Nimran & Unnimran
Meet Nimran the file encryptor that locks up data like a pro. And here comes Unnimran, its trusty sidekick that’s always ready to crack the code and set your files free.
As a red team operator, my job is to simulate real-world attacks and stress-test security systems. During a recent engagement, I noticed that the EDR solution the client had wasn’t as effective as expected. So, I decided to test it further by creating a custom file-encrypting malware simulation using Nim.
This wasn’t just about exploiting vulnerabilities. I wanted to create a scenario that mirrored real-world file encryption attacks, one that could fly under the radar and challenge the EDR to see how well it detects such activity.
Why I Chose Nim for This Test
Nim is an incredibly efficient systems programming language, making it the perfect tool for this task. It’s fast, powerful, and lightweight: exactly what I needed to create a stealthy encryptor that could mimic real-world ransomware behavior. With the help of AES encryption (using the nimAesCrypt library), I was able to build a tool that could encrypt files, delete the originals, and leave behind only the encrypted versions.
The Encryption Test
The plan was simple: I’d run the encryptor on the target machine and observe how the EDR would react. The tool takes all files in a specific directory, encrypts them with a password, and deletes the originals. This mimics how ransomware typically works: encrypting important files and removing the originals in order to demand a ransom.
In the video below, you’ll see how I use the tool to encrypt files, test the EDR’s response, and check whether it’s capable of detecting this kind of behavior. Spoiler alert: it wasn’t.
Watch the Encryption in Action
Here’s where it gets interesting. In the video, you’ll see the nimrun.exe encrypting files one by one in a target directory. The original files are deleted after encryption, and only the .aes files are left behind. It’s a clean and effective way to simulate ransomware while putting the EDR solution to the test. Will it catch this? We’ll find out.
BoF added to DaBombC4
Proud to announce that a new BOF has been added.
The EDR’s Response: Was It Enough?
As a red teamer, I often find that EDRs can miss some of the most common attack vectors. In this case, the EDR solution didn’t pick up on the file encryption or the deletion of the originals. This is a huge gap in its detection capability, especially considering how easy it was to create this attack simulation.
While some EDRs have improved, file-encrypting malware can still slip through if the detection algorithms aren’t fine-tuned to recognize such activity. This test reinforced the importance of continuously adapting security tools to detect advanced threats.
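The behavior described above (create `<file>.aes`, then delete `<file>`, repeated across a directory) is exactly the pattern a detection rule can key on. As an added example that is not part of the original post or of Nimran itself, here is a small Python heuristic run over constructed file-event log lines; the log format, field names and thresholds are assumptions, not a real EDR's schema.

```python
import re
from collections import defaultdict

# Constructed log format (assumption): "<unix_ts> <pid> <CREATE|DELETE> <path>"
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<pid>\d+) (?P<op>CREATE|DELETE) (?P<path>.+)$")

def parse_event(line):
    """Parse one file-event line; return a dict, or None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = int(ev["ts"])
    return ev

def find_encrypt_delete_pairs(lines, window_s=60, min_pairs=3):
    """Return {pid: [original paths]} for processes that create <file>.aes and then
    delete <file> within window_s seconds, for at least min_pairs distinct files."""
    aes_created = defaultdict(dict)  # pid -> {original_path: ts when its .aes twin appeared}
    pairs = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        pid, op, path, ts = ev["pid"], ev["op"], ev["path"], ev["ts"]
        if op == "CREATE" and path.endswith(".aes"):
            aes_created[pid][path[:-len(".aes")]] = ts
        elif op == "DELETE":
            created_at = aes_created[pid].get(path)
            if created_at is not None and ts - created_at <= window_s:
                pairs[pid].append(path)  # original removed right after its .aes copy appeared
    return {pid: paths for pid, paths in pairs.items() if len(paths) >= min_pairs}

# Constructed sample events: pid 4242 behaves like the encryptor, pid 1001 keeps its
# original, and pid 7777 deletes the original far outside the time window.
SAMPLE_LOG = [
    "1000 4242 CREATE C:\\data\\q1.docx.aes",
    "1001 4242 DELETE C:\\data\\q1.docx",
    "1002 4242 CREATE C:\\data\\budget.xlsx.aes",
    "1003 4242 DELETE C:\\data\\budget.xlsx",
    "1004 4242 CREATE C:\\data\\notes.txt.aes",
    "1005 4242 DELETE C:\\data\\notes.txt",
    "1010 1001 CREATE C:\\backup\\archive.aes",
    "1020 7777 CREATE C:\\tmp\\old.log.aes",
    "1200 7777 DELETE C:\\tmp\\old.log",
]

if __name__ == "__main__":
    print(find_encrypt_delete_pairs(SAMPLE_LOG))
```

Only pid 4242 is flagged: the backup process never deletes its original, and pid 7777's delete lands 180 seconds after the `.aes` file, outside the 60-second window.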