  • Torres Dudley posted an update 5 months ago

    Inspired by Kubecraftadmin. This project allows you to detect and monitor intrusions across your entire Windows domain, while mining for diamonds.

    Also check out this video demo of SIEMCRAFT in VR.

    Contents
    – How it works
      – Event log collector
      – SIGMA Rule detection engine
      – Entity generation
      – Player action responder
    – Building
      – Binary Controller
      – Minecraft Addons
      – Rules
    – Running
      – Controller
      – Addons

    How does it work

    SIEMCRAFT is an application that integrates a standalone executable ‘controller’ with a Minecraft add-on designed to allow a user to monitor and respond to security alerts within Minecraft. The project comprises a variety of elements:

    Event Log collector

    Using RawSec’s Win32 library, SIEMCraft subscribes to various Windows Event logs, to extract events from:

    – Microsoft Sysmon
    – ETW (via Sealighter)
    – Security, System and Application Logs

    Windows Event Forwarding (WEF) allows SIEMCRAFT to run on a central computer and collect events from an entire Windows domain.

    SIGMA Rule detection engine

    SIEMCraft then runs the events through a user-supplied set of SIGMA detection rules using Bradley Kemp’s library. This is used to detect fraudulent and suspicious activity in the events in their raw form. The SigmaHQ ruleset is also supported.
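    The collector and detection-engine steps above, as an added worked example (this is not SIEMCRAFT’s code and does not use RawSec’s or Bradley Kemp’s libraries): it flattens a constructed Sysmon process-creation event from its Event Log XML form into a field map, then evaluates a deliberately reduced Sigma rule (a single map selection with the `contains` and `endswith` modifiers, compared case-insensitively as Sigma requires) against it. The sample event, the two rules, the `ParseEvent`/`Rule`/`matchValue` names and the machine and user names are all constructed for the example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Constructed sample of a Sysmon Event ID 1 (process creation) as the Windows Event Log renders it in XML; not a real capture.
const sampleEventXML = `<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>WS01.lab.local</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -nop -w hidden -enc AAAA</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
  </EventData>
</Event>`

// winEvent mirrors only the parts of the XML this example needs; struct field names match element names.
type winEvent struct {
	System    struct{ EventID, Computer string }
	EventData struct {
		Data []struct {
			Name  string `xml:"Name,attr"`
			Value string `xml:",chardata"`
		}
	}
}

// ParseEvent is the collector step: flatten EventData into the flat field map that Sigma selections name.
func ParseEvent(raw string) (map[string]string, error) {
	var we winEvent
	if err := xml.Unmarshal([]byte(raw), &we); err != nil {
		return nil, err
	}
	fields := map[string]string{"EventID": we.System.EventID, "Computer": we.System.Computer}
	for _, d := range we.EventData.Data {
		fields[d.Name] = d.Value
	}
	return fields, nil
}

// Rule is a reduced Sigma rule: one map selection, keys "Field" or "Field|modifier"; values OR within a key, keys AND together.
type Rule struct {
	Title, Level string
	Selection    map[string][]string
}

// matchValue applies one Sigma string modifier; Sigma compares strings case-insensitively.
func matchValue(mod, got, want string) bool {
	got, want = strings.ToLower(got), strings.ToLower(want)
	switch mod {
	case "contains":
		return strings.Contains(got, want)
	case "endswith":
		return strings.HasSuffix(got, want)
	}
	return got == want
}

// Matches evaluates the rule's selection against one flattened event; a missing field never matches.
func (r Rule) Matches(ev map[string]string) bool {
	for key, wanted := range r.Selection {
		name, mod, _ := strings.Cut(key, "|")
		got, ok := ev[name]
		hit := false
		for _, w := range wanted {
			hit = hit || (ok && matchValue(mod, got, w))
		}
		if !hit {
			return false
		}
	}
	return true
}

// SampleRules are constructed for this example; a real deployment loads SigmaHQ YAML instead.
var SampleRules = []Rule{
	{Title: "Encoded PowerShell command line", Level: "low", Selection: map[string][]string{
		"Image|endswith": {`\powershell.exe`, `\pwsh.exe`}, "CommandLine|contains": {" -enc ", " -encodedcommand "}}},
	{Title: "Process spawned by cmd.exe", Level: "low", Selection: map[string][]string{"ParentImage|endswith": {`\cmd.exe`}}},
}

func main() {
	ev, err := ParseEvent(sampleEventXML)
	if err != nil {
		panic(err)
	}
	for _, r := range SampleRules {
		if r.Matches(ev) {
			fmt.Printf("ALERT [%s] %q on %s: %s (pid %s)\n", r.Level, r.Title, ev["Computer"], ev["Image"], ev["ProcessId"])
		}
	}
}
```

    Only the first rule fires on the sample event: its `Image` ends with `\powershell.exe` and its `CommandLine` contains ` -enc `, while the second rule’s `ParentImage` check fails because the parent is WINWORD.EXE, not cmd.exe. A field the event lacks is treated as a non-match rather than an error, which is what you want when the same rule set runs over Sysmon, Security and Application events with different schemas.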

    Entity generation

    If SIEMCRAFT detects suspicious behaviour, it will trigger the creation of a new entity on the player’s Minecraft server, close to the player. This entity will provide information about:

    – The name of the rule triggered
    – The machine name that the rule was activated on
    – The user responsible for the process which triggered the rule
    – The Image, CommandLine, and PID of the process
    – The Image and PID of the parent process
    – Other pertinent information

    Different types of entities are developed based on the severity of detection:

    – Low: Chicken

    Player action responder

    SIEMCRAFT will kill the parent process, or the process itself, if that entity is killed by a player using a Diamond Sword. The process itself is killed when its image isn’t one of:

    – cmd.exe
    – pwsh.exe
    – powershell.exe
    – wword.exe

    If the entity is killed by any other means, the event will be silently discarded.
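    The entity generator and the player-action responder, as an added example that is not the project’s code: it maps a rule level to the mob spawned beside the player (only the Low: Chicken pairing comes from the page; every other level returns a labelled placeholder) and turns a diamond-sword kill into a decision about which process to terminate, discarding any other cause of death. The shell image list is copied from the page as written. Reading “kill the parent … or process” as “terminate the flagged process, unless its image is one of the listed shells, in which case terminate its parent” is my assumption, as are the `Alert` and `Response` shapes and the constructed sample alert.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Alert is the record the detection engine hands to the entity generator (constructed shape for this example).
type Alert struct {
	Rule, Level, Machine, User, Image, CommandLine, ParentImage string
	PID, ParentPID                                          int
}

// EntityForLevel maps a Sigma level to the mob spawned near the player.
// Only "low" -> chicken is given on the page; other levels get a placeholder name here.
func EntityForLevel(level string) string {
	if strings.EqualFold(level, "low") {
		return "chicken"
	}
	return "placeholder-entity-for-" + strings.ToLower(level)
}

// shellImages is the list from the page, copied as written; a kill on one of these targets the parent instead.
var shellImages = []string{"cmd.exe", "pwsh.exe", "powershell.exe", "wword.exe"}

// isShell compares only the image basename, case-insensitively, so full Windows paths match.
func isShell(image string) bool {
	base := strings.ToLower(filepath.Base(strings.ReplaceAll(image, `\`, "/")))
	for _, s := range shellImages {
		if base == s {
			return true
		}
	}
	return false
}

// Response is the responder's decision: which PID to terminate, if any, and why.
type Response struct {
	Kill   bool
	Target int
	Reason string
}

// Respond implements the player-action rule: only a diamond-sword kill is an instruction to act;
// any other death of the entity is discarded. The parent-versus-process choice is this example's reading of the page.
func Respond(a Alert, killedWith string) Response {
	if !strings.EqualFold(killedWith, "diamond_sword") {
		return Response{Reason: "entity died by other means; event discarded"}
	}
	if isShell(a.Image) {
		return Response{Kill: true, Target: a.ParentPID, Reason: "image is a shell; terminating parent " + a.ParentImage}
	}
	return Response{Kill: true, Target: a.PID, Reason: "terminating " + a.Image}
}

func main() {
	// Constructed alert, not a real detection.
	a := Alert{Rule: "Encoded PowerShell command line", Level: "low", Machine: "WS01.lab.local", User: `LAB\alice`,
		Image: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, PID: 4242,
		ParentImage: `C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE`, ParentPID: 1337}
	fmt.Printf("spawn %s near player for rule %q on %s (user %s)\n", EntityForLevel(a.Level), a.Rule, a.Machine, a.User)
	for _, cause := range []string{"diamond_sword", "drowning"} {
		r := Respond(a, cause)
		fmt.Printf("killed by %-13s -> kill=%-5v target=%d (%s)\n", cause, r.Kill, r.Target, r.Reason)
	}
}
```

    The basename comparison matters in practice: Sysmon reports the full `Image` path, and a check against the bare file name would otherwise never fire. Keeping the decision in `Respond` as a pure function, separate from whatever actually calls the process-termination API, also keeps the risky side effect behind a single, testable gate.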

    Diagram showing how it works

    Building

    You can grab pre-built artefacts from the releases page.

    Otherwise, there are two parts to build:

    Binary Controller

    Minecraft Addons

    There are three Minecraft addons: a ‘behaviour pack’ and an ‘entity pack’. They are simply ZIP files and can be merged into a single .mcaddon ZIP for extra portability:

    Rules

    You’ll also require SIGMA rules for SIEMCRAFT to translate raw events. You can either use the rules in the rules directory of this repository, or use the SIGMA community rules. These rules may not work with SIEMCRAFT. See this discussion.

    Installing

    Put the Siemcraft binary on the machine on which the event logs are being generated (usually the same machine as Minecraft).

    To install the Minecraft addon, double-click on the .mcpack on the machine using the Minecraft client. The pack should be installed, which you can confirm by clicking Settings in Minecraft:

    Running

    Controller

    Start the SIEMCRAFT controller binary from an elevated prompt, providing it with the path to the folder that contains the SIGMA rules:

    Siemcraft accepts the following command-line options:

    Add-ons

    First, if you are running SIEMCRAFT on the same host that hosts the Minecraft client, you will need to allow Minecraft to connect to your local network. Run this in an elevated PowerShell:

    The next step is to create a brand new Minecraft world using the following options:

    – All cheats and experiments enabled (including GameTest), achievements disabled, and all SIEMCRAFT ‘Resource’ and SIEMCRAFT ‘Behaviour’ packs activated

    Once the Map is created, open up the console and enter this command to connect to the SIEMCRAFT controller.

    By default, the IP address and port are:

    You should see positive results in both the Minecraft UI and in the Controller’s output.

    Why would you make this?

    You can see the blog post here. The reason I was bored is because I am a fool. f-email.org was also presented at a local security conference. You can view the slides here, but the blog has more details and the talk wasn’t recorded.