Not able to generate eid 24 remotely

[hsekowski]

I'm working on CI project where one of tasks is to generate all Sysmon EIDs
Infrastructure is build automatically and events are to be generated automatically as well.
Ansible is used, so winrm is used for communication and commands are executed in powershell.
I was able to generate most of unique events but there is an issue with few.

EID 24 is generated when commands are called locally (Set-Clipboard Hello ; Set-Clipboard 123 -Append ; Get-Clipboard -Raw), but when calling the same remotely, event is not generated.
To replicate remote call, python code like this can be executed:
`
import winrm

host = ''
domain = ''
user = 'Administrator'
password = ''

session = winrm.Session(host, auth=('{}@{}'.format(user,domain), password), transport='ntlm')
result = session.run_ps('Set-Clipboard Hello ; Set-Clipboard 123 -Append ; Get-Clipboard -Raw')

print(result)
print(result.std_out)
print(result.std_err)
Surprising thing is that output from the remote call isb'Hello\r\n123\r\n'`, that suggests clipboard was set correctly.

I tried SysmonSimulator locally and remotely with exactly the same result. EID 24 was generate when run locally, but did not appear when called remotely, despite exactly the same output

[dstaulcu]

I wonder if there is simply not a clipboard to write to in that context type (session). From: hsekowski ***@***.***> Sent: Thursday, April 7, 2022 3:37 PM To: ScarredMonk/SysmonSimulator ***@***.***> Cc: Subscribed ***@***.***> Subject: [ScarredMonk/SysmonSimulator] Not able to generate eid 24 remotely (Issue #5) I'm working on CI project where one of tasks is to generate all Sysmon EIDs Infrastructure is build automatically and events are to be generated automatically as well. Ansible is used, so winrm is used for communication and commands are executed in powershell. I was able to generate most of unique events but there is an issue with few. EID 24 is generated when commands are called locally (Set-Clipboard Hello ; Set-Clipboard 123 -Append ; Get-Clipboard -Raw), but when calling the same remotely, event is not generated. To replicate remote call, python code like this can be executed: ` import winrm host = '' domain = '' user = 'Administrator' password = '' session = winrm.Session(host, auth=('{}@{}'.format(user,domain), password), transport='ntlm') result = session.run_ps('Set-Clipboard Hello ; Set-Clipboard 123 -Append ; Get-Clipboard -Raw') print(result) print(result.std_out) print(result.std_err) Surprising thing is that output from the remote call isb'Hello\r\n123\r\n'`, that suggests clipboard was set correctly. I tried SysmonSimulator locally and remotely with exactly the same result. EID 24 was generate when run locally, but did not appear when called remotely, despite exactly the same output — Reply to this email directly, view it on GitHub<#5>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ABUC7WUZI3X5SRWGJORQD6TVD42PRANCNFSM5S2M2N7Q>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.******@***.***>>

[elagrija]

Can you please provide us the compiled version of the sysmonsimulator c file. Had some difficulties in resolve the errors throwing by c compilers. Will be helpful to learn the source code and its concepts in testing EDR's in our environment.