From 592485fac54d3539ee8b99677fd0facb67cbecd0 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Wed, 12 Jan 2022 20:27:56 +0100
Subject: [PATCH] Windows Redcannary

---
.../posh_ps_create_volume_shadow_copy.yml | 26 +++++++++++++++++++
.../posh_ps_suspicious_gwmi.yml | 25 ++++++++++++++++++
.../win_pc_uninstall_sysmon.yml | 24 +++++++++++++++++
.../sysmon/sysmon_config_modification.yml | 20 ++++++++++++++
4 files changed, 95 insertions(+)
create mode 100644 rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
create mode 100644 rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml
create mode 100644 rules/windows/process_creation/win_pc_uninstall_sysmon.yml
create mode 100644 rules/windows/sysmon/sysmon_config_modification.yml

diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
new file mode 100644
index 000000000..6c098c110
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
@@ -0,0 +1,26 @@
+title: Create Volume Shadow Copy with Powershell
+id: afd12fed-b0ec-45c9-a13d-aa86625dac81
+status: experimental
+description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
+date: 2022/01/12
+author: frack113
+references:
+ - https://attack.mitre.org/datasources/DS0005/
+ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - win32_shadowcopy
+ - ').Create('
+ - ClientAccessible
+ condition: selection
+falsepositives:
+ - Legitimate PowerShell scripts
+level: high
+tags:
+ - attack.credential_access
+ - attack.t1003.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml
new file mode 100644
index 000000000..de0c276a4
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml
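Review bot: The `+description:` line talks about copying the Active Directory domain database, but the selection only matches a `win32_shadowcopy` `.Create(` call with `ClientAccessible`, which says nothing about NTDS.dit, so the description should state what is actually matched, e.g. `description: Detects creation of a volume shadow copy through the Win32_ShadowCopy WMI class from PowerShell, a common precursor to copying locked files such as NTDS.dit or the SAM hive`. The second reference (the Get-WmiObject cmdlet documentation) looks carried over from the sibling gwmi rule in this commit and does not document the shadow-copy technique; a reference for the Win32_ShadowCopy class or the Red Canary atomic the commit title alludes to would fit better. Backup and imaging tooling is also likely to create client-accessible shadow copies through WMI, so `falsepositives` should name backup software rather than only "Legitimate PowerShell scripts".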
@@ -0,0 +1,25 @@
+title: Suspicious Get-WmiObject
+id: 0332a266-b584-47b4-933d-a00b103e1b37
+status: experimental
+description: The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers
+date: 2022/01/12
+author: frack113
+references:
+ - https://attack.mitre.org/datasources/DS0005/
+ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains:
+ - Get-WmiObject
+ - gwmi
+ condition: selection
+falsepositives:
+ - Legitimate PowerShell scripts
+level: low
+tags:
+ - attack.persistence
+ - attack.t1546
diff --git a/rules/windows/process_creation/win_pc_uninstall_sysmon.yml b/rules/windows/process_creation/win_pc_uninstall_sysmon.yml
new file mode 100644
index 000000000..11a90070f
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_uninstall_sysmon.yml
@@ -0,0 +1,24 @@
+title: Uninstall Sysinternals Sysmon
+id: 6a5f68d1-c4b5-46b9-94ee-5324892ea939
+status: experimental
+description: Uninstall Sysinternals Sysmon for Defense Evasion
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon
+author: frack113
+date: 2022/01/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ sysmon:
+ Image|endswith:
+ - \Sysmon64.exe
+ - \Sysmon.exe
+ CommandLine|contains: '-u'
+ condition: sysmon
+falsepositives:
+ - unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml
new file mode 100644
index 000000000..87b371606
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_config_modification.yml
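Review bot: The `+description:` line in posh_ps_suspicious_gwmi.yml is a generic definition of WMI rather than a statement of what the rule detects, and the `ScriptBlockText|contains` selection fires on any script block mentioning `Get-WmiObject` or the substring `gwmi`, so "Suspicious" in the title overstates what is matched. Suggest `description: Detects use of the Get-WmiObject cmdlet or its gwmi alias in a PowerShell script block; WMI queries are routine in administrative scripts, so treat this as an enrichment or hunting rule rather than an alert`, keeping `level: low`. The `attack.persistence` / `attack.t1546` tags also look loose for a bare WMI query; unless the intent is to pair this rule with WMI event-subscription detections, a discovery-oriented mapping would describe the match more honestly — confirm against the technique the author had in mind.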
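Review bot: `CommandLine|contains: '-u'` in win_pc_uninstall_sysmon.yml is a plain substring match, so besides the uninstall switch it also hits any Sysmon command line whose path or config file name contains `-u`, and it misses the `/u` switch form that Sysinternals tools generally accept (confirm for the Sysmon build in use); a `CommandLine|contains:` list with the two items `' -u'` and `' /u'` narrows the first problem and covers the second. Because the rule keys only on `Image|endswith`, a renamed Sysmon binary evades it; an additional selection on `OriginalFileName` alongside `Image` would harden it (verify the value Sysmon reports before relying on it). `falsepositives: - unknown` could name the obvious benign case, Sysmon upgrades and reinstalls performed by endpoint management tooling. The file is also missing a trailing newline, as the `\ No newline at end of file` marker shows.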
@@ -0,0 +1,20 @@
+title: Sysmon Configuration Change
+id: 8ac03a65-6c84-4116-acad-dc1558ff7a77
+description: Someone can try to hide from Sysmon
+status: experimental
+author: frack113
+date: 2022/01/12
+references:
+ - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 16
+ condition: selection
+falsepositives:
+ - legitimate administrative action
+level: medium
+tags:
+ - attack.defense_evasion
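Review bot: `description: Someone can try to hide from Sysmon` does not say what the rule matches; Sysmon event ID 16 is emitted on every configuration state change, so something like `description: Detects a Sysmon configuration change (event ID 16), which an adversary may perform to blind or weaken Sysmon before further activity` would let an analyst triage the alert. Every legitimate config rollout also produces event 16, so it is worth adding a filter on the `ConfigurationFileHash` field that event 16 carries, excluding the hashes of approved configs (`filter: ConfigurationFileHash: <APPROVED_CONFIG_HASH_PLACEHOLDER>` with `condition: selection and not filter`), and mentioning configuration-management rollouts in `falsepositives`. The sibling uninstall rule in this commit carries `attack.t1562.001`, while this rule tags only `attack.defense_evasion`; the sub-technique tag belongs here too for consistency.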