Merge pull request #2717 from phantinuss/checkbaseline

New workflow action: Check sigma rules against baseline evtx files

.github/workflows/known-FPs.csv

@@ -0,0 +1,12 @@
+RuleId;RuleName;MatchString
+8e5e38e4-5350-4c0b-895a-e872ce0dd54f;Msiexec Initiated Connection;.*
+ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94;Suspicious WSMAN Provider Image Loads;svchost\.exe
+db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;python-3
+db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;target\.exe
+96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;sharepointclient
+96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;odopen
+e28a5a99-da44-436d-b7a0-2afc20a5f413;Whoami Execution;WindowsPowerShell
+8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;sysmon-intense\.xml
+4358e5a5-7542-4dcb-b9f3-87667371839b;ISO or Image Mount Indicator in Recent Files;_Office_Professional_Plus_
+36480ae1-a1cb-4eaa-a0d6-29801d7e9142;Renamed Binary;WinRAR
+73bba97f-a82d-42ce-b315-9182e76c57b1;Imports Registry Key From a File;Evernote

.github/workflows/matchgrep.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+infile=$1
+fps=$2
+
+if [[ -z ${infile} || -z ${fps} ]]; then
+    >&2 echo "usage: $0 [json-file] [FPs.csv]" 
+    exit 1
+fi
+
+if [[ ! -f ${infile}  || ! -r ${infile} ]]; then
+    >&2 echo "${infile} is not a valid, readable file"
+    exit 2
+fi
+if [[ ! -f ${fps}  || ! -r ${fps} ]]; then
+    >&2 echo "${fps} is not a valid, readable file"
+    exit 2
+fi
+
+# Exclude all rules with level "low"
+findings=$(grep -v '"RuleLevel":"low"' ${infile})
+
+{
+    read # Skip CSV header
+    while IFS=\; read -r id name fpstring; do
+        findings=$(echo "${findings}" | grep -Ev "\"RuleId\":\"${id}\".*${fpstring}")
+    done
+} < ${fps}
+
+if [[ -z ${findings} ]]; then
+    echo "No matches found."
+else
+    >&2 echo "Found matches:"
+    >&2 echo "${findings}"
+    >&2 echo
+    >&2 echo "You either need to tune your rule(s) for false positives or add a false positive filter to .github/workflows/known-FPs.csv"
+    exit 3
+fi

.github/workflows/sigma-test.yml

@@ -39,3 +39,21 @@ jobs:
     - uses: actions/checkout@v2
     - name: yaml-lint
       uses: ibiqlik/action-yamllint@v3
+  check-baseline-win10:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Download evtx-sigma-checker
+      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker
+    - name: Download and extract Windows 10 baseline
+      run: |
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz
+        tar xzf win10-client.tgz
+    - name: Remove deprecated rules
+      run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
+    - name: Check for Sigma matches in baseline
+      run: |
+        chmod +x evtx-sigma-checker
+        ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ > findings.json
+    - name: Show findings excluding known FPs
+      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv

rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml

@@ -6,6 +6,7 @@ references:
     - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ
 author: frack113
 date: 2022/02/16
+modified: 2022/02/21
 logsource:
     category: process_creation
     product: windows
@@ -19,7 +20,9 @@ detection:
             - '-m '
             - '-a '
             - '-u '
-    condition: selection
+    filter:
+        ParentImage: 'C:\Windows\System32\winlogon.exe'
+    condition: selection and not filter
 falsepositives:
     - Unknown
 level: medium