Does anyone know how we can detect ransomware-related activity using osquery for macOS or Linux? Like identifying any spike in file creation, renaming, or deletion by a specific user or process. Of course it requires a good amount of baselining, but I would like to start with some basic query structure.
10/12/2020, 5:35 PM
Honestly, I'd just alert on a process_event for diskutil apfs addVolume. It should be quite rare for most users.
10/13/2020, 2:25 AM
If you detect ASCII skulls, I'd think that would work too.