
File Event Monitor

Namhyeon, Go edited this page Sep 10, 2024 · 30 revisions

From WelsonJS version 0.2.7.36, support for handling system events (mainly events related to file activity) is provided. It is built on Sysinternals Sysmon (microsoft.com): Sysmon records the events, and the WelsonJS Service forwards them to the listener functions described below.

The events that can be handled are as follows:

  • File creations
  • Network connections (TCP, UDP)
  • Registry modifications

Implement an event listener

To implement an event listener, define the functions onFileCreated, onNetworkConnected and onRegistryModified in your service script. Each receives an array of arguments, and the string it returns is written to the service log. You can find examples in defaultService.js.

// Called for each file-creation event; args holds the event fields (see the log output below).
function onFileCreated(args) {
    return "onFileCreated received. " + args.join(', ');
}

// Called for each network-connection event (TCP and UDP).
function onNetworkConnected(args) {
    return "onNetworkConnected received. " + args.join(', ');
}

// Called for each registry-modification event.
function onRegistryModified(args) {
    return "onRegistryModified received. " + args.join(', ');
}

Once the implementation and the configuration steps below are complete, you should see messages like the following in the service log. Each "Detected" line is followed by the string your listener returned:

2024-09-10 2:22:08 PM: > Detected the registry modification: HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2045960190-3833789326-3828594115-1001\\Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
2024-09-10 2:22:08 PM: onRegistryModified received. -, 5796, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, SetValue, HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2045960190-3833789326-3828594115-1001\\Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
2024-09-10 2:22:14 PM: > Detected the network connection: udp://fe80:0:0:0:faa7:67af:298e:fb1d:5353
2024-09-10 2:22:14 PM: onNetworkConnected received. technique_id=T1571,technique_name=Non-Standard Port, 1996, C:\Windows\System32\svchost.exe, udp://fe80:0:0:0:faa7:67af:298e:fb1d:5353
2024-09-10 2:22:14 PM: > Detected the network connection: udp://fe80:0:0:0:faa7:67af:298e:fb1d:5353
2024-09-10 2:22:14 PM: onNetworkConnected received. technique_id=T1571,technique_name=Non-Standard Port, 33248, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, udp://fe80:0:0:0:faa7:67af:298e:fb1d:5353
2024-09-10 2:43:47 PM: > Detected the file creation: C:\Users\<USERNAME>\Downloads\새 텍스트 문서.txt
2024-09-10 2:43:47 PM: onFileCreated received. -, 7640, C:\WINDOWS\Explorer.EXE, C:\Users\<USERNAME>\Downloads\새 텍스트 문서.txt
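Echoing the arguments is enough to prove the wiring works, but a listener that classifies events is what you actually want in production. The following is an added example, not code from WelsonJS or defaultService.js. The argument order it relies on is inferred from the sample log above and is an assumption: rule name (or "-"), process ID, image path, then the target, with the registry event type inserted before the target for registry events. The extension, path and registry-key patterns are example policy that the project does not define. It is written in ES5 so it also loads under the JScript engine WelsonJS uses.

```javascript
// Added example, not WelsonJS's own code. Argument layout (inferred from the
// sample log on this page; an assumption):
//   onFileCreated      args = [ruleName, pid, image, targetFilename]
//   onNetworkConnected args = [ruleName, pid, image, destinationUrl]
//   onRegistryModified args = [ruleName, pid, image, eventType, targetObject]
// ruleName is "-" or a sysmon-modular tag such as
// "technique_id=T1571,technique_name=Non-Standard Port".
// ES5 on purpose: the same file loads under the JScript engine WelsonJS uses.

// "k1=v1,k2=v2" -> object; "-" (no rule matched) -> {}.
function parseRuleName(ruleName) {
    var tags = {};
    if (!ruleName || ruleName === "-") return tags;
    var parts = String(ruleName).split(",");
    for (var i = 0; i < parts.length; i++) {
        var eq = parts[i].indexOf("=");
        if (eq > 0) tags[parts[i].slice(0, eq)] = parts[i].slice(eq + 1);
    }
    return tags;
}

// "udp://fe80:0:0:0:faa7:67af:298e:fb1d:5353" -> {protocol, host, port}.
// The IPv6 host is not bracketed, so the port is whatever follows the last colon.
function parseDestination(url) {
    var m = /^([a-z]+):\/\/(.+)$/i.exec(String(url));
    if (!m) return null;
    var lastColon = m[2].lastIndexOf(":");
    if (lastColon < 0) return { protocol: m[1].toLowerCase(), host: m[2], port: null };
    return {
        protocol: m[1].toLowerCase(),
        host: m[2].slice(0, lastColon),
        port: parseInt(m[2].slice(lastColon + 1), 10)
    };
}

// Example policy (assumptions for this example; tune them to your environment).
var RISKY_EXTENSION = /\.(exe|dll|scr|ps1|vbs|js|hta|bat|cmd)$/i;
var USER_WRITABLE = /^[a-z]:\\(Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)|Windows\\Temp|ProgramData)\\/i;
var PERSISTENCE_KEY = /\\CurrentVersion\\Run(Once)?\\|\\Services\\[^\\]+\\ImagePath$|\\Winlogon\\(Shell|Userinit)$/i;
var LOCAL_DISCOVERY_PORTS = { 5353: "mDNS", 5355: "LLMNR", 1900: "SSDP" };

function fileCreatedVerdict(args) {
    var v = { pid: args[1], image: args[2], target: args[3], technique: parseRuleName(args[0]) };
    if (RISKY_EXTENSION.test(v.target) && USER_WRITABLE.test(v.target)) {
        v.severity = "high";
        v.reason = "executable content written to a user-writable location";
    } else {
        v.severity = "info";
        v.reason = "file created";
    }
    return v;
}

function networkConnectedVerdict(args) {
    var v = { pid: args[1], image: args[2], destination: parseDestination(args[3]), technique: parseRuleName(args[0]) };
    var d = v.destination;
    var linkLocal = !!d && /^(fe80:|224\.|239\.)/i.test(d.host);
    if (USER_WRITABLE.test(v.image)) {
        v.severity = "high";
        v.reason = "network connection from a binary in a user-writable location";
    } else if (linkLocal && LOCAL_DISCOVERY_PORTS[d.port]) {
        // mDNS/LLMNR/SSDP to link-local or multicast addresses is background noise,
        // even though sysmon-modular tags it T1571 as the log above shows.
        v.severity = "info";
        v.reason = "local discovery traffic (" + LOCAL_DISCOVERY_PORTS[d.port] + ")";
    } else if (v.technique.technique_id) {
        v.severity = "medium";
        v.reason = "matched " + v.technique.technique_id + " " + (v.technique.technique_name || "");
    } else {
        v.severity = "info";
        v.reason = "network connection";
    }
    return v;
}

function registryModifiedVerdict(args) {
    var v = { pid: args[1], image: args[2], eventType: args[3], target: args[4], technique: parseRuleName(args[0]) };
    if (/^(SetValue|CreateKey)$/i.test(v.eventType) && PERSISTENCE_KEY.test(v.target)) {
        v.severity = "high";
        v.reason = "write to an autostart or service key (persistence)";
    } else {
        v.severity = "info";
        v.reason = "registry " + v.eventType;
    }
    return v;
}

// The three entry points keep the return-a-string convention: the string is
// what ends up in the service log.
function formatVerdict(name, v) {
    return name + " received. [" + v.severity + "] " + v.reason + "; pid=" + v.pid + "; image=" + v.image;
}
function onFileCreated(args) { return formatVerdict("onFileCreated", fileCreatedVerdict(args)); }
function onNetworkConnected(args) { return formatVerdict("onNetworkConnected", networkConnectedVerdict(args)); }
function onRegistryModified(args) { return formatVerdict("onRegistryModified", registryModifiedVerdict(args)); }
```

The mDNS suppression is deliberate: sysmon-modular tags every non-standard destination port as T1571, so without a local-discovery exception the two svchost/msedge entries in the log above would be reported as findings on every machine. Keep the verdict functions pure (arguments in, object out) so the same policy can be unit-tested outside the service.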

For System Administrators or Security Analysts

MITRE ATT&CK

WelsonJS can be used together with MITRE ATT&CK (attack.mitre.org): the sysmon-modular configuration tags each Sysmon rule with the ATT&CK technique it covers (for example technique_id=T1571,technique_name=Non-Standard Port), and that tag arrives as the first argument of your listener. Follow the steps below:

  1. Download Sysinternals Sysmon (microsoft.com).

  2. Download the sysmon-modular configuration (github.com/olafhartong/sysmon-modular). The command below installs Sysmon and loads the configuration in one step; run it from an elevated (Administrator) prompt.

    sysmon.exe -accepteula -i sysmonconfig.xml
    
  3. In the WelsonJS configuration file (settings.ini), set DISABLE_FILE_MONITOR in the [Service] section to false.

    [Service]
    DISABLE_FILE_MONITOR=false
  4. Install and start the WelsonJS Service (use services.msc to start, stop and manage the service).

    installService.bat
    

    To debug, start the interactive service instead:

    startInteractiveService.bat
    
  5. Check the WelsonJS.Service.Log.txt log file, which is written to one of the following directories (typically the first when running as the Windows service, the second when running the interactive service as your own user):

    • C:\Windows\SystemTemp
    • C:\Users\<USERNAME>\AppData\Local\Temp

YARA signature matching

WelsonJS has a YARA signature matching (github.com/VirusTotal/yara) scenario for file events. The code will be released soon.
