MalwLessis an open source tool that allows you to simulate system compromise or attack behaviours without running processes or PoCs. The tool is designed to test Blue Team detections and SIEM correlation rules. It provides a framework based on rules that anyone can write, so when a new technique or attack comes out you can write your own rules and share it a with the community.
These rules can simulate Sysmon or PowerShell events.
MalwLesscan parse the rules and write them directly to the Windows EventLog, then you can foward it to your event collector.
MalwLess Simulation Tool v1.1
[Rule test file]: rule_test.json
[Rule test name]: MalwLess default
[Rule test version]: 0.3
[Rule test author]: n0dec
[Rule test description]: MalwLess default test pack.
[>] Detected rule: rules.vssadmin_delete_shadows
... Source: Sysmon
... Category: Process Create
... Description: Deleted shadows copies via vssadmin.
[>] Detected rule: rules.certutil_network_activity
... Source: Sysmon
... Category: Network connection detected
... Description: Network activity from certutil tool.
[>] Detected rule: rules.powershell_scriptblock
... Source: PowerShell
... Category: 4104
... Description: Powershell 4104 event for Invoke-Mimikatz.
You can download the latest release on https://github.com/n0dec/MalwLess/releases
It is necessary to have
sysmoninstalled in your system. https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
When you have downloaded the latest
releaseversion you can run it directly from an elevated command prompt.
To test the default
rule setwhich is on
rule_test.jsonjust download it and run:
If you want to test a different
rule setfile, use the
To write a custom
> malwless.exe -r your_pack.json
rule setcheck the writing sets section.
Anyone can create a rule. These are written in
jsonwith an easy format.
| ||If the value is set to |
| ||The source of the events. (Working on more supported sources...) |
| ||For each source there are a list of different categories that can be specified.|
| ||A simple rule description.|
| ||These are the values that will be added to the event. If you don't indicate a specific payload the event will contain the values of the default configuration files located on |
Awesome gists sets
- Windows oneliners
APTSimulator setref: https://github.com/NextronSystems/APTSimulator
Endgame RTA setref: https://github.com/endgameinc/RTA
WinPwnage setref: https://github.com/rootm0s/WinPwnage
For any issue or suggestions contact on twitter @n0dec.