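#!/bin/bash
#
# check-baseline-local.sh — run the Sigma Windows rules against the Nextron
# EVTX baselines on the local machine and print the matches that are not
# listed as known false positives.
#
# Usage: check-baseline-local.sh [RULES_DIR]
#   RULES_DIR  rule tree to test (must contain a "windows" subdirectory).
#              Defaults to <repo>/rules, where <repo> is the parent of the
#              directory this script lives in.
#
# Optional environment:
#   EVTX_SIGMA_CHECKER_SHA256  expected SHA-256 (hex) of the downloaded
#              evtx-sigma-checker binary. When set, the download is verified
#              before it is executed; when unset no verification happens
#              (the binary is fetched from the moving "latest" release tag and
#              run as-is, so pinning a digest here is the safer way to run
#              this script).
#
# Requirements: bash 4+ (associative arrays), jq, wget, realpath, tar;
# Linux or macOS.

#######################################
# Print each argument on its own line to stderr, then "Exiting", and exit 1.
# Arguments: messages to print
#######################################
die() {
  printf '%s\n' "$@" >&2
  printf 'Exiting\n' >&2
  exit 1
}

#######################################
# Abort with an install hint when a required tool is missing from PATH.
# Arguments:
#   $1 - tool name
#   $2 - advice appended to the error message
#######################################
require_tool() {
  local tool=$1 advice=$2
  command -v -- "${tool}" >/dev/null 2>&1 || die "${tool} not found. ${advice}"
}

#######################################
# Print the SHA-256 hex digest of a file using whichever tool is available
# (sha256sum on Linux, shasum on macOS).
# Arguments: $1 - file path
# Returns:   1 when no digest tool is available
#######################################
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum -- "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 -- "$1" | awk '{print $1}'
  else
    return 1
  fi
}

# jq is not called in this script itself; it is presumably needed by
# matchgrep.sh, so the original pre-flight check is kept.
require_tool jq "Please install."
require_tool wget "Please install."
require_tool realpath "Please install coreutils."
require_tool tar "Please install."

HOST_OS=$(uname -s)
if [[ "${HOST_OS}" != "Linux" && "${HOST_OS}" != "Darwin" ]]; then
  die "This script only supports Linux and MacOS" "${HOST_OS} is not a supported OS"
fi
readonly HOST_OS

# <repo>/tools/check-baseline-local.sh -> TOOLS=<repo>/tools, SIGMA=<repo>
SCRIPT="$(realpath "$0")" || die "Cannot resolve the path of $0"
TOOLS="${SCRIPT%/*}"
SIGMA="${TOOLS%/*}"
readonly SCRIPT TOOLS SIGMA

# All release assets (checker binary and baseline archives) come from here.
readonly RELEASE_URL="https://github.com/NextronSystems/evtx-baseline/releases/latest/download"
readonly MATCHGREP="${SIGMA}/.github/workflows/matchgrep.sh"
readonly KNOWN_FPS="${SIGMA}/.github/workflows/known-FPs.csv"

if [[ -n "${1-}" && -d "$1" && -r "$1" ]]; then
  RULES="$1"
else
  # Say so when an argument was given but unusable, instead of silently
  # testing the default tree.
  [[ -n "${1-}" ]] && printf 'Warning: %s is not a readable directory, using default rules\n' "$1" >&2
  RULES="${SIGMA}/rules"
fi
readonly RULES
[[ -d "${RULES}/windows" ]] || die "No 'windows' rule directory found under ${RULES}"

TMP=$(mktemp -d) || die "mktemp failed"
if [[ -z "${TMP}" || ! -d "${TMP}" || ! -w "${TMP}" ]]; then
  die "Error: Created temporary directory ${TMP} is not writable."
fi
readonly TMP
# Everything below runs inside the private temp dir; on failure it is left in
# place so the partial results can be inspected.
cd "${TMP}" || die "Cannot change into ${TMP}"

echo
echo "Copy rules from ${RULES} to ${TMP}"
cp -r "${RULES}/windows" . || die "Copying ${RULES}/windows failed" "Temporary files left in ${TMP}"

echo
echo "Remove deprecated rules"
# NUL-delimited so rule paths with spaces are handled; -r skips rm on no match.
grep -ERl --null "^status: deprecated" windows | xargs -0 -r rm -v

echo
echo "Download evtx-sigma-checker"
case "${HOST_OS}" in
  Linux)  checker_asset="evtx-sigma-checker" ;;
  Darwin) checker_asset="evtx-sigma-checker-darwin" ;;
  *)      die "Unsupported OS ${HOST_OS}" ;;
esac
wget --no-verbose --progress=bar --show-progress "${RELEASE_URL}/${checker_asset}" -O evtx-sigma-checker \
  || die "Download of evtx-sigma-checker failed" "Temporary files left in ${TMP}"

# The binary is downloaded from an unpinned "latest" tag and then executed.
# Without a known digest nothing would notice a replaced release asset or a
# corrupted download, so verify whenever the caller supplies one.
if [[ -n "${EVTX_SIGMA_CHECKER_SHA256-}" ]]; then
  actual_sha=$(sha256_of evtx-sigma-checker) \
    || die "No sha256sum/shasum available to verify evtx-sigma-checker" "Temporary files left in ${TMP}"
  expected_sha=$(printf '%s' "${EVTX_SIGMA_CHECKER_SHA256}" | tr '[:upper:]' '[:lower:]')
  if [[ "${actual_sha}" != "${expected_sha}" ]]; then
    die "evtx-sigma-checker checksum mismatch" \
      "expected: ${expected_sha}" \
      "actual:   ${actual_sha}" \
      "Temporary files left in ${TMP}"
  fi
  echo "evtx-sigma-checker checksum verified"
fi
chmod +x evtx-sigma-checker || die "chmod of evtx-sigma-checker failed" "Temporary files left in ${TMP}"

#######################################
# Download one EVTX baseline archive, extract it and run evtx-sigma-checker
# over it. Meant to be run as a background job; the job's exit status is
# non-zero when the download, the extraction or the checker fails.
# Globals:   RELEASE_URL, SIGMA (read)
# Arguments:
#   $1 - human-readable baseline name, used in progress messages
#   $2 - release asset file name (.tgz)
#   $3 - directory the archive extracts to, passed as --evtx-path
#   $4 - output file for the checker's JSON findings
#   $5 - optional note appended to the start message (e.g. a duration hint)
#######################################
check_baseline() {
  local name=$1 archive=$2 evtx_dir=$3 out=$4 note=${5-}
  if ! wget --quiet "${RELEASE_URL}/${archive}"; then
    echo " Download of ${archive} (${name}) failed" >&2
    return 1
  fi
  if ! tar xzf "${archive}"; then
    echo " Extraction of ${archive} (${name}) failed" >&2
    return 1
  fi
  echo " Checking for Sigma matches in ${name} baseline${note:+ (${note})}"
  if ! ./evtx-sigma-checker --log-source "${SIGMA}/tools/config/thor.yml" \
       --evtx-path "${evtx_dir}/" --rule-path windows/ > "${out}"; then
    echo " evtx-sigma-checker failed for ${name} baseline" >&2
    return 1
  fi
  echo " Finished Checking for Sigma matches in ${name} baseline"
}

declare -a pids=()
declare -A PID2OS=()     # background PID -> baseline name, for the wait loop

#######################################
# Start check_baseline in the background and record its PID.
# Globals:   pids, PID2OS (written)
# Arguments: same as check_baseline
#######################################
start_baseline() {
  local name=$1
  check_baseline "$@" &
  pids+=("$!")
  PID2OS[$!]=${name}
}

echo
echo
echo "Starting EVTX checking in parallel..."
start_baseline "Windows 7 32-bit" win7-x86.tgz      win7_x86     findings-win7.json
start_baseline "Windows 2022"     win2022-evtx.tgz  win2022-evtx findings-win2022.json    "this takes around 1 minute"
start_baseline "Windows 10"       win10-client.tgz  Logs_Client  findings-win10.json      "this takes around 2 minutes"
start_baseline "Windows 2022 AD"  win2022-ad.tgz    Win2022-AD   findings-win2022-ad.json "this takes around 2 minutes"
start_baseline "Windows 11"       win11-client.tgz  Logs_Win11   findings-win11.json      "this takes around 3 minutes"

# Sync with all background jobs; a failing job must not go unnoticed.
declare -A FAILED=()     # baseline name -> 1 when its job exited non-zero
failed=0
for pid in "${pids[@]}"; do
  echo "===> Waiting for PID ${pid} / ${PID2OS[$pid]}"
  if ! wait "${pid}"; then
    echo "===> Check for ${PID2OS[$pid]} failed (PID ${pid})" >&2
    FAILED[${PID2OS[$pid]}]=1
    failed=1
  fi
done

#######################################
# Print the matches of one baseline that are not known false positives.
# Globals:   MATCHGREP, KNOWN_FPS, FAILED (read)
# Arguments:
#   $1 - baseline name
#   $2 - findings JSON file produced by check_baseline
#######################################
report_matches() {
  local name=$1 findings=$2
  echo "${name}:"
  if [[ -n "${FAILED[${name}]-}" ]]; then
    echo " (check failed, findings may be incomplete)"
  fi
  if [[ -f "${findings}" ]]; then
    "${MATCHGREP}" "${findings}" "${KNOWN_FPS}"
  else
    echo " no findings file ${findings}" >&2
  fi
  echo
}

echo
echo "###############"
echo "## MATCHES ##"
echo "###############"
echo
report_matches "Windows 7 32-bit" findings-win7.json
report_matches "Windows 10"       findings-win10.json
report_matches "Windows 11"       findings-win11.json
report_matches "Windows 2022"     findings-win2022.json
report_matches "Windows 2022 AD"  findings-win2022-ad.json

if (( failed )); then
  echo "One or more baseline checks failed, see messages above." >&2
fi
read -r -s -p "Removing temporary directory ${TMP}. Press Enter to continue."
echo
# ${TMP:?} guards against an empty path turning this into "rm -rf /".
rm -rf -- "${TMP:?}"
echo "Removed ${TMP}"
echo "Finished"
exit "${failed}"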