Windows.Audit.CISCat_Lite :: Velociraptor

Windows.Audit.CISCat_Lite

This artifact runs the CISCat-Lite tool on the target machine and uploads the html output on the velociraptor server.

CIS-CAT Lite is a free tool from the Center for Internet Security that helps in assessing and improving IT security configurations. It enables unlimited system scans, provides compliance scores, and offers remediation steps based on CIS Benchmarks. This tool is useful for organizations seeking to enhance their technology security.

The artifact has been configured to perform a standard scan of a Windows 10 Enterprise machine. To select the baseline and profiles, execute the command “.\Assessor-CLI.bat -i”


name: Windows.Audit.CISCat_Lite
description: |
  This artifact runs the CISCat-Lite tool on the target machine and uploads the html output on the velociraptor server.
  
  CIS-CAT Lite is a free tool from the Center for Internet Security that helps in assessing and improving IT security configurations. 
  It enables unlimited system scans, provides compliance scores, and offers remediation steps based on CIS Benchmarks. 
  This tool is useful for organizations seeking to enhance their technology security.
 
  The artifact has been configured to perform a standard scan of a Windows 10 Enterprise machine. 
  To select the baseline and profiles, execute the command ".\Assessor-CLI.bat -i"
type: CLIENT

author: Antonio Blescia (TheThMando)

parameters:
  - name: BaselinePath
    default: "./benchmarks/CIS_Microsoft_Windows_10_Enterprise_Benchmark_v3.0.0-xccdf.xml"
  - name: ProfileName
    default: "Level 1 (L1) - Corporate/Enterprise Environment (general use)"

tools:
  - name: CISCat_Lite
    url: https://workbench.cisecurity.org/api/vendor/v1/cis-cat/lite/latest

sources:
  - precondition: SELECT OS From info() where OS = 'windows'

    query: |
      -- Generate the temp dir
      LET TmpDir <= tempdir(remove_last=true)
      -- Upload the CISCat_Lite tool on the host
      LET Toolzip <= SELECT OSPath
        FROM Artifact.Generic.Utils.FetchBinary(ToolName="CISCat_Lite",
                                                IsExecutable=FALSE)
      -- Extract the CISCat_Lite tool zip
      LET _ <= SELECT *
        FROM unzip(filename=Toolzip.OSPath, output_directory=TmpDir, type="zip")
     
      -- Generate the absolute path that points the the extracted tool location  
      LET CISCatPath = path_join(
          components=[TmpDir, 'Assessor', 'Assessor-CLI.bat'],
          path_type='windows')
          
      -- Run the command     
      LET _ <= SELECT *
        FROM execve(argv=[CISCatPath, "-b", BaselinePath, '-p', ProfileName])

      SELECT * 
         FROM foreach( row={
             SELECT OSPath
             FROM glob(
                 globs='/Assessor/reports/*.html', root=TmpDir)
             WHERE NOT IsDir
         }, query={
              SELECT OSPath, upload(file=OSPath) AS Upload
              FROM scope()
         })