Re: Registry and File Monitoring Programs for Windows Honeypots

["Randy Welborn" <randy () securecomp net>]

----- Original Message ----- 
From: "Chris Brenton" <cbrenton () chrisbrenton org>
To: <honeypots () securityfocus com>
Sent: Sunday, August 31, 2003 10:49 AM
Subject: Re: Registry and File Monitoring Programs for Windows Honeypots


> Mark E. Donaldson wrote:
> > Although it was made for cloning Windows systems, the W2K Resource
Kit
> > Utility "Sysdiff" is excellent for detecting "any" change that
occurs in a
> > Windows machine.
>
> There has been some cool tool ideas suggested, but I guess it really
> comes down to what you are using the honeypot for. If its to see what
a
> specific worm or rootkit does to a system, the tools mentioned are
cool
> as you can easily do a before and after snapshot (one caveat, the tool
> should always do an MD5 and/or SHA-1 check of the file).
>
> If its for a honeypot that will be hanging on the wire however, you
> typically want to see these things live as they happen. Some criteria
I
> look for:
>
> Monitor file system changes
> Monitor new processes that get launched in memory
> Little to no extra software on the system to suggest its a honeypot
> Some way to record all this data off to a remote (secured) system

Ummm, "grr" will do all the above and is a small little utility that
I've used for years with windows systems. Well written, stable, small
footprint. And No, I don't know the author but Do recommend it highly.

http://www.greyware.com/software/grr/index.asp

> There are plenty of tools to do all this on the UNIX side. I'm not
> exactly sure how you would pull it off on the Windows side, but maybe
> Lance and others more savvy can chime in here.
>
> Cheers all,
> Chris

Best,
®andy