Sysmon event simulation utility: SysmonSimulator
Project URL: https://github.com/ScarredMonk/SysmonSimulator
SysmonSimulator is an open-source Windows event simulation utility written in C that can be used to simulate most attacks that use the WINAPI. Blue teams can use it to test EDR detections and correlation rules; I created it to generate attack data for the relevant Sysmon event IDs.
For further notes see this article: https://bbs.decoyit.com/thread-161-1-1.html
The simulated attacks against important Windows events cover the following:
[*]Process events: process creation, process termination, process access
[*]File events: file creation, file creation time change, file stream creation hash, file deletion, file delete detected
[*]Named pipe events: pipe created, pipe connected
[*]Registry operations: registry object create and delete, value set, key and value rename
[*]Image loaded
[*]Network connection
[*]CreateRemoteThread
[*]RawAccessRead
[*]DNS query
[*]WMI events
[*]Clipboard capture
[*]Process image tampering
by @ScarredMonk
Sysmon Simulator v0.1 - Sysmon event simulation utility
A Windows utility to simulate Sysmon event logs
Usage:
Run simulation : .\SysmonSimulator.exe -eid <event id>
Show help menu : .\SysmonSimulator.exe -help
Example:
SysmonSimulator.exe -eid 1
Parameters:
-eid 1: Process creation
-eid 2: A process changed a file creation time
-eid 3: Network connection
-eid 5: Process terminated
-eid 6: Driver loaded
-eid 7: Image loaded
-eid 8: CreateRemoteThread
-eid 9: RawAccessRead
-eid 10 : ProcessAccess
-eid 11 : FileCreate
-eid 12 : RegistryEvent - Object create and delete
-eid 13 : RegistryEvent - Value Set
-eid 14 : RegistryEvent - Key and Value Rename
-eid 15 : FileCreateStreamHash
-eid 16 : ServiceConfigurationChange
-eid 17 : PipeEvent - Pipe Created
-eid 18 : PipeEvent - Pipe Connected
-eid 19 : WmiEvent - WmiEventFilter activity detected
-eid 20 : WmiEvent - WmiEventConsumer activity detected
-eid 21 : WmiEvent - WmiEventConsumerToFilter activity detected
-eid 22 : DNSEvent - DNS query
-eid 24 : ClipboardChange - New content in the clipboard
-eid 25 : ProcessTampering - Process image change
-eid 26 : FileDeleteDetected - File Delete logged
Description:
Enter an event ID from the above parameters list and the related Windows API function is called
to simulate the attack and Sysmon event log will be generated which can be viewed in the Windows Event Viewer
Prerequisite:
Sysmon must be installed on the system
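As an added example (not part of the original post or of the SysmonSimulator project), the PowerShell below runs the simulator for a handful of event IDs from the help menu and then queries the Sysmon operational log for each ID, so a blue team can confirm that each simulated event was actually recorded rather than filtered out by the Sysmon configuration. The simulator path and the chosen IDs are assumptions; adjust them for your environment.

```powershell
# Added example: run SysmonSimulator for selected event IDs and verify that
# Sysmon actually logged each one. Requires Sysmon installed and an elevated
# PowerShell session (reading the Sysmon log needs admin rights).
$Simulator = 'C:\Tools\SysmonSimulator.exe'   # assumed location (constructed)
$EventIds  = @(1, 3, 7, 8, 10, 11, 13, 17, 22)  # subset of IDs from the help menu
$LogName   = 'Microsoft-Windows-Sysmon/Operational'

$Results = foreach ($Id in $EventIds) {
    $Start = (Get-Date).AddSeconds(-2)   # small margin for clock granularity

    # Run the simulation synchronously so the log check happens afterwards
    Start-Process -FilePath $Simulator -ArgumentList "-eid $Id" -Wait -NoNewWindow
    Start-Sleep -Seconds 2               # give Sysmon time to write the event

    # Query only events with this ID written since the simulation started.
    # Other activity on the host can also produce these IDs, so on a busy
    # system narrow the check further (e.g. by the Image field in Message).
    $Events = Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        Id        = $Id
        StartTime = $Start
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        EventId = $Id
        Logged  = [bool]$Events
        Count   = @($Events).Count
    }
}

$Results | Format-Table -AutoSize

# Logged = False means a coverage gap: either the simulation did not hit the
# expected API path, or the active Sysmon configuration excludes the event.
$Missing = $Results | Where-Object { -not $_.Logged }
if ($Missing) {
    Write-Warning ("No Sysmon event recorded for ID(s): " + ($Missing.EventId -join ', '))
}
```

Event ID 22 (DNS) can appear with some delay; if it is reported as missing, re-run the check with a longer sleep before concluding the configuration drops it.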