Merge PR #5901 from @phantinuss - bump evtx-baseline version to 0.8.4

chore: bump evtx-baseline version to 0.8.4

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
This commit is contained in:
phantinuss
2026-03-13 15:04:24 +01:00
committed by GitHub
parent 3c2407864e
commit c2ba39f94b
4 changed files with 9 additions and 8 deletions
+1 -1
@@ -6,7 +6,7 @@ name: Goodlog Tests
on: [push, pull_request, merge_group, workflow_dispatch]
env:
EVTX_BASELINE_VERSION: v0.8.3
EVTX_BASELINE_VERSION: v0.8.4
jobs:
check-baseline-win7:
+2 -1
@@ -73,6 +73,7 @@ de587dce-915e-4218-aac4-835ca6af6f70;Potential Persistence Attempt Via Run Keys
8fbf3271-1ef6-4e94-8210-03c2317947f6;Cred Dump Tools Dropped Files;Svchost\.exe
c7da8edc-49ae-45a2-9e61-9fd860e4e73d;PUA - Sysinternals Tools Execution - Registry;.*
dcff7e85-d01f-4eb5-badd-84e2e6be8294;Windows Default Domain GPO Modification via GPME;Computer: WIN-FPV0DSIC9O6.sigma.fr
416bc4a2-7217-4519-8dc7-c3271817f1d5;Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location;procexp64\.exe
416bc4a2-7217-4519-8dc7-c3271817f1d5;Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location;procexp64\.exe
5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d;Cmd Launched with Hidden Start Flags to Suspicious Targets;xampp
558eebe5-f2ba-4104-b339-36f7902bcc1a;File Creation Date Changed to Another Year;(\\target\.exe|thm\.wxl|\\AppData\\Local\\Temp\\)
5e993621-67d4-488a-b9ae-b420d08b96cb;Service Installation in Suspicious Folder;\\\\AppData\\\\Local\\\\Temp\\\\MBAMInstallerService\.exe
1 RuleId RuleName MatchString
73 8fbf3271-1ef6-4e94-8210-03c2317947f6 Cred Dump Tools Dropped Files Svchost\.exe
74 c7da8edc-49ae-45a2-9e61-9fd860e4e73d PUA - Sysinternals Tools Execution - Registry .*
75 dcff7e85-d01f-4eb5-badd-84e2e6be8294 Windows Default Domain GPO Modification via GPME Computer: WIN-FPV0DSIC9O6.sigma.fr
76 416bc4a2-7217-4519-8dc7-c3271817f1d5 Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location procexp64\.exe procexp64\.exe
77 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d Cmd Launched with Hidden Start Flags to Suspicious Targets xampp
78 558eebe5-f2ba-4104-b339-36f7902bcc1a File Creation Date Changed to Another Year (\\target\.exe|thm\.wxl|\\AppData\\Local\\Temp\\)
79 5e993621-67d4-488a-b9ae-b420d08b96cb Service Installation in Suspicious Folder \\\\AppData\\\\Local\\\\Temp\\\\MBAMInstallerService\.exe
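Review bot: The rule id on the added `5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d;Cmd Launched with Hidden Start Flags to Suspicious Targets;xampp` row reads as sequential hex (5a 6b 7c 8d 9e 0f …) rather than a generated UUID, which is what a placeholder id would look like; if it does not match the `id:` of the actual rule, the exclusion never fires and the finding keeps failing the job, so it should be checked against the rule file before merging. Note also that the filter script on this page applies the third column as an unanchored, case-insensitive ERE after `.*` following the RuleId match, so `xampp` suppresses every finding of that rule whose JSON line contains that substring in any field; a more specific fragment such as the image path (escaped the way the neighbouring `\\AppData\\Local\\Temp\\` entries are) would narrow what gets hidden. The side of the two identical-looking `416bc4a2-…;procexp64\.exe` lines cannot be told apart in this rendering, so whatever changed there is not reviewed here.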
+5 -5
@@ -18,14 +18,14 @@ if [[ ! -f ${fps} || ! -r ${fps} ]]; then
fi
# Exclude all rules with level "low"
findings=$(grep -v '"RuleLevel":"low"' ${infile})
findings=$(grep -v '"RuleLevel":"low"' "${infile}")
{
read # Skip CSV header
while IFS=\; read -r id name fpstring; do
read -r # Skip CSV header
while IFS=\; read -r id _name fpstring; do
findings=$(echo "${findings}" | grep -iEv "\"RuleId\":\"${id}\".*${fpstring}")
done
} < ${fps}
} < "${fps}"
if [[ -z ${findings} ]]; then
echo "No matches found."
@@ -34,7 +34,7 @@ else
echo "${findings}"
>&2 echo
>&2 echo "Match overview:"
echo ${findings} | jq -c '. | {RuleId, RuleTitle, RuleLevel}' | sort | uniq -c | sort -nr >&2
echo "${findings}" | jq -c '. | {RuleId, RuleTitle, RuleLevel}' | sort | uniq -c | sort -nr >&2
>&2 echo
>&2 echo "You either need to tune your rule(s) for false positives or add a false positive filter to .github/workflows/known-FPs.csv"
exit 3
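Review bot: The filter loop in the first hunk still fails open: `findings=$(echo "${findings}" | grep -iEv "\"RuleId\":\"${id}\".*${fpstring}")` interpolates the CSV pattern straight into an ERE, and if a row carries a malformed pattern (an unbalanced paren or bracket) grep prints nothing on stdout, `findings` becomes empty, and the script takes the `No matches found.` branch and exits successfully instead of flagging the regression. grep distinguishes the two cases by exit status, 1 when every line was excluded (a legitimately empty result) and 2 on an error, so the loop can keep the result only when the status is not 2 and abort otherwise; this presumably works without `set -e`, since the existing assignment would already abort on status 1 if it were on. The script starts before and ends after these hunks, so the final exit codes are not all visible; `exit 2` below is a guess at a free code next to the existing `exit 3`.
```shell
# … unchanged: header skip …
while IFS=\; read -r id _name fpstring; do
  filtered=$(printf '%s\n' "${findings}" | grep -iEv "\"RuleId\":\"${id}\".*${fpstring}")
  rc=$?
  # grep exits 1 when all lines were excluded (fine), 2 when the pattern failed to compile
  if (( rc == 2 )); then
    >&2 echo "Invalid false-positive pattern for rule ${id} in ${fps}: ${fpstring}"
    exit 2
  fi
  findings=${filtered}
done
# … unchanged: result reporting …
```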
+1 -1
@@ -3,7 +3,7 @@ name: Regression Tests
on: [push, pull_request, workflow_dispatch]
env:
EVTX_BASELINE_VERSION: v0.8.3
EVTX_BASELINE_VERSION: v0.8.4
jobs:
true-positive-tests: