# Ransomware Detection Lab

## Step 1: Import Python Packages

In [28]:
import boto3                     # Amazon Python SDK
from datetime import datetime    # DateTime package for time conversions
import json                      # Needed to JSONify data for pandas
import pandas as pd              # Used to manipulate data
import time                      # Used to wait for query to finish

## Step 2: Query for Downloaded Files

In [114]:
# Get current time
end_time = datetime.now().timestamp()

# Get 24 hours prior
start_time = end_time - 86400

# Create CloudWatch Logs client and get S3 data
client = boto3.client('logs')
response = client.start_query(
    queryLanguage='CWLI',
    logGroupName='/baker221b/cloudtrail',
    startTime=int(start_time),
    endTime=int(end_time),
    queryString='fields @message | filter eventSource == "s3.amazonaws.com"'
)
time.sleep(5)
query_id = response['queryId']
response = client.get_query_results(
    queryId = query_id
)
results = response['results']

# Shove data into a pandas DataFrame
results_with_message = []
for result in results:
    results_with_message.append(result[0]['value'])
data = [json.loads(item) for item in results_with_message]
df = pd.read_json(json.dumps(data), orient='records')
expanded_request = pd.json_normalize(df['requestParameters'])
expanded_user_identity = pd.json_normalize(df['userIdentity'])
df = pd.concat([df, expanded_request, expanded_user_identity], axis=1)
df

Unnamed: 0,eventVersion,userIdentity,eventTime,eventSource,eventName,awsRegion,sourceIPAddress,userAgent,requestParameters,responseElements,...,sessionContext.sessionIssuer.type,sessionContext.sessionIssuer.principalId,sessionContext.sessionIssuer.arn,sessionContext.sessionIssuer.accountId,sessionContext.sessionIssuer.userName,sessionContext.attributes.creationDate,sessionContext.attributes.mfaAuthenticated,invokedBy,userName,sessionContext.ec2RoleDelivery
0,1.11,"{'type': 'AssumedRole', 'principalId': 'AROAXK...",2025-03-14T19:58:43Z,s3.amazonaws.com,ListBuckets,us-east-2,52.15.183.176,[Boto3/1.35.92 md/Botocore#1.35.92 ua/2.0 os/l...,{'Host': 's3.us-east-2.amazonaws.com'},,...,Role,AROAXKBAMZT7KWSG6S6OB,arn:aws:iam::502579121406:role/LambdaUAAnomaly,502579121406,LambdaUAAnomaly,2025-03-14T19:53:37Z,false,,,
1,1.11,"{'type': 'AssumedRole', 'principalId': 'AROAXK...",2025-03-14T19:58:50Z,s3.amazonaws.com,ListBuckets,us-east-2,52.15.183.176,[Boto3/1.35.92 md/Botocore#1.35.92 ua/2.0 os/l...,{'Host': 's3.us-east-2.amazonaws.com'},,...,Role,AROAXKBAMZT7KWSG6S6OB,arn:aws:iam::502579121406:role/LambdaUAAnomaly,502579121406,LambdaUAAnomaly,2025-03-14T19:53:37Z,false,,,
2,1.11,"{'type': 'AssumedRole', 'principalId': 'AROAXK...",2025-03-14T19:59:50Z,s3.amazonaws.com,ListBuckets,us-east-2,52.15.183.176,[Boto3/1.35.92 md/Botocore#1.35.92 ua/2.0 os/l...,{'Host': 's3.us-east-2.amazonaws.com'},,...,Role,AROAXKBAMZT7KWSG6S6OB,arn:aws:iam::502579121406:role/LambdaUAAnomaly,502579121406,LambdaUAAnomaly,2025-03-14T19:53:37Z,false,,,
3,1.11,"{'type': 'AssumedRole', 'principalId': 'AROAXK...",2025-03-14T19:59:57Z,s3.amazonaws.com,ListBuckets,us-east-2,52.15.183.176,[Boto3/1.35.92 md/Botocore#1.35.92 ua/2.0 os/l...,{'Host': 's3.us-east-2.amazonaws.com'},,...,Role,AROAXKBAMZT7KWSG6S6OB,arn:aws:iam::502579121406:role/LambdaUAAnomaly,502579121406,LambdaUAAnomaly,2025-03-14T19:53:37Z,false,,,
4,1.11,"{'type': 'AssumedRole', 'principalId': 'AROAXK...",2025-03-14T19:57:13Z,s3.amazonaws.com,ListBuckets,us-east-2,52.15.183.176,[Boto3/1.35.92 md/Botocore#1.35.92 ua/2.0 os/l...,{'Host': 's3.us-east-2.amazonaws.com'},,...,Role,AROAXKBAMZT7KWSG6S6OB,arn:aws:iam::502579121406:role/LambdaUAAnomaly,502579121406,LambdaUAAnomaly,2025-03-14T19:53:37Z,false,,,
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
4283,1.11,"{'type': 'AssumedRole', 'principalId': 'AROAXK...",2025-03-13T20:04:56Z,s3.amazonaws.com,ListBuckets,us-east-2,3.16.68.192,[Boto3/1.35.92 md/Botocore#1.35.92 ua/2.0 os/l...,{'Host': 's3.us-east-2.amazonaws.com'},,...,Role,AROAXKBAMZT7KWSG6S6OB,arn:aws:iam::502579121406:role/LambdaUAAnomaly,502579121406,LambdaUAAnomaly,2025-03-13T18:42:35Z,false,,,
4284,1.11,"{'type': 'AssumedRole', 'principalId': 'AROAXK...",2025-03-13T20:05:02Z,s3.amazonaws.com,ListBuckets,us-east-2,3.16.68.192,[Boto3/1.35.92 md/Botocore#1.35.92 ua/2.0 os/l...,{'Host': 's3.us-east-2.amazonaws.com'},,...,Role,AROAXKBAMZT7KWSG6S6OB,arn:aws:iam::502579121406:role/LambdaUAAnomaly,502579121406,LambdaUAAnomaly,2025-03-13T18:42:35Z,false,,,
4285,1.11,"{'type': 'AssumedRole', 'principalId': 'AROAXK...",2025-03-13T20:02:38Z,s3.amazonaws.com,GetAccountPublicAccessBlock,ap-southeast-2,config.amazonaws.com,config.amazonaws.com,{'Host': '502579121406.s3-control.ap-southeast...,,...,Role,AROAXKBAMZT7EISOZXJDE,arn:aws:iam::502579121406:role/aws-controltowe...,502579121406,aws-controltower-ConfigRecorderRole,2025-03-13T20:02:38Z,false,config.amazonaws.com,,
4286,1.11,"{'type': 'AssumedRole', 'principalId': 'AROAXK...",2025-03-13T20:02:03Z,s3.amazonaws.com,ListBuckets,us-east-2,3.16.68.192,[Boto3/1.35.92 md/Botocore#1.35.92 ua/2.0 os/l...,{'Host': 's3.us-east-2.amazonaws.com'},,...,Role,AROAXKBAMZT7KWSG6S6OB,arn:aws:iam::502579121406:role/LambdaUAAnomaly,502579121406,LambdaUAAnomaly,2025-03-13T18:42:35Z,false,,,


## Step 3: Detect Ransomware

In [130]:
def analyze_cloudtrail_data(df):
    """Function to discover ransomware"""
    
    # Store GetObject events into a separate DataFrame
    get_objects = df[df['eventName'] == 'GetObject']
    get_objects = get_objects.copy()
    get_objects['eventTime'] = get_objects['eventTime'].apply(lambda x: datetime.strptime(x, '%Y-%m-%dT%H:%M:%SZ'))
    
    # Store PutObject events into a separate DataFrame
    put_objects = df[df['eventName'] == 'PutObject']
    put_objects = put_objects.copy()
    put_objects['eventTime'] = put_objects['eventTime'].apply(lambda x: datetime.strptime(x, '%Y-%m-%dT%H:%M:%SZ'))
    
    # Store DeleteObject events into a separate DataFrame
    delete_objects = df[df['eventName'] == 'DeleteObject']
    delete_objects = delete_objects.copy()
    delete_objects['eventTime'] = delete_objects['eventTime'].apply(lambda x: datetime.strptime(x, '%Y-%m-%dT%H:%M:%SZ'))
    
    # Create empty results list
    results = []
    
    # Iterate through every GetObject record
    for _, get_row in get_objects.iterrows():
        """
        Iterate through each row in get_objects and extract relevant details
          (key, bucketName, eventTime)
        """
        file_key = get_row['key']
        bucket_name = get_row['bucketName']
        event_time = get_row['eventTime']
        
        """
        Filters put_objects to find operations by the same account where the
          object name starts with but does not end with the file_key and
          occurred after the extracted event_time
        """
        put_candidates = put_objects[
            (put_objects['bucketName'] == bucket_name) &
            (~put_objects['key'].str.endswith(file_key)) &
            (put_objects['key'].str.startswith(file_key)) &
            (put_objects['eventTime'] > event_time)
        ]
        
        """
        Filters the delete_objects DataFrame to find operations by the same
          account where the object key matches file_key and the operation
          occurred after the extracted event_time
        """
        delete_candidates = delete_objects[
            (delete_objects['bucketName'] == bucket_name) &
            (delete_objects['key'] == file_key) &
            (delete_objects['eventTime'] > event_time)
        ]
        
        """
        Checks if there are both upload (put_candidates) and delete
          (delete_candidates) operations, and if so, appends details about
          the original file, the bucket involved, the download time, the
          uploaded files, and a deletion confirmation to the results list
        """
        if not put_candidates.empty and not delete_candidates.empty:
            results.append({
                'OriginalFile': file_key,
                'BucketName': bucket_name,
                'DownloadedAt': event_time,
                'UploadedFiles': list(put_candidates['key']),
                'Deleted': True
            })
    return pd.DataFrame(results)
analyze_cloudtrail_data(df)

Unnamed: 0,OriginalFile,BucketName,DownloadedAt,UploadedFiles,Deleted
0,Smith.pdf,baker221b-proprietary-rmj8ck9rdnlmft3g,2025-03-14 14:45:28,[Smith.pdf.enc],True
1,Magnussen.pdf,baker221b-proprietary-rmj8ck9rdnlmft3g,2025-03-14 14:45:27,[Magnussen.pdf.enc],True
2,Eurus.pdf,baker221b-proprietary-rmj8ck9rdnlmft3g,2025-03-14 14:45:27,[Eurus.pdf.enc],True
3,Moriarty.pdf,baker221b-proprietary-rmj8ck9rdnlmft3g,2025-03-14 14:45:28,[Moriarty.pdf.enc],True
4,Adler.pdf,baker221b-proprietary-rmj8ck9rdnlmft3g,2025-03-14 14:45:27,[Adler.pdf.enc],True
