24 June 2022
This project was inspired by Kubecraftadmin. SIEMCRAFT lets you monitor your entire Windows domain and identify intrusions, while still mining for diamonds.
Also see this demo video of SIEMCRAFT in VR.
How it works
SIEMCRAFT combines a standalone executable (the 'controller') with a Minecraft add-on, letting a user manage and respond to security alerts from within Minecraft. The project is made up of the following components:
Event Log collector
Using RawSec's Win32 library, SIEMCRAFT subscribes to various Windows Event logs to gather events from:
- Microsoft Sysmon
- ETW (via Sealighter)
- Security, System, Application, and other Event logs
Using Windows Event Forwarding (WEF), you can run SIEMCRAFT on the central collector machine and gather events from an entire Windows domain.
SIGMA Rule detection engine
SIEMCRAFT then runs the events against a set of user-supplied SIGMA detection rules using Bradley Kemp's library. This can be used to detect malicious and suspicious activity in the raw events. SigmaHQ's community ruleset is also supported.
Entity generator
If a rule detects suspicious behaviour, it triggers the creation of a new entity in the player's Minecraft server, close to the player. This entity displays information about:
- The name of the rule triggered
- The machine name the rule was activated on
- The user accountable for the process that triggered the rule
- The Image, CommandLine, and PID of the process
- The Image and PID of the parent process
- Other pertinent details
Depending on the detection level of the rule, different kinds of entities may be created:
- Low: Chicken
- Medium: Cow or Pig
- High: Spider, Panda, or Bear
Player action responder
If the entity is killed by a player using a Diamond Sword, SIEMCRAFT will kill either the process or its parent process, as long as the process image is one of:
- cmd.exe
- pwsh.exe
- powershell.exe
- wword.exe
If the entity dies by any other means, the event will be silently disregarded.
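As an added example (not SIEMCRAFT's own code), the pipeline described in the three sections above reduced to Python: a minimal matcher for a SIGMA-style selection rule runs over constructed Sysmon-like events, each matching event becomes an entity record whose mob type follows the rule's level, and the responder's allow-list check decides whether a process image may be terminated. The rule, the events and the one-mob-per-level mapping are assumptions made for illustration.

```python
# Constructed Sysmon-style events (not real telemetry) carrying the fields the
# README says the spawned entity displays.
EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice", "ProcessId": 4242,
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "ParentProcessId": 1001},
    {"Computer": "WS02", "User": "CORP\\bob", "ProcessId": 555,
     "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe",
     "ParentImage": "C:\\Windows\\System32\\userinit.exe", "ParentProcessId": 300},
]
# Hypothetical rule in the SIGMA subset this demo understands: a single 'selection'
# map of field|modifier -> value(s); every field must match (condition: selection).
RULE = {
    "title": "Office application spawning a shell",
    "level": "high",
    "detection": {
        "selection": {
            "ParentImage|endswith": "\\winword.exe",
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\pwsh.exe"],
        },
    },
}
# One representative mob per severity level (the README lists several per level).
LEVEL_TO_ENTITY = {"low": "chicken", "medium": "cow", "high": "spider"}
# Process images the responder is permitted to terminate (the README's list).
KILLABLE = {"cmd.exe", "pwsh.exe", "powershell.exe", "wword.exe"}

def _field_matches(event, key, wanted):
    """Case-insensitive match of one 'field|modifier' entry against the event."""
    field, _, mod = key.partition("|")
    value = str(event.get(field, "")).lower()
    ops = {"endswith": value.endswith, "contains": lambda w: w in value, "": value.__eq__}
    return any(ops[mod](str(w).lower()) for w in (wanted if isinstance(wanted, list) else [wanted]))

def matches(rule, event):
    """True when every entry in the rule's selection matches the event."""
    return all(_field_matches(event, k, v) for k, v in rule["detection"]["selection"].items())

def to_entity(rule, event):
    """Build the record a spawned mob displays: rule, machine, user, process and parent."""
    shown = ("Computer", "User", "Image", "CommandLine", "ProcessId", "ParentImage", "ParentProcessId")
    return {"kind": LEVEL_TO_ENTITY.get(rule["level"], "chicken"), "rule": rule["title"],
            **{k: event[k] for k in shown}}

def responder_may_kill(image_path):
    """Only allow-listed images may be killed when the mob dies to a diamond sword."""
    return image_path.rsplit("\\", 1)[-1].lower() in KILLABLE
def run(rule, events):
    # Detection engine plus entity generator: one entity per event the rule matches.
    return [to_entity(rule, e) for e in events if matches(rule, e)]
```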
Diagram showing how it works
The releases page has pre-built artifacts.
There are two components that can be built.
The Minecraft add-ons are a 'behaviour' pack and an 'entity' pack. To make them easier to transfer, both packs can be combined into a single .mcaddon ZIP file.
SIGMA rules are required for SIEMCRAFT to process raw events. You can use the rules found in the rule directory of this repository or the SIGMA community rules. Not all of these rules are compatible with SIEMCRAFT (see this discussion).
Place the siemcraft binary anywhere on the machine where the event logs are being generated (usually the same machine as Minecraft).
To install the Minecraft add-on, double-click the .mcpack file on the computer running the Minecraft client. The pack should install, and you can verify this by opening Settings in Minecraft:
Start the SIEMCRAFT controller from an elevated prompt providing it with the path to the folder that contains the SIGMA rules:
Siemcraft accepts the following command-line options:
First, if you run SIEMCRAFT on the same local host as the Minecraft client, you will need to allow Minecraft to talk to your local network. This can be done from an elevated PowerShell prompt:
Then, create a new Minecraft world with the following options:
- All cheats and tests enabled (including GameTest), and achievements disabled
- The SIEMCRAFT 'Resource' and 'Behaviour' packs activated
Once the world is created, open the in-game console and enter this command to connect to the SIEMCRAFT controller:
By default, the IP address and port are:
You should see a confirmation in both the Minecraft UI and the controller's output.
Why would you make this?
You can read the blog post. The reason I was bored is that I am a fool. I also presented this "work" at an event in the local security community; you can see the slides here (but the blog post has more details, and the talk wasn't recorded).