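---
# CI for the Sysmon configuration files in this repository.
#
# Each job installs Sysmon with one of the shipped configs on a fresh
# Windows runner and then fails if the Sysmon event logs hold more
# records than the per-config threshold, i.e. if the config is noisier
# than intended. `busySystem` additionally generates user activity before
# counting, so its threshold is higher.
name: CI

# Least privilege for the default GITHUB_TOKEN: the jobs only read the
# checked-out repository; they never push, comment or publish.
permissions:
  contents: read

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it.
# yamllint disable-line rule:truthy
on:
  # Trigger the workflow on push or pull requests, but only for the
  # main branch
  # push:
  #   branches:
  #     - master
  pull_request:
    branches:
      - master
  workflow_dispatch:

jobs:
  msbuild:
    runs-on: 'windows-latest'
    steps:
      - name: Checkout sysmon-config
        # NOTE(review): `v3` is a mutable tag; pinning to a full commit SHA
        # protects against the tag being re-pointed upstream.
        uses: actions/checkout@v3
      - name: Download Sysmon
        # Fetch over HTTPS (not HTTP) so the binary cannot be swapped in
        # transit, then verify the Authenticode signature before the next
        # step installs it as a kernel driver. Sysinternals binaries are
        # signed by Microsoft Corporation.
        run: |
          Invoke-WebRequest https://live.sysinternals.com/tools/sysmon.exe -OutFile .\sysmon.exe
          $sig = Get-AuthenticodeSignature .\sysmon.exe
          if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft Corporation*') {
            throw "sysmon.exe signature check failed: $($sig.Status)"
          }
        shell: powershell
      - name: Run Sysmon
        run: .\sysmon.exe -accepteula -i sysmonconfig-export.xml
        shell: powershell
      - name: Check Eventcount
        # Sum RecordCount over every Sysmon log; more than 100 records on an
        # idle runner means the export config is too noisy.
        run: |
          $EventCount = 0
          Get-WinEvent -ListLog Microsoft-Windows-Sysmon* | Where-Object { $_.RecordCount -gt 0 } | ForEach-Object { $EventCount += $_.RecordCount }
          "Eventcount: " + $EventCount
          if ($EventCount -gt 100) { Write-Output "Too many events"; $host.SetShouldExit(1) }
        shell: powershell

  msbuild-trace:
    runs-on: 'windows-latest'
    steps:
      - name: Checkout sysmon-config
        # NOTE(review): mutable tag; pin to a full commit SHA.
        uses: actions/checkout@v3
      - name: Download Sysmon
        # HTTPS download plus Authenticode check before installation.
        run: |
          Invoke-WebRequest https://live.sysinternals.com/tools/sysmon.exe -OutFile .\sysmon.exe
          $sig = Get-AuthenticodeSignature .\sysmon.exe
          if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft Corporation*') {
            throw "sysmon.exe signature check failed: $($sig.Status)"
          }
        shell: powershell
      - name: Run Sysmon
        run: .\sysmon.exe -accepteula -i sysmonconfig-trace.xml
        shell: powershell
      - name: Check Eventcount
        # The trace config is deliberately verbose, hence the 15000 ceiling.
        run: |
          $EventCount = 0
          Get-WinEvent -ListLog Microsoft-Windows-Sysmon* | Where-Object { $_.RecordCount -gt 0 } | ForEach-Object { $EventCount += $_.RecordCount }
          "Eventcount: " + $EventCount
          if ($EventCount -gt 15000) { Write-Output "Too many events"; $host.SetShouldExit(1) }
        shell: powershell

  msbuild-block:
    runs-on: 'windows-latest'
    steps:
      - name: Checkout sysmon-config
        # NOTE(review): mutable tag; pin to a full commit SHA.
        uses: actions/checkout@v3
      - name: Download Sysmon
        # HTTPS download plus Authenticode check before installation.
        run: |
          Invoke-WebRequest https://live.sysinternals.com/tools/sysmon.exe -OutFile .\sysmon.exe
          $sig = Get-AuthenticodeSignature .\sysmon.exe
          if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft Corporation*') {
            throw "sysmon.exe signature check failed: $($sig.Status)"
          }
        shell: powershell
      - name: Run Sysmon
        run: .\sysmon.exe -accepteula -i sysmonconfig-export-block.xml
        shell: powershell
      - name: Check Eventcount
        # Same 100-record ceiling as the plain export config.
        run: |
          $EventCount = 0
          Get-WinEvent -ListLog Microsoft-Windows-Sysmon* | Where-Object { $_.RecordCount -gt 0 } | ForEach-Object { $EventCount += $_.RecordCount }
          "Eventcount: " + $EventCount
          if ($EventCount -gt 100) { Write-Output "Too many events"; $host.SetShouldExit(1) }
        shell: powershell

  busySystem:
    runs-on: 'windows-latest'
    steps:
      - name: Checkout sysmon-config
        # NOTE(review): mutable tag; pin to a full commit SHA.
        uses: actions/checkout@v3
      - name: Download Sysmon
        # HTTPS download plus Authenticode check before installation.
        run: |
          Invoke-WebRequest https://live.sysinternals.com/tools/sysmon.exe -OutFile .\sysmon.exe
          $sig = Get-AuthenticodeSignature .\sysmon.exe
          if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft Corporation*') {
            throw "sysmon.exe signature check failed: $($sig.Status)"
          }
        shell: powershell
      - name: Run Sysmon
        run: .\sysmon.exe -accepteula -i sysmonconfig-export.xml
        shell: powershell
      - name: Print Eventcount
        # Baseline per-log record counts before any activity is generated.
        run: Get-WinEvent -ListLog Microsoft-Windows-Sysmon*
        shell: powershell
      - name: Install some Choco Packages
        # `-y` makes the confirmation explicit so the step cannot hang on a
        # prompt in the non-interactive runner.
        run: choco install -y ninja adobereader googlechrome firefox nodejs
        shell: powershell
      - name: Download User Sim
        # NOTE(review): this fetches an executable from a third-party
        # repository's moving `latest` release with no integrity check and
        # then runs it on the runner. TODO: pin to a fixed release and verify
        # its published SHA-256 (Get-FileHash) before the Run User Sim step.
        run: Invoke-WebRequest https://github.com/humpalum/sim-user/releases/download/latest/5minuser.exe -OutFile .\5minuser.exe
        shell: powershell
      - name: Run User Sim
        # Generates about five minutes of simulated user activity so the
        # event count below reflects a busy system rather than an idle one.
        run: .\5minuser.exe
        shell: powershell
      - name: Check Eventcount
        # Higher 10000 ceiling because the user simulation generates load.
        run: |
          $EventCount = 0
          Get-WinEvent -ListLog Microsoft-Windows-Sysmon* | Where-Object { $_.RecordCount -gt 0 } | ForEach-Object { $EventCount += $_.RecordCount }
          "Eventcount: " + $EventCount
          if ($EventCount -gt 10000) { Write-Output "Too many events"; $host.SetShouldExit(1) }
        shell: powershell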