
How to test KES Behavior Detection against encryption attempts [KES for Windows]



This article is about Kaspersky Endpoint Security for Windows (KES for Windows)

aescrypt.zip and TestProgExp.zip can be found here.

Remote encryption test

This test requires two participating workstations: an Attacker PC and a Victim PC. The Behavior Detection component has to be configured on the Victim PC to detect malware activity, protect shared folders and block connections when external encryption is detected.

Step-by-step guide

  • On the Victim PC, create a folder with regular office-like files: *.DOC, *.DOCX, *.XLX, *.JPG.
  • Share the folder on the Victim PC and make sure the account logged on to the Attacker PC has full access to the share. Map the shared folder as a network drive on the Attacker PC.
  • Copy and unpack the aescrypt.zip archive on the Attacker PC.
  • Fill list.txt with the files in the mapped folder. Since the folder is mapped, the paths look like local ones, e.g. Z:\Book1.xlsx. Use the contents of example-list.txt as a template:

[Screenshot: contents of example-list.txt]

  • On the Attacker PC, launch test.bat to start encrypting the files listed in list.txt.
  • Behavior Detection in KES on the Victim PC will detect the attempt and try to roll the changes back. Full access to the share on the Victim PC will be blocked for the Attacker PC (if specified in the KES policy).

[Screenshot: the file-restoring event logged on the protected workstation]

[Screenshot: access to the folder is blocked, from the attacker's point of view]

Local encryption test

Step-by-step guide

  • Prepare a folder with files to be encrypted; run the test with *.DOC, *.DOCX, *.XLX, *.JPG files.
  • Copy and unpack the attached TestProgExp.zip utility into this folder.

[Screenshot: the test folder with the unpacked TestProgExp utility]

  • Launch the TestProgExp utility to start the encryption.
  • The files in the folder containing the test utility will be encrypted.

[Screenshot: encrypted files in the test folder]

Allow some time for Behavior Detection in KES to detect the attempt, perform the rollback and remove the suspicious software:

[Screenshot: the files are restored]
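Both tests above end with KES rolling the files back, but the guide does not say how to confirm that the restore was complete. The following helper script is an added example, not part of the original post or of Kaspersky's test utilities: it builds the test corpus for the Victim PC, writes list.txt with mapped-drive paths for the remote test, takes a SHA-256 baseline before the test starts, and afterwards reports every file that is missing or differs from the baseline. The drive letter Z, the file names and sizes, and the function names are placeholders chosen for illustration.

```python
# Added example (not Kaspersky's tooling): test corpus, list.txt and rollback check.
import hashlib
import os
import tempfile
from pathlib import Path

OFFICE_EXTS = (".doc", ".docx", ".xlsx", ".jpg")  # extension set used by the guide


def create_test_corpus(folder, count=4, size=4096):
    """Create `count` office-like files with random content; returns sorted paths."""
    folder = Path(folder)
    folder.mkdir(parents=True, exist_ok=True)
    paths = []
    for i in range(count):
        p = folder / f"test{i}{OFFICE_EXTS[i % len(OFFICE_EXTS)]}"
        p.write_bytes(os.urandom(size))
        paths.append(p)
    return sorted(paths)


def write_list_file(paths, drive_letter, list_path):
    """Write list.txt as the Attacker PC sees the share: one mapped path per line,
    e.g. Z:\\Book1.xlsx (drive letter is an assumption). Returns the lines written."""
    lines = [f"{drive_letter}:\\{Path(p).name}" for p in paths]
    with open(list_path, "w", newline="") as fh:  # keep CRLF for the batch file
        fh.write("\r\n".join(lines) + "\r\n")
    return lines


def snapshot_hashes(paths):
    """SHA-256 baseline of every test file, taken on the Victim PC before the test."""
    return {Path(p).name: hashlib.sha256(Path(p).read_bytes()).hexdigest() for p in paths}


def verify_rollback(paths, baseline):
    """After KES reports the rollback, return names of files that are missing or whose
    content differs from the baseline. An empty list means a byte-for-byte restore."""
    present = [p for p in paths if Path(p).exists()]
    current = snapshot_hashes(present)
    return [Path(p).name for p in paths if current.get(Path(p).name) != baseline[Path(p).name]]


def self_check():
    """Offline dry run in a temp dir: a clean corpus verifies, tampered files are reported."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = create_test_corpus(tmp)
        lines = write_list_file(paths, "Z", Path(tmp) / "list.txt")
        baseline = snapshot_hashes(paths)
        clean = verify_rollback(paths, baseline)
        paths[0].write_bytes(b"not restored")  # simulate a file the rollback missed
        paths[1].unlink()                      # simulate a file that was not recreated
        return {"lines": lines, "clean": clean, "after": verify_rollback(paths, baseline)}
```

In a real run, take the baseline on the Victim PC before launching test.bat or TestProgExp, and call verify_rollback once KES has logged the restore event.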
 

         
