From e6fe8fdeddf95165915ec9a6dcecdc7a9d12e008 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Fri, 18 Feb 2022 13:33:29 +0100
Subject: [PATCH 01/12] workflow: execute evtx-sigma-checker
---
 .github/workflows/sigma-test.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 88c6d0502..8c0171a21 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -39,3 +39,20 @@ jobs:
 - uses: actions/checkout@v2
 - name: yaml-lint
 uses: ibiqlik/action-yamllint@v3
+ check-baseline-win10:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Download evtx-sigma-checker
+ run: wget https://github.com/NextronSystems/evtx-baseline/releases/download/v0.1/evtx-sigma-checker
+ - name: Download and extract Windows 10 baseline
+ run: |
+ wget https://github.com/NextronSystems/evtx-baseline/releases/download/v0.1/win10-client-v0.1.tgz
+ tar xzf win10-client-v0.1.tgz
+ - name: Remove deprecated rules
+ run: grep -ER "^status: deprecated" rules | xargs -r rm
+ - name: Run evtx-sigma-checker
+ run: |
+ chmod +x evtx-sigma-checker
+ ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ > findings-client.json
+ cat findings-client.json
From d3397929b400acbe249c9b3aa8febf7d02debceb Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Fri, 18 Feb 2022 13:35:19 +0100
Subject: [PATCH 02/12] workflow: fix: quote command with pipe
---
 .github/workflows/sigma-test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 8c0171a21..ecea4b2cc 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
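Review bot: The `Download evtx-sigma-checker` step fetches a binary over the network and the later `Run evtx-sigma-checker` step executes it on the runner without any integrity check, so whatever the release URL serves at run time runs with the job's permissions against the checked-out repository. Pinning to a release tag (as `v0.1` does here) only names the artifact; add a digest check before `chmod +x`, e.g. `echo "<EXPECTED_SHA256>  evtx-sigma-checker" | sha256sum -c -` with the expected value recorded in the workflow, and do the same for the `win10-client-v0.1.tgz` archive that is unpacked with `tar xzf`. Patch 05 later replaces `v0.1` with `releases/latest`, which makes this verification more important rather than less.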
@@ -50,7 +50,7 @@ jobs:
 wget https://github.com/NextronSystems/evtx-baseline/releases/download/v0.1/win10-client-v0.1.tgz
 tar xzf win10-client-v0.1.tgz
 - name: Remove deprecated rules
- run: grep -ER "^status: deprecated" rules | xargs -r rm
+ run: 'grep -ER "^status: deprecated" rules | xargs -r rm'
 - name: Run evtx-sigma-checker
 run: |
 chmod +x evtx-sigma-checker
From 00f1f561dd9727d949d0a3453bbae0068aa4e8c0 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Fri, 18 Feb 2022 13:37:13 +0100
Subject: [PATCH 03/12] workflow: fix: missing -l grep flag
---
 .github/workflows/sigma-test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index ecea4b2cc..efd38bf10 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -50,7 +50,7 @@ jobs:
 wget https://github.com/NextronSystems/evtx-baseline/releases/download/v0.1/win10-client-v0.1.tgz
 tar xzf win10-client-v0.1.tgz
 - name: Remove deprecated rules
- run: 'grep -ER "^status: deprecated" rules | xargs -r rm'
+ run: 'grep -ERl "^status: deprecated" rules | xargs -r rm'
 - name: Run evtx-sigma-checker
 run: |
 chmod +x evtx-sigma-checker
From 48eefe29f705f8a652b1a0f9f8f28c32dfa21d0c Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Fri, 18 Feb 2022 13:43:58 +0100
Subject: [PATCH 04/12] workflow: verbose remove of deprecated rules
---
 .github/workflows/sigma-test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index efd38bf10..8092ba0fe 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
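Review bot: `grep -ERl … | xargs -r rm` in the `Remove deprecated rules` step passes file names to `xargs` separated by whitespace, so a rule path containing a space or a quote would be split into several arguments and either fail the step or remove the wrong file. The NUL-separated form is safe for any name and no longer: `run: 'grep -ERlZ "^status: deprecated" rules | xargs -0r rm'`. Only the runner's checkout is affected, so the blast radius is the CI job itself.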
@@ -50,7 +50,7 @@ jobs:
 wget https://github.com/NextronSystems/evtx-baseline/releases/download/v0.1/win10-client-v0.1.tgz
 tar xzf win10-client-v0.1.tgz
 - name: Remove deprecated rules
- run: 'grep -ERl "^status: deprecated" rules | xargs -r rm'
+ run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
 - name: Run evtx-sigma-checker
 run: |
 chmod +x evtx-sigma-checker
From 20761d03325692d9a0690ae888d70304473ee508 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Fri, 18 Feb 2022 16:01:37 +0100
Subject: [PATCH 05/12] workflow: link to latest release
---
 .github/workflows/sigma-test.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 8092ba0fe..e73de6ed1 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -44,11 +44,11 @@ jobs:
 steps:
 - uses: actions/checkout@v2
 - name: Download evtx-sigma-checker
- run: wget https://github.com/NextronSystems/evtx-baseline/releases/download/v0.1/evtx-sigma-checker
+ run: wget https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker
 - name: Download and extract Windows 10 baseline
 run: |
- wget https://github.com/NextronSystems/evtx-baseline/releases/download/v0.1/win10-client-v0.1.tgz
- tar xzf win10-client-v0.1.tgz
+ wget https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz
+ tar xzf win10-client.tgz
 - name: Remove deprecated rules
 run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
 - name: Run evtx-sigma-checker
From 0c473a3e775dd37954fd6aab1913504ba8c015e0 Mon Sep 17 00:00:00 2001
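Review bot: Switching both downloads to `releases/latest/download/` makes the job's inputs change underneath it: a new upstream release silently swaps the checker binary and the baseline data, so a run that starts failing cannot be told apart from a rule regression, and a failing run cannot be reproduced once `latest` has moved on. Keeping an explicit version in one place, e.g. a job-level `env:` entry `EVTX_BASELINE_VERSION: v0.1` referenced from both URLs, gives deterministic runs and turns upgrades into a reviewable diff. Whether the unsuffixed archive name `win10-client.tgz` is stable across upstream releases is not visible here; worth confirming before relying on it.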
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 21 Feb 2022 10:24:03 +0100
Subject: [PATCH 06/12] workflow: evaluate findings, exclude known FPs
---
 .github/workflows/known-FPs.csv | 12 ++++++++++++
 .github/workflows/matchgrep.sh | 33 ++++++++++++++++++++++++++++++++
 .github/workflows/sigma-test.yml | 5 +++--
 3 files changed, 48 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/known-FPs.csv
 create mode 100755 .github/workflows/matchgrep.sh
diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
new file mode 100644
index 000000000..092277629
--- /dev/null
+++ b/.github/workflows/known-FPs.csv
@@ -0,0 +1,12 @@
+RuleId;RuleName;MatchString
+8e5e38e4-5350-4c0b-895a-e872ce0dd54f;Msiexec Initiated Connection;.*
+ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94;Suspicious WSMAN Provider Image Loads;svchost\.exe
+db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;python-3
+db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;target\.exe
+96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;sharepointclient
+96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;odopen
+e28a5a99-da44-436d-b7a0-2afc20a5f413;Whoami Execution;WindowsPowerShell
+8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;sysmon-intense\.xml
+4358e5a5-7542-4dcb-b9f3-87667371839b;ISO or Image Mount Indicator in Recent Files;_Office_Professional_Plus_
+36480ae1-a1cb-4eaa-a0d6-29801d7e9142;Renamed Binary;WinRAR
+73bba97f-a82d-42ce-b315-9182e76c57b1;Imports Registry Key From a File;Evernote
diff --git a/.github/workflows/matchgrep.sh b/.github/workflows/matchgrep.sh
new file mode 100755
index 000000000..e61bbe4c2
--- /dev/null
+++ b/.github/workflows/matchgrep.sh
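Review bot: The `MatchString` column is consumed by `matchgrep.sh` as an extended regex appended to `"RuleId":"<id>".*`, so the `.*` entry for `8e5e38e4-5350-4c0b-895a-e872ce0dd54f` suppresses every baseline finding of that rule rather than one known false positive, which is equivalent to disabling the rule for this check. If that is intended, narrow it to the process or target the baseline actually shows, or state in the workflow step name or a README next to this file that rule-wide suppressions are deliberate, since CSV has no comment syntax. The same regex semantics mean a literal `.`, `(` or `+` in a future entry needs escaping the way the `svchost\.exe` row does.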
@@ -0,0 +1,33 @@
+infile=$1
+fps=$2
+
+if [[ -z ${infile} || -z ${fps} ]]; then
+ >&2 echo "usage: $0 [json-file] [FPs.csv]"
+ exit 1
+fi
+
+if [[ ! -f ${infile} || ! -r ${infile} ]]; then
+ >&2 echo "${infile} is not a valid, readable file"
+ exit 2
+fi
+if [[ ! -f ${fps} || ! -r ${fps} ]]; then
+ >&2 echo "${fps} is not a valid, readable file"
+ exit 2
+fi
+
+# Exclude all rules with level "low"
+findings=$(grep -v '"RuleLevel":"low"' ${infile})
+
+{
+ read # Skip CSV header
+ while IFS=\; read -r id name fpstring; do
+ findings=$(echo "${findings}" | grep -Ev "\"RuleId\":\"${id}\".*${fpstring}")
+ done
+} < ${fps}
+
+if [[ -z ${findings} ]]; then
+ echo "No matches found."
+else
+ >&2 echo "Found matches:"
+ >&2 echo "${findings}"
+fi
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index e73de6ed1..630cb7b33 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -54,5 +54,6 @@ jobs:
 - name: Run evtx-sigma-checker
 run: |
 chmod +x evtx-sigma-checker
- ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ > findings-client.json
- cat findings-client.json
+ ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ > findings.json
+ - name: Check for Sigma matches in baseline
+ run: ./github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
From 2cecd0e6ef7ddecbf81ce5f01b2205ccfdcbb414 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 21 Feb 2022 10:27:27 +0100
Subject: [PATCH 07/12] workflow: rename steps
---
 .github/workflows/sigma-test.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 630cb7b33..00dd1fa1b 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
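Review bot: A malformed pattern in the CSV silently passes the check instead of failing it: inside the `while` loop, `grep -Ev` exits 2 on an invalid `${fpstring}` (an unbalanced parenthesis is enough), the command substitution then assigns an empty string to `findings`, and the script ends at `No matches found.` with exit status 0. Capture grep's status and abort when it is above 1 (1 only means every remaining line was filtered), and quote `${infile}` and `${fps}` in the `grep -v` call and the `<` redirection so paths with spaces work. The line-wise `grep -v '"RuleLevel":"low"'` presumably relies on the checker emitting one JSON object per line; a one-line comment stating that assumption at the top of the script would help the next maintainer.
```shell
# … unchanged: argument and readable-file checks …
findings=$(grep -v '"RuleLevel":"low"' "${infile}")

{
  read # Skip CSV header
  while IFS=\; read -r id name fpstring; do
    filtered=$(echo "${findings}" | grep -Ev "\"RuleId\":\"${id}\".*${fpstring}")
    rc=$?
    # grep: 0 = lines kept, 1 = everything filtered, >1 = error (e.g. invalid pattern)
    if (( rc > 1 )); then
      >&2 echo "invalid MatchString for rule ${id} in ${fps}: ${fpstring}"
      exit 4
    fi
    findings=${filtered}
  done
} < "${fps}"
# … unchanged: result reporting …
```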
@@ -51,9 +51,9 @@ jobs:
 tar xzf win10-client.tgz
 - name: Remove deprecated rules
 run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
- - name: Run evtx-sigma-checker
+ - name: Check for Sigma matches in baseline (run evtx-sigma-checker)
 run: |
 chmod +x evtx-sigma-checker
 ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ > findings.json
- - name: Check for Sigma matches in baseline
+ - name: Show findings (exclude known FPs)
 run: ./github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
From a1c0c1c03dcb1c2004a8e604d08d1c1c7c5735a8 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 21 Feb 2022 10:29:39 +0100
Subject: [PATCH 08/12] workflow: add shebang to matchgrep.sh
---
 .github/workflows/matchgrep.sh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/matchgrep.sh b/.github/workflows/matchgrep.sh
index e61bbe4c2..c5c0f715f 100755
--- a/.github/workflows/matchgrep.sh
+++ b/.github/workflows/matchgrep.sh
@@ -1,3 +1,5 @@
+#!/bin/bash
+
 infile=$1
 fps=$2
From fc8cf7d4a0dcb0415ccdeba08e573a74a00b9ed0 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 21 Feb 2022 10:31:09 +0100
Subject: [PATCH 09/12] workflow: fix: missing . in path
---
 .github/workflows/sigma-test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 00dd1fa1b..00876fca6 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -56,4 +56,4 @@ jobs:
 chmod +x evtx-sigma-checker
 ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ > findings.json
 - name: Show findings (exclude known FPs)
- run: ./github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+ run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
From 3961774991833b8ba207b7f3d5f6e22edbd4bf18 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 21 Feb 2022 10:42:52 +0100
Subject: [PATCH 10/12] workflow: show error on sigma matches
---
 .github/workflows/matchgrep.sh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/matchgrep.sh b/.github/workflows/matchgrep.sh
index c5c0f715f..651a7407c 100755
--- a/.github/workflows/matchgrep.sh
+++ b/.github/workflows/matchgrep.sh
@@ -32,4 +32,6 @@ if [[ -z ${findings} ]]; then
 else
 >&2 echo "Found matches:"
 >&2 echo "${findings}"
+ >&2 echo "You either need to tune your rule(s) for false positives or add a false positive filter to .github/workflows/known-FPs.csv"
+ exit 3
 fi
From 62949b043735698947264840667010fcf051854b Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 21 Feb 2022 10:50:26 +0100
Subject: [PATCH 11/12] workflow: output cosmetics
---
 .github/workflows/matchgrep.sh | 1 +
 .github/workflows/sigma-test.yml | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/matchgrep.sh b/.github/workflows/matchgrep.sh
index 651a7407c..49baf8473 100755
--- a/.github/workflows/matchgrep.sh
+++ b/.github/workflows/matchgrep.sh
@@ -32,6 +32,7 @@ if [[ -z ${findings} ]]; then
 else
 >&2 echo "Found matches:"
 >&2 echo "${findings}"
+ >&2 echo
 >&2 echo "You either need to tune your rule(s) for false positives or add a false positive filter to .github/workflows/known-FPs.csv"
 exit 3
 fi
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 00876fca6..64a6ed7f2 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -44,16 +44,16 @@ jobs:
 steps:
 - uses: actions/checkout@v2
 - name: Download evtx-sigma-checker
- run: wget https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker
+ run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker
 - name: Download and extract Windows 10 baseline
 run: |
- wget https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz
+ wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz
 tar xzf win10-client.tgz
 - name: Remove deprecated rules
 run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
- - name: Check for Sigma matches in baseline (run evtx-sigma-checker)
+ - name: Check for Sigma matches in baseline
 run: |
 chmod +x evtx-sigma-checker
 ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ > findings.json
- - name: Show findings (exclude known FPs)
+ - name: Show findings excluding known FPs
 run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
From df21201783638bfd4b04be8b32f94c07c3861c00 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 21 Feb 2022 11:09:20 +0100
Subject: [PATCH 12/12] fix: FP
---
 rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml b/rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml
index bd0590851..7582d89b3 100644
--- a/rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml
+++ b/rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml
@@ -6,6 +6,7 @@ references:
 - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ
 author: frack113
 date: 2022/02/16
+modified: 2022/02/21
 logsource:
 category: process_creation
 product: windows
@@ -19,7 +20,9 @@ detection:
 - '-m '
 - '-a '
 - '-u '
- condition: selection
+ filter:
+ ParentImage: 'C:\Windows\System32\winlogon.exe'
+ condition: selection and not filter
 falsepositives:
 - Unknown
 level: medium
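Review bot: The `falsepositives` entry two lines below the new `condition` still reads `Unknown` although the added `filter` now encodes a known benign case (`ParentImage` equal to `C:\Windows\System32\winlogon.exe`), so the rule's documentation contradicts its logic. Replace `- Unknown` with a line describing what is excluded, e.g. `- Wlrmdr launched by winlogon.exe (excluded via filter)`, so a reader knows why the exclusion exists and when it can be revisited. Naming the filter for what it excludes, e.g. `filter_winlogon_parent`, would also make `condition: selection and not filter` self-describing.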