security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Windows Redcannary

Browse Source
This commit is contained in:
frack113
2022-01-09 12:37:23 +01:00
parent ac240b1487
commit 01c6e5f6e3
3 changed files with 75 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/file_event/win_fe_csharp_compile_artefact.yml
+24
View File
@@ -0,0 +1,24 @@
title: Dynamic C Sharp Compile Artefact
id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
status: experimental
description: |
When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
Certain processes are not typically observed compiling C# code, but can do so without touching disk.
This can be used to unpack a payload for execution
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile
date: 2022/01/09
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: '.cmdline'
condition: selection
falsepositives:
- Unknown
level: medium
tags:
- attack.defense_evasion
- attack.t1027.004
rules/windows/powershell/powershell_script/posh_ps_suspicious_iofilestream.yml
+25
View File
@@ -0,0 +1,25 @@
title: Suspicious IO.FileStream
id: 70ad982f-67c8-40e0-a955-b920c2fa05cb
status: experimental
description: open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume.
date: 2022/01/09
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
detection:
selection:
ScriptBlockText|contains|all:
- New-Object
- IO.FileStream
- '"\\.\'
condition: selection
falsepositives:
- Legitimate PowerShell scripts
level: medium
tags:
- attack.defense_evasion
- attack.t1070.003
rules/windows/process_creation/win_pc_iis_http_logging.yml
+26
View File
@@ -0,0 +1,26 @@
title: Disable Windows IIS HTTP Logging
id: e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e
status: experimental
description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging
date: 2022/01/09
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: \appcmd.exe
CommandLine|contains|all:
- set
- config
- '/section:httplogging'
- '/dontLog:true'
condition: selection
falsepositives:
- Unknown
level: medium
tags:
- attack.defense_evasion
- attack.t1562.002