From d7e9dccdbeda0baba214c0d23f9d74a1da62c440 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Thu, 16 Dec 2021 10:32:45 +0100
Subject: [PATCH] Windows redcannary

---
 ...ershell_ps_security_software_discovery.yml | 34 +++++++++++++++++++
 .../win_pc_susp_findstr_385201.yml            | 22 ++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_script/powershell_ps_security_software_discovery.yml
 create mode 100644 rules/windows/process_creation/win_pc_susp_findstr_385201.yml

diff --git a/rules/windows/powershell/powershell_script/powershell_ps_security_software_discovery.yml b/rules/windows/powershell/powershell_script/powershell_ps_security_software_discovery.yml
new file mode 100644
index 000000000..bbb829097
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_ps_security_software_discovery.yml
@@ -0,0 +1,34 @@
+title: Security Software Discovery by Powershell
+id: 904e8e61-8edf-4350-b59c-b905fc8e810c
+status: experimental
+author: frack113
+date: 2021/12/16
+description: |
+  Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.
+  This may include things such as firewall rules and anti-viru
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md
+logsource:
+  product: windows
+  category: ps_script
+  definition: Script block logging must be enabled
+detection:
+  selection_1:
+    ScriptBlockText|contains|all:
+      - 'get-process'
+      - '.Description'
+      - '-like'
+  selection_2:
+    ScriptBlockText|contains:
+      - '"*virus*"'
+      - '"*carbonblack*"'
+      - '"*defender*"'
+      - '"*cylance*"'
+  condition: all of selection_*
+falsepositives:
+  - Unknown
+level: low
+tags:
+  - attack.discovery
+  - attack.t1518.001
+
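Review bot: The four selection_2 patterns embed literal double quotes (`'"*virus*"'`), so the rule only fires when the script passes a double-quoted `-like` argument exactly as the Atomic test does; the same discovery written with single quotes (`-like '*defender*'`) or with the pattern held in a variable never matches. Dropping the embedded quotes so the items read `'*virus*'`, `'*carbonblack*'`, `'*defender*'`, `'*cylance*'` keeps the intent and closes that gap, since the `.Description` and `-like` anchors in selection_1 already restrict the match to a comparison on process descriptions. The description block is also cut mid-word at `anti-viru`; it should end `anti-virus.`. Given that the rule keys on a short vendor list, the falsepositives entry could state that administrative inventory scripts enumerating the same process descriptions will trigger it, which is consistent with the `low` level.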
diff --git a/rules/windows/process_creation/win_pc_susp_findstr_385201.yml b/rules/windows/process_creation/win_pc_susp_findstr_385201.yml
new file mode 100644
index 000000000..e7fd6469d
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_susp_findstr_385201.yml
@@ -0,0 +1,22 @@
+title: Suspicious Findstr 385201 Execution
+id: 37db85d1-b089-490a-a59a-c7b6f984f480
+status: experimental
+description: Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).
+author: frack113
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service
+date: 2021/12/16
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection:
+    Image|endswith: \findstr.exe
+    CommandLine|contains: ' 385201'
+  condition: selection
+falsepositives:
+  - Unknown
+level: high
+tags:
+  - attack.discovery
+  - attack.t1518.001
\ No newline at end of file
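Review bot: The selection pins the grep to `\findstr.exe`, but the same altitude check can be run through `find.exe` (or PowerShell's `Select-String`, which a process_creation rule cannot see at all), so the image condition should at least become `Image|endswith: ['\findstr.exe', '\find.exe']`. The value `' 385201'` is explained only indirectly by the description; a comment on that line, `# 385201 = default altitude of the Sysmon minifilter driver, stable across service renames`, would tell the next person tuning the rule why the number rather than the service name is the anchor. With `level: high` and `falsepositives: Unknown`, a findstr for a bare number in an administrative script will page someone; if the `fltmc | findstr 385201` form from the referenced atomic is the intended target (inferred from the reference anchor, not visible in the hunk), say so in falsepositives instead of leaving it Unknown. Quoting `'\findstr.exe'` the same way the CommandLine value is quoted would also keep the two conditions in one style.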