Skip to content
/ purrsom-watch Public

Ransomware detection service with Windows event logging for SIEM Integration

License

MIT license
4 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

buu-huu/purrsom-watch

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

110 Commits
.github/workflows
.github/workflows
 
 
.run
.run
 
 
cmd
cmd
 
 
configs
configs
 
 
data/decoy
data/decoy
 
 
docs
docs
 
 
internal
internal
 
 
pkg/util
pkg/util
 
 
scripts
scripts
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

🐱 PurrsomWatch: Early Ransomware Detection for Windows

Welcome to PurrsomWatch, a Golang-based software designed to detect ransomware activity on your Windows systems by using decoy files and advanced logging techniques. This project aims to provide early detection of ransomware attacks, allowing cybersecurity teams to take immediate action.

Disclaimer

This repository is work in progress. Development is ongoing but will take some time. Releases will be made and tagged, when a certain set of features is implemented and tested.

Since development is in a very early stage and architecture changes a lot, the Readme and build scripts may NOT be up-to-date.

📜 Table of Contents

🌟 Features

  • Decoy File Detection: Places a decoy file in specified directories to detect ransomware activity.
  • Event Logging: Logs ransomware detection events into the Windows Event Log with custom logs for easy SIEM integration.
  • Real-Time Monitoring: Monitors decoy files for read and modification (encryption) activities.
  • Future Enhancements: Planned entropy-based detection to enhance ransomware detection capabilities.

🛠️ Installation

To install PurrsomWatch, follow these steps:

  1. Clone the repository:

    git clone https://github.com/buu-huu/purrsom-watch.git
cd purrsom-watch/cmd/watch/

  2. Build the project:

    go build -o purrsomwatch.exe

  3. Run the executable:

    ./purrsomwatch.exe <CONFIG_FILE>

🚀 Usage

Edit the configuration file to specify directories to monitor. The provided config file template gets updated continuously.

{
  "purrEngine": {
    "purrInterval": "10",
    "decoyFile": {
      "fileName": "purrguard",
      "fileExtension": "docx",
      "location": {
        "fileDir": "%userdir%/Documents/purr",
        "username": "user"
      }
    }
  },
  "winEventProvider": {
    "eventId": "7700"
  }
}

PurrsomWatch will begin monitoring the specified directories and log any ransomware activity detected.

🛤️ Roadmap

  • Windows Event Logging: Add custom windows event logging for SIEM based use cases
  • Entropy-Based Detection: Implement entropy-based detection for enhanced ransomware identification.
  • Improved Logging: Add more detailed logging and reporting features.
  • User Interface: Optional windows systray icon with notification system.

🤝 Contributing

Contributions from the community are appreciated! If you have ideas for improvements or want to help with development, please fork the repository and submit a pull request or open an issue.

📄 License

This project is licensed under the MIT License. See the LICENSE file for details.

For any questions or support, please open an issue.

Stay safe and secure! 🛡️

About

Ransomware detection service with Windows event logging for SIEM Integration

Resources

Readme

License

MIT license
Activity

Stars

4 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Languages