User description

Inspired by Kubecraftadmin, this project lets you monitor and detect intrusions across an entire Windows domain, while still mining mad diamonds. You can also see this demo video of SIEMCRAFT VR.

## How it works

SIEMCRAFT is an application consisting of a standalone executable controller and a Minecraft add-on, designed to let users manage and respond to security alerts from within Minecraft. The project consists of several components:

### Event Log collector

RawSec's Win32 library allows SIEMCRAFT to subscribe to different Windows Event Logs. This lets SIEMCRAFT collect events from:

- Microsoft Sysmon
- ETW (via Sealighter)
- The Security, System, and Application event logs

Using Windows Event Forwarding (WEF), you can run SIEMCRAFT on the central collector machine and gather events from an entire Windows domain.

### SIGMA Rule detection engine

SIEMCRAFT then runs the events through a user-supplied list of SIGMA detection rules, using Bradley Kemp's library, to identify malicious and suspicious activity in the raw events. The SigmaHQ ruleset can also be used.

### Entity generator

If a rule detects suspicious behaviour, it triggers the creation of a new entity in the player's Minecraft world, near the player. The entity displays information about:

- The name of the rule that fired
- The machine name
- The user responsible for the process that triggered it
- Image, CommandLine and PID of the process
- Image and PID of the parent process
- Other relevant information

Different types of entities are created depending on the level of the detection:

- Low: Chicken
- Medium: Cow or Pig
- High: Spider, Panda, or Bear

### Player action responder

If a player wielding a Diamond Sword kills the entity, SIEMCRAFT kills the process (or its parent) that the entity represents, provided the process image is not one of:

- cmd.exe
- pwsh.exe
- powershell.exe
- wword.exe

If the entity is killed by any other method, the event is silently discarded.

(Diagram showing how it functions.)

## Building

You can grab pre-built artefacts from the release page. There are two components that can be built:

- Binary Controller
- Minecraft Add-ons

### Minecraft Add-ons

There are three Minecraft add-ons, including a 'behaviour pack' and an 'entity pack'. Packs are ZIPs and can be merged into a single .mcaddon ZIP file for additional portability.

### Rules

You will also need SIGMA rules for SIEMCRAFT to compare raw events against. You can use the ones in this repository's rules directory, or the SIGMA community rules. Note that not all of these rules work with SIEMCRAFT (see this discussion).

## Installation

Place the siemcraft binary anywhere on the machine where the event logs are being created (usually the same machine that hosts Minecraft).

To install the Minecraft add-on, double-click the .mcpack on the machine running the Minecraft client. The pack should be installed, which you can confirm under Settings in Minecraft.

## Running

### Controller

Start the SIEMCRAFT controller binary from an elevated prompt and give it the path to the folder containing the SIGMA rules. These command-line options are supported by SIEMCRAFT:

### Add-ons

First, if you are running SIEMCRAFT on the same host as the Minecraft client, you must allow Minecraft to connect to your local network. This can be done from an elevated PowerShell prompt:

Next, create a brand new Minecraft world with the following options:

- All cheats and tests enabled (including GameTest)
- Achievements turned off
- The SIEMCRAFT Resource and SIEMCRAFT Behaviour packs activated

After the world has been created, open the console and type the following command to connect to the SIEMCRAFT controller. By default, the IP address and port are:

You will see a positive confirmation in both the Minecraft UI and the controller's output.
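Putting the components described under "How it works" together, here is an added Python sketch (not the project's own code) of the detect, spawn and respond flow: a minimal SIGMA selection matcher, the severity-to-entity mapping, and the responder's Diamond Sword and protected-image checks. The rule and event are constructed samples; the event field names follow Sysmon event ID 1.

```python
import fnmatch
import random

# Severity -> entity mapping and the images the responder never kills (both from the README).
ENTITY_BY_LEVEL = {"low": ["chicken"], "medium": ["cow", "pig"],
                   "high": ["spider", "panda", "bear"]}
PROTECTED_IMAGES = {"cmd.exe", "pwsh.exe", "powershell.exe", "wword.exe"}

# Constructed sample rule (SigmaHQ-style selection) and a Sysmon event ID 1 style event.
SAMPLE_RULE = {"title": "Encoded PowerShell Command Line", "level": "high",
               "detection": {"selection": {"Image|endswith": "\\powershell.exe",
                                           "CommandLine|contains": " -enc "}}}
SAMPLE_EVENT = {
    "Computer": "WS01", "User": "CORP\\alice", "ProcessId": 4242, "ParentProcessId": 1234,
    "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEA",
    "ParentImage": "C:\\Windows\\explorer.exe",
}

def sigma_match(rule, event):
    """Minimal SIGMA selection matcher: every field in 'selection' must match.
    Handles the 'endswith' and 'contains' modifiers; plain fields use wildcards."""
    for key, wanted in rule["detection"]["selection"].items():
        field, _, modifier = key.partition("|")
        value = str(event.get(field, "")).lower()
        wanted = [w.lower() for w in (wanted if isinstance(wanted, list) else [wanted])]
        if modifier == "endswith":
            ok = any(value.endswith(w) for w in wanted)
        elif modifier == "contains":
            ok = any(w in value for w in wanted)
        else:
            ok = any(fnmatch.fnmatchcase(value, w) for w in wanted)
        if not ok:
            return False
    return True

def spawn_entity(rule, event):
    """Describe the entity SIEMCRAFT would spawn next to the player for a match."""
    return {"kind": random.choice(ENTITY_BY_LEVEL[rule["level"]]), "rule": rule["title"],
            "machine": event.get("Computer"), "user": event.get("User"),
            "image": event.get("Image"), "cmdline": event.get("CommandLine"),
            "pid": event.get("ProcessId"), "parent_image": event.get("ParentImage"),
            "parent_pid": event.get("ParentProcessId")}

def respond(entity, weapon):
    """Responder decision: PID to terminate, or None when the kill is discarded."""
    if weapon != "diamond_sword":
        return None  # any other kill method is silently discarded
    if entity["image"].rsplit("\\", 1)[-1].lower() in PROTECTED_IMAGES:
        return None  # protected image (e.g. powershell.exe) is never killed
    return entity["pid"]
```

Note that the sample event matches the rule but its image is powershell.exe, so a Diamond Sword kill still returns no PID; the responder only acts on images outside the protected list.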
## Why would you do this?

You can see the blog post here. Because I was bored, and because I'm an idiot. I also presented this "work" at an event in the local security community. You can view the slides here (but the blog has more info, and the talk wasn't recorded).