GitHub - pathtofile/siemcraft: Security Information and Event Management in Minecraft


This project was inspired by Kubecraftadmin. It allows you to monitor your entire Windows domain and identify threats, while mining for diamonds.



You can also watch this demo video of SIEMCRAFT VR.






How it works



SIEMCRAFT is a project that integrates a standalone executable (the 'controller') with a Minecraft add-on, so that users can monitor and respond to security alerts from inside Minecraft. The project is made up of the following components:



Event log collector



Using RawSec's Win32 library, SIEMCRAFT subscribes to various Windows event sources to gather events from:

- Microsoft Sysmon
- ETW (via Sealighter)
- The Security, System, Application, and other Windows Event logs



By using Windows Event Forwarding (WEF), you can run SIEMCRAFT on a central machine and gather events from the entire Windows domain.



SIGMA Rule detection engine



SIEMCRAFT then runs the events through a user-supplied list of SIGMA detection rules, using Bradley Kemp's library, to detect malicious and suspicious activity in the raw events. SigmaHQ's community ruleset is also supported.



Entity generation



When a rule detects suspicious behaviour, SIEMCRAFT spawns a new entity in the player's Minecraft world, close to the player. The entity displays information about:



- The name of the rule that fired
- The machine name
- The user responsible for the event that triggered it
- The Image, CommandLine and PID of the process
- The Image and PID of the parent process
- Other pertinent details



Different types of entities are spawned depending on the detection level:

- Low: Chicken
- Medium: Pig or Cow
- High: Spider, Panda, or Bear



Player action responder



If the entity is killed by a player wielding a Diamond Sword, SIEMCRAFT will kill the process or its parent process, provided the process image is not one of:

- cmd.exe
- pwsh.exe
- powershell.exe
- wword.exe



If the entity is killed using any other means, the event will be silently dismissed.
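The four components above form one pipeline: collect an event, match it against rules, pick an entity from the rule level, and decide what to do when the player kills it. The Go program below is an added example that walks through that pipeline on constructed Sysmon-style events; it is not SIEMCRAFT's own code and does not use the sigma-go or Win32 libraries the project depends on. The rule matcher is a deliberately simplified stand-in for SIGMA's selection logic, the field names follow Sysmon Event ID 1, and the Bedrock item identifier for the sword is assumed. The kill decision only returns a boolean; it does not touch any process.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one flattened Windows event as the collector would hand it to the
// detection step. Field names follow Sysmon Event ID 1 (process creation).
type Event map[string]string

// Rule is a hand-built stand-in for a SIGMA rule: a title, a level, and a
// "selection" of field -> substring conditions that must all match. This is
// a simplified matcher for illustration, not the sigma-go library SIEMCRAFT uses.
type Rule struct {
	Title     string
	Level     string            // SIGMA level: low, medium, high, critical
	Selection map[string]string // field name -> substring (matched case-insensitively)
}

// Matches reports whether every selection condition is satisfied by the event.
func (r Rule) Matches(e Event) bool {
	for field, needle := range r.Selection {
		v, ok := e[field]
		if !ok || !strings.Contains(strings.ToLower(v), strings.ToLower(needle)) {
			return false
		}
	}
	return true
}

// Alert carries the details the entity generator shows on the spawned mob.
type Alert struct {
	Rule, Machine, User     string
	Image, CommandLine, PID string
	ParentImage, ParentPID  string
	Entity                  string // mob type chosen from the rule level
}

// entityFor maps a SIGMA level to the mob tiers described above
// (Low: chicken; Medium: pig or cow; High: spider, panda or bear).
func entityFor(level string) string {
	switch strings.ToLower(level) {
	case "medium":
		return "pig"
	case "high", "critical":
		return "spider"
	default:
		return "chicken"
	}
}

// Detect runs every rule over every event and builds one alert per match.
func Detect(rules []Rule, events []Event) []Alert {
	var alerts []Alert
	for _, e := range events {
		for _, r := range rules {
			if !r.Matches(e) {
				continue
			}
			alerts = append(alerts, Alert{
				Rule: r.Title, Machine: e["Computer"], User: e["User"],
				Image: e["Image"], CommandLine: e["CommandLine"], PID: e["ProcessId"],
				ParentImage: e["ParentImage"], ParentPID: e["ParentProcessId"],
				Entity: entityFor(r.Level),
			})
		}
	}
	return alerts
}

// Label renders the text the mob would display in-game.
func (a Alert) Label() string {
	return fmt.Sprintf("%s\n%s / %s\n%s (PID %s)\n%s\nparent: %s (PID %s)",
		a.Rule, a.Machine, a.User, a.Image, a.PID, a.CommandLine, a.ParentImage, a.ParentPID)
}

// noKillImages are the process images the responder leaves alone, as listed above.
var noKillImages = map[string]bool{
	"cmd.exe": true, "pwsh.exe": true, "powershell.exe": true, "wword.exe": true,
}

// baseName strips a Windows or POSIX directory prefix without relying on the host OS separator.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

// ShouldKill is the responder decision: the mob must have died to a player
// holding a diamond sword (Bedrock item id assumed here), and the alert's image
// must not be on the exclusion list. Any other cause dismisses the alert.
func ShouldKill(killedWith string, a Alert) bool {
	if killedWith != "minecraft:diamond_sword" {
		return false
	}
	return !noKillImages[strings.ToLower(baseName(a.Image))]
}

// Constructed sample input: two rules and three Sysmon-style events.
var sampleRules = []Rule{
	{Title: "Whoami Enumeration (constructed)", Level: "low", Selection: map[string]string{"CommandLine": "whoami"}},
	{Title: "Executable Run From Temp (constructed)", Level: "high", Selection: map[string]string{"Image": `\AppData\Local\Temp\`}},
}

var sampleEvents = []Event{
	{"Computer": "WS01", "User": `CORP\alice`, "Image": `C:\Windows\System32\cmd.exe`, "CommandLine": "cmd.exe /c whoami", "ProcessId": "4120", "ParentImage": `C:\Windows\explorer.exe`, "ParentProcessId": "1188"},
	{"Computer": "WS01", "User": `CORP\alice`, "Image": `C:\Users\alice\AppData\Local\Temp\update.exe`, "CommandLine": "update.exe /quiet", "ProcessId": "5032", "ParentImage": `C:\Windows\System32\cmd.exe`, "ParentProcessId": "4120"},
	{"Computer": "WS01", "User": `CORP\bob`, "Image": `C:\Windows\System32\notepad.exe`, "CommandLine": "notepad.exe notes.txt", "ProcessId": "6100", "ParentImage": `C:\Windows\explorer.exe`, "ParentProcessId": "2210"},
}

func main() {
	for _, a := range Detect(sampleRules, sampleEvents) {
		fmt.Printf("spawn %s:\n%s\nkill on diamond sword? %v\n\n", a.Entity, a.Label(), ShouldKill("minecraft:diamond_sword", a))
	}
}
```

Running it spawns a chicken for the low-level whoami match and a spider for the high-level Temp-directory match; the notepad event produces nothing. Only the spider's process qualifies for a kill, because the chicken's image (cmd.exe) is on the exclusion list, and a kill by anything other than a diamond sword is dismissed regardless of image.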






Building



You can download pre-built artefacts on the releases page.



There are two components that can be built.



Binary Controller



Minecraft Addons



There are three Minecraft add-ons, including a 'behaviour pack' and an 'entity pack'. To make them more portable, the packs can be combined into a single .mcaddon ZIP file.



Rules



SIGMA rules are required for SIEMCRAFT to process raw events. Use the rules found in the rules directory of this repository, or use SIGMA's community rules. Note that not all of the community rules are compatible with SIEMCRAFT (see this discussion).



Installing



Place the siemcraft binary anywhere on the machine on which the event logs are generated (usually the same machine that runs Minecraft).



To install the Minecraft add-on, double-click the .mcpack on the machine with the Minecraft client. This should install all packs; you can verify this under Settings in Minecraft.



Running



Controller



Start the SIEMCRAFT controller at an elevated prompt, providing it with the path to the folder that contains the SIGMA rules:



SIEMCRAFT accepts the following command-line options:



Add-ons



First, if you run SIEMCRAFT on the same host as the Minecraft client, you must allow Minecraft to talk to your local network. Run this from an elevated PowerShell prompt:



Next, create a new Minecraft world with the following options:

- All cheats and experiments enabled (including GameTest), and achievements disabled
- The SIEMCRAFT 'Resource' and 'Behaviour' packs activated



After the world has been created, open the console and type in the following command to connect to the SIEMCRAFT controller.



By default the IP address and port are:



You should see positive results in both the Minecraft UI as well as in the output of the Controller.



Why would you do this?



You can read the blog post here. The reason I was bored was because I'm an idiot. I also presented this "work" at an event in the local security community; you can see the slides here (but the blog has more info, and the talk wasn't recorded).