# File Event Monitor (gnh1201/welsonjs GitHub Wiki)

Starting with WelsonJS version 0.2.7.36, full support for handling system events (mainly events related to file activity) is provided. It is implemented on top of Sysinternals Sysmon (microsoft.com).
The events that can be handled are as follows:
- File creations
- Network connections (TCP, UDP)
- Registry modifications
Note: Although this feature uses many tools popular among security analysts, it was not designed as a security feature. It was developed to recommend and promote appropriate software to users based on file type, in scenarios where documents are exchanged via email, messenger, and similar channels.

The methods `onFileCreated`, `onNetworkConnected`, and `onRegistryModified` are available to implement an event listener. You can find examples in `defaultService.example.js`.
```javascript
// Each handler receives the event fields as an array and returns a string
// that the service writes to its log.
function onFileCreated(args) {
    return "onFileCreated received. " + args.join(', ');
}

function onNetworkConnected(args) {
    return "onNetworkConnected received. " + args.join(', ');
}

function onRegistryModified(args) {
    return "onRegistryModified received. " + args.join(', ');
}
```
Once all implementations and configurations are complete, you should see the following console message:
```text
2024-09-10 오후 2:22:08: > Detected the registry modification: HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2045960190-3833789326-3828594115-1001\\Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
2024-09-10 오후 2:22:08: onRegistryModified received. -, 5796, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, SetValue, HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2045960190-3833789326-3828594115-1001\\Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
2024-09-10 오후 2:22:14: > Detected the network connection: udp://fe80:0:0:0:faa7:67af:298e:fb1d:5353
2024-09-10 오후 2:22:14: onNetworkConnected received. technique_id=T1571,technique_name=Non-Standard Port, 1996, C:\Windows\System32\svchost.exe, udp://fe80:0:0:0:faa7:67af:298e:fb1d:5353
2024-09-10 오후 2:22:14: > Detected the network connection: udp://fe80:0:0:0:faa7:67af:298e:fb1d:5353
2024-09-10 오후 2:22:14: onNetworkConnected received. technique_id=T1571,technique_name=Non-Standard Port, 33248, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, udp://fe80:0:0:0:faa7:67af:298e:fb1d:5353
2024-09-10 오후 2:43:47: > Detected the file creation: C:\Users\<USERNAME>\Downloads\새 텍스트 문서.txt
2024-09-10 오후 2:43:47: onFileCreated received. -, 7640, C:\WINDOWS\Explorer.EXE, C:\Users\<USERNAME>\Downloads\새 텍스트 문서.txt
```
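As an added example (not code from the WelsonJS project or its `defaultService.example.js`), the handlers below parse the argument array into named fields and, in line with the purpose stated above, map a created file's extension to a recommended application. The argument order `[technique tag, PID, image path, event-specific fields]` is assumed from the sample log above, and the extension table is constructed for illustration.

```javascript
// Added example for this wiki page, not code from the WelsonJS project. The argument
// order is assumed from the sample log: [technique tag, PID, image path, ...fields],
// where the tag is "-" or "technique_id=T1571,technique_name=Non-Standard Port".
// Written in ES5 style so it also runs on the WSH JScript engine WelsonJS uses.

// Constructed extension-to-application table (assumption, not a WelsonJS setting).
var RECOMMENDED_APPS = { ".txt": "Notepad", ".pdf": "PDF reader", ".zip": "Archive manager" };

// Split the technique tag into { id, name }; both are null for "-".
function parseTechnique(tag) {
    var result = { id: null, name: null };
    var pairs = (tag && tag !== "-") ? tag.split(",") : [];
    for (var i = 0; i < pairs.length; i++) {
        var eq = pairs[i].indexOf("=");
        if (eq < 0) { continue; }
        var key = pairs[i].substring(0, eq), value = pairs[i].substring(eq + 1);
        if (key === "technique_id") { result.id = value; }
        if (key === "technique_name") { result.name = value; }
    }
    return result;
}

// Common prefix shared by all three handlers; the rest is event-specific.
function parseEvent(args) {
    return { technique: parseTechnique(args[0]), pid: parseInt(args[1], 10),
             image: args[2], fields: args.slice(3) };
}

// Lower-cased extension of a Windows path, or "" when there is none.
function fileExtension(path) {
    var base = path.substring(path.lastIndexOf("\\") + 1);
    var dot = base.lastIndexOf(".");
    return dot < 0 ? "" : base.substring(dot).toLowerCase();
}

// File event fields: [created path]
function onFileCreated(args) {
    var ev = parseEvent(args), path = ev.fields[0];
    var app = RECOMMENDED_APPS[fileExtension(path)] || "no recommendation";
    return "onFileCreated received. " + ev.image + " (PID " + ev.pid + ") created " +
        path + "; recommended application: " + app;
}

// Network event fields: [protocol://address:port]; append the ATT&CK tag when one was supplied.
function onNetworkConnected(args) {
    var ev = parseEvent(args), t = ev.technique;
    var tag = t.id ? " [" + t.id + ": " + t.name + "]" : "";
    return "onNetworkConnected received. " + ev.image + " (PID " + ev.pid + ") -> " + ev.fields[0] + tag;
}
```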
WelsonJS can be used in conjunction with MITRE ATT&CK (attack.mitre.org). Please follow the steps below:

- Download Sysinternals Sysmon (microsoft.com).
- Download and apply the Sysmon configuration (github.com/olafhartong/sysmon-modular). The configuration is installed together with Sysmon using the command below:

  ```
  sysmon.exe -accepteula -i sysmonconfig.xml
  ```

- In the WelsonJS configuration file (`settings.ini`), set the `DISABLE_FILE_MONITOR` value in the `[Service]` section to `false`:

  ```ini
  [Service]
  DISABLE_FILE_MONITOR=false
  ```

- Install and start the WelsonJS Service by running `installService.bat` (refer to `services.msc` for instructions on how to start and manage the service). If you want to debug it, start the Interactive Service with `startInteractiveService.bat` instead.
- Check the log in the `WelsonJS.Service.Log.txt` file. The log file can be found in one of the following directories:
  - `C:\Windows\SystemTemp`
  - `C:\Users\<YOUR USERNAME>\AppData\Local\Temp`
Starting from WelsonJS version 0.2.7.37, ClamAV (www.clamav.net) integration will be supported.
- YARA Signature Matching: WelsonJS will include a YARA signature matching feature for file events. The code will be available soon. For more information, visit YARA on GitHub.
- Packer Identification: We plan to integrate a tool for identifying file formats. While software like PEiD is well-known for this purpose, the current leading candidate is Detect-It-Easy.
- Integration with Intelligence Services: Details are available in issue #142 on GitHub.