Attack_monitor – Endpoint detection & Malware analysis software

Attack_monitor is Python application written to enhance security monitoring capabilities of Windows 7/2008 (and all later versions) workstations/servers and to automate dynamic analysis of malware.

Current modes (mutually exclusive):

  • Endpoint detection (ED)
  • Malware analysis (on dedicated Virtual Machine)

Based on events from:

  • Windows event logs
  • Sysmon
  • Watchdog (Filesystem monitoring Python library)
  • TShark (only malware analysis mode)
Attack_monitor - Endpoint detection & Malware analysis software
Attack_monitor – Endpoint detection & Malware analysis software

The program compiles several tools and work as follows:

  1. Alert is coming from source (Windows Event Log, Sysmon, Filesystem change, TShark)
  2. Alert is checked against config\exceptions\exception.json which contains all alerts which should be ignored
    • A) For Endpoint Detection – Predefined set of ignored alerts is delivered with software
    • B) For Malware analysis – you need to add exceptions yourself on live system in clean state
  3. Alert is present in exception.json?
    • Yes) Is discared [Go to step 1]
    • No) Go to next step
  4. Is learning mode enabled? (Can be enabled in tray icon, or permanently in configuration file)
    • Yes) Alert window popup asking you if you want to ignore this alert, if yes which fields must match to consider event as ignored? (simple comparision, substring, regex)
    • If you decided to add exception for this alert – Alert is added to exceptions [Go to step 1]
    • If you decided to skip exception window – Go to next step
    • No) Go to next step
  5. Alert user about capture event. Outputs:
    • System tray baloon notification (Only when you are moving mouse and computer isn’t locked)
    • Alert is saved to logs\.txt

The tool support the following system events:

  • Filesystem changes
  • Permitted network connections
  • PowerShell activity (detailed only with PowerShell 5)
  • Process creation
  • SMB activity
  • Scheduled tasks
  • Local accounts manipulations
  • Success/Failed logins
  • Drivers load
  • Raw disk access
  • Registry monitoring
  • Pipe events
  • Services
  • Audit log cleared
  • WMI monitoring of queries + WMI persistence
  • DNS requests capture (via Tshark)

You can read more and watch the demo over here:

Notify of
Inline Feedbacks
View all comments