Merge pull request #2882 from phantinuss/checkbaseline

workflow: add checks against Windows 11 baseline
2022-04-06 16:48:04 +02:00
parent 7ef4187875 c2c3fff071
commit b40b513d3f
13 changed files with 116 additions and 34 deletions
@@ -11,4 +11,14 @@ e28a5a99-da44-436d-b7a0-2afc20a5f413;Whoami Execution;WindowsPowerShell
 36480ae1-a1cb-4eaa-a0d6-29801d7e9142;Renamed Binary;WinRAR
 73bba97f-a82d-42ce-b315-9182e76c57b1;Imports Registry Key From a File;Evernote
 6741916F-B4FA-45A0-8BF8-8249C702033A;Added Rule in Windows Firewall with Advanced Security;\\Integration\\Integrator\.exe
-00bb5bd5-1379-4fcf-a965-a5b6f7478064;Setting Change in Windows Firewall with Advanced Security;Level: 4  Task: 0
+00bb5bd5-1379-4fcf-a965-a5b6f7478064;Setting Change in Windows Firewall with Advanced Security;Level: 4  Task: 0
+162ab1e4-6874-4564-853c-53ec3ab8be01;TeamViewer Remote Session;TeamViewer_Service\.exe
+cdc8da7d-c303-42f8-b08c-b4ab47230263;Rundll32 Internet Connection;20.49.150.241
+bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151.101.64.223
+9711de76-5d4f-4c50-a94f-21e4e8f8384d;Installation of TeamViewer Desktop;TeamViewer_Desktop\.exe
+96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;target\.exe
+9494479d-d994-40bf-a8b1-eea890237021;Suspicious Add Scheduled Task Parent;TeamViewer_\.exe
+81325ce1-be01-4250-944f-b4789644556f;Suspicius Schtasks From Env Var Folder;TVInstallRestore
+6ea3bf32-9680-422d-9f50-e90716b12a66;UAC Bypass Via Wsreset;EventType: DeleteKey
+43f487f0-755f-4c2a-bce7-d6d2eec2fcf8;Suspicious Add Scheduled Task From User AppData Temp;TVInstallRestore
+c187c075-bb3e-4c62-b4fa-beae0ffc211f;Deteled Rule in Windows Firewall with Advanced Security;Dropbox.*\\netsh\.exe
@@ -55,3 +55,21 @@ jobs:
        ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ > findings.json
    - name: Show findings excluding known FPs
      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+  check-baseline-win11:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Download evtx-sigma-checker
+      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker
+    - name: Download and extract Windows 11 baseline
+      run: |
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win11-client.tgz
+        tar xzf win11-client.tgz
+    - name: Remove deprecated rules
+      run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
+    - name: Check for Sigma matches in baseline
+      run: |
+        chmod +x evtx-sigma-checker
+        ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Win11/ --rule-path rules/windows/ > findings.json
+    - name: Show findings excluding known FPs
+      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
@@ -1,7 +1,7 @@
 title: Deteled Rule in Windows Firewall with Advanced Security
 id: c187c075-bb3e-4c62-b4fa-beae0ffc211f
 status: experimental
-description: DA rule has been deleted in the Windows Firewall exception list.
+description: A rule has been deleted in the Windows Firewall exception list.
 author: frack113
 date: 2022/02/19
 modified: 2022/02/22
@@ -13,9 +13,9 @@ logsource:
 # EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2
 detection:
    selection:
-        EventID: 
+        EventID:
            - 2006
-            - 2033 #All rules 
+            - 2033 #All rules
    filter:
        - ModifyingApplication: 'C:\Windows\System32\svchost.exe'
        - ModifyingApplication|startswith:
@@ -7,7 +7,7 @@ references:
  - https://twitter.com/pabraeken/status/990717080805789697
  - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runonce.yml
 date: 2020/11/15
-modified: 2022/02/15
+modified: 2022/04/04
 logsource:
  product: windows
  category: registry_event
@@ -18,6 +18,11 @@ detection:
  filter_chrome:
    Details|startswith: '"C:\Program Files\Google\Chrome\Application\'
    Details|endswith: '\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level'
+  filter_edge:
+    Details|startswith:
+    - '"C:\Program Files (x86)\Microsoft\Edge\Application\'
+    - '"C:\Program Files\Microsoft\Edge\Application\'
+    Details|endswith: '\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable'
  condition: selection and not 1 of filter_*
 falsepositives:
  - Legitimate modification of the registry key by legitimate program
@@ -11,7 +11,7 @@ references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/03/26
+modified: 2022/04/04
 logsource:
    category: registry_set
    product: windows
@@ -51,15 +51,19 @@ detection:
            - '{807583E5-5146-11D5-A672-00B0D022E945}'
    filter_chrome:
        TargetObject|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\'
+    filter_edge:
+        TargetObject|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\'
+    filter_IE:
+        TargetObject|contains: '\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\'
    filter_image:
-        Image: 
+        Image:
            - 'C:\Windows\System32\poqexec.exe'
            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
    filter_office:
-        Image|startswith: 
+        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
-        Image|endswith: '\OfficeClickToRun.exe'        
+        Image|endswith: '\OfficeClickToRun.exe'
    condition: main_selection and not 1 of filter_*
 fields:
    - SecurityID
@@ -11,7 +11,7 @@ references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/03/26
+modified: 2022/04/04
 logsource:
    category: registry_set
    product: windows
@@ -50,6 +50,13 @@ detection:
            - 'C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe'
            - 'C:\Program Files\Everything\Everything.exe'
            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
+    filter_logonui:
+        Image: 'C:\Windows\system32\LogonUI.exe'
+        TargetObject|contains:
+            - '\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\'  # PIN
+            - '\Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}\'  # fingerprint
+            - '\Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\'  # facial recognizion
+            - '\Authentication\Credential Providers\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\'  # Trusted Signal (Phone proximity, Network location)
    filter_edge:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\'
@@ -90,7 +97,7 @@ detection:
        Details|contains: '\AppData\Local\Package Cache\{c60fd5ac-367d-4e3a-a975-f157502ac30a}\python'
        Details|endswith: '.exe" /burn.runonce'
    filter_officeclicktorun:
-        Image|startswith: 
+        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
@@ -11,7 +11,7 @@ references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/03/26
+modified: 2022/04/04
 logsource:
    category: registry_set
    product: windows
@@ -62,10 +62,12 @@ detection:
            - '"C:\ProgramData\Package Cache\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}\windowsdesktop-runtime-'
        Details|endswith: '.exe" /burn.runonce'
    filter_office:
-        Image|startswith: 
+        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
-        Image|endswith: '\OfficeClickToRun.exe'    
+        Image|endswith: '\OfficeClickToRun.exe'
+    filter_ms_win_desktop_runtime:
+        Details|startswith: '"C:\ProgramData\Package Cache\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\windowsdesktop-runtime-'
    condition: wow_current_version_base and wow_current_version and not 1 of filter_*
 fields:
    - SecurityID
@@ -3,7 +3,7 @@ id: 45e112d0-7759-4c2a-aa36-9f8fb79d3393
 description: Hides the file extension through modification of the registry
 author: frack113
 date: 2022/01/22
-modified: 2022/03/26
+modified: 2022/04/04
 status: experimental
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
@@ -19,7 +19,8 @@ detection:
        Details:
            - DWORD (0x00000000) # My Computer
            - DWORD (0x00000001) # Local Intranet Zone
-    condition: selection_domains
+            - '(Empty)'
+    condition: selection_domains and not filter
 falsepositives:
    - Administrative scripts
 level: medium
@@ -7,14 +7,14 @@ references:
    - https://attack.mitre.org/techniques/T1546/015/
 author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
 date: 2020/04/14
-modified: 2022/03/26
+modified: 2022/04/04
 logsource:
    category: registry_set
    product: windows
 detection:
    selection: # Detect new COM servers in the user hive
        EventType: SetValue
-        TargetObject|startswith: 
+        TargetObject|startswith:
            - 'HKCR\CLSID\'
            - 'HKCU\Software\Classes\CLSID\'
        TargetObject|endswith: '\InprocServer32\(Default)'
@@ -23,7 +23,7 @@ detection:
            - '%%systemroot%%\system32\'
            - '%%systemroot%%\SysWow64\'
    filterOneDrive:
-        Details|contains: 
+        Details|contains:
            - '\AppData\Local\Microsoft\OneDrive\'
            - '\FileCoAuthLib64.dll'
            - '\FileSyncShell64.dll'
@@ -62,6 +62,8 @@ detection:
        Details:
            - 'C:\Windows\system32\dnssdX.dll'
            - 'C:\Windows\SysWOW64\dnssdX.dll'
+    filter_printextensionmanager:
+        Details: 'C:\Windows\system32\spool\drivers\x64\3\PrintConfig.dll'
    filter_programfiles:
        Details|startswith:
            - 'C:\Program Files\'
@@ -3,7 +3,7 @@ id: 612e47e9-8a59-43a6-b404-f48683f45bd6
 description: Detects the modification of a ServiceDLL value in the service settings
 author: frack113
 date: 2022/02/04
-modified: 2022/03/26
+modified: 2022/04/04
 status: experimental
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time
@@ -15,7 +15,9 @@ detection:
        EventType: SetValue
        TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
        TargetObject|endswith: '\Parameters\ServiceDll'
-    condition: selection
+    filter_printextensionmanger:
+        Details: 'C:\Windows\system32\spool\drivers\x64\3\PrintConfig.dll'
+    condition: selection and not 1 of filter*
 falsepositives:
    - Administrative scripts
    - Installation of a service
@@ -3,7 +3,7 @@ id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d
 description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered
 status: experimental
 date: 2021/06/18
-modified: 2022/03/26
+modified: 2022/04/04
 references:
  - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
 author: Syed Hasan (@syedhasan009)
@@ -29,6 +29,7 @@ detection:
      - '\TaskCache\Tree\Opera scheduled assistant Autoupdate'
      - '\TaskCache\Tree\OneDrive Reporting'
      - '\TaskCache\Tree\OneDrive Standalone Update Task'
+      - '\TaskCache\Tree\OneDrive Per-Machine Standalone Update Task\'
      - '\TaskCache\Tree\Mozilla\SD'
      - '\TaskCache\Tree\Microsoft\Windows\.NET Framework\.NET Framework '
      - '\TaskCache\Tree\Microsoft\Office\OfficeOsfInstaller\'
@@ -42,6 +43,7 @@ detection:
      - '\TaskCache\Tree\Microsoft\Office\OfficeTelemetry' # *AgentLogOn and *AgentFallBack
      - '\TaskCache\Tree\Microsoft\Office\Office ClickToRun Service Monitor\'
      - '\TaskCache\Tree\Microsoft\Office\Office Automatic Updates 2.0\'
+      - '\TaskCache\Tree\Microsoft\Office\Office Feature Updates'
      - '\TaskCache\Tree\klcp_update\'
      - '\TaskCache\Tree\Apple\SD'
      - '\TaskCache\Tree\Apple\AppleSoftwareUpdate\'
@@ -49,6 +51,12 @@ detection:
      - '\TaskCache\Tree\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance\'
      - '\TaskCache\Tree\Microsoft\Windows\Windows Defender\Windows Defender Cleanup\'
      - '\TaskCache\Tree\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan\'
+      - '\TaskCache\Tree\TVInstallRestore\'
+      - '\TaskCache\Tree\Microsoft\Windows\InstallService\SmartRetry\'
+      - '\TaskCache\Tree\Microsoft\Windows\DeviceDirectoryClient\RegisterDevicePeriodic24\'
+      - '\TaskCache\Tree\Microsoft\Windows\DeviceDirectoryClient\RegisterDeviceLocationRightsChange\'
+      - '\TaskCache\Tree\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser\'
+      - '\TaskCache\Tree\MicrosoftEdgeUpdateTaskMachine' # *Core and *UA
  condition: selection and not 1 of filter*
 falsepositives:
  - Unknown
@@ -4,7 +4,7 @@ description: Someone try to hide from Sysmon
 status: experimental
 author: frack113
 date: 2021/06/04
-modified: 2022/02/09
+modified: 2022/04/04
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
    - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
@@ -19,11 +19,15 @@ detection:
        Description|contains:
            - 'Failed to open service configuration with error'
            - 'Failed to connect to the driver to update configuration'
-    selection_filter:
+    filter_generic_english:
        Description|contains|all:
            - 'Failed to open service configuration with error'
            - 'Last error: The media is write protected.'
-    condition: selection_error and not selection_filter
+    filter_by_errorcode:
+        Description|contains:
+            - 'Failed to open service configuration with error 19'
+            - 'Failed to open service configuration with error 93'
+    condition: selection_error and not 1 of filter*
 falsepositives:
    - Legitimate administrative action
-level: high 
+level: high
@@ -51,27 +51,46 @@ echo
 echo "Copy rules from ${SIGMA} to ${TMP}"
 cp -r "${RULES}"/windows .
 echo
+echo "Remove deprecated rules"
+grep -ERl "^status: deprecated" windows | xargs -r rm -v
+echo
 echo "Download evtx-sigma-checker"
 if [[ "${OS}" == "Linux" ]]; then
    wget --no-verbose --progress=bar --show-progress https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker
 elif [[ "${OS}" == "Darwin" ]]; then
    wget --no-verbose --progress=bar --show-progress https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker-darwin -O evtx-sigma-checker
 fi
+chmod +x evtx-sigma-checker
+
+# Windows 10
 echo
-echo "Download and extract Windows 10 baseline events"
+echo "Download Windows 10 baseline events"
 wget --no-verbose --progress=bar --show-progress https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz
+echo "Extract Windows 10 baseline events"
 tar xzf win10-client.tgz
 echo
-echo "Remove deprecated rules"
-grep -ERl "^status: deprecated" windows | xargs -r rm -v
+echo "Check for Sigma matches in Windows 10 baseline (this takes at least 2 minutes)"
+./evtx-sigma-checker --log-source "${SIGMA}"/tools/config/thor.yml --evtx-path Logs_Client/ --rule-path windows/ > findings-win10.json
+
+# Windows 11
 echo
-echo "Check for Sigma matches in baseline (this takes at least 2 minutes)"
-chmod +x evtx-sigma-checker
-./evtx-sigma-checker --log-source "${SIGMA}"/tools/config/thor.yml --evtx-path Logs_Client/ --rule-path windows/ > findings.json
+echo "Download Windows 11 baseline events"
+wget --no-verbose --progress=bar --show-progress https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win11-client.tgz
+echo "Extract Windows 11 baseline events"
+tar xzf win11-client.tgz
+echo
+echo "Check for Sigma matches in Windows 11 baseline (this takes at least 6 minutes)"
+./evtx-sigma-checker --log-source "${SIGMA}"/tools/config/thor.yml --evtx-path Logs_Win11/ --rule-path windows/ > findings-win11.json
+

 echo
-echo "Checking for matches:"
-"${SIGMA}"/.github/workflows/matchgrep.sh findings.json "${SIGMA}"/.github/workflows/known-FPs.csv
+echo "## MATCHES ##"
+echo
+echo "Windows 10:"
+"${SIGMA}"/.github/workflows/matchgrep.sh findings-win10.json "${SIGMA}"/.github/workflows/known-FPs.csv
+echo
+echo "Windows 11:"
+"${SIGMA}"/.github/workflows/matchgrep.sh findings-win11.json "${SIGMA}"/.github/workflows/known-FPs.csv

 echo
 read -p  "Removing temporary directory ${TMP}. Press Enter to continue." -s