Ransomware continues to be the most financially damaging type of cyberattack affecting organizations around the world. One of the most effective tools for monitoring in Windows is the minifilter driver.<\/p>\n
By sitting directly in the file system I\/O pipeline, a minifilter can observe, intercept, and even block malicious file operations in real time, providing a crucial early-warning layer for endpoint detection and response (EDR) systems<\/a>.<\/p>\n Security researcher 0xflux has unveiled a proof-of-concept (POC) Windows minifilter driver for real-time ransomware detection. It intercepts file system events to flag suspicious behaviors like rapid file writes and renames to known malicious extensions.<\/p>\n The\u00a0Filter Manager, a kernel-mode component, provides a rich API for minifilter drivers, eliminating the need to build legacy filter drivers from scratch.<\/p>\n Minifilter drivers register their I\/O operation callbacks <\/a>with the Filter Manager, which invokes them in order of altitude, ensuring deterministic layering when multiple filters are loaded.\u200b<\/p>\n A minifilter begins life like any kernel driver, with a\u00a0 PostOperationSetInformation handles renames, filtering for FileRenameInformation classes. It retrieves normalized file names via FltGetFileNameInformation and FltParseFileNameInformation, then scans extensions against a list like L\u201d.HLJkNskOq\u201d from LockBit IOCs.<\/p>\n A match triggers alerts to a user-mode engine for further checks, such as file entropy analysis, a hallmark of encrypted data. Process details, including PID via PsGetProcessId and image name via SeLocateProcessImageName, are logged for correlation.<\/a><\/p>\n For writes, PostOperationCreate filters access masks like FILE_WRITE_DATA or FILE_APPEND_DATA. This flags processes seeking mutable file access, signaling potential encryption prep. Pre-operation callbacks simply return FLT_PREOP_SUCCESS_WITH_CALLBACK to enable post-handling without blocking.<\/p>\n The C-based driver, hosted on GitHub under Sanctum\/fs_minifilter, includes safety checks for production use. A Rust simulator mimics ransomware: opens test.txt, writes junk bytes, and renames it to test.HLJkNskOq. When loaded, the driver detects and logs these events, proving efficacy against LockBit-like behavior<\/a>.<\/a><\/p>\n Beyond extensions, the approach tracks event volume: one process hitting multiple directories signals an outbreak. Inspection of file type correlations and entropy enhances fidelity.<\/p>\n Future enhancements include user-mode collectors for process trees, partial file reads, and rate-limiting detections (e.g., high-entropy changes per second). Freezing suspect threads could buy response time.<\/p>\n This POC from Flux aligns<\/a> with trends in behavioral EDR, outperforming signature-based AV against fileless or polymorphic threats.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Ransomware Detection With Windows Minifilter by Intercepting File Filter and Change Events<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nDriverEntry<\/code>\u00a0function. Instead of the typical driver setup, it uses the\u00a0Flt<\/code>\u00a0function family FltRegisterFilter<\/code>,\u00a0FltStartFiltering<\/code> to register itself and declare callback functions for specific I\/O request packets (IRPs).<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi6t18HRMJgbNkYraeMMug3YiCagkrjCx4Hd-bbmKaQaNX4eQuZ0NJsOajY1a75K9Qlec5JYbpFkFM6TrdUHYG5upxOCLyVCLxdmK95xkhNXFPh1vr4eQFJZeQ9ws5sQaovac0YCxbBa2Cpyu6xuwD8lp_4JFsf6Qm8beTxoSY0XVCMzc26ROcCaRKfZbJx\/s16000\/malware%2520write%2520events.png?ssl=1\")