phantinuss
82 lines
2.3 KiB
Bash
Executable File
82 lines
2.3 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
if [[ -z $(command -v jq) ]]; then
|
|
>2& echo "jq not found. Please install."
|
|
>2& echo "Exiting"
|
|
exit 1
|
|
fi
|
|
|
|
if [[ -z $(command -v wget) ]]; then
|
|
>2& echo "wget not found. Please install."
|
|
>2& echo "Exiting"
|
|
exit 1
|
|
fi
|
|
|
|
if [[ -z $(command -v realpath) ]]; then
|
|
>2& echo "realpath not found. Please install coreutils."
|
|
>2& echo "Exiting"
|
|
exit 1
|
|
fi
|
|
|
|
OS=$(uname -s)
|
|
|
|
if [[ "${OS}" != "Linux" && "${OS}" != "Darwin" ]]; then
|
|
>2& echo "This script only supports Linux and MacOS"
|
|
>2& echo "$(uname -s) is not a supported OS"
|
|
>2& echo "Exiting"
|
|
exit 1
|
|
fi
|
|
|
|
SCRIPT="$(realpath $0)"
|
|
TOOLS="${SCRIPT%/*}"
|
|
SIGMA="${TOOLS%/*}"
|
|
|
|
if [[ -n "$1" && -d "$1" && -r "$1" ]]; then
|
|
RULES="$1"
|
|
else
|
|
RULES="${SIGMA}"/rules
|
|
fi
|
|
|
|
TMP=$(mktemp -d)
|
|
if [[ -z "${TMP}" || ! -d "${TMP}" || ! -w "${TMP}" ]]; then
|
|
>2& echo "Error: Created temporary directory ${TMP} is not writable."
|
|
>2& echo "Exiting"
|
|
exit 1
|
|
fi
|
|
|
|
|
|
cd "${TMP}"
|
|
|
|
echo
|
|
echo "Copy rules from ${SIGMA} to ${TMP}"
|
|
cp -r "${RULES}"/windows .
|
|
echo
|
|
echo "Download evtx-sigma-checker"
|
|
if [[ "${OS}" == "Linux" ]]; then
|
|
wget --no-verbose --progress=bar --show-progress https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker
|
|
elif [[ "${OS}" == "Darwin" ]]; then
|
|
wget --no-verbose --progress=bar --show-progress https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker-darwin -O evtx-sigma-checker
|
|
fi
|
|
echo
|
|
echo "Download and extract Windows 10 baseline events"
|
|
wget --no-verbose --progress=bar --show-progress https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz
|
|
tar xzf win10-client.tgz
|
|
echo
|
|
echo "Remove deprecated rules"
|
|
grep -ERl "^status: deprecated" windows | xargs -r rm -v
|
|
echo
|
|
echo "Check for Sigma matches in baseline (this takes at least 2 minutes)"
|
|
chmod +x evtx-sigma-checker
|
|
./evtx-sigma-checker --log-source "${SIGMA}"/tools/config/thor.yml --evtx-path Logs_Client/ --rule-path windows/ > findings.json
|
|
|
|
echo
|
|
echo "Checking for matches:"
|
|
"${SIGMA}"/.github/workflows/matchgrep.sh findings.json "${SIGMA}"/.github/workflows/known-FPs.csv
|
|
|
|
echo
|
|
read -p "Removing temporary directory ${TMP}. Press Enter to continue." -s
|
|
echo
|
|
rm -r "${TMP}"
|
|
echo "Removed ${TMP}"
|
|
echo "Finished"
|