GitHub - Pathtofile/siemcraft: Security Information And Event Management In Minecraft


This project was inspired by Kubecraftadmin. It lets you monitor your entire Windows domain and spot threats, while mining for mad diamond.



Also check out this video demo of SIEMCRAFT in VR.






How it works



SIEMCRAFT is an application made up of a standalone executable controller and a Minecraft addon, designed to let a person manage and respond to security alerts from within Minecraft. The project consists of the following elements:



Event Log collector



Utilizing RawSec's Win32 library, SIEMCRAFT subscribes to various Windows event logs, extracting events from:

- Microsoft Sysmon
- ETW (via Sealighter)
- Security, System, Application, and Event logs



Windows Event Forwarding (WEF) allows you to have SIEMCRAFT run on a central machine, and gather events from the entire Windows domain.



SIGMA Rule detection engine



SIEMCRAFT then runs the events through a set of user-supplied SIGMA detection rules using Bradley Kemp's library. This detects malicious and suspicious activity in the events in their raw form. SigmaHQ's ruleset is also supported.



Entity generator



If a rule detects suspicious activity, it triggers the creation of a new entity on the player's Minecraft server, spawned near the player. This entity provides details about:



- Name of the rule that was triggered
- Machine name
- The user responsible for the process that caused it
- Image, CommandLine and PID of the process
- Image and PID of the parent process
- Other relevant information



Depending on the level of detection, different types of entities can be made.



Low: Chicken



Player action responder



If the entity is killed by a player wielding the Diamond Sword, SIEMCRAFT will then kill the process or its parent process, so long as the process image is one of:

- cmd.exe
- pwsh.exe
- powershell.exe
- wword.exe



If the entity dies by any other means, the event is quietly dismissed.
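To make the detection-to-response path described above concrete, here is an added Go example; it is not SIEMCRAFT's own code and uses neither the RawSec library nor sigma-go. It implements a cut-down SIGMA matcher (plain, `|endswith` and `|contains` modifiers, ANDed selection) over a flattened Sysmon-style event, plus the responder's Diamond-Sword-and-allowlist decision; the event, the rule and the field names are constructed for illustration.

```go
package main

import "strings"

// Event is a flattened Windows event such as a Sysmon process creation (constructed shape, not SIEMCRAFT's type).
type Event map[string]string

// Rule is a cut-down SIGMA detection: one selection whose entries are ANDed; a key may carry a modifier such as "Image|endswith".
type Rule map[string]string

// fieldMatches evaluates one selection entry; plain, |endswith and |contains are supported, case-insensitively as SIGMA specifies.
func fieldMatches(ev Event, key, want string) bool {
	field, modifier, _ := strings.Cut(key, "|")
	got, want := strings.ToLower(ev[field]), strings.ToLower(want)
	switch modifier {
	case "endswith":
		return strings.HasSuffix(got, want)
	case "contains":
		return strings.Contains(got, want)
	default:
		return got == want
	}
}

// Match reports whether every selection entry matches the event ("condition: selection").
func (r Rule) Match(ev Event) bool {
	for k, v := range r {
		if !fieldMatches(ev, k, v) {
			return false
		}
	}
	return true
}

// killable is the README's allowlist of process images the responder may terminate.
var killable = map[string]bool{"cmd.exe": true, "pwsh.exe": true, "powershell.exe": true, "wword.exe": true}

// ShouldKill is the responder decision: the entity must die to the Diamond Sword AND the process
// image must be allowlisted; any other death is quietly dismissed (returns false).
func ShouldKill(diamondSword bool, image string) bool {
	base := image[strings.LastIndexAny(image, `\/`)+1:] // basename of a Windows path, on any OS
	return diamondSword && killable[strings.ToLower(base)]
}

// Constructed sample event (not real telemetry): Word launching hidden, encoded PowerShell.
var Sample = Event{"Image": `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
	"ParentImage": `C:\Program Files\Microsoft Office\WINWORD.EXE`, "CommandLine": `powershell.exe -nop -w hidden -enc <base64 placeholder>`}

// Constructed rule in SIGMA style (an illustration, not a SigmaHQ rule).
var OfficeEncodedPS = Rule{"Image|endswith": `\powershell.exe`, "ParentImage|endswith": `\winword.exe`, "CommandLine|contains": " -enc "}
```

In SIEMCRAFT the match would spawn the entity carrying the rule name, machine, user, image, command line and PIDs; here `Match` and `ShouldKill` return the two decisions so they can be checked directly.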



Diagram showing how it works



Building



The releases page has pre-built artifacts.



There are two parts to build:



Binary Controller



Minecraft Addons



There are three Minecraft addons: a behaviour pack and an entity pack. Packs are ZIPs that can be combined into a single .mcaddon ZIP for extra portability:



Rules



You'll also need SIGMA rules for SIEMCRAFT to run the raw events against. You can either use the ones in the rules directory of this repository or the SIGMA community rules. Some of these rules may not work with SIEMCRAFT; see this discussion.



Installing



Put the SIEMCRAFT binary on the machine on which the event logs are generated (usually the same machine that hosts Minecraft).



To install the Minecraft add-on, double-click the .mcpack on the computer running the Minecraft client. The pack should be installed, which you can confirm by clicking Settings in Minecraft:



Running



Controller



Start the SIEMCRAFT controller binary from an elevated prompt, giving it the path to the directory that contains the SIGMA rules:



SIEMCRAFT accepts the following command-line options:



Add-ons



First, if you run SIEMCRAFT on the same host as the Minecraft client, you will need to allow Minecraft to talk to your local network. This can be done from an elevated PowerShell prompt:



The next step is to create a brand new Minecraft world with the following options:



- All cheats and experiments enabled (including GameTest)
- Achievements turned off
- Both the SIEMCRAFT Resource and SIEMCRAFT Behaviour packs activated



Once the map is created, open the console and type this command to connect to the SIEMCRAFT controller:



By default, the IP address and port are:



You should see positive output in both the Minecraft UI as well as in the output of the Controller.



Why would you do this?



You can see the blog post here. The reason I was bored was because I am a fool. I also gave this "work" at an event in the local security community; you can see the slides here (but the blog has more details and the talk wasn't recorded).