search

microsoft / AttackSurfaceAnalyzer

Attack Surface Analyzer can help you analyze your operating system's security configuration for changes during software installation.
MIT License
2.76k stars 281 forks source link

Add Weak Permissions Flags for Files/Registry/Processes #250

Open gfs opened 5 years ago

gfs commented 5 years ago

Bringing forward a feature from ASA Classic, we should report on weak ACLs on Files (executable types), Registry Keys (in Local Machine hive) and Processes (Windows has process ACLs)

Also useful for: COM Classes Named Pipes Services Memory Mapped Sections

BenOSIsoft commented 4 years ago

I'm really excited for this feature, and I've been evaluating this product for the past few weeks to see what all it could or could not identify not realizing this feature is open and will be in the next release. I was curious when this version is planned? As an aside, I didn't really see a lot on how the 'file filter' works. The current comparison scan seems to show all issues regardless if the issues were in both the before and after scans. I was curious if there is a filter setting to only show 'new' issues between the files?

Thanks for all of your work, and let me know if there is a better location to ask generic questions. I didn't feel this was quite a 'bug', but more so a feature enhancement possibly.

gfs commented 4 years ago

Thanks for your interest in ASA.

You can see we have a lot on our roadmap for 2.3. The current plan is to release in October. It is possible some of this work can be implemented using analysis rules only in which case that portion will be released in 2.2 as well. We are also open to any feedback on what you would consider to fit this rule or any other things you're interested in detecting.

If you have any suggestions or questions you can open them as a new generic issue below the template options.

It sounds like you want to specifically view only "Created" results and not Modified or Deleted. We currently don't have a mechanism to do that, but you can request it as a feature by opening a new issue.

The closest you can do now is create a custom analysis file with a default level lower and a rule for Created items that raises their importance. The Gui shows items in order of importance.

I'll post a sample analyses.json for you later today based on the default rules.

gfs commented 4 years ago

For detailed information on authoring rules: https://github.com/microsoft/AttackSurfaceAnalyzer/wiki/Authoring-Analysis-Rules

Feel free to open an issue separately if you have issues with the below and the wiki guidance.

Here's the snippet that will raise created items higher priority. This example is for File objects.

    {
      "Name":"Created Files",
      "Description":"Flag created files at a higher priority",
      "Flag":"INFORMATION",
      "ResultType":"FILE",
      "ChangeTypes": [
        "CREATED"
      ]
    }

And then you need to specify the default levels to be lower than you are flagging here:

"DefaultLevels": {
      "PORT": "INFORMATION",
      "FILE": "DEBUG",
      "SERVICE": "INFORMATION",
      "CERTIFICATE": "INFORMATION",
      "USER": "INFORMATION",
      "REGISTRY": "DEBUG",
      "FIREWALL": "INFORMATION",
      "COM": "INFORMATION",
      "LOG": "DEBUG"
  }

When you put it together with the current default rules you get:

{
  "Rules": [
    {
      "Name": "Privileged ports",
      "Description": "Flag when privileged ports are opened.",
      "Flag": "WARNING",
      "ResultType": "PORT",
      "Clauses": [
        {
          "Field": "port",
          "Operation": "LT",
          "Data": [
            "1024"
          ]
        }
      ]
    },
    {
      "Name": "Privileged users",
      "Description": "Flag when privileged users are modified.",
      "Flag": "WARNING",
      "ResultType": "USER",
      "Clauses": [
        {
          "Field": "Privileged",
          "Operation": "IS_TRUE"
        }
      ]
    },
    {
      "Name": "Hidden users",
      "Description": "Flag when hidden user accounts are modified.",
      "Flag": "WARNING",
      "ResultType": "USER",
      "Clauses": [
        {
          "Field": "Hidden",
          "Operation": "IS_TRUE"
        }
      ]
    },
    {
      "Name": "Unsigned binaries",
      "Description": "Flag when unsigned/incorrectly signed binaries are added.",
      "Flag": "WARNING",
      "ChangeTypes": [
        "CREATED",
        "MODIFIED"
      ],
      "ResultType": "FILE",
      "Expression": "is_exe AND NOT valid_windows_signature AND null_mac_signature",
      "Clauses": [
        {
          "Label": "is_exe",
          "Field": "IsExecutable",
          "Operation": "IS_TRUE"
        },
        {
          "Label": "valid_windows_signature",
          "Field": "SignatureStatus",
          "Operation": "NEQ",
          "Data": [
            "Valid"
          ]
        },
        {
          "Label": "null_mac_signature",
          "Field": "MacSignatureStatus",
          "Operation": "IS_NULL"
        }
      ]
    },
    {
      "Name": "SetUid",
      "Description": "Flag UID is set on a file.",
      "Flag": "WARNING",
      "Platforms": [
        "LINUX",
        "MACOS"
      ],
      "ChangeTypes": [
        "CREATED",
        "MODIFIED"
      ],
      "ResultType": "FILE",
      "Clauses": [
        {
          "Field": "SetUid",
          "Operation": "IS_TRUE"
        }
      ]
    },
    {
      "Name": "SetGid",
      "Description": "Flag GID is set on a file.",
      "Flag": "WARNING",
      "Platforms": [
        "LINUX",
        "MACOS"
      ],
      "ChangeTypes": [
        "CREATED",
        "MODIFIED"
      ],
      "ResultType": "FILE",
      "Clauses": [
        {
          "Field": "SetGid",
          "Operation": "IS_TRUE"
        }
      ]
    },
    {
      "Name": "Missing ASLR",
      "Description": "Flag when executables are created without ASLR.",
      "Flag": "WARNING",
      "Platforms": [
        "WINDOWS"
      ],
      "ChangeTypes": [
        "CREATED",
        "MODIFIED"
      ],
      "ResultType": "FILE",
      "Expression": "EXE AND NOT ASLR",
      "Clauses": [
        {
          "Label": "EXE",
          "Field": "IsExecutable",
          "Operation": "IS_TRUE"
        },
        {
          "Label": "ASLR",
          "Field": "Characteristics",
          "Operation": "CONTAINS",
          "Data": [
            "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
            "IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA"
          ]
        }
      ]
    },
    {
      "Name": "Missing DEP",
      "Description": "Flag when executables are created without DEP.",
      "Flag": "WARNING",
      "Platforms": [
        "WINDOWS"
      ],
      "ChangeTypes": [
        "CREATED",
        "MODIFIED"
      ],
      "ResultType": "FILE",
      "Expression": "EXE AND NOT DEP",
      "Clauses": [
        {
          "Label": "EXE",
          "Field": "IsExecutable",
          "Operation": "IS_TRUE"
        },
        {
          "Label": "DEP",
          "Field": "Characteristics",
          "Operation": "CONTAINS",
          "Data": [
            "IMAGE_DLLCHARACTERISTICS_NX_COMPAT"
          ]
        }
      ]
    },
    {
      "Name": "Missing Signed Enforcement",
      "Description": "Flag when executables are signed binaries are created without Force Integrity Flag.",
      "Flag": "INFORMATION",
      "Platforms": [
        "WINDOWS"
      ],
      "ChangeTypes": [
        "CREATED",
        "MODIFIED"
      ],
      "ResultType": "FILE",
      "Expression": "EXE AND SIGNED AND NOT INTEGRITYFLAG",
      "Clauses": [
        {
          "Label": "EXE",
          "Field": "IsExecutable",
          "Operation": "IS_TRUE"
        },
        {
          "Label": "SIGNED",
          "Field": "SignatureStatus",
          "Operation": "IS_TRUE"
        },
        {
          "Label": "INTEGRITYFLAG",
          "Field": "Characteristics",
          "Operation": "CONTAINS",
          "Data": [
            "IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY"
          ]
        }
      ]
    },
    {
      "Name": "Certificates",
      "Description": "Flag when certificates are placed on disk.",
      "Flag": "INFORMATION",
      "ResultType": "FILE",
      "Clauses": [
        {
          "Field": "Path",
          "Operation": "ENDS_WITH",
          "Data": [
            ".cer",
            ".der",
            ".crt"
          ]
        }
      ]
    },
    {
      "Name": "UPNP Ports",
      "Description": "Universal Plug n' Play.",
      "Flag": "INFORMATION",
      "ResultType": "PORT",
      "Clauses": [
        {
          "Field": "port",
          "Operation": "EQ",
          "Data": [
            "1900"
          ]
        }
      ]
    },
    {
      "Name": "Keystore Files",
      "Description": "Java keystore files contain encryption keys and certificates.",
      "Flag": "INFORMATION",
      "ResultType": "FILE",
      "Clauses": [
        {
          "Field": "Path",
          "Operation": "ENDS_WITH",
          "Data": [
            ".keystore"
          ]
        }
      ]
    },
    {
      "Name": "Firewall Settings Modified",
      "Description": "Flag when OS X firewall settings are modified.",
      "Flag": "INFORMATION",
      "Platforms": [
        "MACOS"
      ],
      "ResultType": "FILE",
      "Clauses": [
        {
          "Field": "Path",
          "Operation": "EQ",
          "Data": [
            "/Library/Preferences/com.apple.alf.plist"
          ]
        }
      ]
    },
    {
      "Name": "COM Objects Modified",
      "Description": "Flags when a COM Object has been Added, Removed or Modified.",
      "Flag": "INFORMATION",
      "Platforms": [
        "WINDOWS"
      ],
      "ResultType": "REGISTRY",
      "Clauses": [
        {
          "Field": "KEY",
          "Operation": "CONTAINS",
          "Data": [
            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID"
          ]
        }
      ]
    },
    {
      "Name": "Weak Permissions on UID Binaries",
      "Description": "Flags if a binary is Executable by everyone but has SETUID.",
      "Flag": "WARNING",
      "Platforms": [
        "LINUX",
        "MACOS"
      ],
      "ResultType": "FILE",
      "Clauses": [
        {
          "Field": "IsExecutable",
          "Operation": "IS_TRUE"
        },
        {
          "Field": "SetUid",
          "Operation": "IS_TRUE"
        },
        {
          "Field": "Permissions",
          "Operation": "CONTAINS",
          "DictData": [
            {
              "Key": "Other",
              "Value": "Execute"
            }
          ]
        }
      ]
    },
    {
      "Name": "Weak Permissions on GID Binaries",
      "Description": "Flags if a binary is Executable by everyone but has SETGID.",
      "Flag": "WARNING",
      "Platforms": [
        "LINUX",
        "MACOS"
      ],
      "ResultType": "FILE",
      "Clauses": [
        {
          "Field": "IsExecutable",
          "Operation": "IS_TRUE"
        },
        {
          "Field": "SetGid",
          "Operation": "IS_TRUE"
        },
        {
          "Field": "Permissions",
          "Operation": "CONTAINS",
          "DictData": [
            {
              "Key": "Other",
              "Value": "Execute"
            }
          ]
        }
      ]
    },
    {
      "Name": "SIP Violation",
      "Description": "Flags if System Integrity Protection prevented an action.",
      "Flag": "WARNING",
      "Platforms": [
        "MACOS"
      ],
      "ResultType": "LOG",
      "Clauses": [
        {
          "Field": "Summary",
          "Operation": "CONTAINS",
          "Data": [ "sandbox" ]
        }
      ]
    },
    {
      "Name": "Signatory Change",
      "Description": "Flag when the signatory of an executable changes.",
      "Flag": "WARNING",
      "Platforms": [
        "WINDOWS"
      ],
      "ChangeTypes": [
        "MODIFIED"
      ],
      "ResultType": "FILE",
      "Clauses": [
        {
          "Field": "SignatureStatus.SigningCertificate.Issuer",
          "Operation": "WAS_MODIFIED"
        }
      ]
    },
    {
      "Name": "Modified Items in Program Files",
      "Description": "Flag when the a file is modified in Program files.",
      "Flag": "INFORMATION",
      "Platforms": [
        "WINDOWS"
      ],
      "ChangeTypes": [
        "MODIFIED"
      ],
      "ResultType": "FILE",
      "Clauses": [
        {
          "Field": "Path",
          "Operation": "REGEX",
          "Data": [
            "[A-Z]:\\\\Program Files\\\\",
            "[A-Z]:\\\\Program Files \\(x86\\)\\\\"
          ]
        }
      ]
    },
    {
      "Name": "Modified Items in System Files",
      "Description": "Flag when the a file is modified in System files.",
      "Flag": "WARNING",
      "Platforms": [
        "WINDOWS"
      ],
      "ChangeTypes": [
        "MODIFIED"
      ],
      "ResultType": "FILE",
      "Expression": "0 AND NOT 1",
      "Clauses": [
        {
          "Label": "0",
          "Field": "Path",
          "Operation": "REGEX",
          "Data": [ "[A-Z]:\\\\Windows\\\\" ]
        },
        {
          "Label": "1",
          "Field": "PATH",
          "Operation": "REGEX",
          "Data": [
            "[A-Z]:\\+Windows\\+appcompat\\+Programs\\+.*",
            "[A-Z]:\\+Windows\\+AppReadiness\\+.*",
            "[A-Z]:\\+Windows\\+Logs\\+waasmedia\\+.*",
            "[A-Z]:\\+Windows\\+ServiceProfiles\\+LocalService\\+.*",
            "[A-Z]:\\+Windows\\+ServiceProfiles\\+NetworkService\\+.*",
            "[A-Z]:\\+Windows\\+System32\\+catroot2\\+.*",
            "[A-Z]:\\+Windows\\+System32\\+config\\+.*",
            "[A-Z]:\\+Windows\\+System32\\+LogFiles\\+.*",
            "[A-Z]:\\+Windows\\+System32\\+SleepStudy\\+.*",
            "[A-Z]:\\+Windows\\+System32\\+sru\\+.*",
            "[A-Z]:\\+Windows\\+System32\\+winevt\\+.*",
            "[A-Z]:\\+Windows\\+(SysWOW64|System32)\\+Windows\\.Security\\.Authentication\\.Identity\\.Provider\\.dll"
          ]
        }
      ]
    },
    {
      "Name": "Frequently attacked binaries",
      "Description": "List from GTFOBINS.",
      "Flag": "WARNING",
      "Platforms": [
        "LINUX",
        "MACOS"
      ],
      "ResultType": "FILE",
      "Expression": "0 AND 1",
      "Clauses": [
        {
          "Label": "0",
          "Field": "Path",
          "Operation": "REGEX",
          "Data": [
            "\/apt-get^",
            "\/apt^",
            "\/aria2c^",
            "\/arp^",
            "\/ash^",
            "\/awk^",
            "\/base32^",
            "\/base64^",
            "\/bash^",
            "\/bpftrace^",
            "\/bundler^",
            "\/busctl^",
            "\/busybox^",
            "\/byebug^",
            "\/cancel^",
            "\/cat^",
            "\/chmod^",
            "\/chown^",
            "\/chroot^",
            "\/cobc^",
            "\/cp^",
            "\/cpan^",
            "\/cpulimit^",
            "\/crash^",
            "\/crontab^",
            "\/crash^",
            "\/curl^",
            "\/cut^",
            "\/dash^",
            "\/date^",
            "\/dd^",
            "\/dialog^",
            "\/diff^",
            "\/dmesg^",
            "\/dmsetup^",
            "\/dnf^",
            "\/docker^",
            "\/dpkg^",
            "\/easy_install^",
            "\/eb^",
            "\/ed^",
            "\/emacs^",
            "\/env^",
            "\/eqn^",
            "\/expand^",
            "\/expect^",
            "\/facter^",
            "\/file^",
            "\/find^",
            "\/finger^",
            "\/flock^",
            "\/fmt^",
            "\/fold^",
            "\/ftp^",
            "\/gawk^",
            "\/gcc^",
            "\/gdb^",
            "\/gem^",
            "\/genisoimage^",
            "\/gimp^",
            "\/git^",
            "\/grep^",
            "\/gtester^",
            "\/hd^",
            "\/head^",
            "\/hexdump^",
            "\/gighlight^",
            "\/iconv^",
            "\/iftop^",
            "\/ionice^",
            "\/iftopirb^",
            "\/jjs^",
            "\/journalctl^",
            "\/jq^",
            "\/jrunscript^",
            "\/ksh^",
            "\/ksshell^",
            "\/ld.so^",
            "\/ldconfig^",
            "\/less^",
            "\/logsave^",
            "\/look^",
            "\/ltrace^",
            "\/lua^",
            "\/lwp-download^",
            "\/lwp-request^",
            "\/mail^",
            "\/make^",
            "\/man^",
            "\/mawk^",
            "\/more^",
            "\/mount^",
            "\/mtr^",
            "\/mv^",
            "\/mysql^",
            "\/nano^",
            "\/nawk^",
            "\/nc^",
            "\/nice^",
            "\/nl^",
            "\/nmap^",
            "\/node^",
            "\/nohup^",
            "\/nroff^",
            "\/nsenter^",
            "\/od^",
            "\/openssl^",
            "\/pdb^",
            "\/perl^",
            "\/pg^",
            "\/php^",
            "\/pic^",
            "\/pico^",
            "\/pip^",
            "\/pry^",
            "\/puppet^",
            "\/python^",
            "\/rake^",
            "\/readelf^",
            "\/red^",
            "\/redcarpet^",
            "\/rlogin^",
            "\/rlwrap^",
            "\/rpm^",
            "\/rpmquery^",
            "\/rsync^",
            "\/ruby^",
            "\/run-mailcap^",
            "\/run-parts^",
            "\/rvim^",
            "\/scp^",
            "\/screen^",
            "\/script^",
            "\/sed^",
            "\/service^",
            "\/setarch^",
            "\/sftp^",
            "\/shuf^",
            "\/smbclient^",
            "\/socat^",
            "\/soelim^",
            "\/sort^",
            "\/sqlite3^",
            "\/ssh^",
            "\/start-stop-daemon^",
            "\/stdbuf^",
            "\/strace^",
            "\/strings^",
            "\/systemctl^",
            "\/tac^",
            "\/tail^",
            "\/tar^",
            "\/taskset^",
            "\/tclsh^",
            "\/tcpdump^",
            "\/tee^",
            "\/telnet^",
            "\/tftp^",
            "\/time^",
            "\/timeout^",
            "\/tmux^",
            "\/top^",
            "\/ul^",
            "\/unexpand^",
            "\/uniq^",
            "\/unshare^",
            "\/uudecode^",
            "\/uuencode^",
            "\/valgrind^",
            "\/vi^",
            "\/vim^",
            "\/watch^",
            "\/wget^",
            "\/whois^",
            "\/wish^",
            "\/xargs^",
            "\/xxd^",
            "\/yelp^",
            "\/yum^",
            "\/zip^",
            "\/zsh^",
            "\/zsoelim^",
            "\/zypper^"
          ]
        },
        {
          "Label": "1",
          "Field": "IsExecutable",
          "Operation": "IS_TRUE"
        }
      ]
    },
    {
      "Name": "Modified Services",
      "Description": "Flag when a startup item is modified.",
      "Flag": "WARNING",
      "ChangeTypes": [
        "MODIFIED"
      ],
      "ResultType": "SERVICE"
    },
    {
      "Name": "Modified Hosts File",
      "Description": "Flag when the hosts file is modified.",
      "Flag": "WARNING",
      "ChangeTypes": [
        "MODIFIED"
      ],
      "ResultType": "FILE",
      "Expression": "WINDOWS OR NIX",
      "Clauses": [
        {
          "Label": "WINDOWS",
          "Field": "Path",
          "Operation": "REGEX",
          "Data": [
            "[A-Z]:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts"
          ]
        },
        {
          "Label": "NIX",
          "Field": "Path",
          "Operation": "EQ",
          "Data": [
            "/etc/hosts"
          ]
        }
      ]
    },
    {
      "Name": "Signed File was modified",
      "Description": "A signed file was modified.",
      "Flag": "WARNING",
      "ChangeTypes": [
        "MODIFIED"
      ],
      "ResultType": "FILE",
      "Expression": "is_exe AND (windows OR NOT macos_null)",
      "Clauses": [
        {
          "Label": "is_exe",
          "Field": "IsExecutable",
          "Operation": "IS_TRUE"
        },
        {
          "Label": "windows",
          "Field": "SignatureStatus",
          "Operation": "EQ",
          "Data": [
            "Valid"
          ]
        },
        {
          "Label": "macos_null",
          "Field": "MacSignatureStatus",
          "Operation": "IS_NULL"
        }
      ]
    },
    {
      "Name": "Files Frequently Modified by Windows",
      "Description": "These files are frequently modified by the system itself.",
      "Flag": "VERBOSE",
      "Platforms": [
        "WINDOWS"
      ],
      "ResultType": "FILE",
      "Clauses": [
        {
          "Field": "Path",
          "Operation": "REGEX",
          "Data": [
            "[A-Z]:\\+ProgramData\\+Microsoft\\+DiagnosticLogCSP\\+.*",
            "[A-Z]:\\+ProgramData\\+Microsoft\\+SmsRouter\\+MessageStore\\+.*",
            "[A-Z]:\\+ProgramData\\+Microsoft\\+Windows\\+AppRepository\\+.*",
            "[A-Z]:\\+ProgramData\\+USOShared\\+Logs\\+System\\+.*",
            "[A-Z]:\\+Windows\\+appcompat\\+Programs\\+.*",
            "[A-Z]:\\+Windows\\+AppReadiness\\+.*",
            "[A-Z]:\\+Windows\\+Logs\\+waasmedia\\+.*",
            "[A-Z]:\\+Windows\\+ServiceProfiles\\+LocalService\\+.*",
            "[A-Z]:\\+Windows\\+ServiceProfiles\\+NetworkService\\+.*",
            "[A-Z]:\\+Windows\\+System32\\+catroot2\\+.*",
            "[A-Z]:\\+Windows\\+System32\\+config\\+.*",
            "[A-Z]:\\+Windows\\+System32\\+LogFiles\\+.*",
            "[A-Z]:\\+Windows\\+System32\\+SleepStudy\\+.*",
            "[A-Z]:\\+Windows\\+System32\\+sru\\+.*",
            "[A-Z]:\\+Windows\\+System32\\+winevt\\+.*",
            "[A-Z]:\\+Windows\\+(SysWOW64|System32)\\+Windows\\.Security\\.Authentication\\.Identity\\.Provider\\.dll",
            "[A-Z]:\\+Users\\+[^\\[:;|=,+*?<>\"\\\\]+\\+AppData\\+Local\\+ConnectedDevicesPlatform\\+.*",
            "[A-Z]:\\+Users\\+[^\\[:;|=,+*?<>\"\\\\]+\\+AppData\\+Local\\+Packages\\+Microsoft.Windows.Search_.*",
            "[A-Z]:\\+Users\\+[^\\[:;|=,+*?<>\"\\\\]+\\+AppData\\+Local\\+Temp\\+StructuredQuery\\.log",
            "[A-Z]:\\+Users\\+[^\\[:;|=,+*?<>\"\\\\]+\\+AppData\\+Roaming\\+Microsoft\\+Windows\\+Recent\\+.*",
            "[A-Z]:\\+Users\\+[^\\[:;|=,+*?<>\"\\\\]+\\+ntuser\\.dat\\..*",
            "^[A-Z]:\\\\pagefile.sys$",
            "^[A-Z]:\\\\hiberfil.sys$",
            "^[A-Z]:\\\\swapfile.sys$"
          ]
        }
      ]
    },
    {
      "Name": "Registry Keys Frequently Modified by Windows",
      "Description": "These registry keys are frequently modified by the system itself.",
      "Flag": "VERBOSE",
      "Platforms": [
        "WINDOWS"
      ],
      "ResultType": "REGISTRY",
      "Clauses": [
        {
          "Field": "Key",
          "Operation": "REGEX",
          "Data": [
            "MrtCache"
          ]
        }
      ]
    },
    {
      "Name": "Files Frequently Modified by Macos",
      "Description": "These files are frequently modified by the system itself.",
      "Flag": "VERBOSE",
      "Platforms": [
        "MACOS"
      ],
      "ResultType": "REGISTRY",
      "Clauses": [
        {
          "Field": "Key",
          "Operation": "REGEX",
          "Data": [
            "^/.Spotlight-V100"
          ]
        }
      ]
    },
    {
      "Name": "LOLBAS List",
      "Description": "This is the LOLBAS items which are not included in the other system file rules.",
      "Flag": "WARNING",
      "Platforms": [
        "WINDOWS"
      ],
      "ResultType": "FILE",
      "Clauses": [
        {
          "Operation": "IS_TRUE",
          "Field": "IsExecutable"
        },
        {
          "Field": "Path",
          "Operation": "ENDS_WITH",
          "Data": [
            "\\Bginfo.exe",
            "\\dnx.exe",
            "\\msxsl.exe",
            "\\rcsi.exe",
            "\\Microsoft\\Teams\\current\\Squirrel.exe",
            "\\te.exe",
            "\\Tracker.exe",
            "\\Microsoft\\Teams\\update.exe"
          ]
        }
      ]
    },
    {
      "Name": "Expired Certificates",
      "Description": "These Certificates are expired.",
      "Flag": "WARNING",
      "ResultType": "CERTIFICATE",
      "ChangeTypes": [
        "MODIFIED",
        "CREATED"
      ],
      "Clauses": [
        {
          "Field": "Certificate.NotAfter",
          "Operation": "IS_EXPIRED"
        }
      ]
    },
    {
      "Name": "Binaries with expired signatures",
      "Description": "These binaries have expired signatures.",
      "Flag": "WARNING",
      "ResultType": "FILE",
      "ChangeTypes": [
        "MODIFIED",
        "CREATED"
      ],
      "Clauses": [
        {
          "Field": "SignatureStatus.SigningCertificate.NotAfter",
          "Operation": "IS_EXPIRED"
        }
      ]
    },
    {
      "Name": "TPM Keys",
      "Description": "These TPM Keys have been changed.",
      "Flag": "WARNING",
      "ResultType": "FILE",
      "Platforms": [
        "WINDOWS"
      ],
      "Clauses": [
        {
          "Field": "Path",
          "Operation": "ENDS_WITH",
          "Data": [
            ".PCPKEY"
          ]
        }
      ]
    },
    {
      "Name":"Created Files",
      "Description":"Flag created files at a higher priority",
      "Flag":"INFORMATION",
      "ResultType":"FILE",
      "ChangeTypes": [
        "CREATED"
      ]
    }
  ],
  "DefaultLevels": {
      "PORT": "INFORMATION",
      "FILE": "DEBUG",
      "SERVICE": "INFORMATION",
      "CERTIFICATE": "INFORMATION",
      "USER": "INFORMATION",
      "REGISTRY": "DEBUG",
      "FIREWALL": "INFORMATION",
      "COM": "INFORMATION",
      "LOG": "DEBUG"
  }
}
gfs commented 4 years ago

To add further clarification.

All the findings you see should represent actual changes, either the addition of something in the second snapshot, the modification of something that existed in both snapshots or the deletion of something that only existed in the first snapshot.

No-op (for example, file existed, file continues to exist unchanged) are not reported at all in the analysis, so all issues you see should be related to an actual system change.