Researchers Use Windows Minifilter Drivers to Detect Ransomware in Real Time

A security researcher has unveiled a clever proof-of-concept (PoC) tool on GitHub that fights ransomware right at the heart of Windows.

Called “Sanctum,” this project is part of a larger Endpoint Detection and Response (EDR) strategy. It shows how defenders can use Windows minifilters, special software hooks, to spot and block file encryption attempts before data is lost forever.

At its core, Sanctum taps into a Windows feature known as a “filter driver.” Think of it as a security checkpoint sitting between your apps (running in user mode) and your hard drive (handled by core drivers). Researcher 0xflux calls this spot a “chokepoint.”

Every file action (creating, writing, or renaming) must pass through it, giving the driver full visibility to catch threats early.

Originally planned in Rust for memory safety, the driver ended up in C because Rust bindings for the Windows filter manager were missing. It works by registering “callbacks,” handlers that run on key file events.

[Figure: Detecting the Files – Source: fluxsec]

Sanctum zeroes in on two:

  • IRP_MJ_CREATE: Fires when a process opens a file. The driver watches for rapid requests to open many files for writing or deletion, a red flag for ransomware preparing to encrypt.
  • IRP_MJ_SET_INFORMATION: The star detector. It activates on file metadata changes, such as renames. Ransomware loves these: attackers often tack on extensions like .HLJkNskOq (tied to LockBit) after locking files.

When a suspicious rename hits, the driver calls FltGetFileNameInformation to grab the full filename. It scans against a list of known bad extensions.

A match? It doesn’t just block it; it IDs the culprit. Using IoThreadToProcess, it pulls the Process ID (PID) and program name, delivering precise alerts: “PID 1234 from suspicious.exe is trying to rename your docs!”
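The two detection rules described above (the IRP_MJ_CREATE rate heuristic and the IRP_MJ_SET_INFORMATION extension check) reduce to a small amount of decision logic once the driver has the filename and PID in hand. The following user-mode C is an added example written for this article; it is not Sanctum's code. It assumes the driver has already converted the UNICODE_STRING from FltGetFileNameInformation to a narrow string and already obtained the PID and image name via IoThreadToProcess; the blocklist entries other than `.HLJkNskOq`, the one-second window, and the threshold of 50 opens are constructed values, not the project's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed blocklist. ".HLJkNskOq" is the LockBit extension the article
   mentions; the other two are obvious placeholders, not real ransomware markers. */
static const char *const kBadExtensions[] = {
    ".HLJkNskOq",
    ".example_locked",
    ".example_crypt",
};
#define BAD_EXT_COUNT (sizeof kBadExtensions / sizeof kBadExtensions[0])

/* Case-insensitive equality: NTFS names are case-insensitive, so the
   comparison must be too. Avoids strcasecmp, which is POSIX rather than C. */
static bool iequals(const char *a, const char *b) {
    for (; *a && *b; ++a, ++b) {
        unsigned char ca = (unsigned char)*a, cb = (unsigned char)*b;
        if (ca >= 'A' && ca <= 'Z') ca += 'a' - 'A';
        if (cb >= 'A' && cb <= 'Z') cb += 'a' - 'A';
        if (ca != cb) return false;
    }
    return *a == *b;
}

/* Final extension of a Windows path (after the last separator), or NULL. */
static const char *path_extension(const char *path) {
    const char *base = path;
    for (const char *p = path; *p; ++p)
        if (*p == '\\' || *p == '/') base = p + 1;
    const char *dot = strrchr(base, '.');
    return (dot && dot != base) ? dot : NULL;
}

/* Stand-in for the IRP_MJ_SET_INFORMATION rename check: returns the matching
   blocklisted extension of the rename target, or NULL if it looks benign. */
const char *matched_bad_extension(const char *rename_target) {
    const char *ext = path_extension(rename_target);
    if (!ext) return NULL;
    for (size_t i = 0; i < BAD_EXT_COUNT; ++i)
        if (iequals(ext, kBadExtensions[i])) return kBadExtensions[i];
    return NULL;
}

/* Stand-in for the IRP_MJ_CREATE heuristic: counts write/delete opens per
   process inside a one-second window. A real driver keeps one of these per
   PID in a table; here a single tracker is shown for clarity. Both constants
   are constructed, not Sanctum's. */
#define RATE_WINDOW_MS 1000u
#define RATE_THRESHOLD 50u

typedef struct {
    uint32_t pid;
    uint64_t window_start_ms;
    unsigned count;
} create_tracker;

bool observe_create(create_tracker *t, uint32_t pid, uint64_t now_ms,
                    bool wants_write_or_delete) {
    if (!wants_write_or_delete) return false;   /* read-only opens are ignored */
    if (t->pid != pid || now_ms - t->window_start_ms >= RATE_WINDOW_MS) {
        t->pid = pid;                            /* new process or new window */
        t->window_start_ms = now_ms;
        t->count = 0;
    }
    t->count++;
    return t->count >= RATE_THRESHOLD;
}

/* Alert text in the shape the article quotes; in the driver the PID and image
   name come from the process object returned by IoThreadToProcess. */
int format_rename_alert(char *out, size_t cap, uint32_t pid,
                        const char *image_name, const char *target) {
    return snprintf(out, cap, "PID %u from %s is trying to rename %s",
                    (unsigned)pid, image_name, target);
}

int main(void) {
    /* Constructed sample: a document being renamed to a LockBit-style name. */
    const char *target = "\\Device\\HarddiskVolume3\\Users\\alice\\report.docx.HLJkNskOq";
    const char *hit = matched_bad_extension(target);
    if (hit) {
        char msg[256];
        format_rename_alert(msg, sizeof msg, 1234, "suspicious.exe", target);
        printf("ALERT (%s): %s\n", hit, msg);
    }
    return 0;
}
```

The extension match is deliberately case-insensitive and keyed on the final extension only, so `report.docx.HLJkNskOq` is caught while `report.docx` is not; the rate tracker ignores read-only opens so that a backup agent reading thousands of files does not trip it.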

Right now, Sanctum logs these events as a telemetry tool, helping security teams respond fast. But 0xflux has big plans: future versions will check file “entropy” (a measure of randomness) to detect encryption live. It could even freeze malicious threads, halting attacks instantly.
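The planned entropy check works because encrypted output is close to uniformly random, so its Shannon entropy approaches the maximum of 8 bits per byte, while documents and source code sit far lower. The C below is an added example, not Sanctum's code, showing that measurement over a buffer; it uses a libm-free log2 so it builds anywhere, and its 7.0 bits-per-byte threshold is a constructed value. The pseudo-random buffer stands in for ciphertext, since the example has no cipher.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* log2 without libm: split x into mantissa m in [0.5,1) and exponent e, then
   ln(m) = 2*atanh((m-1)/(m+1)) as a short series. |(m-1)/(m+1)| <= 1/3 on
   that interval, so 20 odd terms are far more precise than needed. */
static double log2_nolibm(double x) {
    int e = 0;
    while (x >= 1.0) { x *= 0.5; ++e; }
    while (x < 0.5)  { x *= 2.0; --e; }
    double y = (x - 1.0) / (x + 1.0), y2 = y * y, term = y, sum = 0.0;
    for (int k = 1; k < 40; k += 2) { sum += term / k; term *= y2; }
    return e + (2.0 * sum) / 0.6931471805599453;   /* divide by ln 2 */
}

/* Shannon entropy of a byte buffer in bits per byte (0.0 .. 8.0). */
double shannon_entropy(const uint8_t *buf, size_t len) {
    if (len == 0) return 0.0;
    size_t counts[256] = {0};
    for (size_t i = 0; i < len; ++i) counts[buf[i]]++;
    double h = 0.0;
    for (int b = 0; b < 256; ++b) {
        if (counts[b] == 0) continue;
        double p = (double)counts[b] / (double)len;
        h -= p * log2_nolibm(p);
    }
    return h;
}

/* Constructed threshold. Compressed archives and media also score near 8,
   so a driver would pair this with the rename and rate signals rather than
   acting on entropy alone. */
#define ENCRYPTED_ENTROPY_THRESHOLD 7.0

bool looks_encrypted(const uint8_t *buf, size_t len) {
    return shannon_entropy(buf, len) >= ENCRYPTED_ENTROPY_THRESHOLD;
}

/* xorshift32 stream: a stand-in for ciphertext, NOT a cipher. */
void fill_pseudo_random(uint8_t *out, size_t len, uint32_t seed) {
    uint32_t s = seed ? seed : 1u;
    for (size_t i = 0; i < len; ++i) {
        s ^= s << 13; s ^= s >> 17; s ^= s << 5;
        out[i] = (uint8_t)s;
    }
}

/* Constructed plaintext sample. */
const char kSampleText[] =
    "The quick brown fox jumps over the lazy dog. "
    "The quick brown fox jumps over the lazy dog. "
    "Quarterly report: revenue, costs, headcount, and forecast.";

int main(void) {
    uint8_t blob[4096];
    fill_pseudo_random(blob, sizeof blob, 2463534242u);
    double h_text = shannon_entropy((const uint8_t *)kSampleText, strlen(kSampleText));
    double h_blob = shannon_entropy(blob, sizeof blob);
    /* A real driver would call looks_encrypted() on the bytes about to be
       written back to a file that was just opened for writing. */
    return (looks_encrypted(blob, sizeof blob) && h_blob > h_text) ? 0 : 1;
}
```

The important caveat is in the comment above the threshold: entropy separates encrypted data from text, but not from already-compressed formats, which is why the article's author pairs it with the rename and open-rate signals rather than using it alone.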

This kernel-level approach beats traditional antivirus software by acting at machine speed with perfect file visibility.

As ransomware evolves, tools like Sanctum prove custom kernel defenses can outpace user-space scanners.

Check the GitHub repo and fluxsec.red for code and demos, perfect for red-teamers or blue-team builders pushing EDR boundaries.


The post Researchers Use Windows Minifilter Drivers to Detect Ransomware in Real Time appeared first on Cyber Security News.
