Rurik / Noriben

Noriben - Portable, Simple, Malware Analysis Sandbox

How to whitelist System:4 process? #31

Closed juliaebner closed 4 years ago

juliaebner commented 5 years ago

I can add any processes to the whitelist (I normally just use the global one), but how do I add the process System:4 specifically? I wasn't able to use "System:4" in the normal regex and can't see how to include the specific process number (4) otherwise.

Rurik commented 5 years ago

Thanks! This should be something that's possible but I'll have to do some testing to check. And, if it currently can't be, get that functionality in.

juliaebner commented 5 years ago

Hi Rurik, I have just found a way to do it, at least for a workaround. All lines containing System:4 will be skipped and therefore not appended to the report. After line 949 (in the original file), just after "try:", I have added the following:

```python
try:
    # Skip every Procmon event from the System process (PID 4) so it is
    # not appended to the report.
    if (field[1] == 'System' and field[2] == '4'):
        continue
    # ... the existing body of the try block continues here
```

Rurik commented 5 years ago

Thanks! My only worry is for malware that may be reflective loading and inject back into System.

There are variants of Chimera ransomware that do this. Rare, but a dramatic thing to potentially overlook.

It may be best to exclude from procmon while it is running, before it gets to parsing the output. However, I will look into ways to optionally add it as a filter.

[Screenshot attached: Screen Shot 2019-08-29 at 8 07 00 PM]

Hash: 1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

juliaebner commented 5 years ago

Thanks, that is good to know! I have just added a WriteFile operation to Noriben by copy-pasting the "elif field[3] == 'CreateFile' and field[5] == 'SUCCESS':" section and replacing all instances of Create with Write, to see what happens. Since System:4 seems to have many legitimate uses of WriteFile as well, I think I will just use my original approach for now and keep an eye out for unusual activities in ProcMon.
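The thread above raises two points: matching the process as exactly `System:4` (name plus PID) rather than with a name regex, and Rurik's caveat that suppressing everything from System could hide malware that injects into it. The following is an added example, not Noriben's own code, showing one way to combine both: a whitelist of exact `Name:PID` entries that can optionally be narrowed to a single operation (`Name:PID:Operation`), so System:4's noisy WriteFile and registry traffic can be dropped while its other operations still reach the report. The `Name:PID[:Operation]` syntax is a hypothetical design for this example, and the Procmon CSV rows are constructed; the column order is Procmon's default CSV export, which is what Noriben's `field[1]`, `field[2]`, `field[3]` and `field[5]` index into.

```python
import csv
import io
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of Procmon CSV export rows, in Procmon's default column
# order (Time of Day, Process Name, PID, Operation, Path, Result, Detail).
# Noriben's field[1]/field[2]/field[3]/field[5] in the thread above are
# Process Name, PID, Operation and Result respectively.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:07:00.0000001 PM","System","4","WriteFile","C:\\Windows\\Temp\\log.etl","SUCCESS","Offset: 0, Length: 4,096"
"8:07:00.0000002 PM","System","4","CreateFile","C:\\Users\\lab\\evil.exe","SUCCESS","Desired Access: Generic Write"
"8:07:00.0000003 PM","SystemSettings.exe","1234","CreateFile","C:\\Users\\lab\\notes.txt","SUCCESS","Desired Access: Generic Read"
"8:07:00.0000004 PM","System","4","RegQueryValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip","SUCCESS","Type: REG_DWORD"
"8:07:00.0000005 PM","malware.exe","5678","CreateFile","C:\\Users\\lab\\dropped.dll","SUCCESS","Desired Access: Generic Write"
"""

# (process name lowercased, PID as a string, operation or None meaning "all operations")
WhitelistEntry = Tuple[str, str, Optional[str]]


def parse_whitelist(entries: List[str]) -> Set[WhitelistEntry]:
    """Parse 'Name:PID' or 'Name:PID:Operation' strings into exact-match tuples.
    This entry syntax is hypothetical for the example, not Noriben's own format."""
    parsed: Set[WhitelistEntry] = set()
    for entry in entries:
        parts = entry.split(":")
        if len(parts) == 2:
            name, pid = parts
            operation: Optional[str] = None
        elif len(parts) == 3:
            name, pid, operation = parts
        else:
            raise ValueError(f"bad whitelist entry: {entry!r}")
        if not pid.isdigit():
            raise ValueError(f"PID must be numeric in {entry!r}")
        parsed.add((name.lower(), pid, operation))
    return parsed


def is_whitelisted(name: str, pid: str, operation: str,
                   whitelist: Set[WhitelistEntry]) -> bool:
    """Exact name+PID match (case-insensitive on the name), so 'System:4' never
    swallows e.g. 'SystemSettings.exe' the way a bare 'System' regex would.
    A per-operation entry suppresses only that one operation."""
    key = name.lower()
    return (key, pid, None) in whitelist or (key, pid, operation) in whitelist


def filter_events(csv_text: str, whitelist: Set[WhitelistEntry]) -> List[Dict[str, str]]:
    """Return the Procmon rows that survive the whitelist, in input order."""
    kept: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_whitelisted(row["Process Name"], row["PID"], row["Operation"], whitelist):
            continue  # same effect as the 'continue' in the workaround above
        kept.append(row)
    return kept


def describe(rows: List[Dict[str, str]]) -> List[str]:
    """One 'Name:PID Operation Path' line per kept event, for the report."""
    return [f'{r["Process Name"]}:{r["PID"]} {r["Operation"]} {r["Path"]}' for r in rows]


if __name__ == "__main__":
    # Suppress only System:4's WriteFile and RegQueryValue noise; its write of a
    # new .exe (the kind of event Rurik's caveat is about) still reaches the report.
    narrow = parse_whitelist(["System:4:WriteFile", "System:4:RegQueryValue"])
    for line in describe(filter_events(SAMPLE_CSV, narrow)):
        print(line)
```

With the narrow whitelist, the two System:4 rows for WriteFile and RegQueryValue are dropped, the System:4 CreateFile of `evil.exe` is kept, and `SystemSettings.exe` is untouched because its name and PID do not match exactly. A bare `System:4` entry behaves like the workaround in the thread and drops every System:4 row.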