
This code runs as a service that continuously monitors all Sysmon event logs and takes action based on events generated by attacker activity. It also sends filtered, contextual details to Telegram bots to keep administrators updated, and it captures and uploads all malware dropped by attackers.

Offensive-Panda/Collect_Threat_Intel_AND_Malware_Using_Honeypots

Collect_Threat_Intel_AND_Malware_Using_Honeypots

This code runs as a service that monitors all Sysmon event logs and takes action based on events generated by attacker activity. It uploads all dropped and created malware and files to a server for further analysis, and it captures every command executed by an attacker on the system. It can be deployed in production as well as on high-interaction honeypot systems to monitor attack activity. I have connected this service to two Telegram bots, which monitor all logs, contextual threat intelligence and RDP connections. The APIGEOLOCATION API is also used to get the attacker's location in order to correlate attacks.

Key Features of Service

  • Runs as a Windows service, ensuring continuous and unobtrusive monitoring without user intervention. Operates silently in the background, making it difficult for attackers to detect.

  • Continuously monitors Sysmon event logs to detect suspicious activities and attacks. Captures a wide range of events, including process creations, network connections, file modifications, and more. Uses predefined rules to identify malicious activities and respond accordingly.

  • Executes predefined actions based on the type of Sysmon events detected. Actions can include terminating malicious processes, quarantining suspicious files, and alerting administrators.

  • Automatically uploads all detected and created malware files to a secure location for further analysis. Captures and stores all files dropped or created by attackers for forensic investigation.

  • Records all commands executed by attackers on the system. Provides detailed logs of attacker activities, including command-line arguments and execution context.

  • Connects to two Telegram bots to provide real-time alerts and updates. Telegram bots monitor all logs and RDP connections, ensuring administrators are promptly informed of suspicious activities. Provides instant notifications for critical events, enabling quick response.

  • Utilizes the APIGEOLOCATION API to determine the geographical location of attackers. Correlates attacker locations with attack patterns to enhance threat intelligence. Provides context-aware responses based on the geographical origin of attacks.

Sysmon Event IDs Monitored

  • Event ID 1: Process Creation
  • Event ID 3: Network Connection
  • Event ID 11: File Creation
  • Event ID 15: File Stream Creation (FileCreateStreamHash)
  • Event ID 22: DNS Query
  • Any other event ID can be added to the array defined in the code to monitor it as well.
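A minimal watcher for the event IDs listed above, as an added example (not the repository's own code), using the .NET System.Diagnostics.Eventing.Reader API: it subscribes to the Sysmon channel with an XPath filter built from the same ID array, flattens each event's EventData into a dictionary and prints the contextual fields an alert would carry. The per-ID field names are Sysmon's EventData names; the forwarding to an alert channel (such as a bot) is left as a comment, and reading the channel requires an account with access to the Sysmon operational log.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Linq;
using System.Xml.Linq;
// Added example (not the repository's code): watch the Sysmon channel for the
// README's event IDs and extract the fields an alert needs.
static class SysmonWatcher
{
    // Same IDs as the README's array; add further IDs here to monitor them.
    static readonly int[] MonitoredIds = { 1, 3, 11, 15, 22 };
    static readonly Dictionary<int, string[]> Fields = new Dictionary<int, string[]>
    {
        { 1,  new[] { "Image", "CommandLine", "User", "ParentImage" } },
        { 3,  new[] { "Image", "DestinationIp", "DestinationPort", "User" } },
        { 11, new[] { "Image", "TargetFilename" } },
        { 15, new[] { "Image", "TargetFilename", "Hash" } },
        { 22, new[] { "Image", "QueryName", "QueryResults" } },
    };
    // XPath filter, e.g. *[System[(EventID=1 or EventID=3 or ...)]]
    static string BuildXPath() =>
        "*[System[(" + string.Join(" or ", MonitoredIds.Select(i => "EventID=" + i)) + ")]]";
    // Flatten <Data Name="...">value</Data> entries into a dictionary.
    static Dictionary<string, string> ParseEventData(string xml) =>
        XDocument.Parse(xml).Descendants()
            .Where(d => d.Name.LocalName == "Data" && d.Attribute("Name") != null)
            .ToDictionary(d => d.Attribute("Name").Value, d => d.Value);
    static void OnEvent(object sender, EventRecordWrittenEventArgs e)
    {
        if (e.EventRecord == null) return;   // subscription error, nothing to read
        int id = e.EventRecord.Id;
        var data = ParseEventData(e.EventRecord.ToXml());
        // An ID added to the array but not to Fields still gets minimal context.
        string[] names = Fields.TryGetValue(id, out var n) ? n : new[] { "Image" };
        var parts = names.Where(data.ContainsKey).Select(f => f + "=" + data[f]);
        // A service would hand this line to its alerting channel (e.g. a bot) here.
        Console.WriteLine("Sysmon " + id + " | " + string.Join(" | ", parts));
    }
    static void Main()
    {
        var query = new EventLogQuery("Microsoft-Windows-Sysmon/Operational",
                                      PathType.LogName, BuildXPath());
        using (var watcher = new EventLogWatcher(query))
        {
            watcher.EventRecordWritten += OnEvent;
            watcher.Enabled = true;            // needs read access to the channel
            Console.ReadLine();                // keep the process alive until Enter
        }
    }
}
```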

Prerequisites

Usage

  • Open the .sln file in Visual Studio and compile the code.
  • Install Sysmon before starting the service by using the command (sysmon64.exe -accepteula -i sysmonconfig.xml).
  • After installing Sysmon, create the service by using the command (sc create scsv binPath= "<full path of compiled EXE>" DisplayName= "scsv" start= auto).
  • Start the created service by using the command (sc start scsv).

Only for educational purposes.
