to.
If you run the tool in "evidence" mode, an evidence file called Malware_Simulator.txt is left behind in every accessible folder.
At the end of the run it prints a summary with the total number of vulnerable and protected folders and their respective percentages.
It also writes a log file with every action taken, for deeper review: MalwareSimulatorLocalSystem.LOG when invoked with the -localsystem parameter, or MalwareSimulatorNetwork.LOG when invoked with the -network parameter.
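To make the mechanism concrete, here is a minimal write probe in PowerShell that does what the description above says. It is an added example written for this post, not the author's MalwareSimulator.exe: each folder under the given roots gets a small file created in it; success means the running account can drop or overwrite files there ("vulnerable"), failure means "protected". It supports an -Evidence switch that leaves the file behind, writes a log with a "Vulnerable folder found" line per hit, and returns the totals and percentages. The function, parameter and log-file names are my own assumptions.

```powershell
<#
Added example, not the author's MalwareSimulator.exe: a minimal write probe
in PowerShell. Each folder under the given roots gets a small file created in
it; success means the running account can drop or overwrite files there
("vulnerable"), failure means "protected".
Function, parameter and log names are my own assumptions.
#>
function Invoke-WriteProbe {
    [CmdletBinding()]
    param(
        # Local roots (e.g. 'C:\') or UNC shares (e.g. '\\fileserver\public')
        [Parameter(Mandatory)] [string[]] $Root,
        # Leave the probe file behind, like the tool's "evidence" mode
        [switch] $Evidence,
        [string] $ProbeName = 'MalwareSimulator.txt',
        [string] $LogPath = (Join-Path $PWD 'WriteProbe.LOG')
    )

    $vulnerable = New-Object System.Collections.Generic.List[string]
    $protected  = New-Object System.Collections.Generic.List[string]
    $log        = New-Object System.Collections.Generic.List[string]
    $log.Add("$(Get-Date -Format o) probe started as $env:USERDOMAIN\$env:USERNAME")

    foreach ($r in $Root) {
        # The root itself plus every sub-folder we are allowed to list. Folders we
        # cannot even enumerate never show up and are therefore not counted.
        # Reparse points (junctions, symlinks) are skipped so the same target is
        # not probed twice.
        $dirs = @(Get-Item -LiteralPath $r -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $r -Directory -Recurse -Force -ErrorAction SilentlyContinue |
                  Where-Object { ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -eq 0 })
        foreach ($d in $dirs) {
            $target = Join-Path $d.FullName $ProbeName
            try {
                # OpenOrCreate so a file left by an earlier -Evidence run does not
                # turn a writable folder into a false "protected"
                $fs = [IO.File]::Open($target, [IO.FileMode]::OpenOrCreate,
                                      [IO.FileAccess]::Write, [IO.FileShare]::None)
                $bytes = [Text.Encoding]::ASCII.GetBytes("write probe $(Get-Date -Format o)`r`n")
                $fs.Write($bytes, 0, $bytes.Length)
                $fs.Dispose()
            } catch {
                # UnauthorizedAccessException (ACL), IOException (read-only media, path too long), ...
                $protected.Add($d.FullName)
                $log.Add("Protected folder: $($d.FullName) [$($_.Exception.GetType().Name)]")
                continue
            }
            $vulnerable.Add($d.FullName)
            $log.Add("Vulnerable folder found: $($d.FullName)")
            if (-not $Evidence) {
                # A folder can allow creating files but not deleting them; that is still
                # writable, so the failure is logged but the verdict stays "vulnerable".
                try { Remove-Item -LiteralPath $target -Force -ErrorAction Stop }
                catch { $log.Add("Warning: could not remove $target, clean up manually") }
            }
        }
    }

    $total = $vulnerable.Count + $protected.Count
    $pct   = if ($total) { [math]::Round(100 * $vulnerable.Count / $total, 1) } else { 0 }
    $log.Add("Summary: $($vulnerable.Count) vulnerable ($pct%), $($protected.Count) protected ($(100 - $pct)%), $total folders probed")
    $log | Set-Content -LiteralPath $LogPath
    [pscustomobject]@{
        Vulnerable        = $vulnerable
        Protected         = $protected
        VulnerablePercent = $pct
        ProtectedPercent  = 100 - $pct
        Log               = $LogPath
    }
}

# Usage (run as the account whose exposure you want to measure, not as an admin):
# Invoke-WriteProbe -Root 'C:\'                                                # local system
# Invoke-WriteProbe -Root '\\fileserver\public','\\fileserver\dept' -Evidence  # network shares
```

The result reflects the effective token of the account running the probe, including every group it belongs to, so run it as the persona you want to measure: a fresh domain user for the "Authenticated Users only" question, or a member of a particular group for that group's exposure. Two things it deliberately does not measure are folders the account cannot list at all (they are invisible rather than counted as protected) and the ability to modify existing files in a folder that denies file creation, which a real ransomware would still exploit.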
The Malware Simulator is a portable executable (it does NOT require installation or admin rights to run). Just download the Malware Simulator folder from my GitHub repository and run MalwareSimulator.exe -h to see the available parameters. Because the results reflect the permissions of the account running it, run it as the user persona you want to measure rather than as an administrator.
Note: IMHO, the way most permissions are set on Windows today is too coarse and weak for the current threat level. Instead of just specifying that the user "Jeff" has access to the folder "C:\Reports" (the two-persona approach: user and resource), I really believe we would get better results with a three-persona approach, for instance: the user "Jeff" has access to the folder "C:\Reports" only through the application "Adobe and Winword". This is entirely possible today (on the local system) using commercial tools such as PowerBroker for Windows. Hopefully the Malware Simulator can at least give IT admins visibility into weak areas on the local system that rely on the two-persona approach, and into open shares on the network.
Demonstration video:
Download Malware Simulator here.
Note: I would love your feedback! Please spend a minute to leave a comment if you tried this tool and whether it was useful for you. Also feel free to suggest any enhancement that could be beneficial for the "Malware Simulator" tool. Thank you!
Seems like a nifty little tool for some basic auditing. Thanks a lot!
Thank you!
Password on file?
Cool. "User through Application" security is an excellent idea to employ. You could write a driver / kernel-mode svchost extension DLL to hook the API at kernel level (NTxxx's and Zwxxx's) and just RtlRaiseException an unfatal-yet-fatal exception every time a call up-traces into a restricted [SID, PROCESS] pair, with it being AND/OR for pairing of course. Implement your own API in your kernel code for the user-mode side of this idea to work; otherwise the bypass will get written much quicker. Heh, hook 'em Horns!
This seems useful. Thanks!