@sunatm69
Profile
Registered: 1 year, 9 months ago
GitHub - Pathtofile/siemcraft: Security Information And Event Management In Minecraft

This project was inspired by Kubecraftadmin. It lets you monitor your entire Windows domain and identify attacks while also mining mad diamonds. You can also watch the demo video of SIEMCRAFT VR.

How it works

SIEMCRAFT is a standalone executable controller plus a Minecraft add-on, designed to let a user manage and respond to security alerts from inside Minecraft. The project is made up of the following components:
- Event Log collector
- SIGMA rule detection engine
- Entity generator
- Player action responder

Event Log collector: RawSec's Win32 library lets SIEMCRAFT subscribe to various Windows event logs. This allows SIEMCRAFT to track events from:
- Microsoft Sysmon
- ETW (via Sealighter)
- the Security, System and Application logs
Using Windows Event Forwarding (WEF), you can run SIEMCRAFT on a central machine and collect events from the entire Windows domain.

SIGMA rule detection engine: SIEMCRAFT then runs the events through a user-supplied list of SIGMA detection rules, using Bradley Kemp's library, to detect suspicious and malicious activity in the raw events. SigmaHQ's ruleset is also supported.

Entity generator: when a rule detects suspicious activity, a new entity is spawned in the player's Minecraft world, near the player. The entity displays:
- the name of the rule that was triggered
- the machine name the rule was triggered on
- the user account responsible for the process that triggered the rule
- the Image, CommandLine and PID of the process
- the Image and PID of the parent process
- other relevant information
Different types of entity are created depending on the detection severity (Low: Chicken).

Player action responder: if the entity is killed by a player wielding the Diamond Sword, SIEMCRAFT kills the offending process (or its parent), provided the process image is not one of:
- cmd.exe
- pwsh.exe
- powershell.exe
- wword.exe
If the entity is killed by any other means, the event is quietly dismissed.

Building

Pre-built artifacts are on the release page. There are two parts that can be built: the binary controller and the Minecraft add-ons. There are three Minecraft add-ons: a "behaviour pack" and an "entity pack". They are simply ZIP files, which can be combined into a single .mcaddon ZIP for extra portability.

Rules: you will also need some SIGMA rules for SIEMCRAFT to match raw events against. Either use the ones in this repository's rules directory or the SIGMA community rules; not all of those rules may work with SIEMCRAFT, so check out the linked discussion.

Installing

Place the Siemcraft binary anywhere on the machine where the event logs are being created (usually the same machine that hosts Minecraft). To install the Minecraft add-on, double-click the .mcpack on the computer running the Minecraft client. You can confirm the pack is installed under Settings in Minecraft.

Running

Controller: start the SIEMCRAFT controller from an elevated prompt, giving it the path to the folder that contains the SIGMA rules. Siemcraft accepts the following commands:

Add-ons: first, if you run SIEMCRAFT on the same local host as the Minecraft client, you must allow Minecraft to connect to your local network. Run this in an elevated PowerShell:

Then create a new Minecraft world with the following options:
- all cheats and experiments enabled (including GameTest), and achievements disabled
- the SIEMCRAFT "Resource" and "Behaviour" packs activated

Once the world is created, open the console and enter this command to connect to the SIEMCRAFT controller. By default, the IP address and port are:

You will see positive output both in the Minecraft UI and in the controller's output.

Why would you make this? You can see the blog post here. The reason: I was bored, and I am a fool. This "work" was also presented at a local security meetup. You can see the slides here, but the blog post has more detail and the presentation wasn't recorded.
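The event -> SIGMA rule -> entity -> response pipeline described above, reduced to a runnable miniature. This is an added example, not SIEMCRAFT's own code: the real project uses Bradley Kemp's sigma-go library and Windows Event Log/ETW sources, whereas the rule matcher, the Sysmon-like events and the rule itself below are constructed for illustration. Only the low-severity-to-chicken mapping and the four protected process images come from the page text; every other value is an assumption.

```python
"""Miniature of the SIEMCRAFT pipeline: match a SIGMA-style rule against
process-creation events, build the alert entity, and decide the response.
Added example; not code from the siemcraft repository."""

# Constructed SIGMA-style rule: a single selection block whose field
# conditions are AND-ed. A list value means "any of". Only the "|endswith"
# and "|contains" modifiers (plus exact match) are implemented here.
RULE = {
    "title": "Office application spawning a child process (constructed)",
    "level": "low",
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe"],
        },
        "condition": "selection",
    },
}

# Images the responder refuses to kill, as listed on the page
# (including the page's own spelling of wword.exe).
PROTECTED_IMAGES = {"cmd.exe", "pwsh.exe", "powershell.exe", "wword.exe"}

# Only the low -> chicken mapping is stated on the page; other severities
# are deliberately left unmapped rather than guessed.
ENTITY_BY_LEVEL = {"low": "chicken"}


def _field_matches(event, key, wanted):
    """Evaluate one 'Field|modifier': value(s) condition against an event."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    candidates = wanted if isinstance(wanted, list) else [wanted]
    for w in candidates:
        w = str(w).lower()
        if modifier == "endswith" and value.endswith(w):
            return True
        if modifier == "contains" and w in value:
            return True
        if modifier == "" and value == w:
            return True
    return False


def rule_matches(rule, event):
    """True when every field condition in the rule's selection matches."""
    selection = rule["detection"]["selection"]
    return all(_field_matches(event, k, v) for k, v in selection.items())


def build_entity(rule, event):
    """The alert entity SIEMCRAFT spawns: rule name plus the process facts
    the page says the entity displays."""
    return {
        "entity_type": ENTITY_BY_LEVEL.get(rule["level"], "unmapped-on-page"),
        "rule": rule["title"],
        "host": event["Computer"],
        "user": event["User"],
        "image": event["Image"],
        "command_line": event["CommandLine"],
        "pid": event["ProcessId"],
        "parent_image": event["ParentImage"],
        "parent_pid": event["ParentProcessId"],
    }


def respond(entity, killed_with_diamond_sword):
    """Player action responder: return the PID to terminate, or None when
    the event is dismissed (wrong weapon, or a protected process image)."""
    if not killed_with_diamond_sword:
        return None  # killed by any other means: quietly dismissed
    image_name = entity["image"].rsplit("\\", 1)[-1].lower()
    if image_name in PROTECTED_IMAGES:
        return None  # never kill the operator's own shells or Word
    return entity["pid"]


# Constructed Sysmon-like process-creation events (not real telemetry).
EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ProcessId": 4242, "ParentImage": "C:\\Office\\winword.exe", "ParentProcessId": 1000},
    {"Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "CommandLine": "updater.exe",
     "ProcessId": 4343, "ParentImage": "C:\\Office\\winword.exe", "ParentProcessId": 1000},
    {"Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\notepad.exe", "CommandLine": "notepad.exe",
     "ProcessId": 4444, "ParentImage": "C:\\Windows\\explorer.exe", "ParentProcessId": 900},
]


def run_pipeline(events=EVENTS, rule=RULE):
    """Return one entity per event that matched the rule, in event order."""
    return [build_entity(rule, e) for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    for ent in run_pipeline():
        print(ent["entity_type"], "spawned for", ent["rule"], "on", ent["host"])
        print("  diamond sword ->", respond(ent, True),
              "| other cause ->", respond(ent, False))
```

Running it spawns two chickens (the cmd.exe and updater.exe children of winword.exe) and none for notepad.exe. Slaying the cmd.exe chicken with the Diamond Sword returns None because cmd.exe is on the protected list, while the updater.exe chicken yields PID 4343; any other cause of death is dismissed. The protected list is the caveat worth keeping in mind for a real deployment: the responder is a blunt instrument, so an allowlist of administrative shells is what stops a misfiring rule from terminating the operator's own session.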
Website: https://poehartmann44.livejournal.com/profile
Forums
Topics Started: 0
Replies Created: 0
Forum Role: Participant