Refactor artifacts to allow for a base artifact. (#39)

Refactored the Windows.Hayabusa.Rules artifact into two artifacts: - Windows.Sigma.Base is a base artifact containing log sources and field mappings within the Velociraptor realm - Windows.Hayabusa.Rules calls Windows.Sigma.Base with pre-packaged rules. This effectively creates a reusable Velociraptor taxonomy which can be used to help build custom rules - as long as the rule refers to the well defined log sources and field mappings, the rule will work within Velociraptor. Also removed curated rules and upgraded Hayabusa rules.
Velocidex · Nov 13, 2024 · 909334a · 909334a
1 parent ceb4e30
commit 909334a
Show file tree

Hide file tree

Showing 583 changed files with 2,267 additions and 25,233 deletions.
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
@@ -8,7 +8,7 @@ on:
 
 jobs:
   deploy:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
         with:
@@ -30,6 +30,7 @@ jobs:
       - name: Prepare
         run: |
           make linux
+          ./velosigmac compile --config ./config/windows_base.yaml --output ./output/Windows-Sigma-Base.zip  --yaml ./output/Windows.Sigma.Base.yaml
           ./velosigmac compile --config ./config/windows_hayabusa_rules.yaml --output ./output/Velociraptor-Hayabusa-Rules.zip --rejects ./rejected/windows_hayabusa_rejects.json --ignore_previous_rejects
           ./velosigmac compile --config ./config/windows_hayabusa_event_monitoring.yaml --output ./output/Velociraptor-Hayabusa-Monitoring.zip --rejects rejected/windows_hayabusa_rejects.json --ignore_previous_rejects
           ./velosigmac compile --config ./config/ChopChopGo_rules.yaml --output ./output/Velociraptor-ChopChopGo-Rules.zip --rejects rejected/ChopChopGo_rules_rejects.json --ignore_previous_rejects

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -9,23 +9,23 @@ jobs:
     steps:
 
     - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
-        go-version: '^1.20'
+        go-version: '^1.23'
       id: go
 
     - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         submodules: recursive
 
     - name: Download Latest Velociraptor
-      uses: robinraju/release-downloader@v1.8
+      uses: robinraju/release-downloader@v1
       id: velociraptor
       with:
         repository: velocidex/velociraptor
-        tag: v0.72
-        fileName: "velociraptor-v0.72.4-linux-amd64-musl"
+        tag: v0.73
+        fileName: "velociraptor-v0.73.3-linux-amd64-musl"
         out-file-path: tests
 
     - name: Run tests
@@ -43,13 +43,13 @@ jobs:
         chmod +x ./tests/velociraptor
         make golden
 
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@v4
       if: always()
       with:
         name: artifact
         path: tests/testcases
 
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@v4
       if: always()
       with:
         name: output

diff --git a/Makefile b/Makefile
@@ -1,5 +1,3 @@
-
-
 all: linux
 
 linux:
@@ -8,12 +6,15 @@ linux:
 windows:
 	GOOS=windows go build -o velosigmac.exe .\src\
 
-compile: compileThirdParty compileCurated
+compile: compileThirdParty
 
 compileThirdParty:  compileHayabusa compileHayabusaMonitoring compileChopChopGo
 
-compileHayabusa:
-	./velosigmac compile --config ./config/windows_hayabusa_rules.yaml --output ./output/Velociraptor-Hayabusa-Rules.zip --yaml ./output/Velociraptor-Hayabusa-Rules.yaml --rejects rejected/windows_hayabusa_rejects.json --ignore_previous_rejects
+compileWindowsBase:
+	./velosigmac compile --config ./config/windows_base.yaml --output ./output/Windows-Sigma-Base.zip --yaml ./output/Windows.Sigma.Base.yaml
+
+compileHayabusa: compileWindowsBase
+	./velosigmac compile --config ./config/windows_hayabusa_rules.yaml --output ./output/Velociraptor-Hayabusa-Rules.zip --yaml ./output/Velociraptor.Hayabusa.Rules.yaml --rejects rejected/windows_hayabusa_rejects.json --ignore_previous_rejects
 
 debugHayabusa:
 	dlv debug ./src -- compile --config ./config/windows_hayabusa_rules.yaml --output ./output/Velociraptor-Hayabusa-Rules.zip --yaml ./output/Velociraptor-Hayabusa-Rules.yaml
@@ -24,14 +25,6 @@ compileHayabusaMonitoring:
 compileChopChopGo:
 	./velosigmac compile --config ./config/ChopChopGo_rules.yaml --output ./output/Velociraptor-ChopChopGo-Rules.zip --yaml ./output/Velociraptor-ChopChopGo-Rules.yaml --rejects rejected/ChopChopGo_rules_rejects.json --ignore_previous_rejects
 
-compileCurated:  compilePostProcess compileWindowsRules
-
-compilePostProcess:
-	./velosigmac compile --config ./config/velociraptor_post_process.yaml --output ./output/Velociraptor-Post-Process.zip --yaml ./output/Velociraptor-Post-Process.yaml
-
-compileWindowsRules:
-	./velosigmac compile --config ./config/velociraptor_windows_rules.yaml --output ./output/Velociraptor-Windows-Rules.zip --yaml ./output/Velociraptor-Windows-Rules.yaml
-
 test: compile
 	go test -v ./...
 

diff --git a/config/velociraptor_linux_rules.yaml b/config/velociraptor_linux_rules.yaml
diff --git a/config/velociraptor_post_process.yaml b/config/velociraptor_post_process.yaml