From 53f0261a622be8df5848b48d7d53b8b988cf23d5 Mon Sep 17 00:00:00 2001
From: Ryan Plas
Date: Mon, 5 Oct 2020 10:39:21 -0400
Subject: [PATCH 1/2] Add Stored Credentials in Fake Files rule

---
 ...ess_fake_files_with_stored_credentials.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/windows/builtin/win_access_fake_files_with_stored_credentials.yml

diff --git a/rules/windows/builtin/win_access_fake_files_with_stored_credentials.yml b/rules/windows/builtin/win_access_fake_files_with_stored_credentials.yml
new file mode 100644
index 000000000..ab2533ba9
--- /dev/null
+++ b/rules/windows/builtin/win_access_fake_files_with_stored_credentials.yml
@@ -0,0 +1,29 @@
+title: Stored Credentials in Fake Files
+id: 692b979c-f747-41dc-ad72-1f11c01b110e
+description: Search for accessing of fake files with stored credentials
+status: experimental
+author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
+date: 2020/10/05
+references:
+  - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-13-638.jpg
+tags:
+  - attack.credential_access
+  - attack.t1555
+logsource:
+  product: windows
+  service: security
+detection:
+  selection:
+    EventID: 4663
+    AccessList|contains: '%%4416'
+    ObjectName|endswith:
+      - '\{641ECF7F-6AC4-4A63-BF85-DFDE140E9F89}\Machine\Preferences\Groups\Groups.xml'
+      - '\Panther\Unattend.xml'
+  condition: selection
+fields:
+  - EventID
+  - AccessList
+  - ObjectName
+falsepositives:
+  - Unknown
+level: high
\ No newline at end of file

From ff8485280386500317a54f63ec2e2f3dd7e3d4bd Mon Sep 17 00:00:00 2001
From: Ryan Plas
Date: Sat, 17 Oct 2020 09:36:25 -0400
Subject: [PATCH 2/2] Replace start of paths with placeholders

---
 .../win_access_fake_files_with_stored_credentials.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename {rules/windows/builtin => rules-unsupported}/win_access_fake_files_with_stored_credentials.yml (84%)
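Review bot: Event 4663 is only written for these paths when object-access auditing is enabled and the decoy files carry a SACL that audits the access right being matched, and nothing in the rule records that prerequisite, so on an unprepared host the rule silently matches nothing. I'd state it in the `description`, e.g. `description: Detects read access (%%4416, ReadData) to decoy files that appear to hold credentials; requires 'Audit File System' auditing and a read SACL on the decoy files`. The `falsepositives: Unknown` paired with `level: high` is also worth revisiting, since backup, antivirus and indexing agents read files wholesale and would produce the same 4663 event; naming them gives analysts something concrete to tune on.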
diff --git a/rules/windows/builtin/win_access_fake_files_with_stored_credentials.yml b/rules-unsupported/win_access_fake_files_with_stored_credentials.yml
similarity index 84%
rename from rules/windows/builtin/win_access_fake_files_with_stored_credentials.yml
rename to rules-unsupported/win_access_fake_files_with_stored_credentials.yml
index ab2533ba9..c8f95ed78 100644
--- a/rules/windows/builtin/win_access_fake_files_with_stored_credentials.yml
+++ b/rules-unsupported/win_access_fake_files_with_stored_credentials.yml
@@ -17,8 +17,8 @@ detection:
     EventID: 4663
     AccessList|contains: '%%4416'
     ObjectName|endswith:
-      - '\{641ECF7F-6AC4-4A63-BF85-DFDE140E9F89}\Machine\Preferences\Groups\Groups.xml'
-      - '\Panther\Unattend.xml'
+      - '\%POLICY_ID%\Machine\Preferences\Groups\Groups.xml'
+      - '\%FOLDER_NAME%\Unattend.xml'
   condition: selection
 fields:
   - EventID
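Review bot: The new `%POLICY_ID%` and `%FOLDER_NAME%` values are literal strings to Sigma, not placeholders it expands, so as committed the two `endswith` entries can never match until someone edits the rule, and nothing in the file says which values to substitute; the move to rules-unsupported suggests this is intended, but it should be written down. I'd add a comment above each value, `# replace %POLICY_ID% with the GUID of the GPO folder holding the decoy Groups.xml` and `# replace %FOLDER_NAME% with the directory holding the decoy Unattend.xml`, or say the same in the `description`. If the intent is instead to match any policy GUID, `endswith` already allows dropping the prefix entirely: `- '\Machine\Preferences\Groups\Groups.xml'`. The enclosing `detection` block starts above the hunk.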