Primary Use Case

This tool is primarily used by security professionals and system administrators to monitor Windows endpoints for suspicious activities and perform automated malware analysis on dedicated virtual machines. It helps detect intrusions, analyze malware behavior, and monitor various system events to improve endpoint security posture.

Key Features

Endpoint detection mode for real-time monitoring of Windows workstations and servers

Malware analysis mode using dedicated virtual machines with network traffic capture

Integration with Windows event logs, Sysmon, and filesystem monitoring via Watchdog

Support for monitoring a wide range of system events including process creation, PowerShell activity, SMB, scheduled tasks, and WMI queries

DNS request capture using TShark in malware analysis mode

Automated installation and configuration scripts for Sysmon and auditing policies

Configurable monitoring of specific directories and network interfaces

Support for Windows 7/2008 and later versions (x86 and x64)

Insights & Recommendations

The tool is in alpha version (0.9.0) and requires manual steps to enable WMI auditing due to complexity. It depends on external tools like Sysmon and TShark, which must be properly installed and configured. Recommended for use on supported Windows versions with PowerShell 5 and Python 3.6+ (64-bit). Monitoring specific directories and network interfaces requires manual configuration edits.

Installation

Download the newest release of Attack Monitor
Open cmd.exe as administrator
Run pip3 install -U -r requirements.txt to install dependencies
Run python installer.py sysmon and choose the desired mode (endpoint detection or malware analysis)
Run python installer.py psaudit to configure PowerShell auditing
Run python installer.py auditpol to configure audit policies
Run python installer.py install and select the appropriate mode
For endpoint detection mode, run python installer.py exceptions to configure exceptions
For malware analysis mode, install TShark from https://www.wireshark.org/download.html to the default location
Edit attack_monitor.cfg to select the network interface for malware listening

Usage

python installer.py sysmon

Installs and configures Sysmon; prompts to select endpoint detection or malware analysis mode

python installer.py psaudit

Configures PowerShell auditing settings

python installer.py auditpol

Configures Windows audit policies

python installer.py install

Performs main installation steps; prompts to select endpoint detection or malware analysis mode

python installer.py exceptions

Configures exceptions for endpoint detection mode

Smart Usage Notes

Integrate with SIEM solutions to enhance alert correlation and incident response workflows.

Leverage the malware analysis mode to automate sandboxing and dynamic analysis in virtual environments.

Use configurable monitoring to focus on high-risk directories and network interfaces for targeted detection.

Combine with threat intelligence feeds to enrich detection capabilities and reduce false positives.

Employ in purple team exercises to validate detection rules and improve adversary emulation scenarios.

Open Source Security Atlas

attack_monitor

About This Tool

Primary Use Case

Key Features

Insights & Recommendations

Installation

Usage

Smart Usage Notes

Security Capability Profile

Tags

You Might Also Like