Windows redcannary

rules/windows/process_creation/win_pc_susp_adfind_enumerate.yml

@@ -0,0 +1,36 @@
+title: Suspicious AdFind Enumerate
+id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
+status: experimental
+description: Detects the execution of a AdFind for enumeration 
+references:
+    - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md
+author: frack113
+date: 2021/12/13
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '\adfind.exe'
+    test_5: #Listing password policy
+        CommandLine|contains:
+            - lockoutduration
+            - lockoutthreshold
+            - lockoutobservationwindow
+            - maxpwdage
+            - minpwdage
+            - minpwdlength
+            - pwdhistorylength
+            - pwdproperties
+    test_6: #Enumerate Active Directory Admins
+        CommandLine|contains: '-sc admincountdmp' 
+    test_8: #Enumerate Active Directory Exchange AD Objects
+        CommandLine|contains: '-sc exchaddresses'
+    condition: selection and 1 of test_*
+falsepositives:
+    - Administrative activity
+level: medium
+tags:
+    - attack.discovery
+    - attack.t1087.002

rules/windows/process_creation/win_pc_susp_network_listing_connections.yml

@@ -6,6 +6,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery
 author: frack113
 date: 2021/12/10
+modified: 2021/12/13
 logsource:
     category: process_creation
     product: windows
@@ -15,13 +16,16 @@ detection:
     net_cmd:
         CommandLine|contains: 'net '
     net_opt:
-        CommandLine|contains:
-            - use
-            - sessions
+        - CommandLine|endswith:
+            - ' use'
+            - ' sessions'
+        - CommandLine|contains:
+            - ' use '
+            - ' sessions '
     condition: netstat or (net_cmd and net_opt)
 falsepositives:
     - unknown
 level: low
 tags:
     - attack.discovery
-    - attack.t1049
+    - attack.t1049