From 2c24b24cf1269a4087acf04136fd2d6eaf447452 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Tue, 21 Nov 2023 15:16:18 +0100
Subject: [PATCH] Merge PR #4585 from @phantinuss - Update evtx-baseline to v0.8 and fix FP found in baseline
chore: update evtx-baseline to v0.8
chore: add file paths that impact the test
chore: split goodlog and QA tests into two separate workflows
fix: File or Folder Permissions Modifications - FPs with partial paths
---
 .github/workflows/goodlog-tests.yml | 162 ++++++++++++++++++
 .github/workflows/sigma-test.yml | 119 +------------
 .github/workflows/sigma-validation.yml | 4 +-
 ...win_susp_file_permission_modifications.yml | 8 +-
 tests/check-baseline-local.sh | 18 +-
 5 files changed, 193 insertions(+), 118 deletions(-)
 create mode 100644 .github/workflows/goodlog-tests.yml
diff --git a/.github/workflows/goodlog-tests.yml b/.github/workflows/goodlog-tests.yml
new file mode 100644
index 00000000000..7b5548e5aae
--- /dev/null
+++ b/.github/workflows/goodlog-tests.yml
@@ -0,0 +1,162 @@
+# This workflow will install Python dependencies, run tests and lint with a single version of Python
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
+
+name: Goodlog Tests
+
+on:
+ push:
+ branches:
+ - "*"
+ paths:
+ - ".github/workflows/goodlog-tests.yml"
+ - ".github/workflows/known-FPs.csv"
+ - "deprecated/**.yml"
+ - "rules-compliance/**.yml"
+ - "rules-dfir/**.yml"
+ - "rules-emerging-threats/**.yml"
+ - "rules-placeholder/**.yml"
+ - "rules-threat-hunting/**.yml"
+ - "rules/**.yml"
+ - "tests/thor.yml"
+ - "unsupported/**.yml"
+ pull_request:
+ branches:
+ - master
+ paths:
+ - ".github/workflows/goodlog-tests.yml"
+ - ".github/workflows/known-FPs.csv"
+ - "deprecated/**.yml"
+ - "rules-compliance/**.yml"
+ - "rules-dfir/**.yml"
+ - "rules-emerging-threats/**.yml"
+ - "rules-placeholder/**.yml"
+ - "rules-threat-hunting/**.yml"
+ - "rules/**.yml"
+ - "tests/thor.yml"
+ - "unsupported/**.yml"
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+env:
+ EVTX_BASELINE_VERSION: v0.8
+
+jobs:
+ check-baseline-win7:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3.2.0
+ - name: Download evtx-sigma-checker
+ run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+ - name: Download and extract Windows 7 32-bit baseline
+ run: |
+ wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win7-x86.tgz
+ tar xzf win7-x86.tgz
+ - name: Check for Sigma matches in baseline
+ run: |
+ chmod +x evtx-sigma-checker
+ ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win7_x86/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
+ - name: Show findings excluding known FPs
+ run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+
+ check-baseline-win10:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3.2.0
+ - name: Download evtx-sigma-checker
+ run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+ - name: Download and extract Windows 10 baseline
+ run: |
+ wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win10-client.tgz
+ tar xzf win10-client.tgz
+ - name: Check for Sigma matches in baseline
+ run: |
+ chmod +x evtx-sigma-checker
+ ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
+ - name: Show findings excluding known FPs
+ run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+
+ check-baseline-win11:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3.2.0
+ - name: Download evtx-sigma-checker
+ run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+ - name: Download and extract Windows 11 baseline
+ run: |
+ wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client.tgz
+ tar xzf win11-client.tgz
+ - name: Check for Sigma matches in baseline
+ run: |
+ chmod +x evtx-sigma-checker
+ ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
+ - name: Show findings excluding known FPs
+ run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+
+ check-baseline-win11-2023:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3.2.0
+ - name: Download evtx-sigma-checker
+ run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+ - name: Download and extract Windows 11 baseline
+ run: |
+ wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client-2023.tgz
+ tar xzf win11-client-2023.tgz
+ - name: Check for Sigma matches in baseline
+ run: |
+ chmod +x evtx-sigma-checker
+ ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11_2023/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
+ - name: Show findings excluding known FPs
+ run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+
+ check-baseline-win2022:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3.2.0
+ - name: Download evtx-sigma-checker
+ run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+ - name: Download and extract Windows 2022 baseline
+ run: |
+ wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-evtx.tgz
+ tar xzf win2022-evtx.tgz
+ - name: Check for Sigma matches in baseline
+ run: |
+ chmod +x evtx-sigma-checker
+ ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-evtx/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
+ - name: Show findings excluding known FPs
+ run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+
+ check-baseline-win2022-domain-controller:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3.2.0
+ - name: Download evtx-sigma-checker
+ run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+ - name: Download and extract Windows 2022 baseline
+ run: |
+ wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-ad.tgz
+ tar xzf win2022-ad.tgz
+ - name: Check for Sigma matches in baseline
+ run: |
+ chmod +x evtx-sigma-checker
+ ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Win2022-AD/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
+ - name: Show findings excluding known FPs
+ run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+
+ check-baseline-win2022-0-20348-azure:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3.2.0
+ - name: Download evtx-sigma-checker
+ run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+ - name: Download and extract Windows 2022.0.20348 Azure baseline
+ run: |
+ wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-0-20348-azure.tgz
+ tar xzf win2022-0-20348-azure.tgz
+ - name: Check for Sigma matches in baseline
+ run: |
+ chmod +x evtx-sigma-checker
+ ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
+ - name: Show findings excluding known FPs
+ run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index effaa0152dd..4f4be1955ca 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -3,11 +3,12 @@
 
 name: Sigma Rule Tests
 
-on: # yamllint disable-line rule:truthy
+on:
 push:
 branches:
 - "*"
 paths:
+ - ".github/workflows/sigma-test.yml"
 - "deprecated/**.yml"
 - "rules-compliance/**.yml"
 - "rules-dfir/**.yml"
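Review bot: The `Download evtx-sigma-checker` step in each job fetches an executable from a release asset and runs it after `chmod +x` with no integrity check, so every run trusts whatever is currently served under the `v0.8` tag (release assets can be re-uploaded without the tag moving); verifying a pinned digest after the download, e.g. `echo "<sha256-of-evtx-sigma-checker-v0.8>  evtx-sigma-checker" | sha256sum -c -`, and the same for each `.tgz`, makes the goodlog check reproducible, and `actions/checkout@v3.2.0` could likewise be pinned to its commit SHA. The workflow declares no `permissions:` block, so the job token gets the repository default scope although these jobs only read the checkout; a top-level `permissions:` with `contents: read` is sufficient. The two header comments are copied from the Python template and describe installing Python dependencies, which this workflow does not do; `# Runs the Sigma rules against the evtx-baseline goodlog sets and reports matches that are not listed in known-FPs.csv` would be accurate. The seven jobs differ only in archive name, `--evtx-path` and step label, and two labels were not updated in the copy (`check-baseline-win11-2023` and `check-baseline-win2022-domain-controller` still say "Windows 11 baseline" / "Windows 2022 baseline"), so a single job with a `strategy.matrix` as sketched below would remove the duplication and the mislabelling at once.
```yaml
permissions:
  contents: read

env:
  EVTX_BASELINE_VERSION: v0.8

jobs:
  check-baseline:
    name: Check ${{ matrix.label }} baseline
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - label: Windows 7 32-bit
            archive: win7-x86.tgz
            evtx_path: win7_x86/
            archive_sha256: "<sha256-of-win7-x86.tgz>"
          - label: Windows 10
            archive: win10-client.tgz
            evtx_path: Logs_Client/
            archive_sha256: "<sha256-of-win10-client.tgz>"
          - label: Windows 11
            archive: win11-client.tgz
            evtx_path: Logs_Win11/
            archive_sha256: "<sha256-of-win11-client.tgz>"
          - label: Windows 11 2023
            archive: win11-client-2023.tgz
            evtx_path: Logs_Win11_2023/
            archive_sha256: "<sha256-of-win11-client-2023.tgz>"
          - label: Windows 2022
            archive: win2022-evtx.tgz
            evtx_path: win2022-evtx/
            archive_sha256: "<sha256-of-win2022-evtx.tgz>"
          - label: Windows 2022 domain controller
            archive: win2022-ad.tgz
            evtx_path: Win2022-AD/
            archive_sha256: "<sha256-of-win2022-ad.tgz>"
          - label: Windows 2022.0.20348 Azure
            archive: win2022-0-20348-azure.tgz
            evtx_path: win2022-0-20348-azure/
            archive_sha256: "<sha256-of-win2022-0-20348-azure.tgz>"
    steps:
      - uses: actions/checkout@v3.2.0
      - name: Download and verify evtx-sigma-checker
        run: |
          wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
          echo "<sha256-of-evtx-sigma-checker-v0.8>  evtx-sigma-checker" | sha256sum -c -
      - name: Download, verify and extract ${{ matrix.label }} baseline
        run: |
          wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/${{ matrix.archive }}
          echo "${{ matrix.archive_sha256 }}  ${{ matrix.archive }}" | sha256sum -c -
          tar xzf ${{ matrix.archive }}
      - name: Check for Sigma matches in baseline
        run: |
          chmod +x evtx-sigma-checker
          ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path ${{ matrix.evtx_path }} --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
      # … unchanged: "Show findings excluding known FPs" step …
```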
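Review bot: Dropping the `# yamllint disable-line rule:truthy` directive from `on:` will make yamllint's `truthy` rule report that key again if workflow files are in the lint scope (the yamllint configuration is not part of the diff, so this may be intended), and the new `goodlog-tests.yml` has the same bare `on:`. If workflows are linted, keeping `on: # yamllint disable-line rule:truthy` in both files is the usual fix.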
@@ -15,11 +16,14 @@ on: # yamllint disable-line rule:truthy
 - "rules-placeholder/**.yml"
 - "rules-threat-hunting/**.yml"
 - "rules/**.yml"
+ - "tests/test_logsource.py"
+ - "tests/test_rules.py"
 - "unsupported/**.yml"
 pull_request:
 branches:
 - master
 paths:
+ - ".github/workflows/sigma-test.yml"
 - "deprecated/**.yml"
 - "rules-compliance/**.yml"
 - "rules-dfir/**.yml"
@@ -27,14 +31,13 @@ on: # yamllint disable-line rule:truthy
 - "rules-placeholder/**.yml"
 - "rules-threat-hunting/**.yml"
 - "rules/**.yml"
+ - "tests/test_logsource.py"
+ - "tests/test_rules.py"
 - "unsupported/**.yml"
 
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
 
-env:
- EVTX_BASELINE_VERSION: v0.7
-
 jobs:
 yamllint:
 runs-on: ubuntu-latest
@@ -81,111 +84,3 @@ jobs:
 run: |
 pip install PyYAML colorama
 python tests/test_rules.py
-
- check-baseline-win7:
- runs-on: ubuntu-latest
- needs: test-sigma-logsource
- steps:
- - uses: actions/checkout@v3.2.0
- - name: Download evtx-sigma-checker
- run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
- - name: Download and extract Windows 7 32-bit baseline
- run: |
- wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win7-x86.tgz
- tar xzf win7-x86.tgz
- - name: Check for Sigma matches in baseline
- run: |
- chmod +x evtx-sigma-checker
- ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win7_x86/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
- - name: Show findings excluding known FPs
- run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
-
- check-baseline-win10:
- runs-on: ubuntu-latest
- needs: test-sigma-logsource
- steps:
- - uses: actions/checkout@v3.2.0
- - name: Download evtx-sigma-checker
- run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
- - name: Download and extract Windows 10 baseline
- run: |
- wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win10-client.tgz
- tar xzf win10-client.tgz
- - name: Check for Sigma matches in baseline
- run: |
- chmod +x evtx-sigma-checker
- ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
- - name: Show findings excluding known FPs
- run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
-
- check-baseline-win11:
- runs-on: ubuntu-latest
- needs: test-sigma-logsource
- steps:
- - uses: actions/checkout@v3.2.0
- - name: Download evtx-sigma-checker
- run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
- - name: Download and extract Windows 11 baseline
- run: |
- wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client.tgz
- tar xzf win11-client.tgz
- - name: Check for Sigma matches in baseline
- run: |
- chmod +x evtx-sigma-checker
- ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
- - name: Show findings excluding known FPs
- run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
-
- check-baseline-win2022:
- runs-on: ubuntu-latest
- needs: test-sigma-logsource
- steps:
- - uses: actions/checkout@v3.2.0
- - name: Download evtx-sigma-checker
- run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
- - name: Download and extract Windows 2022 baseline
- run: |
- wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-evtx.tgz
- tar xzf win2022-evtx.tgz
- - name: Check for Sigma matches in baseline
- run: |
- chmod +x evtx-sigma-checker
- ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-evtx/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
- - name: Show findings excluding known FPs
- run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
-
- check-baseline-win2022-domain-controller:
- runs-on: ubuntu-latest
- needs: test-sigma-logsource
- steps:
- - uses: actions/checkout@v3.2.0
- - name: Download evtx-sigma-checker
- run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
- - name: Download and extract Windows 2022 baseline
- run: |
- wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-ad.tgz
- tar xzf win2022-ad.tgz
- - name: Check for Sigma matches in baseline
- run: |
- chmod +x evtx-sigma-checker
- ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Win2022-AD/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
- - name: Show findings excluding known FPs
- run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
-
- check-baseline-win2022-0-20348-azure:
- runs-on: ubuntu-latest
- needs: test-sigma-logsource
- steps:
- - uses: actions/checkout@v3.2.0
- - name: Download evtx-sigma-checker
- run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
- - name: Download and extract Windows 2022.0.20348 Azure baseline
- run: |
- wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-0-20348-azure.tgz
- tar xzf win2022-0-20348-azure.tgz
- - name: Check for Sigma matches in baseline
- run: |
- chmod +x evtx-sigma-checker
- ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
- - name: Show findings excluding known FPs
- run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
diff --git a/.github/workflows/sigma-validation.yml b/.github/workflows/sigma-validation.yml
index 32a6ac351df..d9544e3a746 100644
--- a/.github/workflows/sigma-validation.yml
+++ b/.github/workflows/sigma-validation.yml
@@ -12,6 +12,7 @@ on:
 - "rules-placeholder/**.yml"
 - "rules-threat-hunting/**.yml"
 - "rules/**.yml"
+ - "tests/validate-sigma-schema/validate.sh"
 - "unsupported/**.yml"
 pull_request:
 branches:
@@ -24,8 +25,9 @@ on:
 - "rules-placeholder/**.yml"
 - "rules-threat-hunting/**.yml"
 - "rules/**.yml"
+ - "tests/validate-sigma-schema/validate.sh"
 - "unsupported/**.yml"
-
+
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml
index 97078430353..09435200619 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml
@@ -8,7 +8,7 @@ references:
 - https://github.com/swagkarna/Defeat-Defender-V1.2.0
 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/10/23
-modified: 2023/11/06
+modified: 2023/11/21
 tags:
 - attack.defense_evasion
 - attack.t1222.001
@@ -41,11 +41,11 @@ detection:
 filter_optional_vscode:
 CommandLine|contains:
 - '\AppData\Local\Programs\Microsoft VS Code'
- - ':\Program Files\Microsoft VS Code\'
+ - ':\Program Files\Microsoft VS Code'
 filter_optional_avira:
 CommandLine|contains:
- - ':\Program Files (x86)\Avira\'
- - ':\Program Files\Avira\'
+ - ':\Program Files (x86)\Avira'
+ - ':\Program Files\Avira'
 condition: 1 of selection_* and not 1 of filter_optional_*
 falsepositives:
 - Users interacting with the files on their own (unlikely unless privileged users).
diff --git a/tests/check-baseline-local.sh b/tests/check-baseline-local.sh
index 2c3fd80be62..4d53cd3373e 100755
--- a/tests/check-baseline-local.sh
+++ b/tests/check-baseline-local.sh
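Review bot: Removing the trailing backslash from the three `filter_optional_*` entries also excludes command lines whose path merely starts with `:\Program Files\Avira` or `:\Program Files\Microsoft VS Code` (a `contains` match does not stop at a directory boundary, so a sibling directory sharing that prefix is filtered too), which is wider than the partial-path FP the commit message describes. If the baseline hits are the bare directory given as the target, listing both `':\Program Files\Avira\'` and `':\Program Files\Avira"'` (closing quote) would keep the original tightness, but that depends on the actual hits, which are not in the diff. Either way a one-line comment above `filter_optional_vscode` such as `# No trailing backslash: the command line may name the directory itself (partial path)` would stop the next maintainer from reinstating it and reintroducing the FP.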
@@ -151,10 +151,23 @@ OS="Windows 11"
 pids+=($!)
 PID2OS[$!]=$OS
 
+# Windows 11 2023
+OS="Windows 11 2023"
+{
+ sleep 40
+ wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win11-client-2023.tgz
+ tar xzf win11-client-2023.tgz
+ echo " Checking for Sigma matches in $OS baseline (this takes around 3 minutes)"
+ ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path Logs_Win11_2023/ --rule-path windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings-win11-2023.json
+ echo " Finished Checking for Sigma matches in $OS baseline"
+}&
+pids+=($!)
+PID2OS[$!]=$OS
+
 # Windows 2022.0.20348 Azure
 OS="Windows 2022.0.20348 Azure"
 {
- sleep 40
+ sleep 50
 wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win2022-0-20348-azure.tgz
 tar xzf win2022-0-20348-azure.tgz
 echo " Checking for Sigma matches in $OS baseline (this takes around 3 minutes)"
@@ -184,6 +197,9 @@ echo
 echo "Windows 11:"
 "${SIGMA}"/.github/workflows/matchgrep.sh findings-win11.json "${SIGMA}"/.github/workflows/known-FPs.csv
 echo
+echo "Windows 11 2023:"
+"${SIGMA}"/.github/workflows/matchgrep.sh findings-win11-2023.json "${SIGMA}"/.github/workflows/known-FPs.csv
+echo
 echo "Windows 2022:"
 "${SIGMA}"/.github/workflows/matchgrep.sh findings-win2022.json "${SIGMA}"/.github/workflows/known-FPs.csv
 echo
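Review bot: The new `Windows 11 2023` block fetches `releases/latest/download/win11-client-2023.tgz`, like the existing blocks around it, while the CI workflow pins `EVTX_BASELINE_VERSION: v0.8`, so a local run can silently check a different baseline than CI once a newer release is published; building the URL from the same pinned version, e.g. `wget --quiet "https://github.com/NextronSystems/evtx-baseline/releases/download/${EVTX_BASELINE_VERSION:-v0.8}/win11-client-2023.tgz"`, keeps the two in step. The block also goes on to `tar xzf` and to run the checker when `wget --quiet` fails (whatever error handling the script sets is outside the hunk), so a failed download surfaces only as a missing `Logs_Win11_2023/` three lines later; `wget --quiet … || exit 1` inside the background group would report it at the source. The `sleep 40` / `sleep 50` values are duplicated across the blocks with no comment on what they are for — presumably to stagger the parallel downloads — so a one-line comment such as `# stagger the parallel downloads` at the first `sleep` would help.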