From f8d4d23be5e50d6b7cd86c8f5a7df32d75b7be58 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 13 Dec 2021 18:52:17 +0100
Subject: [PATCH] Windows redcannary
---
 .../win_pc_susp_adfind_enumerate.yml | 36 +++++++++++++++++++
 ...in_pc_susp_network_listing_connections.yml | 12 ++++---
 2 files changed, 44 insertions(+), 4 deletions(-)
 create mode 100644 rules/windows/process_creation/win_pc_susp_adfind_enumerate.yml
diff --git a/rules/windows/process_creation/win_pc_susp_adfind_enumerate.yml b/rules/windows/process_creation/win_pc_susp_adfind_enumerate.yml
new file mode 100644
index 000000000..b04dbd07e
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_susp_adfind_enumerate.yml
@@ -0,0 +1,36 @@
+title: Suspicious AdFind Enumerate
+id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
+status: experimental
+description: Detects the execution of a AdFind for enumeration
+references:
+ - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md
+author: frack113
+date: 2021/12/13
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '\adfind.exe'
+ test_5: #Listing password policy
+ CommandLine|contains:
+ - lockoutduration
+ - lockoutthreshold
+ - lockoutobservationwindow
+ - maxpwdage
+ - minpwdage
+ - minpwdlength
+ - pwdhistorylength
+ - pwdproperties
+ test_6: #Enumerate Active Directory Admins
+ CommandLine|contains: '-sc admincountdmp'
+ test_8: #Enumerate Active Directory Exchange AD Objects
+ CommandLine|contains: '-sc exchaddresses'
+ condition: selection and 1 of test_*
+falsepositives:
+ - Administrative activity
+level: medium
+tags:
+ - attack.discovery
+ - attack.t1087.002
\ No newline at end of file
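Review bot: The `selection` block rests on `Image|endswith: '\adfind.exe'` alone, so the rule is only as strong as the file name: a renamed copy of the binary still produces the same `-sc admincountdmp` and password-policy command lines but never reaches the `test_*` checks. Where the log source supplies binary metadata, OR'ing an `OriginalFileName` condition into `selection` next to the image check keeps the rule effective after a rename; whether that field is populated depends on the Sysmon/EDR configuration in use, so verify it against the deployed field set. Smaller points in the same hunk: the comments on `test_5`, `test_6` and `test_8` need a space after `#` to satisfy yamllint (`test_5: # Listing password policy`), `description` should read `Detects the execution of AdFind for enumeration`, and the file is written without a trailing newline.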
diff --git a/rules/windows/process_creation/win_pc_susp_network_listing_connections.yml b/rules/windows/process_creation/win_pc_susp_network_listing_connections.yml
index 97c9c8bb5..b4ee08af1 100644
--- a/rules/windows/process_creation/win_pc_susp_network_listing_connections.yml
+++ b/rules/windows/process_creation/win_pc_susp_network_listing_connections.yml
@@ -6,6 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery
 author: frack113
 date: 2021/12/10
+modified: 2021/12/13
 logsource:
 category: process_creation
 product: windows
@@ -15,13 +16,16 @@ detection:
 net_cmd:
 CommandLine|contains: 'net '
 net_opt:
- CommandLine|contains:
- - use
- - sessions
+ - CommandLine|endswith:
+ - ' use'
+ - ' sessions'
+ - CommandLine|contains:
+ - ' use '
+ - ' sessions '
 condition: netstat or (net_cmd and net_opt)
 falsepositives:
 - unknown
 level: low
 tags:
 - attack.discovery
- - attack.t1049
+ - attack.t1049
\ No newline at end of file
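Review bot: The new `net_opt` values only recognise the plural `sessions` (`' sessions'` and `' sessions '`), while the documented spelling of the command is `net session`; if the singular form is in scope for T1049 the two lists should also carry `' session'` and `' session '` — the rule itself does not say whether leaving it out is deliberate, so please confirm. The split into `endswith` for a bare trailing argument and `contains` for the space-delimited form is sound and removes the old over-match on the `use` substring, but a short comment above `net_opt` explaining why two modifiers are needed, e.g. `# endswith: argument is last on the line; contains: further arguments follow`, would keep a later editor from collapsing them again. The final hunk also drops the trailing newline after `- attack.t1049`, which is whitespace churn worth reverting before merge.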