diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 72adaf3acbf..e9ce352241b 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -76,7 +76,7 @@ jobs:
- name: Check for Sigma matches in baseline
run: |
chmod +x evtx-sigma-checker
- ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win7_x86/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ > findings.json
+ ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win7_x86/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
- name: Show findings excluding known FPs
run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
 
@@ -94,7 +94,7 @@ jobs:
- name: Check for Sigma matches in baseline
run: |
chmod +x evtx-sigma-checker
- ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ > findings.json
+ ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
- name: Show findings excluding known FPs
run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
 
@@ -112,7 +112,7 @@ jobs:
- name: Check for Sigma matches in baseline
run: |
chmod +x evtx-sigma-checker
- ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ > findings.json
+ ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
- name: Show findings excluding known FPs
run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
 
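Review bot: The `--rule-path rules-threat-hunting/` argument is appended to an identical `./evtx-sigma-checker` invocation in all six jobs of this file (the three hunks on this line and the three on the next) and again in the six matching lines of tests/check-baseline-local.sh, so the rule-directory list now lives in twelve places that must be kept in sync by hand. A workflow-level `env:` entry such as `RULE_PATHS: --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/`, referenced as `${{ env.RULE_PATHS }}` in each `run:` step, would reduce a future directory to a single edit; the local script could keep the same list in one shell array. Since a whole new rule directory is now scanned against the clean baselines, the known-FPs list consumed by the `matchgrep.sh` step that follows each scan may need entries for threat-hunting rules that fire on them, which cannot be confirmed from the hunk. The checkout and binary-download steps of each job lie outside these hunks.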
@@ -130,7 +130,7 @@ jobs:
- name: Check for Sigma matches in baseline
run: |
chmod +x evtx-sigma-checker
- ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-evtx/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ > findings.json
+ ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-evtx/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
- name: Show findings excluding known FPs
run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
 
@@ -148,7 +148,7 @@ jobs:
- name: Check for Sigma matches in baseline
run: |
chmod +x evtx-sigma-checker
- ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Win2022-AD/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ > findings.json
+ ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Win2022-AD/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
- name: Show findings excluding known FPs
run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
 
@@ -166,6 +166,6 @@ jobs:
- name: Check for Sigma matches in baseline
run: |
chmod +x evtx-sigma-checker
- ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ > findings.json
+ ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
- name: Show findings excluding known FPs
run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
index 39de60fae05..98097b8beb8 100644
--- a/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
@@ -21,7 +21,14 @@ detection:
selection:
TargetObject|contains: 'Security\Trusted Locations\Location'
TargetObject|endswith: '\Path'
- condition: selection
+ filter_main_office_click_to_run:
+ Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
+ Image|endswith: '\OfficeClickToRun.exe'
+ filter_main_office_apps:
+ Image|contains:
+ - ':\Program Files\Microsoft Office\'
+ - ':\Program Files (x86)\Microsoft Office\'
+ condition: selection and not 1 of filter_main_*
falsepositives:
- During office installations or setup, trusted locations are added, which will trigger this rule.
level: medium
diff --git a/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml b/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
index c85b088b20f..917eaffdd61 100644
--- a/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
@@ -10,7 +10,7 @@ references:
- https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/06/21
-modified: 2023/08/17
+modified: 2023/09/29
tags:
- attack.defense_evasion
- attack.t1112
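Review bot: The new `filter_main_office_apps` excludes every process whose `Image` merely contains `:\Program Files\Microsoft Office\` or `:\Program Files (x86)\Microsoft Office\`, with no constraint on the executable name, and the same directory-only filter replaces the former `Image|endswith` list of `\winword.exe` and `\excel.exe` in the `_uncommon` rule hunk on the next line, which is the alerting rule rather than this hunting one. A directory-only exclusion means any binary run from the Office program directory is treated as a legitimate writer of Trusted Location paths, so at least for the `_uncommon` rule it would be safer to keep an `Image|endswith:` list (`- '\winword.exe'`, `- '\excel.exe'`, extended with the other Office executables that legitimately write these keys) alongside the new `Image|contains` pairs, and to say in a comment why a broader match is acceptable here. The `falsepositives` entry about Office installations is left as is although the new ClickToRun filter now covers that case, so it may be worth rewording. The rule header is outside this hunk, so it is not visible whether `modified:` was bumped here as it was to `2023/09/29` in the sibling rule.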
@@ -22,25 +22,22 @@ detection:
TargetObject|contains: 'Security\Trusted Locations\Location'
TargetObject|endswith: '\Path'
filter_exclude_known_paths:
- Details|startswith:
+ Details|contains:
- '%APPDATA%\Microsoft\Templates'
- '%%APPDATA%%\Microsoft\Templates'
- '%APPDATA%\Microsoft\Word\Startup'
- '%%APPDATA%%\Microsoft\Word\Startup'
- - 'C:\Program Files (x86)\Microsoft Office\root\Templates\'
- - 'C:\Program Files\Microsoft Office (x86)\Templates'
- - 'C:\Program Files\Microsoft Office\root\Templates\'
- - 'C:\Program Files\Microsoft Office\Templates\'
+ - ':\Program Files (x86)\Microsoft Office\root\Templates\'
+ - ':\Program Files\Microsoft Office (x86)\Templates'
+ - ':\Program Files\Microsoft Office\root\Templates\'
+ - ':\Program Files\Microsoft Office\Templates\'
filter_main_office_click_to_run:
- Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
+ Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
filter_main_office_apps:
- Image|startswith:
- - 'C:\Program Files\Microsoft Office\'
- - 'C:\Program Files (x86)\Microsoft Office\'
- Image|endswith:
- - '\winword.exe'
- - '\excel.exe'
+ Image|contains:
+ - ':\Program Files\Microsoft Office\'
+ - ':\Program Files (x86)\Microsoft Office\'
condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*
falsepositives:
- Other unknown legitimate or custom paths need to be filtered to avoid false positives
diff --git a/tests/check-baseline-local.sh b/tests/check-baseline-local.sh
index 1aec7f146be..2c3fd80be62 100755
--- a/tests/check-baseline-local.sh
+++ b/tests/check-baseline-local.sh
@@ -71,6 +71,7 @@ echo
echo "Copy rules from ${SIGMA} to ${TMP}"
cp -r "${RULES}"/windows .
cp -r "${SIGMA}"/rules-emerging-threats .
+cp -r "${SIGMA}"/rules-threat-hunting .
echo
echo "Remove deprecated rules"
grep -ERl "^status: deprecated" windows | xargs -r rm -v
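Review bot: Switching `filter_exclude_known_paths` from `Details|startswith` to `Details|contains` removes the left anchor the old form had, and the rewritten list is still uneven about right-side bounding: `':\Program Files\Microsoft Office (x86)\Templates'` has no trailing `\` while its three siblings do, and the four `%APPDATA%` entries have none either, so each of those also excludes longer sibling names such as a `...\Templates2` directory. If the logged `Path` values end in a separator (the trailing `\` on the other entries suggests so, but the hunk shows no sample value), appending `\` to those entries, e.g. `- ':\Program Files\Microsoft Office (x86)\Templates\'`, bounds every exclusion on at least one side. Replacing the `C:` drive letter with `:\` keeps the match anchored to a drive root while covering non-standard system drives, so that part of the change is sound.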
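Review bot: The new `cp -r "${SIGMA}"/rules-threat-hunting .` copies the whole directory, but the `grep -ERl "^status: deprecated" windows | xargs -r rm -v` line at the end of the hunk prunes deprecated rules only from `windows`, so any threat-hunting rule carrying that status would still be loaded by the scans later in the script; the same gap already exists for rules-emerging-threats. If the intent is to mirror what the CI workflow loads, either extend the prune to `grep -ERl "^status: deprecated" windows rules-emerging-threats rules-threat-hunting | xargs -r rm -v` or add a comment stating why only `windows` is filtered. The surrounding script continues outside the hunk.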
@@ -93,7 +94,7 @@ OS="Windows 7 32-bit"
wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win7-x86.tgz
tar xzf win7-x86.tgz
echo " Checking for Sigma matches in $OS baseline"
- ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path win7_x86/ --rule-path windows/ --rule-path rules-emerging-threats/ > findings-win7.json
+ ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path win7_x86/ --rule-path windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings-win7.json
echo " Finished Checking for Sigma matches in $OS baseline"
}&
pids+=($!)
@@ -105,7 +106,7 @@ OS="Windows 2022"
wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win2022-evtx.tgz
tar xzf win2022-evtx.tgz
echo " Checking for Sigma matches in $OS baseline (this takes around 1 minute)"
- ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path win2022-evtx/ --rule-path windows/ --rule-path rules-emerging-threats/ > findings-win2022.json
+ ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path win2022-evtx/ --rule-path windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings-win2022.json
echo " Finished Checking for Sigma matches in $OS baseline"
}&
pids+=($!)
@@ -118,7 +119,7 @@ OS="Windows 10"
wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz
tar xzf win10-client.tgz
echo " Checking for Sigma matches in $OS baseline (this takes around 2 minutes)"
- ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path Logs_Client/ --rule-path windows/ --rule-path rules-emerging-threats/ > findings-win10.json
+ ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path Logs_Client/ --rule-path windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings-win10.json
echo " Finished Checking for Sigma matches in $OS baseline"
}&
pids+=($!)
@@ -131,7 +132,7 @@ OS="Windows 2022 AD"
wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win2022-ad.tgz
tar xzf win2022-ad.tgz
echo " Checking for Sigma matches in $OS baseline (this takes around 2 minutes)"
- ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path Win2022-AD/ --rule-path windows/ --rule-path rules-emerging-threats/ > findings-win2022-ad.json
+ ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path Win2022-AD/ --rule-path windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings-win2022-ad.json
echo " Finished Checking for Sigma matches in $OS baseline"
}&
pids+=($!)
@@ -144,7 +145,7 @@ OS="Windows 11"
wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win11-client.tgz
tar xzf win11-client.tgz
echo " Checking for Sigma matches in $OS baseline (this takes around 3 minutes)"
- ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path Logs_Win11/ --rule-path windows/ --rule-path rules-emerging-threats/ > findings-win11.json
+ ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path Logs_Win11/ --rule-path windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings-win11.json
echo " Finished Checking for Sigma matches in $OS baseline"
}&
pids+=($!)
@@ -157,7 +158,7 @@ OS="Windows 2022.0.20348 Azure"
wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win2022-0-20348-azure.tgz
tar xzf win2022-0-20348-azure.tgz
echo " Checking for Sigma matches in $OS baseline (this takes around 3 minutes)"
- ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path windows/ --rule-path rules-emerging-threats/ > findings-win2022-0-20348-azure.json
+ ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings-win2022-0-20348-azure.json
echo " Finished Checking for Sigma matches in $OS baseline"
}&
pids+=($!)