
Emulate user activity randomly opening apps through Explorer to generate "legit noise" for EDR and any other log-type collection technology.

f4llc0nn/NotARobot

NotARobot

Emulates user activity by randomly opening apps through Explorer to generate "legit noise" for EDR and any other log-type collection technology. The goal is to be a solid, feature-rich and more "natural"* alternative to Sheepl, Invoke-UserSimulator and others.
* meaning it uses Explorer navigation instead of launchers and/or PowerShell.

It probably still needs some adjustments to avoid weird parent-child process events.
This is a work in progress. Please check the README and Release Notes.

Description

Randomly opens Explorer, navigates into a binary's directory, then hits Enter to open the binary (so it runs as a child process of explorer.exe, as natural as possible). It then waits a random window of time and runs another program (or kills one of the previously opened processes).

Also, each interaction has a 10% chance of finishing the program altogether.
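One way to check collected process-creation telemetry for the parent-child behaviour described above: launches of the simulated apps should show explorer.exe as parent, and anything else is worth a look. This is an added example, not part of the NotARobot project; the Sysmon Event ID 1 style field names, the app image names, the `NotARobot.exe` file name and the sample records are assumptions constructed for illustration.

```python
import ntpath

# Assumption: image names of the apps listed in this README on a Win10 host.
SIMULATED_APPS = {"msedge.exe", "outlook.exe", "winword.exe", "excel.exe",
                  "notepad.exe", "calc.exe", "snippingtool.exe"}
EXPECTED_PARENT = "explorer.exe"


def image_name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def audit_launches(events):
    """Classify process-creation events for the simulated apps.

    events: dicts with 'Image' and 'ParentImage' keys, as in Sysmon
    Event ID 1. Returns counts of natural (Explorer-parented) launches
    and self-spawned children, plus a list of (image, parent) oddities.
    """
    report = {"natural": 0, "self_spawn": 0, "odd": []}
    for ev in events:
        image = image_name(ev.get("Image"))
        parent = image_name(ev.get("ParentImage"))
        if image not in SIMULATED_APPS:
            continue  # not one of the apps the simulator drives
        if parent == EXPECTED_PARENT:
            report["natural"] += 1
        elif parent == image:
            # Multi-process apps such as Edge start their own children.
            report["self_spawn"] += 1
        else:
            report["odd"].append((image, parent))
    return report


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [  # constructed records, not captured telemetry
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": EDGE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": EDGE, "ParentImage": EDGE},
    {"Image": r"C:\Windows\System32\calc.exe",
     "ParentImage": r"C:\Users\lab\NotARobot.exe"},  # simulator as parent
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},  # ignored: not simulated
]

if __name__ == "__main__":
    print(audit_launches(SAMPLE_EVENTS))
```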

Current software included:

1) MS Edge

2) MS Office365 (Outlook, Word, Excel)

3) Notepad

4) Calc

5) Snipping Tool

Requirements:

• OS: Win10
• Win10: Power & Sleep settings: Never/Never
• MS Edge: Page Layout: Custom: Disable both checkboxes. Background: Disabled; Content: Disabled.
• MS Office365's Outlook: E-mail pre-configured. Otherwise reading and sending e-mails will fail.
• MS Office365's Excel, MS Office365's Word: Nothing specific. They must open without any warnings or prompts and be able to edit files (obviously, don't use a read-only MS Office version).
• Notepad, Calc, SnippingTool: Native

Install

Download the compiled version from here, or download AutoIt v3, make your changes and compile it yourself into a binary file.

Usage

Just run the compiled app. It will randomly close after a while (Exit Status = 0).
If you want to force it to close, you can:

  1. (Recommended) : Hit the UI close button (Exit Status = 1)
  2. (Experimental) : Hit the SHIFT+ESC hotkey (Exit Status = 2)

The hotkey is NOT reliable, since this project does a LOT of typing emulation and that can prevent the hotkey function from triggering.

CURRENT TODO (DEC/2021):

• Outlook sending random e-mail to itself and/or to a disposable e-mail (e.g. temp-mail.org, 10minutemail.com)
• Outlook opening random e-mail and attachments
• Edge downloading random files
• Redo the gifs with better resolution
• Test pointing the apps to a folder with .lnk files
