Suspicious Task Scheduler DLL Load #72

Workflow file for this run

.github/workflows/goodlog-tests.yml at 0ddbf51

	# This workflow will install Python dependencies, run tests and lint with a single version of Python
	# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions

	name: Goodlog Tests

	on:
	push:
	branches:
	- "*"
	paths:
	- ".github/workflows/goodlog-tests.yml"
	- ".github/workflows/known-FPs.csv"
	- "deprecated/**.yml"
	- "rules-compliance/**.yml"
	- "rules-dfir/**.yml"
	- "rules-emerging-threats/**.yml"
	- "rules-placeholder/**.yml"
	- "rules-threat-hunting/**.yml"
	- "rules/**.yml"
	- "tests/thor.yml"
	- "unsupported/**.yml"
	pull_request:
	branches:
	- master
	paths:
	- ".github/workflows/goodlog-tests.yml"
	- ".github/workflows/known-FPs.csv"
	- "deprecated/**.yml"
	- "rules-compliance/**.yml"
	- "rules-dfir/**.yml"
	- "rules-emerging-threats/**.yml"
	- "rules-placeholder/**.yml"
	- "rules-threat-hunting/**.yml"
	- "rules/**.yml"
	- "tests/thor.yml"
	- "unsupported/**.yml"

	# Allows you to run this workflow manually from the Actions tab
	workflow_dispatch:

	env:
	EVTX_BASELINE_VERSION: v0.8

	jobs:
	check-baseline-win7:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Download evtx-sigma-checker
	run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
	- name: Download and extract Windows 7 32-bit baseline
	run: \|
	wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win7-x86.tgz
	tar xzf win7-x86.tgz
	- name: Check for Sigma matches in baseline
	run: \|
	chmod +x evtx-sigma-checker
	./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win7_x86/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
	- name: Show findings excluding known FPs
	run: \|
	chmod +x .github/workflows/matchgrep.sh
	./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv

	check-baseline-win10:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Download evtx-sigma-checker
	run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
	- name: Download and extract Windows 10 baseline
	run: \|
	wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win10-client.tgz
	tar xzf win10-client.tgz
	- name: Check for Sigma matches in baseline
	run: \|
	chmod +x evtx-sigma-checker
	./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
	- name: Show findings excluding known FPs
	run: \|
	chmod +x .github/workflows/matchgrep.sh
	./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv

	check-baseline-win11:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Download evtx-sigma-checker
	run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
	- name: Download and extract Windows 11 baseline
	run: \|
	wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client.tgz
	tar xzf win11-client.tgz
	- name: Check for Sigma matches in baseline
	run: \|
	chmod +x evtx-sigma-checker
	./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
	- name: Show findings excluding known FPs
	run: \|
	chmod +x .github/workflows/matchgrep.sh
	./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv

	check-baseline-win11-2023:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Download evtx-sigma-checker
	run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
	- name: Download and extract Windows 11 baseline
	run: \|
	wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client-2023.tgz
	tar xzf win11-client-2023.tgz
	- name: Check for Sigma matches in baseline
	run: \|
	chmod +x evtx-sigma-checker
	./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11_2023/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
	- name: Show findings excluding known FPs
	run: \|
	chmod +x .github/workflows/matchgrep.sh
	./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv

	check-baseline-win2022:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Download evtx-sigma-checker
	run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
	- name: Download and extract Windows 2022 baseline
	run: \|
	wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-evtx.tgz
	tar xzf win2022-evtx.tgz
	- name: Check for Sigma matches in baseline
	run: \|
	chmod +x evtx-sigma-checker
	./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-evtx/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
	- name: Show findings excluding known FPs
	run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv

	check-baseline-win2022-domain-controller:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Download evtx-sigma-checker
	run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
	- name: Download and extract Windows 2022 baseline
	run: \|
	wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-ad.tgz
	tar xzf win2022-ad.tgz
	- name: Check for Sigma matches in baseline
	run: \|
	chmod +x evtx-sigma-checker
	./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Win2022-AD/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
	- name: Show findings excluding known FPs
	run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv

	check-baseline-win2022-0-20348-azure:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Download evtx-sigma-checker
	run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
	- name: Download and extract Windows 2022.0.20348 Azure baseline
	run: \|
	wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-0-20348-azure.tgz
	tar xzf win2022-0-20348-azure.tgz
	- name: Check for Sigma matches in baseline
	run: \|
	chmod +x evtx-sigma-checker
	./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
	- name: Show findings excluding known FPs
	run: \|
	chmod +x .github/workflows/matchgrep.sh
	./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Suspicious Task Scheduler DLL Load #72

Workflow file

Suspicious Task Scheduler DLL Load #72

Jobs

Run details

Workflow file for this run