{"id":13450140,"url":"https://github.com/yarox24/attack_monitor","last_synced_at":"2025-03-23T16:31:04.903Z","repository":{"id":46748614,"uuid":"179348131","full_name":"yarox24/attack_monitor","owner":"yarox24","description":"Endpoint detection \u0026 Malware analysis software","archived":false,"fork":false,"pushed_at":"2019-12-20T18:52:35.000Z","size":6075,"stargazers_count":226,"open_issues_count":4,"forks_count":60,"subscribers_count":18,"default_branch":"master","last_synced_at":"2024-10-28T17:39:07.093Z","etag":null,"topics":["endpoint-security","malware-analysis","security-tools","sysmon"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/yarox24.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-04-03T18:33:49.000Z","updated_at":"2024-10-04T09:02:34.000Z","dependencies_parsed_at":"2022-08-28T11:20:50.456Z","dependency_job_id":null,"html_url":"https://github.com/yarox24/attack_monitor","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yarox24%2Fattack_monitor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yarox24%2Fattack_monitor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yarox24%2Fattack_monitor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yarox24%2Fattack_monitor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/yarox24","download_url":"https://codeload.github.com/yarox24/attack_monitor/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245130716,"owners_count":20565699,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["endpoint-security","malware-analysis","security-tools","sysmon"],"created_at":"2024-07-31T07:00:31.400Z","updated_at":"2025-03-23T16:31:00.912Z","avatar_url":"https://github.com/yarox24.png","language":"Python","funding_links":[],"categories":["Detector","Python","security-tools"],"sub_categories":[],"readme":"# Attack Monitor\r\n\r\nAttack Monitor is Python application written to enhance security monitoring capabilites of Windows 7/2008 (and all later versions) workstations/servers and to automate dynamic analysis of malware. \r\n\r\nCurrent modes (mutually exclusive):\r\n  - Endpoint detection (ED)\r\n  - Malware analysis (on dedicated Virtual Machine)\r\n \r\nBased on events from:\r\n - Windows event logs\r\n - Sysmon\r\n - Watchdog (Filesystem monitoring Python library)\r\n - TShark (only malware analysis mode)\r\n\r\n### Current version\r\n0.9.0 (Alpha)\r\n\r\n### Contact\r\nattack.monitor.github@gmail.com\r\n\r\n# Demo\r\n![demo/ed.gif](https://raw.githubusercontent.com/yarox24/attack_monitor/master/demo/ed.gif)\r\n\r\n\r\n# Supported OS\r\n\r\n* Windows 7, 8, 10 (x86 or x64)\r\n* Windows 2008, 2012, 2016 (x86 or x64)\r\n\r\n# Pre-requirements\r\n\r\n- Powershell 5\r\n- Sysmon (Downloaded, configured and installed by installer.py)\r\n- Python 3.6 (64-bit) - should work on Python 3.x \r\n- Tshark (Malware analysis only)\r\n- Various Python3 libraries (requirements.txt)\r\n- StoneEngine library (included, first time published, high level windows event log interface -  Alpha state)\r\n\r\n# Supported system events\r\n\u003e Some of the events are only supported in Malware Analysis Mode\r\n- Filesystem changes\r\n- Permitted network connections\r\n- PowerShell activity (detailed only with PowerShell 5)\r\n- Process creation\r\n- SMB activity\r\n- Scheduled tasks\r\n- Local accounts manipulations\r\n- Success/Failed logins\r\n- Drivers load\r\n- Raw disk access\r\n- Registry monitoring\r\n- Pipe events\r\n- Services\r\n- Audit log cleared\r\n- WMI monitoring of queries + WMI persistence\r\n- DNS requests capture (via Tshark)\r\n\r\n# Installation - Endpoint Detection Mode\r\n\u003e For Malware analysis mode - refer to next section\r\n```\r\nSTEPS:\r\n\u003cDownload newest release\u003e\r\ncmd.exe (Run as admin)\r\npip3 install -U -r requirements.txt\r\npython installer.py sysmon\r\n  =\u003e Choose endpoint detection mode\r\npython installer.py psaudit\r\npython installer.py auditpol\r\npython installer.py install\r\n  =\u003e Choose endpoint detection mode\r\npython installer.py exceptions\r\n[Apply section] Installation - How to enable WMI audit?\r\n```\r\n\r\n\r\n# Installation - Malware analysis Mode\r\n\u003e For Endpoint detection mode - refer to previous section\r\n```\r\nSTEPS:\r\n\u003cDownload newest release\u003e\r\ncmd.exe (Run as admin)\r\npip3 install -U -r requirements.txt\r\npython installer.py sysmon\r\n  =\u003e Choose malware analysis mode\r\npython installer.py psaudit\r\npython installer.py auditpol\r\npython installer.py install\r\n  =\u003e Choose malware analysis mode\r\n[Install tshark] https://www.wireshark.org/download.html // To default location\r\n[Apply section] Installation - How to choose network interface for malware listening? // (currently only DNS)\r\n[Apply section] Installation - How to enable WMI audit?\r\n[Apply section] Installation - How to monitor specific directories?\r\n```\r\n\r\n## Installation - How to enable WMI audit?\r\n```\r\ncompmgmt.msc\r\nServices and Applications -\u003e WMI Control -\u003e Properties\r\nSecurity -\u003e Security -\u003e Advanced -\u003e Auditing -\u003e Add\r\n\r\nSelect principal: Everyone\r\nType: All\r\nShow advanced permissions:\r\n  Select all (Execute Methods ... Edit Security)\r\n```\r\nWhy it's not in installer\u003cspan\u003e\u003c/span\u003e.py script? It's hard to do it programmatically\r\n\r\n## Installation - How to choose network interface for malware listening?\r\nEdit *C:\\Program Files\\Attack Monitor\\config\\attack_monitor.cfg*\r\n\r\nChange in section [feeder_network_tshark]:\r\nnetwork_interface=**PUT INTERFACE NAME HERE**           # without quotes\r\n\r\n#### How to  determine inteface name?\r\nTShark is using name from Control Panel\\Network and Internet\\Network Connections (Change adapter settings)\r\ne.g. name: **WiFi AC** =\u003e Custom name defined by user\r\ne.g. name: **Ethernet0**\r\n\r\n## Installation - How to monitor specific directories?\r\nEdit *C:\\Program Files\\Attack Monitor\\config\\monitored_directories.json*\r\n\r\nFor malware analysis it's recommended to monitor all events (except dir_modified) for directory C:\\ with recursive flag enabled. Please add also additional directories if relevant.\r\n\r\n\r\n# How it works?\r\n1. Alert is coming from source (Windows Event Log, Sysmon, Filesystem change, TShark)\r\n2. Alert is checked against *config\\exceptions\\exception.json* which contains all alerts which should be ignored\r\n    A) For Endpoint Detection - Predefined set of ignored alerts is delivered with software\r\n    B) For Malware analysis - you need to add exceptions yourself on live system in clean state\r\n3. Alert is present in *exception.json*?\r\n    Yes) Is discared [Go to step 1]\r\n    No) Go to next step\r\n4. Is learning mode enabled? *(Can be enabled in tray icon, or permanently in configuration file)*\r\n    Yes) Alert window popup asking you if you want to ignore this alert, if yes which fields must match to consider event as ignored? (simple comparision, substring, regex)\r\n    \r\n   - If you decided to add exception for this alert - Alert is added to exceptions [Go to step 1]\r\n   - If you decided to skip exception window - Go to next step\r\n   \r\n    No) Go to next step\r\n5. Alert user about capture event. Outputs:\r\n    - System tray baloon notification (Only when you are moving mouse and computer isn't locked)\r\n    - Alert is saved to *logs\\\\\u003cYYYY-MM-DD\u003e.txt*\r\n\r\n\r\n## Known bugs\r\n- Exit isn't gracefull\r\n- Tray icon appears and disappears\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyarox24%2Fattack_monitor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyarox24%2Fattack_monitor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyarox24%2Fattack_monitor/lists"}