diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
new file mode 100644
index 000000000..092277629
--- /dev/null
+++ b/.github/workflows/known-FPs.csv
@@ -0,0 +1,12 @@
+RuleId;RuleName;MatchString
+8e5e38e4-5350-4c0b-895a-e872ce0dd54f;Msiexec Initiated Connection;.*
+ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94;Suspicious WSMAN Provider Image Loads;svchost\.exe
+db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;python-3
+db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;target\.exe
+96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;sharepointclient
+96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;odopen
+e28a5a99-da44-436d-b7a0-2afc20a5f413;Whoami Execution;WindowsPowerShell
+8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;sysmon-intense\.xml
+4358e5a5-7542-4dcb-b9f3-87667371839b;ISO or Image Mount Indicator in Recent Files;_Office_Professional_Plus_
+36480ae1-a1cb-4eaa-a0d6-29801d7e9142;Renamed Binary;WinRAR
+73bba97f-a82d-42ce-b315-9182e76c57b1;Imports Registry Key From a File;Evernote
diff --git a/.github/workflows/matchgrep.sh b/.github/workflows/matchgrep.sh
new file mode 100755
index 000000000..49baf8473
--- /dev/null
+++ b/.github/workflows/matchgrep.sh
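Review bot: The `.*` MatchString on the Msiexec Initiated Connection row suppresses every finding of that rule in the baseline check, so it is a rule-wide mute rather than a false-positive filter and the rule is effectively no longer tested against the baseline. If that is intended, it should be recorded somewhere readable (the CSV has no comment syntax, so the workflow step or the script's header comment is the place); otherwise narrow it to the specific process or destination string the way the other rows do. The MatchString column is consumed by matchgrep.sh as an extended regex, so literal dots must be escaped as in the `svchost\.exe` and `sysmon-intense\.xml` rows, which is worth stating in the header row's documentation.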
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+infile=$1
+fps=$2
+
+if [[ -z ${infile} || -z ${fps} ]]; then
+ >&2 echo "usage: $0 [json-file] [FPs.csv]"
+ exit 1
+fi
+
+if [[ ! -f ${infile} || ! -r ${infile} ]]; then
+ >&2 echo "${infile} is not a valid, readable file"
+ exit 2
+fi
+if [[ ! -f ${fps} || ! -r ${fps} ]]; then
+ >&2 echo "${fps} is not a valid, readable file"
+ exit 2
+fi
+
+# Exclude all rules with level "low"
+findings=$(grep -v '"RuleLevel":"low"' ${infile})
+
+{
+ read # Skip CSV header
+ while IFS=\; read -r id name fpstring; do
+ findings=$(echo "${findings}" | grep -Ev "\"RuleId\":\"${id}\".*${fpstring}")
+ done
+} < ${fps}
+
+if [[ -z ${findings} ]]; then
+ echo "No matches found."
+else
+ >&2 echo "Found matches:"
+ >&2 echo "${findings}"
+ >&2 echo
+ >&2 echo "You either need to tune your rule(s) for false positives or add a false positive filter to .github/workflows/known-FPs.csv"
+ exit 3
+fi
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 88c6d0502..64a6ed7f2 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
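Review bot: `${infile}` and `${fps}` are expanded unquoted in `findings=$(grep -v '"RuleLevel":"low"' ${infile})` and `} < ${fps}`, so a path containing whitespace or glob characters breaks the script even after the `-f`/`-r` checks above it passed; quote them as `grep -v '"RuleLevel":"low"' -- "${infile}"` and `} < "${fps}"`. Separately, a CSV row with an empty third column reduces the pattern to `"RuleId":"${id}".*`, which silently drops every finding for that rule, so a guard such as `[[ -n ${fpstring} ]] || { >&2 echo "empty MatchString for ${id}"; continue; }` before the grep keeps a malformed row from muting a rule. Because `.*` sits between the RuleId and the match string, each filter matches the string anywhere later in the JSON line rather than in one intended field, which deserves a comment above the loop. The `"RuleId":"…"` literal also presumes the checker emits compact JSON with no whitespace after the colon, which cannot be verified from this diff.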
@@ -39,3 +39,21 @@ jobs:
 - uses: actions/checkout@v2
 - name: yaml-lint
 uses: ibiqlik/action-yamllint@v3
+ check-baseline-win10:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Download evtx-sigma-checker
+ run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker
+ - name: Download and extract Windows 10 baseline
+ run: |
+ wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz
+ tar xzf win10-client.tgz
+ - name: Remove deprecated rules
+ run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
+ - name: Check for Sigma matches in baseline
+ run: |
+ chmod +x evtx-sigma-checker
+ ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ > findings.json
+ - name: Show findings excluding known FPs
+ run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
diff --git a/rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml b/rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml
index bd0590851..7582d89b3 100644
--- a/rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml
+++ b/rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml
@@ -6,6 +6,7 @@ references:
 - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ
 author: frack113
 date: 2022/02/16
+modified: 2022/02/21
 logsource:
 category: process_creation
 product: windows
@@ -19,7 +20,9 @@ detection:
 - '-m '
 - '-a '
 - '-u '
- condition: selection
+ filter:
+ ParentImage: 'C:\Windows\System32\winlogon.exe'
+ condition: selection and not filter
 falsepositives:
 - Unknown
 level: medium
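Review bot: The `Download evtx-sigma-checker` step fetches an executable from a `releases/latest` URL and the `Check for Sigma matches in baseline` step runs it after `chmod +x` with no integrity check, so the job executes whatever that URL serves at run time; `win10-client.tgz` is likewise extracted unverified. Pinning the release tag in both URLs and verifying a published digest before execution, e.g. `echo "<EXPECTED_SHA256>  evtx-sigma-checker" | sha256sum -c -` with the placeholder replaced by the hash recorded for that tag, makes the baseline run reproducible and keeps a changed or compromised upstream artifact from running arbitrary code in the workflow. The `Remove deprecated rules` step deletes files from the checked-out `rules` tree, which is acceptable on a throwaway runner but worth a one-line comment so nobody later appends a step that commits or uploads that tree.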
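Review bot: `falsepositives` still reads `- Unknown` although the new `filter` block encodes a known benign case, processes whose ParentImage is `C:\Windows\System32\winlogon.exe`; documenting it, e.g. `- Legitimate launches with winlogon.exe as the parent process`, keeps the rule metadata in step with the detection logic. The filter is an exact-path match, so an instance launched from a differently located winlogon.exe is still reported, which appears intended and could be stated in a short comment next to `filter:`.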