Windows redcannary

rules/windows/powershell/powershell_script/powershell_ps_access_to_chrome_login_data.yml

@@ -0,0 +1,31 @@
+title: Accessing Encrypted Credentials from Google Chrome Login Database
+id: 98f4c75c-3089-44f3-b733-b327b9cd9c9d
+status: experimental
+author: frack113
+date: 2021/12/20
+description: |
+  Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
+  Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
+  Web browsers typically store the credentials in an encrypted format within a credential store.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection_cmd:
+        ScriptBlockText|contains|all: 
+            - Copy-Item
+            - '-Destination'
+    selection_path:
+        ScriptBlockText|contains:
+            - '\Google\Chrome\User Data\Default\Login Data'
+            - '\Google\Chrome\User Data\Default\Login Data For Account'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.credential_access
+    - attack.tT1555.003

rules/windows/powershell/powershell_script/powershell_ps_dump_password_windows_credential_manager.yml

@@ -0,0 +1,37 @@
+title: Dump Credentials from Windows Credential Manager With PowerShell
+id: 99c49d9c-34ea-45f7-84a7-4751ae6b2cbc
+status: experimental
+author: frack113
+date: 2021/12/20
+description: |
+  Adversaries may search for common password storage locations to obtain user credentials.
+  Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection_kiddie:
+        ScriptBlockText|contains: 
+            - 'Get-PasswordVaultCredentials'
+            - 'Get-CredManCreds'
+    selection_rename_Password:
+        ScriptBlockText|contains|all:
+            - 'New-Object'
+            - 'Windows.Security.Credentials.PasswordVault'
+    selection_rename_credman:
+        ScriptBlockText|contains|all:
+            - 'New-Object'
+            - 'Microsoft.CSharp.CSharpCodeProvider'
+            - '[System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())'
+            - 'Collections.ArrayList'
+            - 'System.CodeDom.Compiler.CompilerParameters'
+    condition: 1 of selection_*
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.credential_access
+    - attack.t1555

rules/windows/powershell/powershell_script/powershell_ps_enumerate_password_windows_credential_manager.yml

@@ -0,0 +1,30 @@
+title: Enumerate Credentials from Windows Credential Manager With PowerShell
+id: 603c6630-5225-49c1-8047-26c964553e0e
+status: experimental
+author: frack113
+date: 2021/12/20
+description: |
+  Adversaries may search for common password storage locations to obtain user credentials.
+  Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection_cmd:
+        ScriptBlockText|contains|all: 
+            - vaultcmd
+            - '/listcreds:'
+    selection_option:
+        ScriptBlockText|contains:
+            - 'Windows Credentials'
+            - 'Web Credentials'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.credential_access
+    - attack.t1555