Attack Monitor is a Python application written to enhance the security monitoring capabilities of Windows 7/2008 (and all later versions) workstations and servers, and to automate dynamic analysis of malware.
Current modes (mutually exclusive): endpoint detection mode and malware analysis mode (the installer asks you to choose one; see the installation steps below).
Based on events from: Sysmon, PowerShell auditing, Windows audit policy, WMI auditing, TShark network capture (currently DNS only) and monitored directories, as configured by the installation steps below.
Supported OS
Pre-requirements
Supported System Events
Some of the events are only supported in Malware Analysis Mode
Installation – Endpoint Detection Mode
For malware analysis mode, refer to the next section.
STEPS:
1. <Download newest release>
2. Open cmd.exe (Run as administrator)
3. pip3 install -U -r requirements.txt
4. python installer.py sysmon
   => Choose endpoint detection mode
5. python installer.py psaudit
6. python installer.py auditpol
7. python installer.py install
   => Choose endpoint detection mode
8. python installer.py exceptions
9. [Apply section] Installation – How to enable WMI audit?
Installation – Malware analysis Mode
For endpoint detection mode, refer to the previous section.
STEPS:
1. <Download newest release>
2. Open cmd.exe (Run as administrator)
3. pip3 install -U -r requirements.txt
4. python installer.py sysmon
   => Choose malware analysis mode
5. python installer.py psaudit
6. python installer.py auditpol
7. python installer.py install
   => Choose malware analysis mode
8. [Install tshark] from https://www.wireshark.org/download.html (to the default location)
9. [Apply section] Installation – How to choose network interface for malware listening? (currently only DNS)
10. [Apply section] Installation – How to enable WMI audit?
11. [Apply section] Installation – How to monitor specific directories?
Installation – How to enable WMI audit?
compmgmt.msc
Services and Applications -> WMI Control -> Properties
Security -> Security -> Advanced -> Auditing -> Add
Select principal: Everyone
Type: All
Show advanced permissions:
Select all (Execute Methods … Edit Security)
Why is this not in the installer.py script? It is hard to do programmatically.
Installation – How to choose network interface for malware listening?
Edit C:\Program Files\Attack Monitor\config\attack_monitor.cfg
In section [feeder_network_tshark], set: network_interface=PUT INTERFACE NAME HERE (without quotes)
How to determine the interface name?
TShark uses the name shown in Control Panel\Network and Internet\Network Connections (Change adapter settings), e.g. WiFi AC (a custom name defined by the user) or Ethernet0.
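As an added example (not part of Attack Monitor itself), the following Python snippet shows how the interface name can be cross-checked against the list TShark reports (`tshark -D`) before it is written into the [feeder_network_tshark] section, and why the "without quotes" note matters: configparser keeps the quotes as part of the value, so a quoted name would never match what TShark expects. The `tshark -D` output and the cfg fragment are constructed samples; the assumed output format is "N. \Device\NPF_{...} (Friendly name)".

```python
import configparser
import io
import re

# Constructed sample of `tshark -D` output on Windows (assumed format:
# number, NPF device path, friendly adapter name in parentheses).
SAMPLE_TSHARK_D = """1. \\Device\\NPF_{11111111-2222-3333-4444-555555555555} (Ethernet0)
2. \\Device\\NPF_{66666666-7777-8888-9999-000000000000} (WiFi AC)
3. \\Device\\NPF_Loopback (Adapter for loopback traffic capture)
"""

# Constructed minimal attack_monitor.cfg fragment; only the section the
# installation notes tell us to edit is modelled. Note the (wrong) quotes.
SAMPLE_CFG = """[feeder_network_tshark]
network_interface="WiFi AC"
"""

_LINE_RE = re.compile(r"^\s*\d+\.\s+(?P<dev>\S+)\s+\((?P<name>.+)\)\s*$")


def parse_tshark_interfaces(output):
    """Map friendly interface name -> NPF device path from `tshark -D` text."""
    interfaces = {}
    for line in output.splitlines():
        match = _LINE_RE.match(line)
        if match:
            interfaces[match.group("name")] = match.group("dev")
    return interfaces


def current_interface(cfg_text):
    """Return the raw network_interface value exactly as configparser sees it."""
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    return parser["feeder_network_tshark"]["network_interface"]


def set_network_interface(cfg_text, name, known_names):
    """Write the interface name unquoted, refusing names TShark does not list."""
    clean = name.strip().strip('"').strip("'")  # drop quotes a user may have typed
    if clean not in known_names:
        raise ValueError(f"interface {clean!r} not listed by tshark -D")
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    parser["feeder_network_tshark"]["network_interface"] = clean
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()
```

On a real host, feed the output of `tshark -D` to `parse_tshark_interfaces` and the contents of C:\Program Files\Attack Monitor\config\attack_monitor.cfg to `set_network_interface`.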
Installation – How to monitor specific directories?
Edit C:\Program Files\Attack Monitor\config\monitored_directories.json
For malware analysis it is recommended to monitor all events (except dir_modified) for the directory C:\ with the recursive flag enabled. Also add any additional directories that are relevant.
How does it work?
Known bugs
Demo