From afadda8c04a19c0b81f026e333c7ff7cdd69d92c Mon Sep 17 00:00:00 2001
From: t0x1c-1
Date: Tue, 4 Sep 2018 15:52:25 +0200
Subject: [PATCH] Suspicious SYSVOL Domain Group Policy Access

---
 .../builtin/win_susp_sysvol_access.yml | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 rules/windows/builtin/win_susp_sysvol_access.yml

diff --git a/rules/windows/builtin/win_susp_sysvol_access.yml b/rules/windows/builtin/win_susp_sysvol_access.yml
new file mode 100644
index 000000000..32032b9e7
--- /dev/null
+++ b/rules/windows/builtin/win_susp_sysvol_access.yml
@@ -0,0 +1,35 @@
+---
+action: global
+title: Suspicious SYSVOL Domain Group Policy Access
+status: experimental
+description: Detects Access to Domain Group Policies stored in SYSVOL
+references:
+  - https://adsecurity.org/?p=2288
+  - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
+author: Markus Neis
+date: 2018/04/09
+tags:
+  - attack.credential_access
+  - attack.t1003
+detection:
+  selection:
+    CommandLine: '*\SYSVOL\*\policies\*'
+  condition: selection
+falsepositives:
+  - administrative activity
+level: medium
+---
+logsource:
+  product: windows
+  service: sysmon
+detection:
+  selection:
+    EventID: 1
+---
+logsource:
+  product: windows
+  service: security
+  description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+  selection:
+    EventID: 4688
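Review bot: In the third YAML document (the security/4688 logsource), `description:` is not a Sigma `logsource` field, so the audit-policy prerequisites written there will be silently dropped by converters; the specification's field for logging prerequisites is `definition:`, i.e. `  definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'`. The rule-level `description` is also thinner than the rule's intent: the credential_access/T1003 tags and the adsecurity reference point at credential material kept in Group Policy Preference XML files under SYSVOL, so a sentence such as `description: Detects process command lines referencing domain Group Policy objects under SYSVOL, which may indicate harvesting of credentials stored in Group Policy Preference files` would tell an analyst what a hit means and why "administrative activity" is the expected false positive. Note that the Event ID 4688 document only yields a `CommandLine` value when process command-line auditing is enabled, which is exactly why the prerequisite text needs to survive conversion. The `date` field (2018/04/09) predates the patch date; presumably that is the original authoring date and is fine as is.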