HEG is designed to act as a log generation tool for logging verification, logging validation, detection validation and similar tasks.
Because HEG is an event generator rather than an attack simulator, you may notice it executing the same step repeatedly, each time using a different technique. It may also execute numerous steps that achieve overlapping outcomes, which an actual attacker would have no need to do. This is deliberate: it lets a defender see what the various paths to the same outcome look like in the logs.
Although HEG is not designed as an attack simulation tool (and care has been taken to defang it where possible), it is still recommended to run HEG only on non-critical infrastructure. Give careful consideration before deploying HEG on any production system. Tell your SOC before you run it: the events are meant to trigger detections, and an unannounced run will look like a real incident.
To get the most out of HEG, read this Medium post.
For a quick start, with minimal fuss:
- Download and extract the repo
- Launch PowerShell as Administrator
- Locate and run HEG.ps1
- After it completes, check the Logs directory
Mapping coming soon!
HEG - PA: runs a pre-assessment on the local system to determine what the logging levels look like, i.e. which EventIDs are being logged and which are not. Run this before running HEG so you know what to expect.
HEG - AA: runs an automated analysis on the logs generated by HEG, highlighting and annotating the various IOCs HEG generated that a SOC should pick up.
HEG - BeefEater: this edition of HEG doesn't look pretty, but it generates far more events than standard HEG. BeefEater is better suited to people working in detection. If you want ALL the logs, this is the one.
Contributions are welcome, especially tests that generate new events not already covered. The entire HEG project is designed to be community focused. Send a PR and it will be reviewed.
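The quick start above and HEG - PA both come down to one question: of the event IDs you expect, which ones does this host actually record? The script below is an added example, written for this page; it is not HEG's own code and does not show how HEG - PA is implemented. It dumps the local audit policy, counts the expected IDs over the last 24 hours as a baseline, runs the generator, and then reports which IDs appeared during the run. The list of log names and event IDs, and the path to HEG.ps1, are assumptions to adjust for your environment.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of HEG: compare expected Windows event IDs before and after a generator run.

# Assumed set of commonly relied-upon IDs per log. 4688 needs Process Creation auditing,
# 4103/4104 need Module / Script Block Logging, Sysmon IDs need Sysmon installed.
$Expected = @{
    'Security' = @(4624, 4625, 4648, 4688, 4697, 4698, 4720, 4732, 4776, 1102)
    'System'   = @(7045)
    'Microsoft-Windows-PowerShell/Operational' = @(4103, 4104)
    'Microsoft-Windows-Sysmon/Operational'     = @(1, 3, 7, 10, 11, 13)
}
$HegPath = '.\HEG.ps1'   # assumed: path to the extracted HEG script

function Get-EventIdCounts {
    param([hashtable]$Map, [datetime]$Since)
    $counts = @{}
    foreach ($log in $Map.Keys) {
        # FilterHashtable queries server-side instead of pulling the whole log.
        # A missing log (e.g. no Sysmon) or zero matches yields $null, reported as 0.
        $events = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $Map[$log]; StartTime = $Since } -ErrorAction SilentlyContinue)
        foreach ($id in $Map[$log]) {
            $counts["$log/$id"] = @($events | Where-Object Id -eq $id).Count
        }
    }
    return $counts
}

# 1. Pre-assessment: current audit policy and a 24-hour baseline of the expected IDs.
auditpol /get /category:*
$before = Get-EventIdCounts -Map $Expected -Since (Get-Date).AddHours(-24)

# 2. Run the generator and note when it started.
$start = Get-Date
& $HegPath

# 3. Compare: which expected IDs were written during the run?
$after = Get-EventIdCounts -Map $Expected -Since $start
$keys  = foreach ($log in $Expected.Keys) { foreach ($id in $Expected[$log]) { "$log/$id" } }
foreach ($key in ($keys | Sort-Object)) {
    $status = if ($after[$key] -gt 0)      { 'LOGGED DURING RUN' }
              elseif ($before[$key] -gt 0) { 'SEEN IN BASELINE, NOT DURING RUN' }
              else                         { 'NOT LOGGING' }
    '{0,-50} {1,5}  {2}' -f $key, $after[$key], $status
}
```

An ID that is "NOT LOGGING" in both passes is an audit-policy or agent gap on the host, not a HEG problem; fix that first, then re-run. If script execution is blocked by policy, start the session with `powershell -ExecutionPolicy Bypass` rather than changing the machine-wide policy.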