Merge PR SigmaHQ#4464 from @phantinuss - Update Goodlog Test

chore: add threat hunting rules to goodlog tests --------- Co-authored-by: Nasreddine Bencherchali <[email protected]>
jamestiotio · Sep 29, 2023 · 733de44 · 733de44
1 parent c57c076
commit 733de44
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 26 deletions.
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
@@ -76,7 +76,7 @@ jobs:
     - name: Check for Sigma matches in baseline
       run: |
         chmod +x evtx-sigma-checker
-        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win7_x86/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ > findings.json
+        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win7_x86/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
     - name: Show findings excluding known FPs
       run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
 
@@ -94,7 +94,7 @@ jobs:
     - name: Check for Sigma matches in baseline
       run: |
         chmod +x evtx-sigma-checker
-        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ > findings.json
+        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
     - name: Show findings excluding known FPs
       run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
 
@@ -112,7 +112,7 @@ jobs:
     - name: Check for Sigma matches in baseline
       run: |
         chmod +x evtx-sigma-checker
-        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ > findings.json
+        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
     - name: Show findings excluding known FPs
       run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
 
@@ -130,7 +130,7 @@ jobs:
     - name: Check for Sigma matches in baseline
       run: |
         chmod +x evtx-sigma-checker
-        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-evtx/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ > findings.json
+        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-evtx/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
     - name: Show findings excluding known FPs
       run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
 
@@ -148,7 +148,7 @@ jobs:
     - name: Check for Sigma matches in baseline
       run: |
         chmod +x evtx-sigma-checker
-        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Win2022-AD/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ > findings.json
+        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Win2022-AD/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
     - name: Show findings excluding known FPs
       run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
 
@@ -166,6 +166,6 @@ jobs:
     - name: Check for Sigma matches in baseline
       run: |
         chmod +x evtx-sigma-checker
-        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ > findings.json
+        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
     - name: Show findings excluding known FPs
       run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
@@ -21,7 +21,14 @@ detection:
     selection:
         TargetObject|contains: 'Security\Trusted Locations\Location'
         TargetObject|endswith: '\Path'
-    condition: selection
+    filter_main_office_click_to_run:
+        Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
+        Image|endswith: '\OfficeClickToRun.exe'
+    filter_main_office_apps:
+        Image|contains:
+            - ':\Program Files\Microsoft Office\'
+            - ':\Program Files (x86)\Microsoft Office\'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - During office installations or setup, trusted locations are added, which will trigger this rule.
 level: medium
diff --git a/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml b/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
@@ -10,7 +10,7 @@ references:
     - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/06/21
-modified: 2023/08/17
+modified: 2023/09/29
 tags:
     - attack.defense_evasion
     - attack.t1112
@@ -22,25 +22,22 @@ detection:
         TargetObject|contains: 'Security\Trusted Locations\Location'
         TargetObject|endswith: '\Path'
     filter_exclude_known_paths:
-        Details|startswith:
+        Details|contains:
             - '%APPDATA%\Microsoft\Templates'
             - '%%APPDATA%%\Microsoft\Templates'
             - '%APPDATA%\Microsoft\Word\Startup'
             - '%%APPDATA%%\Microsoft\Word\Startup'
-            - 'C:\Program Files (x86)\Microsoft Office\root\Templates\'
-            - 'C:\Program Files\Microsoft Office (x86)\Templates'
-            - 'C:\Program Files\Microsoft Office\root\Templates\'
-            - 'C:\Program Files\Microsoft Office\Templates\'
+            - ':\Program Files (x86)\Microsoft Office\root\Templates\'
+            - ':\Program Files\Microsoft Office (x86)\Templates'
+            - ':\Program Files\Microsoft Office\root\Templates\'
+            - ':\Program Files\Microsoft Office\Templates\'
     filter_main_office_click_to_run:
-        Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
+        Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
         Image|endswith: '\OfficeClickToRun.exe'
     filter_main_office_apps:
-        Image|startswith:
-            - 'C:\Program Files\Microsoft Office\'
-            - 'C:\Program Files (x86)\Microsoft Office\'
-        Image|endswith:
-            - '\winword.exe'
-            - '\excel.exe'
+        Image|contains:
+            - ':\Program Files\Microsoft Office\'
+            - ':\Program Files (x86)\Microsoft Office\'
     condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*
 falsepositives:
     - Other unknown legitimate or custom paths need to be filtered to avoid false positives

diff --git a/tests/check-baseline-local.sh b/tests/check-baseline-local.sh
@@ -71,6 +71,7 @@ echo
 echo "Copy rules from ${SIGMA} to ${TMP}"
 cp -r "${RULES}"/windows .
 cp -r "${SIGMA}"/rules-emerging-threats .
+cp -r "${SIGMA}"/rules-threat-hunting .
 echo
 echo "Remove deprecated rules"
 grep -ERl "^status: deprecated" windows | xargs -r rm -v
@@ -93,7 +94,7 @@ OS="Windows 7 32-bit"
     wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win7-x86.tgz
     tar xzf win7-x86.tgz
     echo "  Checking for Sigma matches in $OS baseline"
-    ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path win7_x86/ --rule-path windows/ --rule-path rules-emerging-threats/ > findings-win7.json
+    ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path win7_x86/ --rule-path windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings-win7.json
     echo "  Finished Checking for Sigma matches in $OS baseline"
 }&
 pids+=($!)
@@ -105,7 +106,7 @@ OS="Windows 2022"
     wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win2022-evtx.tgz
     tar xzf win2022-evtx.tgz
     echo "  Checking for Sigma matches in $OS baseline (this takes around 1 minute)"
-    ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path win2022-evtx/ --rule-path windows/ --rule-path rules-emerging-threats/ > findings-win2022.json
+    ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path win2022-evtx/ --rule-path windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings-win2022.json
     echo "  Finished Checking for Sigma matches in $OS baseline"
 }&
 pids+=($!)
@@ -118,7 +119,7 @@ OS="Windows 10"
     wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz
     tar xzf win10-client.tgz
     echo "  Checking for Sigma matches in $OS baseline (this takes around 2 minutes)"
-    ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path Logs_Client/ --rule-path windows/ --rule-path rules-emerging-threats/ > findings-win10.json
+    ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path Logs_Client/ --rule-path windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings-win10.json
     echo "  Finished Checking for Sigma matches in $OS baseline"
 }&
 pids+=($!)
@@ -131,7 +132,7 @@ OS="Windows 2022 AD"
     wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win2022-ad.tgz
     tar xzf win2022-ad.tgz
     echo "  Checking for Sigma matches in $OS baseline (this takes around 2 minutes)"
-    ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path Win2022-AD/ --rule-path windows/ --rule-path rules-emerging-threats/ > findings-win2022-ad.json
+    ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path Win2022-AD/ --rule-path windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings-win2022-ad.json
     echo "  Finished Checking for Sigma matches in $OS baseline"
 }&
 pids+=($!)
@@ -144,7 +145,7 @@ OS="Windows 11"
     wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win11-client.tgz
     tar xzf win11-client.tgz
     echo "  Checking for Sigma matches in $OS baseline (this takes around 3 minutes)"
-    ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path Logs_Win11/ --rule-path windows/ --rule-path rules-emerging-threats/ > findings-win11.json
+    ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path Logs_Win11/ --rule-path windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings-win11.json
     echo "  Finished Checking for Sigma matches in $OS baseline"
 }&
 pids+=($!)
@@ -157,7 +158,7 @@ OS="Windows 2022.0.20348 Azure"
     wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win2022-0-20348-azure.tgz
     tar xzf win2022-0-20348-azure.tgz
     echo "  Checking for Sigma matches in $OS baseline (this takes around 3 minutes)"
-    ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path windows/ --rule-path rules-emerging-threats/ > findings-win2022-0-20348-azure.json
+    ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings-win2022-0-20348-azure.json
     echo "  Finished Checking for Sigma matches in $OS baseline"
 }&
 pids+=($!)