Simple update to support every new Sysmon version

Malwless-Modified-exe/conf/PowerShell.json

@@ -0,0 +1,10 @@
+{
+	"ContextInfo": "\tSeverity = Informational\n\tHost Name = ConsoleHost\n\tHost Version = 5.1.16299.431\n\tHost ID = ...\n\t...",
+	"UserData": "",
+	"Payload": "CommandInvocation(Get-ExecutionPolicy): \"Get-ExecutionPolicy\"",
+	"MessageNumber": 1,
+	"MessageTotal": 1,
+	"ScriptBlockText": "Write-Host \"Hello, World!\"",
+	"ScriptBlockId": "eee22606-aaaa-bbbb-cccc-ad5ae03adba7",
+	"Path": "",
+}

Malwless-Modified-exe/conf/Sysmon.json

@@ -0,0 +1,69 @@
+{
+	"Archived": "true",
+	"CallTrace": "C:\\WINDOWS\\SYSTEM32\\ntdll.dll+a0784|C:\\WINDOWS\\System32\\KERNELBASE.dll+3df6d",
+	"ClientInfo": "user:DESKTOP-ABCDEF\\user",
+	"CommandLine": "calc.exe",
+	"Company": "Microsoft Corporation",
+	"Configuration": "C:\\Windows\\sysmon.xml",
+	"ConfigurationFileHash": "SHA1=E45082AEE50F9E89D40E03F54F2B360ECA9493F6",
+	"Consumer": "\"ActiveScriptEventConsumer.Name=\\\"Backdoor\\\"\"",
+	"Contents": "[ZoneTransfer]",
+	"CurrentDirectory": "C:\\Windows\\System32\\",
+	"Description": "Windows Calculator",
+	"Destination": "\"MsgBox(\"Hello, World!\")\"",
+	"DestinationHostname": "",
+	"DestinationIsIpv6": "false",
+	"DestinationPort": "80",
+	"DestinationPortName": "",
+	"Details": "Binary Data",
+	"Device": "\\Device\\HarddiskVolume1",
+	"EventNamespace": "\"ROOT\\\\cimv2\"",
+	"FileVersion": "10.0.16299.15 (WinBuild.160101.0800)",
+	"Filter": "\"__EventFilter.Name=\\\"Trigger\\\"\"",
+	"GrantedAccess": "0x2000",
+	"Hash": "SHA1=8236636F8344D2DC4EFE3AB0B277202DF58EAE84",
+	"Hashes": "SHA1=8236636F8344D2DC4EFE3AB0B277202DF58EAE84",
+	"Image": "C:\\Windows\\System32\\calc.exe",
+	"ImageLoaded": "C:\\Windows\\System32\\crypt32.dll",
+	"Initiated": "true",
+	"IntegrityLevel": "High",
+	"LogonId": "0x3E7",
+	"Name": "Trigger",
+	"NewName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run2",
+	"NewThreadId": "5000",
+	"Operation": "Created",
+	"ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+	"ParentImage": "C:\\Windows\\System32\\cmd.exe",
+	"ParentProcessId": "4000",
+	"PipeName": "\\LSM_API_service",
+	"ProcessId": "4750",
+	"Product": "Microsoft® Windows® Operating System",
+	"Protocol": "tcp",
+	"Query": "\"SELECT * from Win32_ComputerSystem\"",
+	"QueryName": "contoso.com",
+	"QueryResults": "172.217.10.68",
+	"QueryStatus": "0",
+	"Session": 1,
+	"SchemaVersion": "4.00",
+	"Signature": "Microsoft Windows",
+	"SignatureStatus": "Valid",
+	"Signed": "true",
+	"SourceHostname": "",
+	"SourceImage": "C:\\Windows\\System32\\cmd.exe",
+	"SourceIsIpv6": "false",
+	"SourcePort": "50000",
+	"SourcePortName": "",
+	"SourceProcessId": "4015",
+	"SourceThreadId": "4500",
+	"StartAddress": "0xFFFF11AAA1C48C21",
+	"StartFunction": "",
+	"StartModule": "",
+	"State": "Stopped",
+	"TargetFilename": "C:\\Windows\\Temp\\blah.tmp",
+	"TargetImage": "C:\\Windows\\System32\\lsass.exe",
+	"TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
+	"TargetProcessId": "4500",
+	"TerminalSessionId": "1",
+	"Type": "Script",
+	"Version": "7.01"
+}

Malwless-Modified-exe/rule_test.json

@@ -0,0 +1,39 @@
+{
+  "name": "MalwLess default",
+  "version": "0.3",
+  "author": "n0dec",
+  "description": "MalwLess default test pack.",
+  "rules": {
+    "vssadmin_delete_shadows": {
+      "enabled": true,
+      "source": "Sysmon",
+      "category": "Process Create",
+      "description": "Deleted shadows copies via vssadmin.",
+      "payload": {
+        "Image": "C:\\Windows\\System32\\vssadmin.exe",
+        "CommandLine": "vssadmin.exe delete shadows /all /quiet"
+      }
+    },
+    "certutil_network_activity": {
+      "enabled": true,
+      "source": "Sysmon",
+      "category": "Network connection detected",
+      "description": "Network activity from certutil tool.",
+      "payload": {
+        "Image": "C:\\Windows\\System32\\certutil.exe",
+        "DestinationIp": "151.101.132.133",
+        "DestinationPort": 443
+      }
+    },
+    "powershell_scriptblock": {
+      "enabled": true,
+      "source": "PowerShell",
+      "category": "4104",
+      "description": "Powershell 4104 event for Invoke-Mimikatz.",
+      "payload": {
+        "ScriptBlockText": "function Invoke-Mimikatz\n{\n<#\n.SYNOPSIS\n\nThis script leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz...\nblablabla...",
+        "Path": ""
+      }
+    }
+  }
+}

README.md

@@ -1,4 +1,15 @@
-# MalwLess Simulation Tool (MST)
+# Modified MalwLess Simulation Tool (MST)
+***************************************************************************************************************************************************************************************
+
+<p align="center">
+
+<i>This is an altered version of Malwless software created by [n0dec](https://github.com/n0dec). It exists only because the main version is not supported any longer and doesn't work with the newest versions of Sysmon. 
+
+This version implements a simple workaround to fix this issue, it doesn't however improve the functionality in any other way. </i>
+</p>
+
+***************************************************************************************************************************************************************************************
+
 `MalwLess` is an open source tool that allows you to simulate system compromise or attack behaviours without running processes or PoCs. The tool is designed to test Blue Team detections and SIEM correlation rules. It provides a framework based on rules that anyone can write, so when a new technique or attack comes out you can write your own rules and share it a with the community.
 
 These rules can simulate [Sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon) or [PowerShell](https://docs.microsoft.com/en-us/powershell/scripting/getting-started/getting-started-with-windows-powershell) events. `MalwLess` can parse the rules and write them directly to the Windows EventLog, then you can foward it to your event collector.
@@ -32,8 +43,9 @@ Site: https://github.com/n0dec/MalwLess
 
 ## Download
 You can download the latest release from website https://n0dec.github.io/#malwless
+or from releases section https://github.com/n0dec/MalwLess/releases - This release is however incompatible with the newest Sysmon versions (from Sysmon 13 upwards).
 
-or from releases section https://github.com/n0dec/MalwLess/releases
+Executable version of Malwless working with the newest Sysmon versions can be found in 'Malwless-Modified-exe' directory, inside this repository.
 
 ## Usage
 #### Requirements

src/Program.cs

@@ -113,7 +113,12 @@ public static void Main(string[] args)
 										case "12":
 											SysmonClass_v12.WriteSysmonEvent(properties["category"].ToString(), properties["payload"], sysmon_config);
 											break;
-										default:
+                                        default:
+                                            if (int.Parse(productMajorVersion) > 13)
+                                            {
+                                                SysmonClass_vInfinity.WriteSysmonEvent(properties["category"].ToString(), properties["payload"], sysmon_config);
+                                                break;
+                                            }
 											Console.WriteLine("[!] Error: Sysmon version not supported.");
 											break;
 									}