workflow: new baseline check against Windows 2022
@@ -12,6 +12,9 @@ on: # yamllint disable-line rule:truthy
|
||||
- master
|
||||
- oscd
|
||||
|
||||
env:
|
||||
EVTX_BASELINE_VERSION: v0.5
|
||||
|
||||
jobs:
|
||||
test-sigma:
|
||||
runs-on: ubuntu-latest
|
||||
@@ -42,10 +45,10 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Download evtx-sigma-checker
|
||||
run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker
|
||||
run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
|
||||
- name: Download and extract Windows 7 32-bit baseline
|
||||
run: |
|
||||
wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win7-x86.tgz
|
||||
wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win7-x86.tgz
|
||||
tar xzf win7-x86.tgz
|
||||
- name: Remove deprecated rules
|
||||
run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
|
||||
@@ -60,10 +63,10 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Download evtx-sigma-checker
|
||||
run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker
|
||||
run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
|
||||
- name: Download and extract Windows 10 baseline
|
||||
run: |
|
||||
wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz
|
||||
wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win10-client.tgz
|
||||
tar xzf win10-client.tgz
|
||||
- name: Remove deprecated rules
|
||||
run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
|
||||
@@ -78,10 +81,10 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Download evtx-sigma-checker
|
||||
run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker
|
||||
run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
|
||||
- name: Download and extract Windows 11 baseline
|
||||
run: |
|
||||
wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win11-client.tgz
|
||||
wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client.tgz
|
||||
tar xzf win11-client.tgz
|
||||
- name: Remove deprecated rules
|
||||
run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
|
||||
@@ -91,3 +94,21 @@ jobs:
|
||||
./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Win11/ --rule-path rules/windows/ > findings.json
|
||||
- name: Show findings excluding known FPs
|
||||
run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
|
||||
check-baseline-win2022:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Download evtx-sigma-checker
|
||||
run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
|
||||
- name: Download and extract Windows 2022 baseline
|
||||
run: |
|
||||
wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-evtx.tgz
|
||||
tar xzf win2022-evtx.tgz
|
||||
- name: Remove deprecated rules
|
||||
run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
|
||||
- name: Check for Sigma matches in baseline
|
||||
run: |
|
||||
chmod +x evtx-sigma-checker
|
||||
./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path win2022-evtx/ --rule-path rules/windows/ > findings.json
|
||||
- name: Show findings excluding known FPs
|
||||
run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
|
||||
|
||||
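Review bot: The new check-baseline-win2022 job downloads `evtx-sigma-checker` from the release URL, marks it executable with `chmod +x` and runs it against the repository's rules without any integrity check, so the job executes whatever the release asset contains at fetch time; the same holds for the `win2022-evtx.tgz` archive it extracts. Pinning `$EVTX_BASELINE_VERSION` makes the fetch reproducible, but a release asset can still be replaced under the same tag, so a verification step after the download, e.g. `run: echo "<EXPECTED_SHA256>  evtx-sigma-checker" | sha256sum -c`, with the expected digest committed next to `EVTX_BASELINE_VERSION`, would fail the job on a changed binary rather than silently running it. The download steps in the three earlier hunks of this file (Windows 7, 10 and 11 jobs) have the same gap and would take the same check.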
@@ -69,7 +69,7 @@ wget --no-verbose --progress=bar --show-progress https://github.com/NextronSyste
|
||||
echo "Extract Windows 7 32-bit baseline events"
|
||||
tar xzf win7-x86.tgz
|
||||
echo
|
||||
echo "Check for Sigma matches in Windows 7 32-bit baseline (this takes at least 2 minutes)"
|
||||
echo "Check for Sigma matches in Windows 7 32-bit baseline"
|
||||
./evtx-sigma-checker --log-source "${SIGMA}"/tools/config/thor.yml --evtx-path win7_x86/ --rule-path windows/ > findings-win7.json
|
||||
|
||||
# Windows 10
|
||||
@@ -91,6 +91,15 @@ tar xzf win11-client.tgz
|
||||
echo
|
||||
echo "Check for Sigma matches in Windows 11 baseline (this takes at least 6 minutes)"
|
||||
./evtx-sigma-checker --log-source "${SIGMA}"/tools/config/thor.yml --evtx-path Logs_Win11/ --rule-path windows/ > findings-win11.json
|
||||
Windows 2022
|
||||
echo
|
||||
echo "Download Windows 2022 baseline events"
|
||||
wget --no-verbose --progress=bar --show-progress https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win2022-evtx.tgz
|
||||
echo "Extract Windows 2022 baseline events"
|
||||
tar xzf win2022-evtx.tgz
|
||||
echo
|
||||
echo "Check for Sigma matches in Windows 2022 baseline (this takes around 1 minute)"
|
||||
./evtx-sigma-checker --log-source "${SIGMA}"/tools/config/thor.yml --evtx-path win2022-evtx/ --rule-path windows/ > findings-win2022.json
|
||||
|
||||
|
||||
echo
|
||||
@@ -104,6 +113,9 @@ echo "Windows 10:"
|
||||
echo
|
||||
echo "Windows 11:"
|
||||
"${SIGMA}"/.github/workflows/matchgrep.sh findings-win11.json "${SIGMA}"/.github/workflows/known-FPs.csv
|
||||
echo
|
||||
echo "Windows 2022:"
|
||||
"${SIGMA}"/.github/workflows/matchgrep.sh findings-win2022.json "${SIGMA}"/.github/workflows/known-FPs.csv
|
||||
|
||||
echo
|
||||
read -p "Removing temporary directory ${TMP}. Press Enter to continue." -s
|
||||
|
||||
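Review bot: The new Windows 2022 block fetches `win2022-evtx.tgz` from `releases/latest/download`, so the script's baseline floats with every release while the workflow in this same commit pins `$EVTX_BASELINE_VERSION`; the two can silently check different data and disagree on findings. If the script is meant to reproduce CI, take the version from the same variable, `wget --no-verbose --progress=bar --show-progress https://github.com/NextronSystems/evtx-baseline/releases/download/${EVTX_BASELINE_VERSION:-v0.5}/win2022-evtx.tgz`, and consider verifying the archive's digest before `tar xzf` extracts it into the working directory. The enclosing script starts and ends outside this hunk, so whether such a variable is already defined further up is not visible here.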