Attack Monitor - Endpoint Detection And Malware Analysis Software


Attack Monitor is Python application written to enhance security monitoring capabilities of Windows 7/2008 (and all later versions) workstations/servers and to automate dynamic analysis of malware.

Current modes (mutually exclusive):

  • Endpoint detection (ED)
  • Malware analysis (on dedicated Virtual Machine)

Based on events from:

  • Windows event logs
  • Sysmon
  • Watchdog (Filesystem monitoring Python library)
  • TShark (only malware analysis mode)

Current version

0.9.0 (Alpha)


[email protected]


Supported OS

  • Windows 7, 8, 10 (x86 or x64)
  • Windows 2008, 2012, 2016 (x86 or x64)


  • Powershell 5
  • Sysmon (Downloaded, configured and installed by
  • Python 3.6 (64-bit) - should work on Python 3.x
  • Tshark (Malware analysis only)
  • Various Python3 libraries (requirements.txt)
  • StoneEngine library (included, first time published, high level windows event log interface - Alpha state)

Supported system events

Some of the events are only supported in Malware Analysis Mode

  • Filesystem changes
  • Permitted network connections
  • PowerShell activity (detailed only with PowerShell 5)
  • Process creation
  • SMB activity
  • Scheduled tasks
  • Local accounts manipulations
  • Success/Failed logins
  • Drivers load
  • Raw disk access
  • Registry monitoring
  • Pipe events
  • Services
  • Audit log cleared
  • WMI monitoring of queries + WMI persistence
  • DNS requests capture (via Tshark)

Installation - Endpoint Detection Mode

For Malware analysis mode - refer to next section


cmd.exe (Run as admin)
pip3 install -U -r requirements.txt
python sysmon
  => Choose endpoint detection mode
python psaudit
python auditpol
python install
  => Choose endpoint detection mode
python exceptions
[Apply section] Installation - How to enable WMI audit?

Installation - Malware analysis Mode

For Endpoint detection mode - refer to previous section:


cmd.exe (Run as admin)
pip3 install -U -r requirements.txt
python sysmon
  => Choose malware analysis mode
python psaudit
python auditpol
python install
  => Choose malware analysis mode
[Install tshark] // To default location
[Apply section] Installation - How to choose network interface for malware listening? // (currently only DNS)
[Apply section] Installation - How to enable WMI audit?
[Apply section] Installation - How to monitor specific directories?

Installation - How to enable WMI audit?

Services and Applications -> WMI Control -> Properties
Security -> Security -> Advanced -> Auditing -> Add

Select principal: Everyone
Type: All
Show advanced permissions:
  Select all (Execute Methods ... Edit Security)

Why it's not in script? It's hard to do it programmatically.

Installation - How to choose network interface for malware listening?

Edit C:\Program Files\Attack Monitor\config\attack_monitor.cfg

Change in section [feeder_network_tshark]: network_interface=PUT INTERFACE NAME HERE # without quotes

How to determine inteface name?

TShark is using name from Control Panel\Network and Internet\Network Connections (Change adapter settings) e.g. name: WiFi AC => Custom name defined by user e.g. name: Ethernet0

Installation - How to monitor specific directories?

Edit C:\Program Files\Attack Monitor\config\monitored_directories.json

For malware analysis it's recommended to monitor all events (except dir_modified) for directory C:\ with recursive flag enabled. Please add also additional directories if relevant.

How it works?

  • Alert is coming from source (Windows Event Log, Sysmon, Filesystem change, TShark)
  • Alert is checked against config\exceptions\exception.json which contains all alerts which should be ignored A) For Endpoint Detection - Predefined set of ignored alerts is delivered with software B) For Malware analysis - you need to add exceptions yourself on live system in clean state
  • Alert is present in exception.json? Yes) Is discared [Go to step 1] No) Go to next step
  • Is learning mode enabled? (Can be enabled in tray icon, or permanently in configuration file) Yes) Alert window popup asking you if you want to ignore this alert, if yes which fields must match to consider event as ignored? (simple comparision, substring, regex)
    • If you decided to add exception for this alert - Alert is added to exceptions [Go to step 1]
    • If you decided to skip exception window - Go to next step

    Now go to the next step:

  • Alert user about capture event. Outputs:
    • System tray baloon notification (Only when you are moving mouse and computer isn't locked)
    • Alert is saved to logs\.txt

Known bugs

  • Exit isn't gracefull
  • Tray icon appears and disappears

Download tool and support author:

December 5, 2019


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023