From 744b7602c9c76b27fccd351da4b089c1ac03d527 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 27 Dec 2021 20:25:01 +0100
Subject: [PATCH 1/2] Windows redcannary rules
---
 .../powershell_ps_copy_item_system32.yml | 24 +++++++++++++++++
 ...rshell_ps_suspicious_networkcredential.yml | 26 +++++++++++++++++++
 .../win_pc_findstr_gpp_passwords.yml | 25 ++++++++++++++++++
 .../process_creation/win_pc_hashcat.yml | 26 +++++++++++++++++++
 4 files changed, 101 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_script/powershell_ps_copy_item_system32.yml
 create mode 100644 rules/windows/powershell/powershell_script/powershell_ps_suspicious_networkcredential.yml
 create mode 100644 rules/windows/process_creation/win_pc_findstr_gpp_passwords.yml
 create mode 100644 rules/windows/process_creation/win_pc_hashcat.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_copy_item_system32.yml b/rules/windows/powershell/powershell_script/powershell_ps_copy_item_system32.yml
new file mode 100644
index 000000000..7cb894a5b
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_ps_copy_item_system32.yml
@@ -0,0 +1,24 @@
+title: Powershell Install a DLL in System32
+id: 63bf8794-9917-45bc-88dd-e1b5abc0ecfd
+status: experimental
+description: Uses PowerShell to install a DLL in System32
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll
+author: frack113
+date: 2021/12/27
+logsource:
+ product: windows
+ category: ps_script
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - 'Copy-Item '
+ - '-Destination '
+ - '\Windows\System32'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
+tags:
+ - attack.credential_access
+ - attack.t1556.002
\ No newline at end of file
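Review bot: The `contains|all` selection never checks for a DLL, so any `Copy-Item … -Destination …\Windows\System32` in a script block (software installers, admin scripts dropping config or .exe files) fires at level high while the title and description promise a password-filter DLL install; add `- '.dll'` to the list or lower the level. The `\Windows\System32` literal also misses scripts that spell the target as `$env:windir\System32` or `$env:SystemRoot\System32`, which is at least as common in PowerShell as the hard-coded path, so that should be recorded as a known gap or covered with a second selection. `falsepositives: - unknown` could at least name `Software installers and administrative scripts that copy files into System32`, since that is exactly what the current logic will match.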
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_suspicious_networkcredential.yml b/rules/windows/powershell/powershell_script/powershell_ps_suspicious_networkcredential.yml
new file mode 100644
index 000000000..691fe178d
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_ps_suspicious_networkcredential.yml
@@ -0,0 +1,26 @@
+title: Suspicious Connection to Remote Account
+id: 1883444f-084b-419b-ac62-e0d0c5b3693f
+status: experimental
+description: |
+ Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
+ Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos
+author: frack113
+date: 2021/12/27
+logsource:
+ product: windows
+ category: ps_script
+detection:
+ selection:
+ ScriptBlockText|contains:
+ - 'System.DirectoryServices.Protocols.LdapDirectoryIdentifier'
+ - 'System.Net.NetworkCredential'
+ - 'System.DirectoryServices.Protocols.LdapConnection'
+ condition: selection
+falsepositives:
+ - unknown
+level: low
+tags:
+ - attack.credential_access
+ - attack.t1110.001
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_pc_findstr_gpp_passwords.yml b/rules/windows/process_creation/win_pc_findstr_gpp_passwords.yml
new file mode 100644
index 000000000..75e245400
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_findstr_gpp_passwords.yml
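Review bot: `ScriptBlockText|contains` is an OR over the three strings, and `System.Net.NetworkCredential` on its own is routine in legitimate scripts (`$cred.GetNetworkCredential()`, web requests with explicit credentials), so the rule fires on far more than the LDAP brute-force it references; requiring the credential type together with the LDAP types would keep the atomic-test coverage while dropping most of that noise, e.g. `ScriptBlockText|contains|all:` with `- 'System.DirectoryServices.Protocols.Ldap'` and `- 'System.Net.NetworkCredential'`. The `description` block is the generic ATT&CK T1110.001 text rather than a statement of what this rule matches; a one-liner such as `Detects PowerShell script blocks that build an LdapConnection with an explicit NetworkCredential, as used by the Atomic Red Team LDAP brute-force test` would help an analyst triage the hit. The title 'Suspicious Connection to Remote Account' is likewise broader than the logic and could be narrowed to the LDAP/NetworkCredential pattern.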
@@ -0,0 +1,25 @@
+title: Findstr GPP Passwords
+id: 91a2c315-9ee6-4052-a853-6f6a8238f90d
+status: experimental
+description: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr
+date: 2021/12/27
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: \findstr.exe
+ CommandLine|contains|all:
+ - cpassword
+ - \sysvol\
+ - .xml
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.credential_access
+ - attack.t1552.006
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_pc_hashcat.yml b/rules/windows/process_creation/win_pc_hashcat.yml
new file mode 100644
index 000000000..3262261fe
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_hashcat.yml
@@ -0,0 +1,26 @@
+title: Password Cracking with Hashcat
+id: 39b31e81-5f5f-4898-9c0e-2160cfc0f9bf
+status: experimental
+description: Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat
+author: frack113
+date: 2021/12/27
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ hashcat_basic:
+ Image|endswith: \hashcat.exe
+ hashcat_option:
+ CommandLine|contains|all:
+ - '-a '
+ - '-m '
+ - '-r '
+ condition: 1 of hashcat_*
+falsepositives:
+ - unknown
+level: high
+tags:
+ - attack.credential_access
+ - attack.t1110.002
\ No newline at end of file
From ee0f2169295aeb7df06814984f1cc66420dab3cb Mon Sep 17 00:00:00 2001
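Review bot: `- .xml` in the `contains|all` list is an avoidable gap: `findstr /S /I cpassword \\dc\sysvol\*` with no extension filter returns the same GPP files and slips past the rule, while `cpassword` together with `\sysvol\` is already specific to this technique, so the third entry can be dropped. `falsepositives: - Unknown` at level high is also misleading, because administrators auditing SYSVOL for leftover GPP passwords after MS14-025 run exactly this command; name it, e.g. `- Administrators auditing SYSVOL for legacy GPP cpassword values`. Note that `Image|endswith: \findstr.exe` only covers the findstr variant of the atomic; the same search via `Select-String` or `Get-ChildItem` in PowerShell never spawns findstr.exe and would need a separate ps_script rule, which is worth stating in the description.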
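Review bot: `Image|endswith: \hashcat.exe` only matches the current binary name; earlier hashcat releases shipped as `hashcat64.exe` / `hashcat32.exe` (worth confirming against the release archive), and a renamed binary falls through to `hashcat_option`, which requires `-r ` even though a rules file is optional, so a plain dictionary run such as `-a 0 -m 1000 sam.txt wordlist.txt` from a renamed executable is missed. Turning the image match into a list `- '\hashcat.exe'`, `- '\hashcat64.exe'`, `- '\hashcat32.exe'` and removing `- '-r '` from the `contains|all` list would close both gaps without widening the `hashcat_basic` arm. The `1 of hashcat_*` condition itself is fine for this two-arm layout.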
From: Florian Roth
Date: Tue, 28 Dec 2021 12:09:59 +0100
Subject: [PATCH 2/2] Update win_pc_hashcat.yml
---
 rules/windows/process_creation/win_pc_hashcat.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/win_pc_hashcat.yml b/rules/windows/process_creation/win_pc_hashcat.yml
index 3262261fe..9708b0c6b 100644
--- a/rules/windows/process_creation/win_pc_hashcat.yml
+++ b/rules/windows/process_creation/win_pc_hashcat.yml
@@ -4,6 +4,7 @@ status: experimental
 description: Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat
+ - https://hashcat.net/wiki/doku.php?id=hashcat
 author: frack113
 date: 2021/12/27
 logsource:
@@ -15,12 +16,12 @@ detection:
 hashcat_option:
 CommandLine|contains|all:
 - '-a '
- - '-m '
+ - '-m 1000 '
 - '-r '
 condition: 1 of hashcat_*
 falsepositives:
- - unknown
-level: high
+ - Tools that accidentally use the same command line flags and values
+level: critical
 tags:
 - attack.credential_access
- - attack.t1110.002
\ No newline at end of file
+ - attack.t1110.002
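Review bot: `- '-m 1000 '` pins the `hashcat_option` arm to NTLM hashes only, which fits the SAM-file description but not the title 'Password Cracking with Hashcat': a renamed hashcat cracking NetNTLMv2 (`-m 5600`), Kerberos TGS-REP/AS-REP (`-m 13100`, `-m 18200`) or DCC2 (`-m 2100`) captures — mode numbers per the hashcat wiki this commit adds to `references` — now only hits via the `hashcat_basic` image name. Moving the mode into its own `CommandLine|contains` list alongside the existing `contains|all` keeps the tighter match while covering the common Active Directory modes; sketch below, with `-r ` kept only because the commit retains it (it is optional in hashcat). The `level: critical` bump is reasonable for the image-name arm, and the new falsepositives entry is welcome, though 'accidentally' reads oddly — `Other tools that use the same command line flags and values` is clearer.
```yaml
  hashcat_option:
    CommandLine|contains|all:
      - '-a '
      - '-r '
    CommandLine|contains:
      - '-m 1000 '
      - '-m 2100 '
      - '-m 5600 '
      - '-m 13100 '
      - '-m 18200 '
# … unchanged: condition, falsepositives, level, tags …
```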