Published Paper Details:

This study has been undertaken to investigate a real time threat detection and response to a ransomware attack. For this, two different virtual machines i.e. Linux and Windows are setup, in which Linux will be an attacker and Windows will be the victim. In this paper, the victim will be able to detect the threat posed by the attacker and also respond to the attack by blocking it. The Sliver C2 payload will be delivered through SSH client on Linux VM towards Windows VM. On Windows VM, Lima Charlie EDR (Endpoint Detection & Response) software tool is used for log monitoring, threat detection and threat response. Then, Volume Shadow Copier software is employed to retrieve the system from the attack. This paper is divided into multiple modules in order to increase efficiency of execution of the attack. Firstly, organize all the tools and software's required for this setup. In the next module, the advanced Log monitoring is performed to detect any anomaly which is helpful to detect the threats. Then in the final module, the threat response is performed by blocking the attack after detecting it in the earlier module. For blocking an attack, craft a D&R rule to respond to the adversarial attack. So, in a ransomware attack the first criteria is that the Volume Shadow Copies will have to be deleted. This event will trigger the D&R rule due to which the attack will be blocked, and the ransomware payload will be terminated in this case.