GitHub - Pathtofile/siemcraft: Security Information And Event Management In Mine

24 June 2022

This project was inspired by Kubecraftadmin. SIEMCRAFT lets you monitor your entire Windows domain and identify intrusions, while still mining for diamonds.

Also see this demo video of SIEMCRAFT in VR.

How it works

SIEMCRAFT is an application that combines a standalone executable 'controller' and a Minecraft add-on, designed to let a user manage and respond to security alerts from within Minecraft. The project is made up of several components:

Event Log collector

Using RawSec's Win32 library, SIEMCRAFT subscribes to various Windows Event logs to gather events from:

- Microsoft Sysmon
- ETW (via Sealighter)
- Security, System, and Application Event logs

Using Windows Event Forwarding (WEF), you can run SIEMCRAFT on a central machine and gather events from an entire Windows Domain.

SIGMA Rule detection engine

SIEMCRAFT then runs the events through a set of user-supplied SIGMA detection rules, using Bradley Kemp's library, to detect malicious and suspicious activity in the raw events. SigmaHQ's ruleset is also supported.

Entity generator

If a rule detects suspicious behaviour, it triggers the creation of a new entity on the player's Minecraft server, near the player. This entity displays information about:

- The name of the rule that was triggered
- The machine name the rule was activated on
- The user accountable for the process that triggered the rule
- The Image, CommandLine, and PID of the process
- The Image and PID of the parent process
- Other pertinent details

Depending on the level of the detection, different kinds of entities are created:

- Low: Chicken
- Medium: Cow or Pig
- High: Spider, Panda, or Bear

Player action responder

If the entity is killed by a player using a Diamond Sword, SIEMCRAFT will then kill either the parent process or the process, as long as the image of the process is one of:

- cmd.exe
- pwsh.exe
- powershell.exe
- wword.exe

If the entity dies by any other means, the event will be silently disregarded.
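The level-to-entity mapping and the response gate described above can be sketched as follows; this is an added example, not code from the SIEMCRAFT repository. The `Alert` field names, the `diamond_sword` identifier, and the choice to check the process image before the parent image are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Alert carries the fields shown on the entity (field names are assumptions).
type Alert struct {
	Level, Image, ParentImage string
	PID, ParentPID            int
}

// entities maps a detection level to the entity kinds listed above.
var entities = map[string][]string{"low": {"chicken"}, "medium": {"cow", "pig"}, "high": {"spider", "panda", "bear"}}

// killable is the image allowlist given above, compared case-insensitively.
var killable = map[string]bool{"cmd.exe": true, "pwsh.exe": true, "powershell.exe": true, "wword.exe": true}

// EntityFor returns the candidate entities for a level, or nil for an unlisted level.
func EntityFor(level string) []string { return entities[strings.ToLower(level)] }

// baseName lower-cases the file name of a Windows path, so `C:\x\notcmd.exe`
// or `cmd.exe.bak` cannot match an allowlist entry by substring.
func baseName(image string) string {
	return strings.ToLower(image[strings.LastIndexAny(image, `\/`)+1:])
}

// KillTarget returns the PID to terminate; ok is false when the death is ignored
// (any other weapon, or neither image is on the allowlist).
func KillTarget(a Alert, weapon string) (pid int, ok bool) {
	switch {
	case weapon != "diamond_sword": // weapon identifier is an assumption
		return 0, false
	case killable[baseName(a.Image)]:
		return a.PID, true
	case killable[baseName(a.ParentImage)]:
		return a.ParentPID, true
	}
	return 0, false
}

func main() {
	// Constructed sample alert, not taken from a real event log.
	a := Alert{Level: "high", Image: `C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE`,
		ParentImage: `C:\Windows\explorer.exe`, PID: 4312, ParentPID: 988}
	pid, ok := KillTarget(a, "diamond_sword")
	fmt.Println(EntityFor(a.Level), pid, ok)
}
```

Matching on the exact lower-cased file name rather than a substring keeps an automated kill from firing on a look-alike image name.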

Diagram showing how it works


The releases page has pre-built artifacts.

There are two components that can be built.

Binary Controller

Minecraft Addons

There are three Minecraft add-ons: a 'behaviour' pack and an 'entity' pack. To make the packs easier to transfer, they can be combined into a single .mcaddon ZIP.


SIGMA rules will be required to allow SIEMCRAFT to process raw events. You can apply the rules found in the rule directory of this repository or the SIGMA community rules. Not all of these rules are compatible with SIEMCRAFT (see this discussion).


Place the siemcraft binary anywhere on the machine where event logs are being created (usually the same machine as Minecraft).

To install the Minecraft addon, double-click on the .mcpack on the machine running the Minecraft client. The pack should then be installed, which you can verify by clicking Settings in Minecraft:



Start the SIEMCRAFT controller from an elevated prompt, providing it with the path to the folder that contains the SIGMA rules:

These command-line options are accepted by SIEMCRAFT:


First, if you run SIEMCRAFT on the same local host as the Minecraft client, you will need to allow Minecraft to talk to your local network. This can be accomplished from an elevated PowerShell prompt:

Then, you can create a new Minecraft world using the following options:

- All cheats and tests enabled (including GameTest), and achievements disabled
- The SIEMCRAFT 'Resource' and 'Behaviour' packs activated

Once the Map is created, open the console and enter this command to connect to the SIEMCRAFT controller.

By default, the IP Address and port are:

You will see positive output in both the Minecraft UI as well as in the output of the Controller.

Why would you make this?

You can read the blog post. The reason I was bored is because I am a fool. I also presented this "work" at an event in the local security community, you can see the slides here (but the blog post has more details and the talk wasn't recorded).