Added a searchable rules index for the site (Velocidex#11)

Author: scudette

.github/workflows/gh-pages.yml

@@ -8,16 +8,16 @@ on:
 
 jobs:
   deploy:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           submodules: true  # Fetch Hugo themes (true OR recursive)
           fetch-depth: 0    # Fetch all history for .GitInfo and .Lastmod
 
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
         with:
-          go-version: '^1.20'
+          go-version: '^1.23'
 
       - run: go version
 
@@ -41,3 +41,4 @@ jobs:
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./docs/public
+          force_orphan: true

.github/workflows/test.yml

@@ -9,13 +9,13 @@ jobs:
     steps:
 
     - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
       with:
         go-version: '^1.20'
       id: go
 
     - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       with:
         submodules: recursive
 
@@ -27,7 +27,7 @@ jobs:
       run: |
         make test
 
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1
       if: always()
       with:
         name: output

Makefile

@@ -13,7 +13,7 @@ artifact:
 
 # Build the ZIP file for importing
 artifact_zip:
-	./reghunter compile --make_zip --output output/Windows.Registry.Hunter.zip Rules/*.yaml
+	./reghunter compile --make_zip --output output/Windows.Registry.Hunter.zip --index docs/content/docs/rules/index.json Rules/*.yaml
 
 test:
 	cd tests && make test

RECmd_Batch/RegistryASEPs.reb

@@ -1,5 +1,5 @@
 Description: Registry ASEPs
-Disabled: true
+Disabled: false
 Author: Troy Larson
 Version: 1.0
 Id: d6b50e3a-291c-4d8a-afbc-4dd05d252742

Rules/Detections.yaml

@@ -16,3 +16,17 @@ Rules:
       FROM glob(accessor="registry",
                 globs="HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Store\\*rclone*")
     })
+
+- Description: DotNetStartupHooks
+  Category: Threat Hunting
+  Author: Chris Jones - CPIRT | FabFaeb | Antonio Blescia (TheThMando) | bmcder02
+  Comment: |
+    The .NET DLLs listed in the DOTNET_STARTUP_HOOKS environment
+    variable are loaded into .NET processes at runtime.
+
+  Query: |
+    SELECT OSPath, Data.value AS Value
+    FROM glob(globs=[
+    '''HKEY_LOCAL_MACHINE\System\ControlSet*\Control\Session Manager\Environment\DOTNET_STARTUP_HOOKS''',
+    '''HKEY_USERS\*\Environment\DOTNET_STARTUP_HOOKS'''], accessor="registry")
+    WHERE Value