creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 14:44:58 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/implementing-ransomware-kill-switch-detection/SKILL.md
T
mukul975 efca3ec611 feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills 
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.

All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
2026-04-06 11:17:40 +02:00

220 lines
9.1 KiB
Markdown
Raw Blame History

---
name: implementing-ransomware-kill-switch-detection
description: 'Detects and exploits ransomware kill switch mechanisms including mutex-based execution guards, domain-based
kill switches, and registry-based termination checks. Implements proactive mutex vaccination and kill switch domain monitoring
to prevent ransomware from executing. Activates for requests involving ransomware kill switch analysis, mutex vaccination,
WannaCry-style domain kill switches, or malware execution guard detection.
'
domain: cybersecurity
subdomain: ransomware-defense
tags:
- ransomware
- kill-switch
- mutex
- detection
- WannaCry
- malware-analysis
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- PR.DS-11
- RS.MA-01
- RC.RP-01
- PR.IR-01
---
# Implementing Ransomware Kill Switch Detection
## When to Use
- Analyzing a ransomware sample to determine if it contains a kill switch mechanism (mutex, domain, registry)
- Deploying proactive mutex vaccination across endpoints to prevent known ransomware families from executing
- Monitoring DNS for kill switch domain lookups that indicate ransomware attempting to check before encrypting
- During incident response to quickly determine if a ransomware variant can be stopped by activating its kill switch
- Building detection signatures for ransomware mutex creation events using Sysmon or EDR telemetry
**Do not use** kill switch vaccination as a primary defense. Not all ransomware families implement kill switches, and those that do may remove them in newer versions. This is a supplementary detection and prevention layer.
## Prerequisites
- Python 3.8+ with `ctypes` (Windows) for mutex creation and enumeration
- Sysmon installed with Event ID 1 (process creation) and Event ID 17/18 (pipe/mutex events) configured
- Access to malware analysis sandbox for identifying kill switch mechanisms in samples
- DNS monitoring capability for detecting kill switch domain resolution attempts
- Familiarity with Windows internals: mutexes (mutants), kernel objects, named pipes
- Reference database of known ransomware mutexes (github.com/albertzsigovits/malware-mutex)
## Workflow
### Step 1: Identify Kill Switch Mechanisms in Ransomware
Analyze samples for common kill switch patterns:
```
Kill Switch Types Found in Ransomware:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. MUTEX-BASED (most common):
- Ransomware creates a named mutex at startup
- If mutex already exists → another instance is running → exit
- Defense: Pre-create the mutex to prevent execution
- Examples:
WannaCry: Global\MsWinZonesCacheCounterMutexA
Conti: kasKDJSAFJauisiudUASIIQWUA82
REvil: Global\{GUID-based-on-machine}
Ryuk: Global\YOURPRODUCT_MUTEX
2. DOMAIN-BASED:
- Ransomware resolves a hardcoded domain before executing
- If domain resolves → security sandbox detected → exit
- Defense: Register/sinkhole the domain to activate kill switch
- Examples:
WannaCry v1: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
WannaCry v1: fferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
3. REGISTRY-BASED:
- Check for specific registry key/value before executing
- If key exists → exit (anti-analysis or kill switch)
- Defense: Create the registry key proactively
4. FILE-BASED:
- Check for existence of specific file or directory
- If marker file exists → exit
- Defense: Create the marker file on all endpoints
5. LANGUAGE-BASED:
- Check system language/keyboard layout
- Exit if Russian/CIS country keyboard detected
- Common in Eastern European ransomware groups
```
### Step 2: Deploy Mutex Vaccination
Pre-create known ransomware mutexes on endpoints to prevent execution:
```python
# Windows mutex vaccination using ctypes
import ctypes
from ctypes import wintypes
kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
def create_mutex(name):
"""Create a named mutex to vaccinate against ransomware."""
handle = kernel32.CreateMutexW(None, False, name)
error = ctypes.get_last_error()
if handle == 0:
return False, f"Failed to create mutex: error {error}"
if error == 183: # ERROR_ALREADY_EXISTS
return True, f"Mutex already exists (already vaccinated): {name}"
return True, f"Mutex created successfully: {name}"
KNOWN_RANSOMWARE_MUTEXES = [
"Global\\MsWinZonesCacheCounterMutexA", # WannaCry
"Global\\kasKDJSAFJauisiudUASIIQWUA82", # Conti
"Global\\YOURPRODUCT_MUTEX", # Ryuk variant
"Global\\JhbGjhBsSQjz", # Maze
"Global\\sdjfhksjdhfsd", # Generic ransomware
]
```
### Step 3: Monitor for Mutex Creation Events
Use Sysmon to detect when ransomware creates its characteristic mutexes:
```xml
<!-- Sysmon configuration for mutex monitoring -->
<Sysmon schemaversion="4.90">
<EventFiltering>
<!-- Event ID 1: Process creation with mutex indicators -->
<ProcessCreate onmatch="include">
<CommandLine condition="contains">mutex</CommandLine>
<CommandLine condition="contains">CreateMutex</CommandLine>
</ProcessCreate>
</EventFiltering>
</Sysmon>
```
```
Detection via Event Logs:
━━━━━━━━━━━━━━━━━━━━━━━━
Windows Security Log:
Event ID 4688: Process creation (enable command line logging)
Sysmon:
Event ID 1: Process create (includes command line and hashes)
Event ID 17: Pipe created (named pipes, similar to mutexes)
PowerShell detection:
Event ID 4104: Script block logging (detect mutex creation in scripts)
Velociraptor artifact:
Windows.Detection.Mutants - Enumerates all named mutant objects
```
### Step 4: Monitor DNS for Kill Switch Domains
Detect ransomware domain-based kill switch resolution attempts:
```
DNS Monitoring for Kill Switch Domains:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Monitor DNS queries for known kill switch domains
2. High-entropy domain names (>4.0 entropy in domain label) may indicate
ransomware kill switch domains or DGA-generated C2 domains
3. Queries to newly registered domains from endpoints that typically
only access well-established domains
Indicators:
- Domain with no prior resolution history
- Domain registered in last 24-72 hours
- High character entropy in domain name
- Resolution attempt followed by either mass encryption (kill switch failed)
or process termination (kill switch activated)
```
### Step 5: Enumerate Active Mutexes for Incident Response
During an active incident, scan endpoints for ransomware-associated mutexes:
```powershell
# PowerShell: List all named mutant objects using Sysinternals Handle
# handle.exe -a -p <PID> | findstr "Mutant"
# Velociraptor query for mutex hunting:
# SELECT * FROM glob(globs="\\BaseNamedObjects\\*") WHERE Name =~ "mutex_pattern"
# Python-based enumeration (requires pywin32):
# import win32event
# handle = win32event.OpenMutex(0x00100000, False, "Global\\MutexName")
```
## Verification
- Verify mutex vaccination by attempting to create the same mutex (should get ERROR_ALREADY_EXISTS)
- Test that vaccinated mutexes survive system reboot (they do not; re-apply at startup via scheduled task)
- Confirm DNS monitoring detects test queries for known kill switch domains
- Validate Sysmon event generation for mutex creation by running a test script
- Check that vaccination does not interfere with legitimate applications using similar mutex names
- Test against actual ransomware samples in an isolated sandbox to confirm kill switch activation
## Key Concepts
| Term | Definition |
|------|------------|
| **Mutex (Mutant)** | A Windows kernel synchronization object used to ensure only one instance of a program runs; ransomware uses named mutexes to prevent re-infection |
| **Kill Switch** | A mechanism in ransomware that causes it to terminate without encrypting if a specific condition is met (mutex exists, domain resolves, file present) |
| **Mutex Vaccination** | Proactively creating named mutexes on endpoints that match known ransomware mutex names, preventing the ransomware from executing |
| **Domain Sinkhole** | Registering or redirecting a malicious domain to a controlled server; used to activate domain-based kill switches |
| **DGA (Domain Generation Algorithm)** | Algorithm used by malware to generate pseudo-random domain names for C2 communication, sometimes incorporating kill switch checks |
## Tools & Systems
- **Sysmon**: Microsoft system monitor providing Event ID 17/18 for named pipe and mutex creation monitoring
- **Velociraptor**: Endpoint visibility tool with built-in artifacts for enumerating mutant (mutex) objects on Windows
- **Sysinternals Handle**: Command-line tool for listing open handles including named mutexes per process
- **malware-mutex (GitHub)**: Community-maintained database of mutexes used by known malware families
- **ANY.RUN**: Interactive malware sandbox that reports mutex creation during dynamic analysis
- **PassiveDNS**: DNS monitoring infrastructure for detecting kill switch domain resolution attempts
Reference in New Issue View Git Blame Copy Permalink