Sysmon event simulation utility which can be used to simulate the attacks to generate the Sysmon Event logs for testing the EDR detections and correlation rules by Blue teams.

SysmonSimulator

SysmonSimulator is an open-source Windows event simulation utility written in C that can be used to simulate most of the attacks using Windows APIs. It can be used by Blue teams for testing EDR detections and correlation rules. I created it to generate attack data for the relevant Sysmon Event IDs.

Blogpost:

This tool has been explained in the blogpost: https://rootdse.org/posts/understanding-sysmon-events/

Attacks are covered for important Windows events as follows:

  • Process Events: Process Creation, Process Termination, Process Access
  • File Events: File Create, File Create Time Change, File Stream Creation Hash, File Delete, File Delete Detected
  • Named Pipes Events: Named Pipe Creation, Named Pipe Connect events
  • Registry Actions: Registry Object create and delete, Value Set, Key and Value Rename
  • Image Loading
  • Network Connections
  • Create Remote Thread
  • Raw Access Read
  • DNS Query
  • WMI Events
  • Clipboard Capture
  • Process Image Tampering
 __                        __
(_      _ ._ _   _  ._    (_  o ._ _      |  _. _|_  _  ._
__) \/ _> | | | (_) | |   __) | | | | |_| | (_|  |_ (_) |
    /
                                            by @ScarredMonk

Sysmon Simulator v0.1 - Sysmon event simulation utility
    A Windows utility to simulate Sysmon event logs

Usage:
Run simulation : .\SysmonSimulator.exe -eid <event id>
Show help menu : .\SysmonSimulator.exe -help

Example:
SysmonSimulator.exe -eid 1

Parameters:
-eid 1  : Process creation
-eid 2  : A process changed a file creation time
-eid 3  : Network connection
-eid 5  : Process terminated
-eid 6  : Driver loaded
-eid 7  : Image loaded
-eid 8  : CreateRemoteThread
-eid 9  : RawAccessRead
-eid 10 : ProcessAccess
-eid 11 : FileCreate
-eid 12 : RegistryEvent - Object create and delete
-eid 13 : RegistryEvent - Value Set
-eid 14 : RegistryEvent - Key and Value Rename
-eid 15 : FileCreateStreamHash
-eid 16 : ServiceConfigurationChange
-eid 17 : PipeEvent - Pipe Created
-eid 18 : PipeEvent - Pipe Connected
-eid 19 : WmiEvent - WmiEventFilter activity detected
-eid 20 : WmiEvent - WmiEventConsumer activity detected
-eid 21 : WmiEvent - WmiEventConsumerToFilter activity detected
-eid 22 : DNSEvent - DNS query
-eid 24 : ClipboardChange - New content in the clipboard
-eid 25 : ProcessTampering - Process image change
-eid 26 : FileDeleteDetected - File Delete logged

Description:
Enter an event ID from the parameters list above; the related Windows API function is called to simulate
the attack, and a Sysmon event log is generated that can be viewed in the Windows Event Viewer.

Prerequisite:
Sysmon must be installed on the system
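The following PowerShell script is an added example and not part of SysmonSimulator: it runs every event ID from the Parameters list and checks the Sysmon operational log to confirm that the expected event was written, which is the verification step a detection engineer would want after each simulation. It assumes SysmonSimulator.exe is in the current directory and the shell is elevated (reading the Sysmon log requires it).

```powershell
# Added example, not the project's own code: run each simulation and confirm the
# matching event reached the Sysmon operational log.
$Simulator = '.\SysmonSimulator.exe'      # assumed path to the binary
$LogName   = 'Microsoft-Windows-Sysmon/Operational'
# Event IDs taken from the Parameters list above
$EventIds  = 1,2,3,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,24,25,26
$SettleSeconds = 3                          # give Sysmon time to write the event

$results = foreach ($eid in $EventIds) {
    $start = (Get-Date).AddSeconds(-1)      # only count events newer than this run
    & $Simulator -eid $eid                  # interactive EIDs prompt on the console
    Start-Sleep -Seconds $SettleSeconds

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        Id        = $eid
        StartTime = $start
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        EventId = $eid
        Logged  = [bool]$events
        Count   = @($events).Count
        # First line of the newest event's message, useful when tuning config exclusions
        Sample  = if ($events) { ($events | Select-Object -First 1).Message.Split("`n")[0] } else { '' }
    }
}

$results | Format-Table -AutoSize
$missing = $results | Where-Object { -not $_.Logged }
if ($missing) {
    Write-Warning ("No Sysmon event observed for EID(s): " + ($missing.EventId -join ', '))
}
```

Because the simulator itself produces an EID 1 on start and an EID 5 on exit, a hit for those two IDs does not prove the simulated action was logged; inspect the Sample column or the event's Image field for those cases.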
Owner: Scarred Monk (Senior Security Researcher @Zscaler)
Comments
  • Consider removing interactivity requirement for process terminate and process access events

    Instead of prompting for the ID of a process to terminate or access, just create a new, hidden notepad instance and operate on that instance.

    This code is super helpful not just for learning but also for load and unit testing new sysmon releases. Thank you!

  • sysmon logs do not show eid25

    Upon running the command SysmonSimulator.exe -eid 25 I see 3 events logged:

    1. eid 1 for self
    2. eid 1 for Cmd.Exe &
    3. eid 5 to term self

    But no event ID 25 in the sysmon logs. If it helps, sysmon is running the swiftonsecurity default config. Thank you in advance!

  • Source Code is missing for Version 0.2

    The source is missing for release 0.2. The blog shows images of the release and there is a binary that says it's release 0.2, but there is no source code for this release to edit or add to. Is there any chance anyone has the 0.2 code?

  • EID 14 - error starting from 2nd execution

    EID 14: After each run the registry key "RegistrySysmonTestingRenamed" should be deleted; otherwise at the next run the key still exists, "NewRegistrySysmonTesting" can't be renamed to the same name, and no Sysmon event ID 14 is produced.

    BR

  • Not able to generate eid 24 remotely

    I'm working on a CI project where one of the tasks is to generate all Sysmon EIDs. Infrastructure is built automatically and events are to be generated automatically as well. Ansible is used, so winrm is used for communication and commands are executed in PowerShell. I was able to generate most of the unique events but there is an issue with a few.

    EID 24 is generated when commands are called locally (Set-Clipboard Hello ; Set-Clipboard 123 -Append ; Get-Clipboard -Raw), but when calling the same remotely, the event is not generated. To replicate the remote call, Python code like this can be executed:

    ```python
    import winrm

    host = ''
    domain = ''
    user = 'Administrator'
    password = ''

    session = winrm.Session(host, auth=('{}@{}'.format(user, domain), password), transport='ntlm')
    result = session.run_ps('Set-Clipboard Hello ; Set-Clipboard 123 -Append ; Get-Clipboard -Raw')

    print(result)
    print(result.std_out)
    print(result.std_err)
    ```

    The surprising thing is that the output from the remote call is `b'Hello\r\n123\r\n'`, which suggests the clipboard was set correctly.

    I tried SysmonSimulator locally and remotely with exactly the same result. EID 24 was generated when run locally, but did not appear when called remotely, despite exactly the same output.

  • Consider removal of interactivity for wmiactivity event

    See lines 920 to 967 in a similar project of mine to fully automate each activity type. I'm jealous you were able to get things done with such concise code.

    Also, for convenience, here is a sample sysmon configuration file that attempts to tighten sysmon logging to only events produced by sysmonsimulator.
