workflow: new baseline check against Windows 7 32-bit

This commit is contained in:
phantinuss
2022-04-06 17:01:27 +02:00
parent 7cbfc7f16a
commit d323753abd
3 changed files with 38 additions and 1 deletions
+7 -1
@@ -1,12 +1,13 @@
RuleId;RuleName;MatchString
8e5e38e4-5350-4c0b-895a-e872ce0dd54f;Msiexec Initiated Connection;.*
ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94;Suspicious WSMAN Provider Image Loads;svchost\.exe
ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94;Suspicious WSMAN Provider Image Loads;.*
db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;python-3
db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;target\.exe
96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;sharepointclient
96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;odopen
e28a5a99-da44-436d-b7a0-2afc20a5f413;Whoami Execution;WindowsPowerShell
8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;sysmon-intense\.xml
8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;Computer: evtx-PC
4358e5a5-7542-4dcb-b9f3-87667371839b;ISO or Image Mount Indicator in Recent Files;_Office_Professional_Plus_
36480ae1-a1cb-4eaa-a0d6-29801d7e9142;Renamed Binary;WinRAR
73bba97f-a82d-42ce-b315-9182e76c57b1;Imports Registry Key From a File;Evernote
@@ -22,3 +23,8 @@ bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151.101.64.223
6ea3bf32-9680-422d-9f50-e90716b12a66;UAC Bypass Via Wsreset;EventType: DeleteKey
43f487f0-755f-4c2a-bce7-d6d2eec2fcf8;Suspicious Add Scheduled Task From User AppData Temp;TVInstallRestore
c187c075-bb3e-4c62-b4fa-beae0ffc211f;Deteled Rule in Windows Firewall with Advanced Security;Dropbox.*\\netsh\.exe
69aeb277-f15f-4d2d-b32a-55e883609563;Disabling Windows Event Auditing;Computer: evtx-PC
ac175779-025a-4f12-98b0-acdaeb77ea85;PowerShell Script Run in AppData;\\Evernote-
cfeed607-6aa4-4bbd-9627-b637deb723c8;New or Renamed User Account with '$' in Attribute 'SamAccountName';HomeGroupUser\$
7b449a5e-1db5-4dd0-a2dc-4e3a67282538;Hidden Local User Creation;HomeGroupUser\$
1f2b5353-573f-4880-8e33-7d04dcf97744;Sysmon Configuration Modification;Computer: evtx-PC
1 RuleId RuleName MatchString
2 8e5e38e4-5350-4c0b-895a-e872ce0dd54f Msiexec Initiated Connection .*
3 ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94 Suspicious WSMAN Provider Image Loads svchost\.exe .*
4 db809f10-56ce-4420-8c86-d6a7d793c79c Raw Disk Access Using Illegitimate Tools python-3
5 db809f10-56ce-4420-8c86-d6a7d793c79c Raw Disk Access Using Illegitimate Tools target\.exe
6 96f697b0-b499-4e5d-9908-a67bec11cdb6 Removal of Potential COM Hijacking Registry Keys sharepointclient
7 96f697b0-b499-4e5d-9908-a67bec11cdb6 Removal of Potential COM Hijacking Registry Keys odopen
8 e28a5a99-da44-436d-b7a0-2afc20a5f413 Whoami Execution WindowsPowerShell
9 8ac03a65-6c84-4116-acad-dc1558ff7a77 Sysmon Configuration Change sysmon-intense\.xml
10 8ac03a65-6c84-4116-acad-dc1558ff7a77 Sysmon Configuration Change Computer: evtx-PC
11 4358e5a5-7542-4dcb-b9f3-87667371839b ISO or Image Mount Indicator in Recent Files _Office_Professional_Plus_
12 36480ae1-a1cb-4eaa-a0d6-29801d7e9142 Renamed Binary WinRAR
13 73bba97f-a82d-42ce-b315-9182e76c57b1 Imports Registry Key From a File Evernote
23 6ea3bf32-9680-422d-9f50-e90716b12a66 UAC Bypass Via Wsreset EventType: DeleteKey
24 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 Suspicious Add Scheduled Task From User AppData Temp TVInstallRestore
25 c187c075-bb3e-4c62-b4fa-beae0ffc211f Deteled Rule in Windows Firewall with Advanced Security Dropbox.*\\netsh\.exe
26 69aeb277-f15f-4d2d-b32a-55e883609563 Disabling Windows Event Auditing Computer: evtx-PC
27 ac175779-025a-4f12-98b0-acdaeb77ea85 PowerShell Script Run in AppData \\Evernote-
28 cfeed607-6aa4-4bbd-9627-b637deb723c8 New or Renamed User Account with '$' in Attribute 'SamAccountName' HomeGroupUser\$
29 7b449a5e-1db5-4dd0-a2dc-4e3a67282538 Hidden Local User Creation HomeGroupUser\$
30 1f2b5353-573f-4880-8e33-7d04dcf97744 Sysmon Configuration Modification Computer: evtx-PC
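Review bot: Replacing the `svchost\.exe` MatchString for rule ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94 with `.*` turns a targeted false-positive exception into a blanket suppression of every "Suspicious WSMAN Provider Image Loads" finding, so a real regression in that rule on any baseline would no longer surface in the "Show findings excluding known FPs" step. If matchgrep.sh applies MatchString as a regex over the whole finding, as the `.*` and `Computer: evtx-PC` rows suggest, the safer change is to keep the original `svchost\.exe` row and add a second row carrying the exact image or host string observed in the Win7 findings, e.g. `ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94;Suspicious WSMAN Provider Image Loads;<image path seen in win7_x86 findings>`. The same caveat applies to the new `Computer: evtx-PC` rows, which key on the baseline hostname rather than on the event that triggered the rule; a short header comment in the CSV (or in matchgrep.sh) stating that `.*` entries are intentional whole-rule suppressions would at least make the trade-off explicit.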
+18
@@ -37,6 +37,24 @@ jobs:
- uses: actions/checkout@v2
- name: yaml-lint
uses: ibiqlik/action-yamllint@v3
check-baseline-win7:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Download evtx-sigma-checker
run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker
- name: Download and extract Windows 7 32-bit baseline
run: |
wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win7-x86.tgz
tar xzf win7-x86.tgz
- name: Remove deprecated rules
run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
- name: Check for Sigma matches in baseline
run: |
chmod +x evtx-sigma-checker
./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path win7_x86/ --rule-path rules/windows/ > findings.json
- name: Show findings excluding known FPs
run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
check-baseline-win10:
runs-on: ubuntu-latest
steps:
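Review bot: The new check-baseline-win7 job fetches `evtx-sigma-checker` and `win7-x86.tgz` from the `releases/latest/download` URL and then executes the binary with no version pin and no integrity check, so whoever can publish a release on NextronSystems/evtx-baseline (or tamper with it in transit to the runner) can run arbitrary code in this workflow and silently change what counts as a finding. Pin both downloads to a specific release tag and verify a SHA-256 recorded in the workflow before `chmod +x` and `tar xzf`, for example by adding job-level `env:` values `EVTX_BASELINE_TAG`, `EVTX_SIGMA_CHECKER_SHA256` and `WIN7_X86_SHA256` taken from the published release and checking them with `sha256sum -c` as below. The job otherwise duplicates the check-baseline-win10 job that starts at the end of this hunk and continues outside it; if the two differ only in the archive name and `--evtx-path`, a `strategy.matrix` over the baseline name would keep the download, pinning and checksum logic in one place.
```yaml
      - name: Download evtx-sigma-checker
        run: |
          wget --no-verbose "https://github.com/NextronSystems/evtx-baseline/releases/download/${EVTX_BASELINE_TAG}/evtx-sigma-checker"
          echo "${EVTX_SIGMA_CHECKER_SHA256}  evtx-sigma-checker" | sha256sum -c -
      - name: Download and extract Windows 7 32-bit baseline
        run: |
          wget --no-verbose "https://github.com/NextronSystems/evtx-baseline/releases/download/${EVTX_BASELINE_TAG}/win7-x86.tgz"
          echo "${WIN7_X86_SHA256}  win7-x86.tgz" | sha256sum -c -
          tar xzf win7-x86.tgz
      # … unchanged: remove deprecated rules, run checker, show findings …
```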