2025-02-24 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article introduces the Attack Monitor tool in some detail; it should be a useful reference for anyone interested in Windows endpoint monitoring and automated malware analysis.
Tool introduction
Attack Monitor is a Python application that helps security researchers improve the security monitoring of Windows 7 and Windows Server 2008 (and all later) workstations or servers, and that can automatically perform dynamic analysis of malware.
Current modes
1. Endpoint detection (ED)
2. Malware analysis (to be run in a dedicated virtual machine environment)
Supported event sources
1. Windows event log
2. Sysmon
3. Watchdog (Python file system monitoring library)
4. TShark (malware analysis mode only)
Current version
Attack Monitor:v0.9.0 (Alpha version)
Supported operating systems
1. Windows 7, 8, 10 (x86 or x64)
2. Windows Server 2008, 2012, 2016 (x86 or x64)
Tool dependencies
1. PowerShell 5
2. Sysmon (downloaded, configured and installed via installer.py)
3. Python 3.6 (64-bit); other Python 3.x versions should work in theory
4. TShark (malware analysis only)
5. Various Python 3 libraries (see requirements.txt)
6. StoneEngine library (released for the first time with this tool; a higher-level interface to the Windows event log)
Supported system events
Note: some of these events are only supported in malware analysis mode.
File system modification
Allowed network connections
PowerShell activity
Process creation
SMB activity
Scheduled tasks
Local account modification
Driver loading
Raw disk access
Registry monitoring
Pipe events
Service monitoring
Audit log clearing
WMI monitoring
DNS request capture (via Tshark)
Tool installation: endpoint detection mode
First, clone the project source code locally from the project's GitHub repository:
git clone https://github.com/yarox24/attack_monitor.git
Change to the local project directory and run the following commands:
cmd.exe (Run as admin)
pip3 install -U -r requirements.txt
python installer.py sysmon        => Choose endpoint detection mode
python installer.py psaudit
python installer.py auditpol
python installer.py install       => Choose endpoint detection mode
python installer.py exceptions
[Apply section] Installation - How to enable WMI audit?
Tool installation: malware analysis mode
cmd.exe (Run as admin)
pip3 install -U -r requirements.txt
python installer.py sysmon        => Choose malware analysis mode
python installer.py psaudit
python installer.py auditpol
python installer.py install       => Choose malware analysis mode
[Install tshark] https://www.wireshark.org/download.html // To default location
[Apply section] Installation - How to choose network interface for malware listening? // (currently only DNS)
[Apply section] Installation - How to enable WMI audit?
[Apply section] Installation - How to monitor specific directories?
How to enable WMI auditing?
compmgmt.msc
Services and Applications -> WMI Control -> Properties
Security -> Security -> Advanced -> Auditing -> Add
Select principal: Everyone
Type: All
Show advanced permissions: Select all (Execute Methods ... Edit Security)
How to choose the network interface to listen on for malware analysis?
Edit the file "C:\Program Files\Attack Monitor\config\attack_monitor.cfg" and set the parameter in it that names the network interface to listen on.
How to determine the interface name?
TShark uses the interface name shown under Control Panel\Network and Internet\Network Connections; the default name is Ethernet0.
How do I specify the monitored directories?
Edit the file "C:\Program Files\Attack Monitor\config\monitored_directories.json". For malware analysis, we recommend monitoring all events under "C:\" and adding any other relevant directories.
Working mechanism
1. Events are collected by listening on the event sources (Windows event log, Sysmon, file system changes and TShark).
2. Each event is checked against the exceptions configured in "config\exceptions\exception.json", which holds all alerts that are to be ignored. For endpoint detection, you customize which alerts to ignore; for malware analysis, you add exceptions for the target (analysis) system's own baseline activity.
3. If the event matches an exception in exception.json, go back to step 1; otherwise continue to the next step.
4. Is learning mode enabled? If so, the tool pops up a prompt asking whether this alert should be ignored in future, based on a regular expression.
5. The user is alerted and the event is recorded:
A system tray bubble notification.
The alert details are saved to a .txt file in the logs\ directory.
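To make the filter in steps 2 to 5 concrete, here is an added Python example that is not Attack Monitor's own code; the exception file schema, the event field names and the sample events are assumptions constructed for illustration.

```python
import json
import re
# Constructed stand-in for config\exceptions\exception.json (field names are assumptions,
# not the tool's schema): an event whose fields all match one entry is known-good.
EXCEPTIONS_JSON = r"""{"exceptions": [
  {"source": "Process creation", "match": {"image": "^C:\\\\Windows\\\\System32\\\\svchost\\.exe$",
                                           "parent": "^C:\\\\Windows\\\\System32\\\\services\\.exe$"}},
  {"source": "File system modification", "match": {"path": "^C:\\\\Windows\\\\Temp\\\\"}}]}"""

def load_exceptions(text):
    """Parse the exception file and compile every regex once, up front."""
    rules = []
    for entry in json.loads(text)["exceptions"]:
        compiled = {f: re.compile(p, re.IGNORECASE) for f, p in entry["match"].items()}
        rules.append((entry["source"], compiled))
    return rules

def is_excepted(event, rules):
    """Step 3: ignore the event if, for some rule of its source, every regex matches."""
    for source, patterns in rules:
        if source == event["source"] and all(
                f in event and rx.search(event[f]) for f, rx in patterns.items()):
            return True
    return False

def process_events(events, rules, learning_mode=False, ask=lambda e: False):
    """Steps 3-5: drop excepted events; in learning mode ask() stands in for the pop-up
    and a 'yes' adds a literal-match rule; whatever remains is an alert."""
    alerts = []
    for event in events:
        if is_excepted(event, rules):
            continue
        if learning_mode and ask(event):
            patterns = {f: re.compile("^" + re.escape(v) + "$", re.IGNORECASE)
                        for f, v in event.items() if f != "source"}
            rules.append((event["source"], patterns))
            continue
        alerts.append(event)  # in the real tool: tray bubble + logs folder entry
    return alerts

# Constructed sample events with simplified Sysmon-style fields.
SAMPLE_EVENTS = [
    {"source": "Process creation", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"source": "Process creation", "image": r"C:\Users\lab\Downloads\sample.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"source": "File system modification", "path": r"C:\Windows\Temp\abc.tmp"},
    {"source": "File system modification", "path": r"C:\Users\lab\AppData\Roaming\x.dll"},
]
```

Running `process_events(SAMPLE_EVENTS, load_exceptions(EXCEPTIONS_JSON))` leaves only the unknown process and the DLL write as alerts; with `learning_mode=True` and an `ask` that answers yes, those two become new rules and a second pass yields no alerts.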
That is all of this article on what Attack Monitor is. Thank you for reading, and we hope it was helpful; for more related content, follow the industry information channel.