Windows Redcannary impact

rules/windows/powershell/powershell_script/powershell_ps_susp_remove_adgroupmember.yml

@@ -0,0 +1,28 @@
+title: Remove Account From Domain Admin Group
+id: 48a45d45-8112-416b-8a67-46e03a4b2107
+status: experimental
+author: frack113
+date: 2021/12/26
+description: |
+  Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
+  Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. 
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - 'Remove-ADGroupMember'
+            - '-Identity '
+            - '-Members ' 
+    condition: selection
+falsepositives:
+    - Unknown
+level: low
+tags:
+    - attack.impact
+    - attack.t1531
+

rules/windows/powershell/powershell_script/powershell_ps_susp_wallpaper.yml

@@ -0,0 +1,31 @@
+title: Replace Desktop Wallpaper by Powershell
+id: c5ac6a1e-9407-45f5-a0ce-ca9a0806a287
+status: experimental
+author: frack113
+date: 2021/12/26
+description: |
+    An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.
+    This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection_1:
+        ScriptBlockText|contains|all:
+            - 'Get-ItemProperty'
+            - 'Registry::'
+            - 'HKEY_CURRENT_USER\Control Panel\Desktop\' 
+            - 'WallPaper'
+    selection_2:
+        ScriptBlockText|contains: SystemParametersInfo(20,0,*,3)
+    condition: 1 of selection_*
+falsepositives:
+    - Unknown
+level: low
+tags:
+    - attack.impact
+    - attack.t1491.001
+

rules/windows/powershell/powershell_script/powershell_ps_susp_win32_shadowcopy.yml

@@ -0,0 +1,25 @@
+title: Delete Volume Shadow Copies via WMI with PowerShell
+id: e17121b4-ef2a-4418-8a59-12fb1631fa9e
+status: experimental
+author: frack113
+date: 2021/12/26
+description: Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - 'Get-WmiObject'
+            - 'Win32_Shadowcopy'
+            - '.Delete()' 
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.impact
+    - attack.t1490