SysmonSimulator: simulate the attacks to generate the Sysmon Event logs
SysmonSimulator
SysmonSimulator is an Open source Windows event simulation utility created in C language, that can be used to simulate most of the attacks using WINAPIs. This can be used by Blue teams for testing the EDR detections and correlation rules. I have created it to generate attack data for the relevant Sysmon Event IDs.
Blogpost:
This tool has been explained in the blog post.
Attacks are covered for important Windows events as follows:
- Process Events: Process Creation, Process Termination, Process Access
- File Events: File Create, File Create Time Change, File Stream Creation Hash, File Delete, File Delete Detected
- Named Pipes Events: Named Pipe Creation, Named Pipe Connect events
- Registry Actions: Registry Object create and delete, Value Set, Key and Value Rename
- Image Loading
- Network Connections
- Create Remote Thread
- Raw Access Read
- DNS Query
- WMI Events
- Clipboard Capture
- Process Image Tampering
Use
__ __
(_ _ ._ _ _ ._ (_ o ._ _ | _. _|_ _ ._
__) \/ _> | | | (_) | | __) | | | | |_| | (_| |_ (_) |
/
by @ScarredMonkSysmon Simulator v0.1 – Sysmon event simulation utility
A Windows utility to simulate Sysmon event logsUsage:
Run simulation : .\SysmonSimulator.exe -eid <event id>
Show help menu : .\SysmonSimulator.exe -helpExample:
SysmonSimulator.exe -eid 1Parameters:
-eid 1 : Process creation
-eid 2 : A process changed a file creation time
-eid 3 : Network connection
-eid 5 : Process terminated
-eid 6 : Driver loaded
-eid 7 : Image loaded
-eid 8 : CreateRemoteThread
-eid 9 : RawAccessRead
-eid 10 : ProcessAccess
-eid 11 : FileCreate
-eid 12 : RegistryEvent – Object create and delete
-eid 13 : RegistryEvent – Value Set
-eid 14 : RegistryEvent – Key and Value Rename
-eid 15 : FileCreateStreamHash
-eid 16 : ServiceConfigurationChange
-eid 17 : PipeEvent – Pipe Created
-eid 18 : PipeEvent – Pipe Connected
-eid 19 : WmiEvent – WmiEventFilter activity detected
-eid 20 : WmiEvent – WmiEventConsumer activity detected
-eid 21 : WmiEvent – WmiEventConsumerToFilter activity detected
-eid 22 : DNSEvent – DNS query
-eid 24 : ClipboardChange – New content in the clipboard
-eid 25 : ProcessTampering – Process image change
-eid 26 : FileDeleteDetected – File Delete loggedDescription:
Enter an event ID from the above parameters list and the related Windows API function is called
to simulate the attack and Sysmon event log will be generated which can be viewed in the Windows Event ViewerPrerequisite:
Sysmon must be installed on the system
Download
Copyright (C) 2022 ScarredMonk