Update main.yml #18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Run Atomic Test with Sysmon Monitoring | |
| on: [push] | |
| jobs: | |
| sysmon-atomic-test: | |
| runs-on: windows-latest | |
| name: Sysmon and Atomic Red Team Test | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - name: Install Sysmon | |
| shell: pwsh | |
| run: | | |
| Invoke-WebRequest -Uri "https://live.sysinternals.com/Sysmon64.exe" -OutFile "Sysmon64.exe" | |
| Invoke-WebRequest -Uri "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml" -OutFile "sysmonconfig.xml" | |
| .\Sysmon64.exe -accepteula -i sysmonconfig.xml | |
| - name: Install and Run Atomic Test | |
| shell: pwsh | |
| run: | | |
| # Install Atomic Red Team | |
| IEX (Invoke-WebRequest 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing); | |
| Install-AtomicRedTeam -getAtomics -Force | |
| # Define the path and message for the test | |
| $file_contents_path = "$Env:TEMP\test.bin" | |
| $message = "Hello from the Windows Command Prompt!" | |
| # Run Atomic Test T1059.003 - Test #2 | |
| Invoke-AtomicTest T1059.003 -TestNumbers 2 -InputArgs @{ "file_contents_path" = $file_contents_path; "message" = $message } | |
| # Output the results | |
| Write-Host "Contents of the file created by the test:" | |
| Get-Content -Path $file_contents_path | |
| - name: Retrieve Sysmon Logs | |
| shell: pwsh | |
| run: | | |
| # Fetch and display detailed Sysmon log entries | |
| Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 50 | ForEach-Object { | |
| Write-Host "`nEvent ID: $($_.Id)" | |
| Write-Host "Time Created: $($_.TimeCreated)" | |
| Write-Host "Message: $($_.Message)" | |
| } | |
| - name: Save Sysmon Logs to File | |
| shell: pwsh | |
| run: | | |
| Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 50 | ForEach-Object { | |
| "`nEvent ID: $($_.Id)" | |
| "Time Created: $($_.TimeCreated)" | |
| "Message: $($_.Message)" | |
| } | Out-File -FilePath sysmon_logs.txt | |
| - name: Upload Sysmon Logs as Artifact | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: sysmon-logs | |
| path: sysmon_logs.txt | |
| process-logs: | |
| needs: sysmon-atomic-test | |
| runs-on: ubuntu-latest | |
| name: Process Sysmon Logs | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - name: Download Sysmon Logs Artifact | |
| uses: actions/download-artifact@v2 | |
| with: | |
| name: sysmon-logs | |
| - name: Convert Sysmon Logs to WINLOGBEAT Format | |
| run: | | |
| cat sysmon_logs.txt | |
| python convert.py | |
| - name: Install jq | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y jq | |
| cat sysmon_logs.txt | |
| - name: Process WINLOGBEAT Format Logs with jq | |
| run: | | |
| cat winlogbeat_events.json | jq |