
n0dec / Malwless

Licence: gpl-3.0
Test Blue Team detections without running any attack.


Projects that are alternatives of or similar to Malwless

Attackdatamap
A datasource assessment on an event level to show potential coverage or the MITRE ATT&CK framework
Stars: ✭ 264 (+22.79%)
Mutual labels:  dfir, mitre-attack, siem
Sysmon Modular
A repository of sysmon configuration modules
Stars: ✭ 1,229 (+471.63%)
Mutual labels:  dfir, mitre-attack, sysmon
Lolbas
Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)
Stars: ✭ 3,810 (+1672.09%)
Mutual labels:  dfir, redteam, blueteam
Lolbas
Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)
Stars: ✭ 1,506 (+600.47%)
Mutual labels:  dfir, redteam, blueteam
Sentinel Attack
Tools to rapidly deploy a threat hunting capability on Azure Sentinel that leverages Sysmon and MITRE ATT&CK
Stars: ✭ 676 (+214.42%)
Mutual labels:  mitre-attack, siem, sysmon
Evtx Attack Samples
Windows Events Attack Samples
Stars: ✭ 1,243 (+478.14%)
Mutual labels:  dfir, mitre-attack
Atomic Red Team Intelligence C2
ARTi-C2 is a post-exploitation framework used to execute Atomic Red Team test cases with rapid payload deployment and execution capabilities via .NET's DLR.
Stars: ✭ 87 (-59.53%)
Mutual labels:  redteam, mitre-attack
Malwarepersistencescripts
A collection of scripts I've written to help red and blue teams with malware persistence techniques.
Stars: ✭ 103 (-52.09%)
Mutual labels:  redteam, blueteam
Deploy Deception
A PowerShell module to deploy active directory decoy objects.
Stars: ✭ 109 (-49.3%)
Mutual labels:  redteam, blueteam
Snoop
Snoop — a reconnaissance tool based on open data (OSINT world)
Stars: ✭ 886 (+312.09%)
Mutual labels:  redteam, blueteam
Information Security Tasks
This repository is created only for infosec professionals who work on a day-to-day basis to equip ourselves with an up-to-date skillset. We can contribute one hour daily for day-to-day tasks and work on problem statements daily. Please contribute by providing problem statements and solutions.
Stars: ✭ 108 (-49.77%)
Mutual labels:  redteam, blueteam
Macos Attack Dataset
JSON DataSet for macOS mapped to MITRE ATT&CK Tactics.
Stars: ✭ 116 (-46.05%)
Mutual labels:  blueteam, mitre-attack
Ultimateapplockerbypasslist
The goal of this repository is to document the most common techniques to bypass AppLocker.
Stars: ✭ 1,186 (+451.63%)
Mutual labels:  redteam, blueteam
Threathunt
ThreatHunt is a PowerShell repository that allows you to train your threat hunting skills.
Stars: ✭ 92 (-57.21%)
Mutual labels:  dfir, blueteam
Hacker ezines
A collection of electronic hacker magazines carefully curated over the years from multiple sources
Stars: ✭ 72 (-66.51%)
Mutual labels:  redteam, blueteam
Slack Watchman
Monitoring your Slack workspaces for sensitive information
Stars: ✭ 159 (-26.05%)
Mutual labels:  redteam, blueteam
Logontracer
Investigate malicious Windows logon by visualizing and analyzing Windows event log
Stars: ✭ 1,914 (+790.23%)
Mutual labels:  dfir, blueteam
Invoke Apex
A PowerShell-based toolkit and framework consisting of a collection of techniques and tradecraft for use in red team, post-exploitation, adversary simulation, or other offensive security tasks.
Stars: ✭ 162 (-24.65%)
Mutual labels:  redteam, mitre-attack
Cypheroth
Automated, extensible toolset that runs cypher queries against Bloodhound's Neo4j backend and saves output to spreadsheets.
Stars: ✭ 179 (-16.74%)
Mutual labels:  redteam, blueteam
1earn
A personally maintained security knowledge framework covering, but not limited to, web security, ICS security, forensics, incident response, blue team infrastructure deployment, post-exploitation, Linux security, and writeups for various vulnerable machines
Stars: ✭ 776 (+260.93%)
Mutual labels:  redteam, blueteam

MalwLess Simulation Tool (MST)

MalwLess is an open source tool that allows you to simulate system compromise or attack behaviours without running processes or PoCs. The tool is designed to test Blue Team detections and SIEM correlation rules. It provides a framework based on rules that anyone can write, so when a new technique or attack comes out you can write your own rules and share them with the community.

These rules can simulate Sysmon or PowerShell events. MalwLess parses the rules and writes the corresponding events directly to the Windows EventLog, from where you can forward them to your event collector.

MalwLess Simulation Tool v1.1
Author: @n0dec
Site: https://github.com/n0dec/MalwLess

[Rule test file]: rule_test.json
[Rule test name]: MalwLess default
[Rule test version]: 0.3
[Rule test author]: n0dec
[Rule test description]: MalwLess default test pack.

[>] Detected rule: rules.vssadmin_delete_shadows
... Source: Sysmon
... Category: Process Create
... Description: Deleted shadows copies via vssadmin.
[>] Detected rule: rules.certutil_network_activity
... Source: Sysmon
... Category: Network connection detected
... Description: Network activity from certutil tool.
[>] Detected rule: rules.powershell_scriptblock
... Source: PowerShell
... Category: 4104
... Description: Powershell 4104 event for Invoke-Mimikatz.


Download

You can download the latest release from website https://n0dec.github.io/#malwless

or from releases section https://github.com/n0dec/MalwLess/releases

Usage

Requirements

Sysmon must be installed on your system: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Commands

When you have downloaded the latest release version you can run it directly from an elevated command prompt.

To test the default rule set, which is in rule_test.json, just download it and run:

> malwless.exe

If you want to test a different rule set file, use the -r parameter:

> malwless.exe -r your_pack.json

To write a custom rule set check the writing sets section.

Creating rules

Anyone can create a rule. Rules are written in JSON with an easy format. Additionally, you can parse raw events and convert them to rules using the converter.

Key values:

enabled: If the value is set to true the event will be written. If it is set to false the rule is ignored.
source: Sysmon or PowerShell.
category: For each source there is a list of different categories that can be specified.
description: A simple rule description.
payload: The values that will be added to the event. If you don't indicate a specific payload, the event will contain the values of the default configuration files located in conf.
Rule example (a single rule entry, shown here inside its enclosing object so it is valid JSON):

{
  "process_create_rule": {
    "enabled": true,
    "source": "Sysmon",
    "category": "Process Create",
    "description": "Activity event based on Process Create category.",
    "payload": {
      "Image": "process.exe",
      "CommandLine": "process.exe --help"
    }
  }
}
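The following is an added example, not MalwLess's own code, showing how a rule set in the documented format can be validated before it is written to the EventLog and how the rule's payload is overlaid on category defaults. It assumes (the page does not state this) that rules live under a top-level "rules" object, that pack metadata uses the keys name/version/author/description, and that the default payloads per category, which the real tool reads from its conf directory, are supplied inline here as constructed values. The category lists and default field names are likewise assumptions for illustration.

```python
"""Added example (not MalwLess's own code): validate a rule pack in the
documented MalwLess rule format and render the events it would produce.

Assumed layout (not given on the page): {"name", "version", "author",
"description", "rules": {<rule_name>: {enabled, source, category,
description, payload}}}.
"""
import json

# Assumed category lists; the real tool defines these in its conf files.
ALLOWED_CATEGORIES = {
    "Sysmon": {"Process Create", "Network connection detected"},
    "PowerShell": {"4104"},
}

# Constructed stand-ins for the default payloads in the conf directory.
DEFAULT_PAYLOADS = {
    ("Sysmon", "Process Create"): {
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe",
        "User": "LAB\\user",
    },
    ("Sysmon", "Network connection detected"): {
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "DestinationIp": "10.0.0.1",
        "DestinationPort": "443",
    },
    ("PowerShell", "4104"): {"ScriptBlockText": "Write-Host test", "Path": ""},
}

REQUIRED_KEYS = ("enabled", "source", "category", "description")


def validate_rule(name, rule):
    """Return a list of problems found in one rule (empty list means valid)."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in rule:
            problems.append(f"{name}: missing key '{key}'")
    # 'enabled' must be a real JSON boolean, not the string "true".
    if not isinstance(rule.get("enabled"), bool):
        problems.append(f"{name}: 'enabled' must be true or false")
    source = rule.get("source")
    if source not in ALLOWED_CATEGORIES:
        problems.append(f"{name}: unknown source {source!r}")
    elif rule.get("category") not in ALLOWED_CATEGORIES[source]:
        problems.append(f"{name}: category {rule.get('category')!r} not valid for {source}")
    payload = rule.get("payload", {})
    if not isinstance(payload, dict) or not all(isinstance(v, str) for v in payload.values()):
        problems.append(f"{name}: 'payload' must be an object of string values")
    return problems


def render_events(pack_text):
    """Parse a pack and return (events, problems).

    Each event holds the field set that would go to the EventLog: the
    category defaults overlaid by the rule's payload.  Rules with problems
    are reported and skipped; disabled rules are silently skipped.
    """
    pack = json.loads(pack_text)
    events, problems = [], []
    for name, rule in pack.get("rules", {}).items():
        rule_problems = validate_rule(name, rule)
        if rule_problems:
            problems.extend(rule_problems)
            continue
        if not rule["enabled"]:
            continue
        data = dict(DEFAULT_PAYLOADS[(rule["source"], rule["category"])])
        data.update(rule.get("payload", {}))  # rule payload wins over defaults
        events.append({
            "rule": f"rules.{name}",
            "source": rule["source"],
            "category": rule["category"],
            "description": rule["description"],
            "data": data,
        })
    return events, problems


# Constructed sample pack modelled on the page's rule example and test output.
SAMPLE_PACK = json.dumps({
    "name": "example pack", "version": "0.1", "author": "example",
    "description": "Constructed pack for the validator example.",
    "rules": {
        "vssadmin_delete_shadows": {
            "enabled": True, "source": "Sysmon", "category": "Process Create",
            "description": "Deleted shadow copies via vssadmin.",
            "payload": {"Image": "C:\\Windows\\System32\\vssadmin.exe",
                        "CommandLine": "vssadmin delete shadows"},
        },
        "disabled_rule": {"enabled": False, "source": "PowerShell",
                          "category": "4104", "description": "Skipped."},
        "broken_rule": {"enabled": True, "source": "Sysmon",
                        "category": "4104", "description": "Wrong category."},
    },
})

if __name__ == "__main__":
    evs, probs = render_events(SAMPLE_PACK)
    for ev in evs:
        print(f"[>] Detected rule: {ev['rule']}")
        print(f"... Source: {ev['source']}")
        print(f"... Category: {ev['category']}")
        print(f"... Description: {ev['description']}")
    for p in probs:
        print("[!]", p)
```

Running the block prints the enabled, valid rule in the same "[>] Detected rule" layout as the tool's own output and reports the malformed rule separately; note that the default field "User" survives in the rendered event because the rule's payload only overrides the fields it names, which is the behaviour the payload key description above implies.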

Sets

Contact

For any issue or suggestions contact me on twitter @n0dec.

Website: https://n0dec.github.io
