Attack Monitor is a Python application written to enhance the security monitoring capabilities of Windows 7/2008 (and all later versions) workstations/servers and to automate dynamic analysis of malware.
Current modes (mutually exclusive):
- Endpoint detection mode
- Malware analysis mode
Based on events from:
Monitored events (some are only supported in Malware analysis mode):
- Filesystem changes
- Permitted network connections
- PowerShell activity (detailed only with PowerShell 5)
- Process creation
- SMB activity
- Scheduled tasks
- Local account manipulation
- Successful/failed logons
- Driver loads
- Raw disk access
- Registry monitoring
- Pipe events
- Audit log cleared
- WMI query monitoring and WMI persistence
- DNS request capture (via TShark)
Installation - Endpoint detection mode (for Malware analysis mode, refer to the next section)
STEPS:
- Download the newest release
- Open cmd.exe (Run as administrator)
- pip3 install -U -r requirements.txt
- python installer.py sysmon => choose endpoint detection mode
- python installer.py psaudit
- python installer.py auditpol
- python installer.py install => choose endpoint detection mode
- python installer.py exceptions
- Apply section: Installation - How to enable WMI audit?
Installation - Malware analysis mode (for Endpoint detection mode, refer to the previous section)
STEPS:
- Download the newest release
- Open cmd.exe (Run as administrator)
- pip3 install -U -r requirements.txt
- python installer.py sysmon => choose malware analysis mode
- python installer.py psaudit
- python installer.py auditpol
- python installer.py install => choose malware analysis mode
- Install TShark from https://www.wireshark.org/download.html (to the default location)
- Apply section: Installation - How to choose network interface for malware listening? (currently only DNS)
- Apply section: Installation - How to enable WMI audit?
- Apply section: Installation - How to monitor specific directories?
Installation - How to enable WMI audit?
- Run compmgmt.msc
- Services and Applications -> WMI Control -> Properties
- Security tab -> Security -> Advanced -> Auditing -> Add
- Select principal: Everyone
- Type: All
- Show advanced permissions: select all (Execute Methods ... Edit Security)
Why isn't this done by the installer.py script? It is hard to do programmatically.
Installation - How to choose network interface for malware listening? (currently only DNS)
- Edit C:\Program Files\Attack Monitor\config\attack_monitor.cfg
- In section [feeder_network_tshark], change: network_interface=PUT INTERFACE NAME HERE # without quotes
- TShark uses the adapter name shown in Control Panel\Network and Internet\Network Connections (Change adapter settings), e.g. WiFi AC (a custom name defined by the user) or Ethernet0
Installation - How to monitor specific directories?
- Edit C:\Program Files\Attack Monitor\config\monitored_directories.json
- For malware analysis it is recommended to monitor all events (except dir_modified) for the directory C:\ with the recursive flag enabled. Add further directories if they are relevant to your case.
Is learning mode enabled? (It can be enabled from the tray icon, or permanently in the configuration file.)
- Yes: an alert window pops up asking whether you want to ignore this alert and, if so, which fields must match for an event to be considered ignored (simple comparison, substring, or regex).
- No: go to the next step.
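The three field-matching options of the learning-mode exception popup (simple comparison, substring, regex), shown as an added Python example rather than code from the Attack Monitor project; the event field names and the rule layout are assumptions and do not follow the project's own exceptions format.

```python
import re
from typing import Dict, List

# Constructed sample events in the shape a feeder might emit
# (field names are assumptions, not the project's schema).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"source": "process_creation", "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs", "user": "NT AUTHORITY\\SYSTEM"},
    {"source": "process_creation", "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "command_line": "update.exe /silent", "user": "LAB\\bob"},
    {"source": "dns_request", "query": "time.windows.com", "user": "NT AUTHORITY\\SYSTEM"},
    {"source": "dns_request", "query": "updates.example", "user": "LAB\\bob"},
]

# One ignore rule per popup answer: every listed field must match for the
# event to be suppressed. "simple" = exact, "substring" = contains, "regex" = re.search.
Rule = Dict[str, Dict[str, str]]

SAMPLE_RULES: List[Rule] = [
    # Ignore svchost launched from System32 as SYSTEM (all three fields must match).
    {"source": {"kind": "simple", "value": "process_creation"},
     "image": {"kind": "substring", "value": r"C:\Windows\System32\svchost.exe"},
     "user": {"kind": "simple", "value": "NT AUTHORITY\\SYSTEM"}},
    # Ignore DNS lookups of the Windows time-sync host only.
    {"source": {"kind": "simple", "value": "dns_request"},
     "query": {"kind": "regex", "value": r"^time\.windows\.com$"}},
]

def field_matches(kind: str, expected: str, actual: str) -> bool:
    """Apply one of the three comparison kinds to a single field."""
    if kind == "simple":
        return actual == expected
    if kind == "substring":
        return expected in actual
    if kind == "regex":
        return re.search(expected, actual) is not None
    raise ValueError(f"unknown match kind: {kind}")

def is_ignored(event: Dict[str, str], rules: List[Rule]) -> bool:
    """True if any rule matches on every one of its fields; a field absent from the event never matches."""
    return any(all(f in event and field_matches(m["kind"], m["value"], event[f])
                   for f, m in rule.items()) for rule in rules)

def alerts_after_exceptions(events: List[Dict[str, str]], rules: List[Rule]) -> List[Dict[str, str]]:
    """Events that would still raise an alert once the learned exceptions are applied."""
    return [e for e in events if not is_ignored(e, rules)]
```

Keep regex rules anchored (as in the sample) so that an exception learned for one host or path does not silently suppress a broader set of events than intended.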