Windows Redcannary

rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml

@@ -0,0 +1,26 @@
+title: Create Volume Shadow Copy with Powershell
+id: afd12fed-b0ec-45c9-a13d-aa86625dac81
+status: experimental
+description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
+date: 2022/01/12
+author: frack113
+references:
+    - https://attack.mitre.org/datasources/DS0005/
+    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - win32_shadowcopy
+            - ').Create('
+            - ClientAccessible
+    condition: selection
+falsepositives:
+    - Legitimate PowerShell scripts
+level: high
+tags:
+    - attack.credential_access
+    - attack.t1003.003 

rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml

@@ -0,0 +1,25 @@
+title: Suspicious Get-WmiObject
+id: 0332a266-b584-47b4-933d-a00b103e1b37
+status: experimental
+description: The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers
+date: 2022/01/12
+author: frack113
+references:
+    - https://attack.mitre.org/datasources/DS0005/
+    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        ScriptBlockText|contains:
+            - Get-WmiObject
+            - gwmi
+    condition: selection
+falsepositives:
+    - Legitimate PowerShell scripts
+level: low
+tags:
+    - attack.persistence
+    - attack.t1546