Not able to generate eid 24 remotely #5
Comments
|
I wonder if there is simply not a clipboard to write to in that context type (session).
From: hsekowski ***@***.***>
Sent: Thursday, April 7, 2022 3:37 PM
To: ScarredMonk/SysmonSimulator ***@***.***>
Cc: Subscribed ***@***.***>
Subject: [ScarredMonk/SysmonSimulator] Not able to generate eid 24 remotely (Issue #5)
I'm working on CI project where one of tasks is to generate all Sysmon EIDs
Infrastructure is build automatically and events are to be generated automatically as well.
Ansible is used, so winrm is used for communication and commands are executed in powershell.
I was able to generate most of unique events but there is an issue with few.
EID 24 is generated when commands are called locally (Set-Clipboard Hello ; Set-Clipboard 123 -Append ; Get-Clipboard -Raw), but when calling the same remotely, event is not generated.
To replicate remote call, python code like this can be executed:
`
import winrm
host = ''
domain = ''
user = 'Administrator'
password = ''
session = winrm.Session(host, auth=('{}@{}'.format(user,domain), password), transport='ntlm')
result = session.run_ps('Set-Clipboard Hello ; Set-Clipboard 123 -Append ; Get-Clipboard -Raw')
print(result)
print(result.std_out)
print(result.std_err)
Surprising thing is that output from the remote call isb'Hello\r\n123\r\n'`, that suggests clipboard was set correctly.
I tried SysmonSimulator locally and remotely with exactly the same result. EID 24 was generate when run locally, but did not appear when called remotely, despite exactly the same output
—
Reply to this email directly, view it on GitHub<#5>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ABUC7WUZI3X5SRWGJORQD6TVD42PRANCNFSM5S2M2N7Q>.
You are receiving this because you are subscribed to this thread.Message ID: ***@***.******@***.***>>
|
|
Can you please provide us the compiled version of the sysmonsimulator c file. Had some difficulties in resolve the errors throwing by c compilers. Will be helpful to learn the source code and its concepts in testing EDR's in our environment. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'm working on CI project where one of tasks is to generate all Sysmon EIDs
Infrastructure is build automatically and events are to be generated automatically as well.
Ansible is used, so winrm is used for communication and commands are executed in powershell.
I was able to generate most of unique events but there is an issue with few.
EID 24 is generated when commands are called locally (
Set-Clipboard Hello ; Set-Clipboard 123 -Append ; Get-Clipboard -Raw), but when calling the same remotely, event is not generated.To replicate remote call, python code like this can be executed:
`
import winrm
host = ''
domain = ''
user = 'Administrator'
password = ''
session = winrm.Session(host, auth=('{}@{}'.format(user,domain), password), transport='ntlm')
result = session.run_ps('Set-Clipboard Hello ; Set-Clipboard 123 -Append ; Get-Clipboard -Raw')
print(result)
print(result.std_out)
print(result.std_err)
Surprising thing is that output from the remote call isb'Hello\r\n123\r\n'`, that suggests clipboard was set correctly.I tried SysmonSimulator locally and remotely with exactly the same result. EID 24 was generate when run locally, but did not appear when called remotely, despite exactly the same output
The text was updated successfully, but these errors were encountered: