Sysmon event simulation utility that Blue teams can use to simulate attacks and generate Sysmon event logs for testing EDR detections and correlation rules.

Overview

SysmonSimulator

SysmonSimulator is an open-source Windows event simulation utility written in C that uses Windows APIs to simulate most of the attacks listed below. Blue teams can use it to test EDR detections and correlation rules. I have created it to generate attack data for the relevant Sysmon Event IDs.

Blogpost:

This tool is explained in the blog post: https://rootdse.org/posts/understanding-sysmon-events/

Attacks are covered for the following important Windows events:

  • Process Events: Process Creation, Process Termination, Process Access
  • File Events: File Create, File Create Time Change, File Stream Creation Hash, File Delete, File Delete Detected
  • Named Pipes Events: Named Pipe Creation, Named Pipe Connect events
  • Registry Actions: Registry Object create and delete, Value Set, Key and Value Rename
  • Image Loading
  • Network Connections
  • Create Remote Thread
  • Raw Access Read
  • DNS Query
  • WMI Events
  • Clipboard Capture
  • Process Image Tampering

 __                        __
(_      _ ._ _   _  ._    (_  o ._ _      |  _. _|_  _  ._
__) \/ _> | | | (_) | |   __) | | | | |_| | (_|  |_ (_) |
    /
                                            by @ScarredMonk

Sysmon Simulator v0.1 - Sysmon event simulation utility
    A Windows utility to simulate Sysmon event logs

Usage:
Run simulation : .\SysmonSimulator.exe -eid <event id>
Show help menu : .\SysmonSimulator.exe -help

Example:
SysmonSimulator.exe -eid 1

Parameters:
-eid 1  : Process creation
-eid 2  : A process changed a file creation time
-eid 3  : Network connection
-eid 5  : Process terminated
-eid 6  : Driver loaded
-eid 7  : Image loaded
-eid 8  : CreateRemoteThread
-eid 9  : RawAccessRead
-eid 10 : ProcessAccess
-eid 11 : FileCreate
-eid 12 : RegistryEvent - Object create and delete
-eid 13 : RegistryEvent - Value Set
-eid 14 : RegistryEvent - Key and Value Rename
-eid 15 : FileCreateStreamHash
-eid 16 : ServiceConfigurationChange
-eid 17 : PipeEvent - Pipe Created
-eid 18 : PipeEvent - Pipe Connected
-eid 19 : WmiEvent - WmiEventFilter activity detected
-eid 20 : WmiEvent - WmiEventConsumer activity detected
-eid 21 : WmiEvent - WmiEventConsumerToFilter activity detected
-eid 22 : DNSEvent - DNS query
-eid 24 : ClipboardChange - New content in the clipboard
-eid 25 : ProcessTampering - Process image change
-eid 26 : FileDeleteDetected - File Delete logged

Description:
Enter an event ID from the parameter list above; the related Windows API function is called
to simulate the attack, and a Sysmon event log entry is generated that can be viewed in the Windows Event Viewer

Prerequisite:
Sysmon must be installed on the system
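
As an added example (not part of SysmonSimulator itself), the following PowerShell harness runs the simulator for each event ID it advertises and then checks the Sysmon operational log for the matching event, so a Blue team can see which IDs its Sysmon configuration or log pipeline misses. The simulator path, the timeout and the set of IDs treated as interactive (5 and 10 prompt for a PID, and the WMI simulations are assumed to be 19 to 21, per the issues below) are assumptions.

```powershell
# Added example, not SysmonSimulator's own code. Run from an elevated PowerShell
# on a host with Sysmon installed; the Sysmon log is readable only by administrators.
$SimulatorPath = '.\SysmonSimulator.exe'                 # assumption: simulator in cwd
$SysmonLog     = 'Microsoft-Windows-Sysmon/Operational'

# Event IDs from the tool's help output. Some simulations prompt for input
# (5 and 10 ask for a PID; the WMI ones are assumed to be 19-21), so they are
# skipped unless -Interactive is given.
$AllEventIds         = 1,2,3,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,24,25,26
$InteractiveEventIds = 5,10,19,20,21

function Test-SysmonSimulation {
    param(
        [Parameter(Mandatory)][int]$EventId,
        [int]$TimeoutSeconds = 15
    )
    $start = (Get-Date).AddSeconds(-2)   # small allowance for event timestamp skew
    Start-Process -FilePath $SimulatorPath -ArgumentList "-eid $EventId" -Wait -NoNewWindow

    # Poll the Sysmon operational log until the event appears or we time out.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $events = Get-WinEvent -FilterHashtable @{
            LogName   = $SysmonLog
            Id        = $EventId
            StartTime = $start
        } -ErrorAction SilentlyContinue
        if ($events) { break }
        Start-Sleep -Milliseconds 500
    } while ((Get-Date) -lt $deadline)

    [pscustomobject]@{
        EventId   = $EventId
        Detected  = [bool]$events
        Count     = @($events).Count
        FirstSeen = if ($events) { @($events)[0].TimeCreated } else { $null }
    }
}

function Invoke-SysmonSimulationSweep {
    param([switch]$Interactive)
    $ids = if ($Interactive) { $AllEventIds }
           else { $AllEventIds | Where-Object { $_ -notin $InteractiveEventIds } }
    foreach ($id in $ids) { Test-SysmonSimulation -EventId $id }
}

# Report the event IDs that produced no Sysmon event: candidate config or pipeline gaps.
Invoke-SysmonSimulationSweep | Where-Object { -not $_.Detected } | Format-Table -AutoSize
```
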

Issues
  • Consider removing interactivity requirement for process terminate and process access events

    Instead of prompting for the ID of the process to terminate or access, just create a new, hidden notepad instance and operate on that instance.

    This code is super helpful not just for learning but also for load and unit testing new Sysmon releases. Thank you!

    opened by dstaulcu 1
  • Not able to generate eid 24 remotely

    I'm working on a CI project where one of the tasks is to generate all Sysmon EIDs. Infrastructure is built automatically and events are to be generated automatically as well. Ansible is used, so WinRM is used for communication and commands are executed in PowerShell. I was able to generate most of the unique events but there is an issue with a few.

    EID 24 is generated when commands are called locally (Set-Clipboard Hello ; Set-Clipboard 123 -Append ; Get-Clipboard -Raw), but when calling the same remotely, the event is not generated. To replicate the remote call, Python code like this can be executed:

    ```python
    import winrm

    host = ''
    domain = ''
    user = 'Administrator'
    password = ''

    # WinRM session over NTLM (as Ansible uses); the clipboard commands run in remote PowerShell
    session = winrm.Session(host, auth=('{}@{}'.format(user, domain), password), transport='ntlm')
    result = session.run_ps('Set-Clipboard Hello ; Set-Clipboard 123 -Append ; Get-Clipboard -Raw')

    print(result)
    print(result.std_out)
    print(result.std_err)
    ```

    The surprising thing is that the output from the remote call is `b'Hello\r\n123\r\n'`, which suggests the clipboard was set correctly.

    I tried SysmonSimulator locally and remotely with exactly the same result. EID 24 was generated when run locally, but did not appear when called remotely, despite exactly the same output.

    opened by hsekowski 1
  • Consider removal of interactivity for wmiactivity event

    See lines 920 to 967 in a similar project of mine to fully automate each activity type. I'm jealous you were able to get things done with such concise code.

    Also, for convenience, here is a sample sysmon configuration file that attempts to tighten sysmon logging to only events produced by sysmonsimulator.

    opened by dstaulcu 0
Releases(0.2)
Owner
Scarred Monk
Senior Security Researcher @Zscaler