
Location of SMaster64.exe?

Open xme opened this issue 1 year ago • 1 comment

In sysmon.py, I read this:

        # First figure out what architecture the system is running (x64 or x86)
        bin_path = os.path.join(os.getcwd(), "bin")

        if "Windows" in platform.uname():
            if "AMD64" in platform.uname():
                sysmon = os.path.join(bin_path, "SMaster64.exe")
            else:
                sysmon = os.path.join(bin_path, "SMaster32.exe")
        # TODO: Platform is Linux, add support for https://github.com/Sysinternals/SysmonForLinux
        else:
            self.enabled = False
            return False

        config_file = os.path.join(bin_path, "sysmonconfig-export.xml")
        if not os.path.exists(sysmon) or not os.path.exists(config_file):
            raise CuckooPackageError(
                "In order to use the Sysmon functionality, it "
                "is required to have the SMaster(64|32).exe file and "
                "sysmonconfig-export.xml file in the bin path. Note that the SMaster(64|32).exe files are "
                "just the standard Sysmon binaries renamed to avoid anti-analysis detection techniques."
            )

Where do I need to store the files? os.getcwd() is based on the agent.py location on the guest?

xme avatar May 15 '24 09:05 xme
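The point behind the question is that `os.getcwd()` returns the working directory of the process, not the directory that holds the script, so where the `bin` folder is found depends on how the analyzer is launched. The following is an added example, not code from the CAPE/Cuckoo project: it reimplements the same architecture/filename selection as the quoted snippet, adds a pre-flight check that lists which of the two expected files are missing, and contrasts `os.getcwd()` with the script's own directory. The `pick_sysmon_binary`, `check_sysmon_files`, `cwd_vs_script_dir` and `demo` names are assumptions made here; the temporary `bin/` layout is constructed for the demonstration.

```python
import os
import platform
import tempfile


def pick_sysmon_binary(bin_path, system=None, machine=None):
    """Mirror the selection logic quoted from sysmon.py: choose the renamed
    Sysmon binary by OS and CPU architecture.  Returns None when the platform
    is not Windows (the original disables the package in that case).
    system/machine default to the live platform but can be injected for tests."""
    system = system or platform.system()
    machine = machine or platform.machine()
    if system != "Windows":
        return None
    name = "SMaster64.exe" if machine == "AMD64" else "SMaster32.exe"
    return os.path.join(bin_path, name)


def check_sysmon_files(bin_path, system=None, machine=None):
    """Return (sysmon_path, config_path, missing).  'missing' lists the
    expected files that are absent, so a deployment can be verified up front
    instead of failing with CuckooPackageError inside the analysis package."""
    sysmon = pick_sysmon_binary(bin_path, system, machine)
    config = os.path.join(bin_path, "sysmonconfig-export.xml")
    missing = [p for p in (sysmon, config) if p and not os.path.exists(p)]
    return sysmon, config, missing


def cwd_vs_script_dir(script_file):
    """Return (working directory, directory containing script_file).
    The two differ whenever the process is started from another directory,
    which is why a cwd-relative 'bin' path can silently point elsewhere."""
    return os.getcwd(), os.path.dirname(os.path.abspath(script_file))


def demo():
    """Constructed layout: a temp dir with bin/ holding only the config file.
    Shows the check reporting the missing 64-bit binary for a Windows/AMD64 guest."""
    with tempfile.TemporaryDirectory() as root:
        bin_path = os.path.join(root, "bin")
        os.makedirs(bin_path)
        with open(os.path.join(bin_path, "sysmonconfig-export.xml"), "w") as fh:
            fh.write("<Sysmon/>")  # placeholder content, not a real Sysmon config
        sysmon, _config, missing = check_sysmon_files(bin_path, "Windows", "AMD64")
        return os.path.basename(sysmon), [os.path.basename(m) for m in missing]


if __name__ == "__main__":
    print(demo())
    print(cwd_vs_script_dir(__file__))
```

Running `demo()` yields `('SMaster64.exe', ['SMaster64.exe'])`: the selection resolves to the 64-bit name and the check reports that binary as missing while the config is present. Printing `cwd_vs_script_dir(__file__)` from a different working directory shows the two paths diverging, which is the situation the question is really about.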

I would say here: analyzer/windows/bin

doomedraven avatar May 15 '24 10:05 doomedraven

Did it work?

doomedraven avatar May 24 '24 06:05 doomedraven

Sorry, I forgot to give feedback. Yes, it works. Sysmon is not always returning data but it was a few times.

xme avatar May 24 '24 19:05 xme