Windows Redcannary

rules/windows/powershell/powershell_script/powershell_ps_enable_psremoting.yml

@@ -0,0 +1,23 @@
+title: Enable Windows Remote Management
+id: 991a9744-f2f0-44f2-bd33-9092eba17dc3
+status: experimental
+description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. 
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management
+    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
+author: frack113
+date: 2022/01/07
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Script block logging must be enabled'
+detection:
+    selection_cmdlet:
+        ScriptBlockText|contains: 'Enable-PSRemoting '
+    condition: selection_cmdlet
+falsepositives:
+    - legitim script
+level: medium
+tags:
+    - attack.lateral_movement
+    - attack.t1021.006

rules/windows/powershell/powershell_script/powershell_ps_invoke_command_remote.yml

@@ -0,0 +1,25 @@
+title: Execute Invoke-command on Remote Host
+id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6
+status: experimental
+description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. 
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command
+    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2
+author: frack113
+date: 2022/01/07
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Script block logging must be enabled'
+detection:
+    selection_cmdlet:
+        ScriptBlockText|contains|all:
+            - 'invoke-command '
+            - ' -ComputerName '
+    condition: selection_cmdlet
+falsepositives:
+    - legitim script
+level: medium
+tags:
+    - attack.lateral_movement
+    - attack.t1021.006

rules/windows/powershell/powershell_script/powershell_ps_invoke_dnsexfiltration.yml

@@ -0,0 +1,29 @@
+title: Powershell DNSExfiltration
+id: d59d7842-9a21-4bc6-ba98-64bfe0091355
+status: experimental
+description: DNSExfiltrator allows for transfering (exfiltrate) a file over a DNS request covert channel
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh
+    - https://github.com/Arno0x/DNSExfiltrator
+author: frack113
+date: 2022/01/07
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Script block logging must be enabled'
+detection:
+    selection_cmdlet:
+        - ScriptBlockText|contains: Invoke-DNSExfiltrator
+        - ScriptBlockText|contains|all:
+            - ' -i '
+            - ' -d '
+            - ' -p '
+            - ' -doh '
+            - ' -t '
+    condition: selection_cmdlet
+falsepositives:
+    - legitim script
+level: medium
+tags:
+    - attack.exfiltration
+    - attack.t1048

rules/windows/powershell/powershell_script/powershell_ps_remote_session_creation.yml

@@ -0,0 +1,26 @@
+title: PowerShell Remote Session Creation
+id: a0edd39f-a0c6-4c17-8141-261f958e8d8f
+status: experimental
+description: |
+  Adversaries may abuse PowerShell commands and scripts for execution.
+  PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle
+    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2
+author: frack113
+date: 2022/01/06
+logsource:
+    product: windows
+    category: ps_script
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - New-PSSession
+            - '-ComputerName '
+    condition: selection
+falsepositives:
+  - legitimate administrative script
+level: medium
+tags:
+  - attack.execution
+  - attack.t1059.001

rules/windows/powershell/powershell_script/powershell_ps_send_mailmessage.yml

@@ -0,0 +1,26 @@
+title: Powershell Exfiltration Over SMTP
+id: 9a7afa56-4762-43eb-807d-c3dc9ffe211b
+status: experimental
+description: |
+  Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
+  The data may also be sent to an alternate network location from the main command and control server. 
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
+    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2
+    - https://www.ietf.org/rfc/rfc2821.txt
+author: frack113
+date: 2022/01/07
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Script block logging must be enabled'
+detection:
+    selection_cmdlet:
+        ScriptBlockText|contains: Send-MailMessage
+    condition: selection_cmdlet
+falsepositives:
+    - legitim script
+level: medium
+tags:
+    - attack.exfiltration
+    - attack.t1048.003

rules/windows/powershell/powershell_script/powershell_ps_upload.yml

@@ -0,0 +1,31 @@
+title: Windows PowerShell Upload Web Request
+id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb
+status: experimental
+description: Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md
+    - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
+    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2
+author: frack113
+date: 2022/01/07
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Script block logging must be enabled'
+detection:
+    selection_cmdlet:
+        ScriptBlockText|contains:
+            - 'Invoke-WebRequest'
+            - 'iwr '
+    selection_method:
+        ScriptBlockText|contains: '-Method '
+    selection_verb:
+            - ' Put ' 
+            - ' Post '
+    condition: all of selection_*
+falsepositives:
+    - legitim script
+level: medium
+tags:
+    - attack.exfiltration
+    - attack.t1020