From d323753abd7bf71c9501d6654cf8652a662cbfc2 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 6 Apr 2022 17:01:27 +0200
Subject: [PATCH] workflow: new baseline check against Windows 7 32-bit
---
 .github/workflows/known-FPs.csv | 8 +++++++-
 .github/workflows/sigma-test.yml | 18 ++++++++++++++++++
 tests/check-baseline-local.sh | 13 +++++++++++++
 3 files changed, 38 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index 86422b4e6..c260a206f 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -1,12 +1,13 @@
 RuleId;RuleName;MatchString
 8e5e38e4-5350-4c0b-895a-e872ce0dd54f;Msiexec Initiated Connection;.*
-ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94;Suspicious WSMAN Provider Image Loads;svchost\.exe
+ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94;Suspicious WSMAN Provider Image Loads;.*
 db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;python-3
 db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;target\.exe
 96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;sharepointclient
 96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;odopen
 e28a5a99-da44-436d-b7a0-2afc20a5f413;Whoami Execution;WindowsPowerShell
 8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;sysmon-intense\.xml
+8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;Computer: evtx-PC
 4358e5a5-7542-4dcb-b9f3-87667371839b;ISO or Image Mount Indicator in Recent Files;_Office_Professional_Plus_
 36480ae1-a1cb-4eaa-a0d6-29801d7e9142;Renamed Binary;WinRAR
 73bba97f-a82d-42ce-b315-9182e76c57b1;Imports Registry Key From a File;Evernote
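Review bot: The Suspicious WSMAN Provider Image Loads exclusion is widened from `svchost\.exe` to `.*`, which mutes every finding that rule produces against the baseline instead of one named false positive, so a future regression in that rule would no longer be visible to this check. The same concern applies to the new `Computer: evtx-PC` entries in this hunk and in the next one (Disabling Windows Event Auditing, Sysmon Configuration Modification): if matchgrep.sh tests MatchString against the whole finding text (the script is not in this diff), a string naming the baseline host matches every event from that baseline and is equivalent to `.*` for those rules. Anchoring each entry on the detail that actually triggered the false positive, such as the image path, configuration file name or event field, would keep the suppression narrow; if a blanket entry is really intended, say so in the commit message so the rationale is auditable later.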
@@ -22,3 +23,8 @@ bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151.101.64.223
 6ea3bf32-9680-422d-9f50-e90716b12a66;UAC Bypass Via Wsreset;EventType: DeleteKey
 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8;Suspicious Add Scheduled Task From User AppData Temp;TVInstallRestore
 c187c075-bb3e-4c62-b4fa-beae0ffc211f;Deteled Rule in Windows Firewall with Advanced Security;Dropbox.*\\netsh\.exe
+69aeb277-f15f-4d2d-b32a-55e883609563;Disabling Windows Event Auditing;Computer: evtx-PC
+ac175779-025a-4f12-98b0-acdaeb77ea85;PowerShell Script Run in AppData;\\Evernote-
+cfeed607-6aa4-4bbd-9627-b637deb723c8;New or Renamed User Account with '$' in Attribute 'SamAccountName';HomeGroupUser\$
+7b449a5e-1db5-4dd0-a2dc-4e3a67282538;Hidden Local User Creation;HomeGroupUser\$
+1f2b5353-573f-4880-8e33-7d04dcf97744;Sysmon Configuration Modification;Computer: evtx-PC
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index e438a369e..b86ff02ff 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -37,6 +37,24 @@ jobs:
 - uses: actions/checkout@v2
 - name: yaml-lint
 uses: ibiqlik/action-yamllint@v3
+ check-baseline-win7:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Download evtx-sigma-checker
+ run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker
+ - name: Download and extract Windows 7 32-bit baseline
+ run: |
+ wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win7-x86.tgz
+ tar xzf win7-x86.tgz
+ - name: Remove deprecated rules
+ run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
+ - name: Check for Sigma matches in baseline
+ run: |
+ chmod +x evtx-sigma-checker
+ ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path win7_x86/ --rule-path rules/windows/ > findings.json
+ - name: Show findings excluding known FPs
+ run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
 check-baseline-win10:
 runs-on: ubuntu-latest
 steps:
diff --git a/tests/check-baseline-local.sh b/tests/check-baseline-local.sh
index c51fed48e..4aeb592fc 100755
--- a/tests/check-baseline-local.sh
+++ b/tests/check-baseline-local.sh
@@ -62,6 +62,16 @@ elif [[ "${OS}" == "Darwin" ]]; then
 fi
 chmod +x evtx-sigma-checker
 
+# Windows 7 32-bit
+echo
+echo "Download Windows 7 32-bit baseline events"
+wget --no-verbose --progress=bar --show-progress https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win7-x86.tgz
+echo "Extract Windows 7 32-bit baseline events"
+tar xzf win7-x86.tgz
+echo
+echo "Check for Sigma matches in Windows 7 32-bit baseline (this takes at least 2 minutes)"
+./evtx-sigma-checker --log-source "${SIGMA}"/tools/config/thor.yml --evtx-path win7_x86/ --rule-path windows/ > findings-win7.json
+
 # Windows 10
 echo
 echo "Download Windows 10 baseline events"
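Review bot: The check-baseline-win7 job downloads `evtx-sigma-checker` from `releases/latest/download`, marks it executable and runs it without pinning the release or checking its integrity, so whatever the latest release resolves to on a given day is executed inside a job that has the repository checkout (and, with actions/checkout's default credential persistence, its token) in scope. Pinning the download to a release tag and verifying a recorded digest before the `chmod +x` step would make the job reproducible and turn a tampered or accidentally broken release into a failed step rather than silent execution, e.g. `wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/<PINNED_TAG>/evtx-sigma-checker` followed by `echo "<EXPECTED_SHA256>  evtx-sigma-checker" | sha256sum --check --strict` (placeholders to be filled from the chosen release). The same applies to `win7-x86.tgz`, and presumably to the existing check-baseline-win10 job whose steps are not in this hunk.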
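Review bot: The Windows 7 block added after `chmod +x evtx-sigma-checker` is a verbatim copy of the Windows 10 block that follows it (and, by the later hunk, of a Windows 11 block), with only the label, archive name, directory and findings file substituted; a third copy makes the three sections drift independently and leaves no single place to add a check on the downloaded archive or on the exit status of `wget` and `tar`, whose failures are currently not handled in the hunk (whether `set -e` is in force is outside the hunk). Extracting a helper that takes those four values would shorten the script and give one spot for the download verification; the timing hint in the current echo can be passed as an optional fifth argument or dropped. Sketch of the helper and the Windows 7 call:
```shell
# Fetch one baseline archive, unpack it and scan it with the Windows rule set.
# Arguments: display label, archive file name, extracted directory, findings output file.
check_baseline() {
  local label=$1 archive=$2 evtx_dir=$3 findings=$4
  echo
  echo "Download ${label} baseline events"
  wget --no-verbose --progress=bar --show-progress "https://github.com/NextronSystems/evtx-baseline/releases/latest/download/${archive}" || return 1
  # TODO: verify the archive digest here before unpacking
  echo "Extract ${label} baseline events"
  tar xzf "${archive}" || return 1
  echo
  echo "Check for Sigma matches in ${label} baseline"
  ./evtx-sigma-checker --log-source "${SIGMA}"/tools/config/thor.yml --evtx-path "${evtx_dir}" --rule-path windows/ > "${findings}"
}

check_baseline "Windows 7 32-bit" win7-x86.tgz win7_x86/ findings-win7.json
# … unchanged: Windows 10 and Windows 11 sections (same call with their own values) …
```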
@@ -86,6 +96,9 @@ echo "Check for Sigma matches in Windows 11 baseline (this takes at least 6 minu
 echo
 echo "## MATCHES ##"
 echo
+echo "Windows 7 32-bit:"
+"${SIGMA}"/.github/workflows/matchgrep.sh findings-win7.json "${SIGMA}"/.github/workflows/known-FPs.csv
+echo
 echo "Windows 10:"
 "${SIGMA}"/.github/workflows/matchgrep.sh findings-win10.json "${SIGMA}"/.github/workflows/known-FPs.csv
 echo