Merge PR #4585 from @phantinuss - Update evtx-baseline to v0.8 and fi…

…x FP found in baseline chore: update evtx-baseline to v0.8 chore: add file paths that impact the test chore: split goodlog and QA tests into two separate workflows fix: File or Folder Permissions Modifications - FPs with partial paths
SigmaHQ · Nov 21, 2023 · 2c24b24 · 2c24b24
1 parent 01730d0
commit 2c24b24
Show file tree

Hide file tree

Showing 5 changed files with 193 additions and 118 deletions.
diff --git a/.github/workflows/goodlog-tests.yml b/.github/workflows/goodlog-tests.yml
@@ -0,0 +1,162 @@
+# This workflow will install Python dependencies, run tests and lint with a single version of Python
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
+
+name: Goodlog Tests
+
+on:
+  push:
+    branches:
+      - "*"
+    paths:
+      - ".github/workflows/goodlog-tests.yml"
+      - ".github/workflows/known-FPs.csv"
+      - "deprecated/**.yml"
+      - "rules-compliance/**.yml"
+      - "rules-dfir/**.yml"
+      - "rules-emerging-threats/**.yml"
+      - "rules-placeholder/**.yml"
+      - "rules-threat-hunting/**.yml"
+      - "rules/**.yml"
+      - "tests/thor.yml"
+      - "unsupported/**.yml"
+  pull_request:
+    branches:
+      - master
+    paths:
+      - ".github/workflows/goodlog-tests.yml"
+      - ".github/workflows/known-FPs.csv"
+      - "deprecated/**.yml"
+      - "rules-compliance/**.yml"
+      - "rules-dfir/**.yml"
+      - "rules-emerging-threats/**.yml"
+      - "rules-placeholder/**.yml"
+      - "rules-threat-hunting/**.yml"
+      - "rules/**.yml"
+      - "tests/thor.yml"
+      - "unsupported/**.yml"
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+env:
+  EVTX_BASELINE_VERSION: v0.8
+
+jobs:
+  check-baseline-win7:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/[email protected]
+    - name: Download evtx-sigma-checker
+      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+    - name: Download and extract Windows 7 32-bit baseline
+      run: |
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win7-x86.tgz
+        tar xzf win7-x86.tgz
+    - name: Check for Sigma matches in baseline
+      run: |
+        chmod +x evtx-sigma-checker
+        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win7_x86/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
+    - name: Show findings excluding known FPs
+      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+
+  check-baseline-win10:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/[email protected]
+    - name: Download evtx-sigma-checker
+      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+    - name: Download and extract Windows 10 baseline
+      run: |
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win10-client.tgz
+        tar xzf win10-client.tgz
+    - name: Check for Sigma matches in baseline
+      run: |
+        chmod +x evtx-sigma-checker
+        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
+    - name: Show findings excluding known FPs
+      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+
+  check-baseline-win11:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/[email protected]
+    - name: Download evtx-sigma-checker
+      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+    - name: Download and extract Windows 11 baseline
+      run: |
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client.tgz
+        tar xzf win11-client.tgz
+    - name: Check for Sigma matches in baseline
+      run: |
+        chmod +x evtx-sigma-checker
+        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
+    - name: Show findings excluding known FPs
+      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+
+  check-baseline-win11-2023:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/[email protected]
+    - name: Download evtx-sigma-checker
+      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+    - name: Download and extract Windows 11 baseline
+      run: |
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client-2023.tgz
+        tar xzf win11-client-2023.tgz
+    - name: Check for Sigma matches in baseline
+      run: |
+        chmod +x evtx-sigma-checker
+        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11_2023/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
+    - name: Show findings excluding known FPs
+      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+
+  check-baseline-win2022:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/[email protected]
+    - name: Download evtx-sigma-checker
+      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+    - name: Download and extract Windows 2022 baseline
+      run: |
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-evtx.tgz
+        tar xzf win2022-evtx.tgz
+    - name: Check for Sigma matches in baseline
+      run: |
+        chmod +x evtx-sigma-checker
+        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-evtx/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
+    - name: Show findings excluding known FPs
+      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+
+  check-baseline-win2022-domain-controller:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/[email protected]
+    - name: Download evtx-sigma-checker
+      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+    - name: Download and extract Windows 2022 baseline
+      run: |
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-ad.tgz
+        tar xzf win2022-ad.tgz
+    - name: Check for Sigma matches in baseline
+      run: |
+        chmod +x evtx-sigma-checker
+        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Win2022-AD/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
+    - name: Show findings excluding known FPs
+      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+
+  check-baseline-win2022-0-20348-azure:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/[email protected]
+    - name: Download evtx-sigma-checker
+      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+    - name: Download and extract Windows 2022.0.20348 Azure baseline
+      run: |
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-0-20348-azure.tgz
+        tar xzf win2022-0-20348-azure.tgz
+    - name: Check for Sigma matches in baseline
+      run: |
+        chmod +x evtx-sigma-checker
+        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
+    - name: Show findings excluding known FPs
+      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
@@ -3,38 +3,41 @@
 
 name: Sigma Rule Tests
 
-on: # yamllint disable-line rule:truthy
+on:
   push:
     branches:
       - "*"
     paths:
+      - ".github/workflows/sigma-test.yml"
       - "deprecated/**.yml"
       - "rules-compliance/**.yml"
       - "rules-dfir/**.yml"
       - "rules-emerging-threats/**.yml"
       - "rules-placeholder/**.yml"
       - "rules-threat-hunting/**.yml"
       - "rules/**.yml"
+      - "tests/test_logsource.py"
+      - "tests/test_rules.py"
       - "unsupported/**.yml"
   pull_request:
     branches:
       - master
     paths:
+      - ".github/workflows/sigma-test.yml"
       - "deprecated/**.yml"
       - "rules-compliance/**.yml"
       - "rules-dfir/**.yml"
       - "rules-emerging-threats/**.yml"
       - "rules-placeholder/**.yml"
       - "rules-threat-hunting/**.yml"
       - "rules/**.yml"
+      - "tests/test_logsource.py"
+      - "tests/test_rules.py"
       - "unsupported/**.yml"
 
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
-env:
-  EVTX_BASELINE_VERSION: v0.7
-
 jobs:
   yamllint:
     runs-on: ubuntu-latest
@@ -81,111 +84,3 @@ jobs:
       run: |
         pip install PyYAML colorama
         python tests/test_rules.py
-
-  check-baseline-win7:
-    runs-on: ubuntu-latest
-    needs: test-sigma-logsource
-    steps:
-    - uses: actions/[email protected]
-    - name: Download evtx-sigma-checker
-      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
-    - name: Download and extract Windows 7 32-bit baseline
-      run: |
-        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win7-x86.tgz
-        tar xzf win7-x86.tgz
-    - name: Check for Sigma matches in baseline
-      run: |
-        chmod +x evtx-sigma-checker
-        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win7_x86/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
-    - name: Show findings excluding known FPs
-      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
-
-  check-baseline-win10:
-    runs-on: ubuntu-latest
-    needs: test-sigma-logsource
-    steps:
-    - uses: actions/[email protected]
-    - name: Download evtx-sigma-checker
-      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
-    - name: Download and extract Windows 10 baseline
-      run: |
-        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win10-client.tgz
-        tar xzf win10-client.tgz
-    - name: Check for Sigma matches in baseline
-      run: |
-        chmod +x evtx-sigma-checker
-        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
-    - name: Show findings excluding known FPs
-      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
-
-  check-baseline-win11:
-    runs-on: ubuntu-latest
-    needs: test-sigma-logsource
-    steps:
-    - uses: actions/[email protected]
-    - name: Download evtx-sigma-checker
-      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
-    - name: Download and extract Windows 11 baseline
-      run: |
-        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client.tgz
-        tar xzf win11-client.tgz
-    - name: Check for Sigma matches in baseline
-      run: |
-        chmod +x evtx-sigma-checker
-        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
-    - name: Show findings excluding known FPs
-      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
-
-  check-baseline-win2022:
-    runs-on: ubuntu-latest
-    needs: test-sigma-logsource
-    steps:
-    - uses: actions/[email protected]
-    - name: Download evtx-sigma-checker
-      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
-    - name: Download and extract Windows 2022 baseline
-      run: |
-        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-evtx.tgz
-        tar xzf win2022-evtx.tgz
-    - name: Check for Sigma matches in baseline
-      run: |
-        chmod +x evtx-sigma-checker
-        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-evtx/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
-    - name: Show findings excluding known FPs
-      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
-
-  check-baseline-win2022-domain-controller:
-    runs-on: ubuntu-latest
-    needs: test-sigma-logsource
-    steps:
-    - uses: actions/[email protected]
-    - name: Download evtx-sigma-checker
-      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
-    - name: Download and extract Windows 2022 baseline
-      run: |
-        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-ad.tgz
-        tar xzf win2022-ad.tgz
-    - name: Check for Sigma matches in baseline
-      run: |
-        chmod +x evtx-sigma-checker
-        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Win2022-AD/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
-    - name: Show findings excluding known FPs
-      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
-
-  check-baseline-win2022-0-20348-azure:
-    runs-on: ubuntu-latest
-    needs: test-sigma-logsource
-    steps:
-    - uses: actions/[email protected]
-    - name: Download evtx-sigma-checker
-      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
-    - name: Download and extract Windows 2022.0.20348 Azure baseline
-      run: |
-        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-0-20348-azure.tgz
-        tar xzf win2022-0-20348-azure.tgz
-    - name: Check for Sigma matches in baseline
-      run: |
-        chmod +x evtx-sigma-checker
-        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
-    - name: Show findings excluding known FPs
-      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
diff --git a/.github/workflows/sigma-validation.yml b/.github/workflows/sigma-validation.yml
@@ -12,6 +12,7 @@ on:
       - "rules-placeholder/**.yml"
       - "rules-threat-hunting/**.yml"
       - "rules/**.yml"
+      - "tests/validate-sigma-schema/validate.sh"
       - "unsupported/**.yml"
   pull_request:
     branches:
@@ -24,8 +25,9 @@ on:
       - "rules-placeholder/**.yml"
       - "rules-threat-hunting/**.yml"
       - "rules/**.yml"
+      - "tests/validate-sigma-schema/validate.sh"
       - "unsupported/**.yml"
-  
+
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 

diff --git a/...hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml b/...hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml
@@ -8,7 +8,7 @@ references:
     - https://github.com/swagkarna/Defeat-Defender-V1.2.0
 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/10/23
-modified: 2023/11/06
+modified: 2023/11/21
 tags:
     - attack.defense_evasion
     - attack.t1222.001
@@ -41,11 +41,11 @@ detection:
     filter_optional_vscode:
         CommandLine|contains:
             - '\AppData\Local\Programs\Microsoft VS Code'
-            - ':\Program Files\Microsoft VS Code\'
+            - ':\Program Files\Microsoft VS Code'
     filter_optional_avira:
         CommandLine|contains:
-            - ':\Program Files (x86)\Avira\'
-            - ':\Program Files\Avira\'
+            - ':\Program Files (x86)\Avira'
+            - ':\Program Files\Avira'
     condition: 1 of selection_* and not 1 of filter_optional_*
 falsepositives:
     - Users interacting with the files on their own (unlikely unless privileged users).

diff --git a/tests/check-baseline-local.sh b/tests/check-baseline-local.sh
@@ -151,10 +151,23 @@ OS="Windows 11"
 pids+=($!)
 PID2OS[$!]=$OS
 
+# Windows 11 2023
+OS="Windows 11 2023"
+{
+    sleep 40
+    wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win11-client-2023.tgz
+    tar xzf win11-client-2023.tgz
+    echo "  Checking for Sigma matches in $OS baseline (this takes around 3 minutes)"
+    ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path Logs_Win11_2023/ --rule-path windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings-win11-2023.json
+    echo "  Finished Checking for Sigma matches in $OS baseline"
+}&
+pids+=($!)
+PID2OS[$!]=$OS
+
 # Windows 2022.0.20348 Azure
 OS="Windows 2022.0.20348 Azure"
 {
-    sleep 40
+    sleep 50
     wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win2022-0-20348-azure.tgz
     tar xzf win2022-0-20348-azure.tgz
     echo "  Checking for Sigma matches in $OS baseline (this takes around 3 minutes)"
@@ -184,6 +197,9 @@ echo
 echo "Windows 11:"
 "${SIGMA}"/.github/workflows/matchgrep.sh findings-win11.json "${SIGMA}"/.github/workflows/known-FPs.csv
 echo
+echo "Windows 11 2023:"
+"${SIGMA}"/.github/workflows/matchgrep.sh findings-win11-2023.json "${SIGMA}"/.github/workflows/known-FPs.csv
+echo
 echo "Windows 2022:"
 "${SIGMA}"/.github/workflows/matchgrep.sh findings-win2022.json "${SIGMA}"/.github/workflows/known-FPs.csv
 echo