Attack Monitor is Python application written to enhance security monitoring capabilities of Windows 7/2008 (and all later versions) workstations/servers and to automate dynamic analysis of malware.
Current modes (mutually exclusive):
Based on events from:
Supported OS
Pre-requirements
Supported System Events
Some of the events are only supported in Malware Analysis Mode
Installation – Endpoint Detection Mode
For Malware analysis mode – refer to next section
STEPS:
<Download newest release>
cmd.exe (Run as admin)
pip3 install -U -r requirements.txt
python installer.py sysmon
=> Choose endpoint detection mode
python installer.py psaudit
python installer.py auditpol
python installer.py install
=> Choose endpoint detection mode
python installer.py exceptions
[Apply section] Installation – How to enable WMI audit?
Installation – Malware analysis Mode
For Endpoint detection mode – refer to previous section
STEPS:
<Download newest release>
cmd.exe (Run as admin)
pip3 install -U -r requirements.txt
python installer.py sysmon
=> Choose malware analysis mode
python installer.py psaudit
python installer.py auditpol
python installer.py install
=> Choose malware analysis mode
[Install tshark] https://www.wireshark.org/download.html // To default location
[Apply section] Installation – How to choose network interface for malware listening? // (currently only DNS)
[Apply section] Installation – How to enable WMI audit?
[Apply section] Installation – How to monitor specific directories?
Also Read – ATFuzzer : Dynamic Analysis of AT Interface For Android Smartphones
Installation – How to enable WMI audit?
compmgmt.msc
Services and Applications -> WMI Control -> Properties
Security -> Security -> Advanced -> Auditing -> Add
Select principal: Everyone
Type: All
Show advanced permissions:
Select all (Execute Methods … Edit Security)
Why it’s not in installer.py script? It’s hard to do it programmatically
Installation – How to choose network interface for malware listening?
Edit C:\Program Files\Attack Monitor\config\attack_monitor.cfg
Change in section [feeder_network_tshark]: network_interface=PUT INTERFACE NAME HERE # without quotes
How to determine interface name?
TShark is using name from Control Panel\Network and Internet\Network Connections (Change adapter settings) e.g. name: WiFi AC => Custom name defined by user e.g. name: Ethernet0
Installation – How to monitor specific directories?
Edit C:\Program Files\Attack Monitor\config\monitored_directories.json
For malware analysis it’s recommended to monitor all events (except dir_modified) for directory C:\ with recursive flag enabled. Please add also additional directories if relevant.
How it works?
Known bugs
Demo
This repository contains tools created by yogSahare0 while learning Python 3 for ethical hacking and penetration testing.…
"NetSecChallenger" provides a suite of automated tools designed for security professionals and network administrators to…
The essential tool for cybersecurity enthusiasts! This guide provides a detailed walkthrough on how to…
Meet "Poodone," the ultimate Python script designed for cybersecurity enthusiasts and professionals alike. Packed with…
The Linux version is no longer supported! The last Linux version is 6.0 that you…
Jin is a hacking command-line tools designed to make your scan port, gathering urls, check…