
attack_monitor's People

Contributors

yarox24


attack_monitor's Issues

Attack Monitor fails to run due to the FORCE_EMPTY_DIR dummy file

First, I installed the tool like this (correct me if some steps were not needed, basically I just wanted to make sure I have all the capabilities).

First I ran python installer.py sysmon to get proper sysmon config (was already there in my case):

[screenshot]

Then I ran python installer.py install auditpol (python installer.py auditpol was returning an error, just wanted to be sure I have it installed with the extended audit).

Then I installed dependencies (by the way, I installed in the Endpoint Protection Mode, so pyshark and the reportlab should not really be required, should they?).

I also installed the pre-defined exceptions:

[screenshot]

Then I tried to run it and got this issue:
[screenshot]

So I dug a bit, added one print to the code to get some verbose output:

[screenshot]

Tried to run again and got this:

[screenshot]

So I figured out the culprit was the dummy FORCE_EMPTY_DIR file, which is not an actual JSON file:

[screenshot]

So I removed it and ran the tool again, this time successfully :)

SOLUTION:
Remove that file while installing/avoid installing it in the first place.

A little bug!

I found a little bug in "installer.py": there are two choices which are the same; they should be different!
[screenshot]

Alert suppression/aggregation - feature request

It would be nice to have some sort of customisable (so it can be adjusted/disabled in config at the user's will) alert suppression mechanism.

For example, if there were more than 3 alerts within the last 20 seconds, just display another one with a message like 'More alerts suppressed, please see the C:\Program Files\Attack Monitor\logs\2019-05-13.txt log file for more details'. And add an option for how long to ignore alerts from being displayed after such a threshold is reached. This could help prevent situations when (I experience this especially after wakeup from sleep) a bunch of alerts queue up and it takes several minutes to get rid of them by clicking one after another, which at the same time can impede GUI usage of other active windows (e.g. web browser, that's exactly the spot where my 'full screen' option is on youtube/netflix :P).

I do understand this is part and parcel of the early stage of learning, so it should gradually be less of a problem once proper learning rules are added in learning mode; however, I do realize every system is unique and therefore everyone needs to adjust their own normalcy rules individually, so more users will face this issue regardless of the maturity of the pre-defined exceptions.json file coming with the installation.
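A sliding-window throttle that implements the request above (an added example, not attack_monitor's code): every alert is still logged, but once the threshold is crossed one summary pop-up replaces the queue and pop-ups stay muted for a configurable period. The 3-in-20-seconds numbers come from the request; the 60-second mute and the logs/alerts.txt path are assumed defaults.

```python
import time
from collections import deque


class AlertSuppressor:
    """Sliding-window pop-up throttle: every alert is logged, but once more than
    `threshold` pop-ups were shown within `window` seconds one summary pop-up is
    shown and further pop-ups are muted for `mute_for` seconds."""

    def __init__(self, threshold=3, window=20.0, mute_for=60.0,
                 log_path="logs/alerts.txt", clock=time.monotonic):
        self.threshold, self.window, self.mute_for = threshold, window, mute_for
        self.log_path = log_path      # assumed location of the daily log file
        self.clock = clock            # injectable so behaviour can be replayed
        self.recent = deque()         # timestamps of pop-ups shown in the window
        self.muted_until = 0.0
        self.logged = []              # stand-in for the on-disk log
        self.displayed = []           # pop-ups the user actually sees
        self.suppressed = 0           # pop-ups withheld while muted

    def alert(self, message):
        """Log the alert; return the pop-up text, or None if it was muted."""
        now = self.clock()
        self.logged.append((now, message))
        if now < self.muted_until:
            self.suppressed += 1
            return None
        # Drop timestamps that have aged out of the window.
        while self.recent and now - self.recent[0] > self.window:
            self.recent.popleft()
        self.recent.append(now)
        if len(self.recent) > self.threshold:
            self.muted_until = now + self.mute_for
            self.recent.clear()
            message = (f"More alerts suppressed for {self.mute_for:.0f}s, "
                       f"see {self.log_path} for details")
        self.displayed.append(message)
        return message


def replay(events, **kwargs):
    """Feed constructed, time-ordered (seconds, message) pairs through a suppressor."""
    now = [0.0]
    sup = AlertSuppressor(clock=lambda: now[0], **kwargs)
    for t, msg in events:
        now[0] = t
        sup.alert(msg)
    return sup.displayed, sup.suppressed, len(sup.logged)
```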

raw_decode raise JSONDecodeError(

Traceback (most recent call last):
  File "madvr.py", line 254, in <module>
    main()
  File "madvr.py", line 166, in main
    load_initial_exception_rules(cc, EXCEPTION_RULES)
  File "madvr.py", line 67, in load_initial_exception_rules
    rules = json.load(open(exception_path, 'r', encoding='utf8'))
  File "C:\Users\Mehran\AppData\Local\Programs\Python\Python37-32\lib\json\__init__.py", line 296, in load
    parse_constant=parse_constant, object_pairs_hook=object_pairs_hook, **kw)
  File "C:\Users\Mehran\AppData\Local\Programs\Python\Python37-32\lib\json\__init__.py", line 348, in loads
    return _default_decoder.decode(s)
  File "C:\Users\Mehran\AppData\Local\Programs\Python\Python37-32\lib\json\decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "C:\Users\Mehran\AppData\Local\Programs\Python\Python37-32\lib\json\decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
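Both the FORCE_EMPTY_DIR report above and this JSONDecodeError traceback come from handing a file that is not JSON (here an empty placeholder) straight to json.load. The loader below is an added example, not code from attack_monitor: it assumes the exception rules live in a directory of .json files, skips placeholder, non-JSON and empty entries, and turns a parse failure into an error that names the offending file. The sample rule contents are constructed.

```python
import json
import tempfile
from pathlib import Path


def load_exception_rules(rules_dir):
    """Load every .json rule file under rules_dir; return (rules, skipped).

    Non-files, files without a .json suffix (such as the FORCE_EMPTY_DIR
    placeholder) and zero-byte files are skipped and reported rather than
    handed to json.load, which is what raised "Expecting value: line 1 column 1".
    """
    rules, skipped = [], []
    for path in sorted(Path(rules_dir).iterdir()):
        if (not path.is_file() or path.suffix.lower() != ".json"
                or path.stat().st_size == 0):
            skipped.append(path.name)
            continue
        with open(path, "r", encoding="utf8") as fh:
            try:
                data = json.load(fh)
            except json.JSONDecodeError as exc:
                # Name the offending file so the user knows what to fix or remove.
                raise ValueError(
                    f"{path}: not valid JSON ({exc.msg} at line {exc.lineno})"
                ) from None
        # Accept either a list of rules or a single rule object per file.
        rules.extend(data if isinstance(data, list) else [data])
    return rules, skipped


def load_from_memory(files):
    """Write constructed {name: content} files to a temp dir and load them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in files.items():
            Path(tmp, name).write_text(content, encoding="utf8")
        return load_exception_rules(tmp)


if __name__ == "__main__":
    # Constructed sample: one real rule file next to the dummy placeholder.
    sample = {
        "exceptions.json": '[{"process": "chrome.exe", "action": "NetworkConnect"}]',
        "FORCE_EMPTY_DIR": "",
    }
    print(load_from_memory(sample))
```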

Attack monitor keeps on crashing

After following all of the steps for EDR and malware analysis, I am able to follow all the commands, but the attack_monitor software still keeps on crashing. How do I solve this error?

I'm deploying your software but encountering a few problems

Adding autostart entry to Menu Start Startup folder
Traceback (most recent call last):
  File "installer.py", line 393, in <module>
    main()
  File "installer.py", line 379, in main
    action_install()
  File "installer.py", line 212, in action_install
    TEMPLATE_LINES = template.readlines()
  File "C:\Python37\Scripts\lib\codecs.py", line 322, in decode
    (result, consumed) = self._buffer_decode(data, self.errors, final)
  File "C:\Python37\Scripts\lib\encodings\utf_16.py", line 67, in _buffer_decode
    raise UnicodeError("UTF-16 stream does not start with BOM")
UnicodeError: UTF-16 stream does not start with BOM
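The installer failure above comes from opening a template with encoding='utf-16' when the file carries no byte-order mark. The helper below is an added example, not attack_monitor's code: it sniffs the BOM, falls back to a NUL-byte heuristic for BOM-less UTF-16 (which some Windows editors produce), and otherwise reads the file as UTF-8. The autostart.template file name and the template text are constructed.

```python
import codecs
import tempfile
from pathlib import Path

# BOM signatures, longest first so the UTF-32 LE mark (FF FE 00 00) is not
# taken for UTF-16 LE (FF FE). These codecs consume the BOM themselves.
BOMS = [
    (codecs.BOM_UTF8, "utf-8-sig"),
    (codecs.BOM_UTF32_LE, "utf-32"),
    (codecs.BOM_UTF32_BE, "utf-32"),
    (codecs.BOM_UTF16_LE, "utf-16"),
    (codecs.BOM_UTF16_BE, "utf-16"),
]


def detect_encoding(raw, default="utf-8"):
    """Guess the codec for raw bytes from a BOM, or from the NUL pattern."""
    for bom, enc in BOMS:
        if raw.startswith(bom):
            return enc
    # No BOM: BOM-less UTF-16 ASCII-range text has a NUL in every other byte.
    sample = raw[:512]
    if len(sample) >= 4:
        nul_even, nul_odd = sample[0::2].count(0), sample[1::2].count(0)
        half = len(sample) // 2
        if nul_odd > 0.7 * half and nul_even == 0:
            return "utf-16-le"
        if nul_even > 0.7 * half and nul_odd == 0:
            return "utf-16-be"
    return default


def read_template_lines(path):
    """Replacement for open(path, encoding='utf-16').readlines()."""
    raw = Path(path).read_bytes()
    enc = detect_encoding(raw)
    return raw.decode(enc).splitlines(keepends=True), enc


def roundtrip(text, encoding):
    """Write constructed text with the given codec and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp, "autostart.template")   # constructed file name
        path.write_bytes(text.encode(encoding))  # bytes, so no newline rewriting
        return read_template_lines(path)
```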
