scarredmonk / sysmonsimulator Goto Github PK

I 'm getting the above compilation error. Can you please guide to resolve this please.

See lines 920 to 967 in a similar a similar project of mine to fully automate each activity type. I'm jealous you were able to get things done with such concise code.

Also, for convenience, here is a sample sysmon configuration file that attempts to tighten sysmon logging to only events produced by sysmonsimulator.

upon running the command SysmonSimulator.exe -eid 25 I see 3 events logged:

1. eid 1 for self
2. eid 1 for Cmd.Exe &
3. eid 5 to term self

But no event ID 25 in the sysmon logs. If it helps, sysmon is running swiftonsecurity default config. Thank you in advance!

The source is missing for release 0.2 The blog show images of the release and there is a binary that says its release 0.2 but there is no source code for this release to edit or add to. Is there any chance anyone has the 0.2 code?

Hi how do i run the simulator file ? c file ?

Hey,

there is a plan to upload SysmonSimulator.exe again?

thanks

A few days ago, I found that this SysmonSimulator doesn't work anymore because the System Monitor doesn't log the simulator's artificial behavior that was supposed to generate a specific ID of the log.

For example, I wanted to create an EID 8 log, so I hit the command

"C:\Users\3NR1QUE\Desktop\DivePortal\Sysmon\SysmonSimulator.exe" -eid 8

And I received the log that occurred by that command

Process Create:
RuleName: -
UtcTime: 2024-02-27 08:43:23.928
ProcessGuid: {0b7407af-a0ab-65dd-0b23-00000000c301}
ProcessId: 35296
Image: C:\Users\3NR1QUE\Desktop\DivePortal\Sysmon\SysmonSimulator.exe
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
CommandLine: "C:\Users\3NR1QUE\Desktop\DivePortal\Sysmon\SysmonSimulator.exe" -eid 8
CurrentDirectory: C:\Users\3NR1QUE\Desktop\DivePortal\Sysmon\
User: KLOJURE\LUEX
LogonGuid: {0b7407af-71bb-65dd-9385-060000000000}
LogonId: 0x68593
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=BF7A223831887EF706140007CCF00D6C6069DEDE7335E84040EC114C09DEC343
ParentProcessGuid: {0b7407af-8a87-65dd-f21f-00000000c301}
ParentProcessId: 46488
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
ParentUser: KLOJURE\LUEX

It means Sysmon logged SysmonSimulator.exe's EID 8 event generation process as a process creation of SysmonSimulator.exe -eid 8, instead of the real event whose EID is 8(and that was what SysmonSimulator has expected.).

The other tries with different EID values resulted in the same log(Process creation/termination of SysmonSimulator.exe.). It seems that the internal logic of Sysmon has changed.

I found that this repository hasn't been maintained for around 2 years now. I wonder if this unavailability issue will be taken care of in the future(Or, just make my version of SysmonSimulator instead?).

Consider removing interactivity requirement for process terminate and process access events

instead of prompting for ID of process to terminate or access just create a new and hidden notepad instance and operate on that instance.

this code is super helpful not just for learning but also for load and unit testing new sysmon releases. Thank you!

I'm working on CI project where one of tasks is to generate all Sysmon EIDs
Infrastructure is build automatically and events are to be generated automatically as well.
Ansible is used, so winrm is used for communication and commands are executed in powershell.
I was able to generate most of unique events but there is an issue with few.

EID 24 is generated when commands are called locally (Set-Clipboard Hello ; Set-Clipboard 123 -Append ; Get-Clipboard -Raw), but when calling the same remotely, event is not generated.
To replicate remote call, python code like this can be executed:
`
import winrm

host = ''
domain = ''
user = 'Administrator'
password = ''

session = winrm.Session(host, auth=('{}@{}'.format(user,domain), password), transport='ntlm')
result = session.run_ps('Set-Clipboard Hello ; Set-Clipboard 123 -Append ; Get-Clipboard -Raw')

print(result)
print(result.std_out)
print(result.std_err)
Surprising thing is that output from the remote call isb'Hello\r\n123\r\n'`, that suggests clipboard was set correctly.

I tried SysmonSimulator locally and remotely with exactly the same result. EID 24 was generate when run locally, but did not appear when called remotely, despite exactly the same output

seems like sysmonsimulator should take care of killing child processes after verifying successful creation. not doing so makes use of sysmonsimular stdout as a component of automated performance/regression testing unnecessarily complicated. process creation summary data is not accessible to processes which call sysmon simulator until the wmic process created by sysmonsimulator is killed.

EID 14
After each run registry key "RegistrySysmonTestingRenamed" should be deleted otherwise at next run the key still exist and "NewRegistrySysmonTesting" can't be renamed to the same name, then don't produce Sysmon event ID 14.

BR

there is "\n" after "SysmonCreateFileTime.txt" in sysmon config file that causes no-working of Event2.

	<!-- -eid 2 is Working -->
	<FileCreateTime onmatch="include">
		<Image name="SysmonSimulator FileCreateTime modification Simulation for SysmonCreateFileTime.txt" condition="end with">SysmonSimulator.exe</Image>
		<TargetFilename condition="end with">SysmonCreateFileTime.txt
		</TargetFilename>

	</FileCreateTime>