Add new rule to detect changes to TPM Keys on Windows

microsoft · Apr 22, 2020 · 8b0ce20 · 8b0ce20
1 parent 106685c
commit 8b0ce20
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 52 deletions.
diff --git a/.github/ISSUE_TEMPLATE/rule.md b/.github/ISSUE_TEMPLATE/rule.md
@@ -0,0 +1,17 @@
+---
+name: Filter Request or Submission
+about: Request a filter be added to the default ruleset
+title: 
+labels: filters
+assignees: ''
+
+---
+**What does this rule detect?**
+
+**Why should this rule be added?**
+
+**Does this require the addition of a new [operation](https://microsoft.github.io/AttackSurfaceAnalyzer/api/AttackSurfaceAnalyzer.Types.OPERATION.html) to the parser?**
+
+If so, this should be filed as an feature request.
+
+**Rule Json (optional)**
diff --git a/Pipelines/pr-validation.yml b/Pipelines/pr-validation.yml
@@ -16,6 +16,7 @@ pr:
     - Tests
     - Benchmarks
     - Pipelines
+    - analyses.json
 
 variables:
   solution: '**/*.sln'

diff --git a/Pipelines/release.yml b/Pipelines/release.yml
@@ -8,6 +8,7 @@ trigger:
     - Cli
     - Lib
     - Pipelines
+    - analyses.json
   branches:
     include:
     - release/v2.*

diff --git a/analyses.json b/analyses.json
@@ -840,6 +840,24 @@
           "Operation": "IS_EXPIRED"
         }
       ]
+    },
+    {
+      "Name": "TPM Keys",
+      "Description": "These TPM Keys have been changed.",
+      "Flag": "WARNING",
+      "ResultType": "FILE",
+      "Platforms": [
+        "WINDOWS"
+      ],
+      "Clauses": [
+        {
+          "Field": "Path",
+          "Operation": "ENDS_WITH",
+          "Data": [
+            ".PCPKEY"
+          ]
+        }
+      ]
     }
   ],
   "DefaultLevels": {

diff --git a/filters.json b/filters.json