security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #2495 from frack113/redcannary_20211227

Browse Source 
Windows redcannary rules
This commit is contained in:
frack113
2021-12-28 12:52:07 +01:00
committed by GitHub
parent 1f1b0dc656 ee0f216929
commit 1a877a5ccd
4 changed files with 102 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/powershell/powershell_script/powershell_ps_copy_item_system32.yml
+24
View File
@@ -0,0 +1,24 @@
title: Powershell Install a DLL in System32
id: 63bf8794-9917-45bc-88dd-e1b5abc0ecfd
status: experimental
description: Uses PowerShell to install a DLL in System32
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll
author: frack113
date: 2021/12/27
logsource:
product: windows
category: ps_script
detection:
selection:
ScriptBlockText|contains|all:
- 'Copy-Item '
- '-Destination '
- '\Windows\System32'
condition: selection
falsepositives:
- unknown
level: high
tags:
- attack.credential_access
- attack.t1556.002
rules/windows/powershell/powershell_script/powershell_ps_suspicious_networkcredential.yml
+26
View File
@@ -0,0 +1,26 @@
title: Suspicious Connection to Remote Account
id: 1883444f-084b-419b-ac62-e0d0c5b3693f
status: experimental
description: |
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos
author: frack113
date: 2021/12/27
logsource:
product: windows
category: ps_script
detection:
selection:
ScriptBlockText|contains:
- 'System.DirectoryServices.Protocols.LdapDirectoryIdentifier'
- 'System.Net.NetworkCredential'
- 'System.DirectoryServices.Protocols.LdapConnection'
condition: selection
falsepositives:
- unknown
level: low
tags:
- attack.credential_access
- attack.t1110.001