Inspired by Kubecraftadmin, this project lets you monitor and detect intrusions across an entire Windows domain, while still mining that mad diamond.
Also see this demo video of SIEMCRAFT in VR.
How does it work
SIEMCRAFT is an application that combines a standalone executable (the 'controller') with a Minecraft add-on, so that a person can manage and respond to security alerts from within Minecraft. The project has several parts:
Event log collector
RawSec's Win32 library allows SIEMCRAFT to subscribe to various Windows event logs. This lets SIEMCRAFT collect events from:
- Microsoft Sysmon
- ETW (via Sealighter)
- The Security, Application and System event logs
Windows Event Forwarding (WEF) lets you run SIEMCRAFT on a central machine and collect events from an entire Windows domain.
SIGMA Rule detection engine
SIEMCRAFT then runs the events through a user-supplied set of SIGMA detection rules, using Bradley Kemp's library. This is used to detect suspicious or malicious activity in the raw events. SigmaHQ's community ruleset is also supported.
Entity generation
If a rule detects suspicious behaviour, it triggers the creation of a new entity inside the person's Minecraft world, spawned near the player. This entity carries information about:
- Name of the rule that fired
- Machine name
- User responsible for the process that triggered it
- Image, CommandLine and PID of the process
- Image and PID of the parent process
- Other relevant details
Different types of entities are created depending on the detection severity:
- Low: Chicken
- Medium: Pig or Cow
- High: Spider, Panda, or Bear
Player action responder
If the entity is killed by a player wielding a Diamond Sword, SIEMCRAFT kills the process (or its parent) behind it, as long as the process image is not one of:
- cmd.exe
- pwsh.exe
- powershell.exe
- wword.exe
If the entity is killed by any other means, the event is silently dismissed.
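The detection engine, entity generation and player action responder described above, as an added example that is not SIEMCRAFT's own code: a minimal SIGMA-style matcher run over a constructed Sysmon process-creation event, the severity-to-entity mapping, and the Diamond Sword response rule. The rule, the event and the assumption that the entity type is keyed off the SIGMA `level` field are all constructed for this example.

```python
# Added example, not SIEMCRAFT's own code: a minimal SIGMA-style matcher run over
# a constructed Sysmon process-creation event, plus the severity-to-entity mapping
# and the Diamond Sword response rule. Assumes entity type is keyed off SIGMA 'level'.
ENTITY_BY_LEVEL = {"low": "chicken", "medium": "pig", "high": "spider"}
PROTECTED_IMAGES = {"cmd.exe", "pwsh.exe", "powershell.exe", "wword.exe"}  # never killed

# Constructed SIGMA rule, shaped as PyYAML would load it from the rules directory
RULE = {
    "title": "Process launched from a user Downloads folder",
    "level": "medium",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|startswith": "C:\\Users\\", "Image|contains": "\\Downloads\\"},
        "filter": {"ParentImage|endswith": "\\msiexec.exe"},  # installer-driven launches are expected
        "condition": "selection and not filter",
    },
}

def _field_matches(event, key, wanted):
    """Evaluate one 'Field|modifier' entry; a list of values is an OR (case-insensitive, as SIGMA specifies)."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    for w in (wanted if isinstance(wanted, list) else [wanted]):
        w = str(w).lower()
        if {"contains": w in value, "startswith": value.startswith(w),
            "endswith": value.endswith(w), "": value == w}.get(modifier, False):
            return True
    return False

def _block_matches(event, block):
    """A selection block is an AND over all of its fields."""
    return all(_field_matches(event, k, v) for k, v in block.items())

def rule_matches(rule, event):
    """Supports the conditions 'X' and 'X and not Y', enough for the constructed rule."""
    det = rule["detection"]
    parts = det["condition"].split(" and not ")
    return _block_matches(event, det[parts[0]]) and not any(_block_matches(event, det[p]) for p in parts[1:])

def alert_for(rule, event):
    """Build the entity SIEMCRAFT would spawn, or None when the rule does not fire."""
    if not rule_matches(rule, event):
        return None
    return {"entity": ENTITY_BY_LEVEL.get(rule.get("level", "low"), "chicken"),
            "rule": rule["title"], "machine": event["Computer"], "user": event["User"],
            "image": event["Image"], "cmdline": event["CommandLine"], "pid": event["ProcessId"],
            "parent_image": event["ParentImage"], "parent_pid": event["ParentProcessId"]}

def should_kill(alert, weapon):
    """Kill the process only for a Diamond Sword kill of an image outside the protected list."""
    image_name = alert["image"].rsplit("\\", 1)[-1].lower()
    return weapon == "diamond_sword" and image_name not in PROTECTED_IMAGES

# Constructed Sysmon Event ID 1 (process creation), already flattened to its fields
EVENT = {"Computer": "WS01.corp.example", "User": "CORP\\alice", "ProcessId": 4242,
         "Image": "C:\\Users\\alice\\Downloads\\installer.exe", "CommandLine": "installer.exe /silent",
         "ParentImage": "C:\\Windows\\explorer.exe", "ParentProcessId": 1337}
```

Running `alert_for(RULE, EVENT)` yields a medium-severity alert (a pig), and `should_kill` only returns True for a Diamond Sword kill of an unprotected image.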
Building
The page for releases contains pre-built artifacts.
There are two parts to build:
Binary Controller
Minecraft Addons
The Minecraft add-ons consist of a 'behaviour pack' and an 'entity pack'. To make them more portable, the packs can be combined into a single .mcaddon ZIP file.
Rules
SIEMCRAFT requires SIGMA rules to process the raw events. Use the rules found in this repository's rules directory, or SIGMA's community rules; note that not all community rules may work with SIEMCRAFT. Read Email.
Installation
Place the siemcraft binary anywhere on the machine where the event logs are generated (usually the same machine as Minecraft).
To install the Minecraft add-on, double-click the .mcpack on the machine running the Minecraft client. This should install all the packs, which you can confirm under Settings in Minecraft:
Running
Controller
Start the SIEMCRAFT controller binary from an elevated prompt, providing it with the path to the folder that contains the SIGMA rules:
SIEMCRAFT accepts the following command-line options:
Add-ons
First, if you are running SIEMCRAFT on the same local host as the Minecraft client, you need to allow Minecraft to connect to your local network. This can be done from an elevated PowerShell prompt:
Then, create a new Minecraft world with the following options:
- All cheats and experiments enabled (including GameTest), and achievements turned off
- All the SIEMCRAFT 'Resource' and 'Behaviour' packs activated
Once the world is created, open the console and enter this command to connect to the SIEMCRAFT controller.
By default, the IP address and port are:
You should see confirmation in both the Minecraft UI and the controller's output.
Why would you do this?
See the blog post, but tl;dr is that I'm an idiot and was bored. This "work" was also presented at a local security conference. You can see the slides here, however the blog has more details and the talk wasn’t recorded.