Windows.Audit.CISCat_Lite :: Velociraptor

Windows.Audit.CISCat_Lite

This artifact runs the CISCat-Lite tool on the target machine and uploads the html output on the velociraptor server.

CIS-CAT Lite is a free tool from the Center for Internet Security that helps in assessing and improving IT security configurations. It enables unlimited system scans, provides compliance scores, and offers remediation steps based on CIS Benchmarks. This tool is useful for organizations seeking to enhance their technology security.

The artifact has been configured to perform a standard scan of a Windows 10 Enterprise machine. To select the baseline and profiles, execute the command “.\Assessor-CLI.bat -i”


name: Windows.Audit.CISCat_Lite
description: |
  This artifact runs the CISCat-Lite tool on the target machine and
  uploads the html output on the velociraptor server.

  CIS-CAT Lite is a free tool from the Center for Internet Security
  that helps in assessing and improving IT security configurations.
  It enables unlimited system scans, provides compliance scores, and
  offers remediation steps based on CIS Benchmarks.  This tool is
  useful for organizations seeking to enhance their technology
  security.

  The artifact has been configured to perform a standard scan of a
  Windows 10 Enterprise machine.  To select the baseline and profiles,
  execute the command ".\Assessor-CLI.bat -i"
type: CLIENT

author: Antonio Blescia (TheThMando)

implied_permissions:
 - EXECVE
 - FILESYSTEM_WRITE

parameters:
  - name: BaselinePath
    default: "./Assessor/benchmarks/CIS_Microsoft_Windows_10_Enterprise_Benchmark_v4.0.0-xccdf.xml"
  - name: ProfileName
    default: "Level 1 (L1)"

tools:
  - name: CISCat_Lite
    url: https://workbench.cisecurity.org/api/vendor/v1/cis-cat/lite/latest

sources:
  - name: CISOutput
    query: |
      -- Generate the temp dir
      LET TmpDir <= tempdir(remove_last=true)
      -- Upload the CISCat_Lite tool on the host
      LET Toolzip <= SELECT OSPath
        FROM Artifact.Generic.Utils.FetchBinary(ToolName="CISCat_Lite",
                                                IsExecutable=FALSE)
      -- Extract the CISCat_Lite tool zip
      LET _ <= SELECT *
        FROM unzip(filename=Toolzip.OSPath, output_directory=TmpDir, type="zip")
        WHERE FALSE

      -- Generate the absolute path that points the the extracted tool location
      LET CISCatPath = path_join(
          components=[TmpDir, 'Assessor', 'Assessor-CLI.bat'],
          path_type='windows')

      -- Run the command
      SELECT *
      FROM execve(argv=[CISCatPath, "-b", path_join(components=[TmpDir, BaselinePath]), '-p', ProfileName])

  - query: |
      SELECT *
         FROM foreach( row={
             SELECT OSPath
             FROM glob(
                 globs='/Assessor/reports/*.html', root=TmpDir)
             WHERE NOT IsDir
         }, query={
              SELECT OSPath, upload(file=OSPath) AS Upload
              FROM scope()
         })