From cb938c14df0fae93a684d4b597855a5d2f217a50 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 15 Jan 2022 17:04:03 +0100
Subject: [PATCH 1/4] Windows Redcannary

---
.../win_fd_delete_prefetch_file.yml | 23 ++++++++++++++
.../posh_ps_remove_item_path.yml | 25 ++++++++++++++++
.../posh_ps_suspicious_start_process.yml | 26 ++++++++++++++++
.../process_creation/win_pc_cmd_delete.yml | 30 +++++++++++++++++++
.../process_creation/win_pc_run_from_zip.yml | 21 +++++++++++++
.../win_pc_susp_char_in_cmd.yml | 30 +++++++++++++++++++
6 files changed, 155 insertions(+)
create mode 100644 rules/windows/file_delete/win_fd_delete_prefetch_file.yml
create mode 100644 rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
create mode 100644 rules/windows/powershell/powershell_script/posh_ps_suspicious_start_process.yml
create mode 100644 rules/windows/process_creation/win_pc_cmd_delete.yml
create mode 100644 rules/windows/process_creation/win_pc_run_from_zip.yml
create mode 100644 rules/windows/process_creation/win_pc_susp_char_in_cmd.yml

diff --git a/rules/windows/file_delete/win_fd_delete_prefetch_file.yml b/rules/windows/file_delete/win_fd_delete_prefetch_file.yml
new file mode 100644
index 000000000..60b0806f2
--- /dev/null
+++ b/rules/windows/file_delete/win_fd_delete_prefetch_file.yml
@@ -0,0 +1,23 @@
+title: Delete Prefetch File
+id: 4f14dd15-1625-451c-afa6-af6505a18e26
+status: experimental
+description: Deletion of prefetch files is a known anti-forensic technique
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md#atomic-test-9---delete-prefetch-file
+date: 2022/01/15
+logsource:
+ product: windows
+ category: file_delete
+detection:
+ selection_file:
+ TargetFilename|endswith: .pf
+ selection_valid:
+ Image: C:\Windows\system32\svchost.exe
+ condition: selection_file and not selection_valid
+falsepositives:
+ - unknown
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
diff --git a/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml b/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
new file mode 100644
index 000000000..cda5dcbf2
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
@@ -0,0 +1,25 @@
+title: Use Remove-Item to Delete File
+id: b8af5f36-1361-4ebe-9e76-e36128d947bf
+status: experimental
+description: Powershell Remove-Item with -Path to delete a file or a folder with "-Recurse"
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md
+ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7
+date: 2022/01/15
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - Remove-Item
+ - '-Path '
+ condition: selection
+falsepositives:
+ - Legitimate PowerShell scripts
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
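Review bot: In posh_ps_remove_item_path.yml the selection does not implement what the description promises: the description says the rule covers `-Path` "with -Recurse", but `ScriptBlockText|contains|all` only requires `Remove-Item` and `'-Path '`, so every single-file removal fires and the recursive folder case the text singles out is not distinguished at all. Either add `- '-Recurse'` to the list, which narrows the rule toward the referenced T1070.004 atomic, or reword the description to `Detects any Remove-Item invocation with an explicit -Path parameter; folder deletion additionally uses -Recurse`. Two bypasses are also worth a comment in the rule: the trailing space in `'-Path '` means `-Path:` and `-LiteralPath` are not matched, and script block text records aliases as written, so `rm`, `del` and `ri` never contain the string `Remove-Item`.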
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_start_process.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_start_process.yml
new file mode 100644
index 000000000..196e8c2b3
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_start_process.yml
@@ -0,0 +1,26 @@
+title: Suspicious Start-Process PassThru
+id: 0718cd72-f316-4aa2-988f-838ea8533277
+status: experimental
+description: Powershell use PassThru option to start in background
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md
+ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
+date: 2022/01/15
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - Start-Process
+ - '-PassThru '
+ - '-FilePath '
+ condition: selection
+falsepositives:
+ - Legitimate PowerShell scripts
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1036.003
diff --git a/rules/windows/process_creation/win_pc_cmd_delete.yml b/rules/windows/process_creation/win_pc_cmd_delete.yml
new file mode 100644
index 000000000..b72c3a0f5
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_cmd_delete.yml
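Review bot: The description `Powershell use PassThru option to start in background` misstates what the rule keys on: per the Start-Process documentation the rule itself references, `-PassThru` only makes the cmdlet return the launched Process object, and Start-Process already returns without waiting unless `-Wait` is given, so "start in background" is not the signal here. Suggest `description: Detects Start-Process invoked with -FilePath and -PassThru (returns the launched Process object), as used in the referenced Atomic Red Team T1036.003 test`. Separately, `'-PassThru '` carries a trailing space, so a script that puts the switch last on the line (`Start-Process -FilePath $p -PassThru` followed by a newline, `)` or `|`) is not matched even though that is the usual position; drop the space: `- '-PassThru'`. Note that nothing in the selection checks the launched path or name, so the rule has no masquerading signal of its own despite the T1036.003 tag, and `level: medium` on a generic cmdlet pattern is likely to be noisy in environments that script Start-Process.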
@@ -0,0 +1,30 @@
+title: Windows Cmd Delete File
+id: 379fa130-190e-4c3f-b7bc-6c8e834485f3
+status: experimental
+description: |
+ Adversaries may delete files left behind by the actions of their intrusion activity.
+ Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
+ Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
+author: frack113
+date: 2022/01/15
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Image|contains|all:
+ - 'del '
+ - /f
+ - Image|contains|all:
+ - rmdir
+ - /s
+ - /q
+ condition: selection
+falsepositives:
+ - Legitim script
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_pc_run_from_zip.yml b/rules/windows/process_creation/win_pc_run_from_zip.yml
new file mode 100644
index 000000000..e7fc41db3
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_run_from_zip.yml
@@ -0,0 +1,21 @@
+title: Run from a Zip File
+id: 1a70042a-6622-4a2b-8958-267625349abf
+status: experimental
+description: Payloads may be compressed, archived, or encrypted in order to avoid detection
+author: frack113
+date: 2021/12/26
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md#atomic-test-4---execution-from-compressed-file
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|contains: '.zip\'
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
+tags:
+ - attack.impact
+ - attack.t1485
\ No newline at end of file
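Review bot: The `del` branch of win_pc_cmd_delete.yml pairs two bare substrings, `'del '` and `/f`, that each occur in unrelated command lines (`'del '` is a suffix of `Model ` or `Handel `, and `/f` is a prefix of `/force` and a common switch for `reg add` and `schtasks`), so once the field is corrected to CommandLine (PATCH 4/4 does that) the rule will still match command lines that never invoke `del`. If Sigma's regex modifier is acceptable in this repository, one anchored expression is tighter: `CommandLine|re: '(?i)(^|[\s"/])del\s.*\s/f(\s|$)'`; otherwise at least document in `description` that the match is substring-based and expected to be tuned per environment. The `falsepositives` entry `Legitim script` should read `Legitimate script`, and `erase` and `del /q` without `/f` are not covered, which the description could state as a known gap.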
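Review bot: The tags in win_pc_run_from_zip.yml, `attack.impact` and `attack.t1485` (Data Destruction), contradict the rule's own reference and description, which are about T1027 execution from a compressed file; a wrong technique tag misroutes the alert in ATT&CK-based triage and dashboards. Change them to `- attack.defense_evasion` / `- attack.t1027`. Also `Image|contains: '.zip\'` only fires when the executable's own path is inside an archive-named directory, so a payload copied out of the archive before launch is not detected, and processes started from an archiver's temporary extraction folder are presumably a common benign source of hits — both are worth stating under `description` and `falsepositives` instead of `unknown`. The `date: 2021/12/26` differs from the other rules in this commit and looks carried over from an earlier draft.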
diff --git a/rules/windows/process_creation/win_pc_susp_char_in_cmd.yml b/rules/windows/process_creation/win_pc_susp_char_in_cmd.yml
new file mode 100644
index 000000000..791898f77
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_susp_char_in_cmd.yml
@@ -0,0 +1,30 @@
+title: Obfuscated Command Line Using Special Unicode Characters
+id: e0552b19-5a83-4222-b141-b36184bb8d79
+status: experimental
+description: Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
+author: frack113
+references:
+ - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
+date: 2022/01/15
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ #find the sysmon event
+ CommandLine|contains:
+ - 'â'
+ - '€'
+ - '£'
+ - '¯'
+ - '®'
+ - 'µ'
+ - '¶'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1027
\ No newline at end of file
From 38ddf072916f5e408f322a92beb000b554b818ce Mon Sep 17 00:00:00 2001
From: frack113
Date: Sat, 15 Jan 2022 23:31:51 +0100
Subject: [PATCH 2/4] Add french user

---
.../win_fd_delete_prefetch_file.yml | 23 -------------------
1 file changed, 23 deletions(-)
delete mode 100644 rules/windows/file_delete/win_fd_delete_prefetch_file.yml

diff --git a/rules/windows/file_delete/win_fd_delete_prefetch_file.yml b/rules/windows/file_delete/win_fd_delete_prefetch_file.yml
deleted file mode 100644
index 60b0806f2..000000000
--- a/rules/windows/file_delete/win_fd_delete_prefetch_file.yml
+++ /dev/null
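Review bot: `level: high` combined with `falsepositives: unknown` is hard to defend for single-character `CommandLine|contains` matches: `®`, `€`, `£` and `µ` appear in legitimate command lines (trademarked product names, currency arguments, localized paths), so this rule will page on benign activity; `level: medium` with an explicit falsepositives entry naming those cases is the honest setting until the list is tuned. The `â` and `€` entries look like UTF-8 multibyte sequences decoded as Latin-1 (mojibake of characters such as en dashes), and the `#find the sysmon event` comment suggests the list was lifted from observed events, so the rule silently depends on the collector's decoding; document it, e.g. `# Matches command lines as decoded by the collector; 'â' and '€' are the Latin-1 view of UTF-8 lead bytes, verify against your pipeline's encoding`. The second reference anchors to Atomic test 6 (DLP evasion via sensitive data in a VBA macro over HTTP), which does not appear to exercise command-line character substitution at all; the Wietze Beukema post is the source that actually supports this detection, so the atomic link should be corrected or dropped.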
@@ -1,23 +0,0 @@
-title: Delete Prefetch File
-id: 4f14dd15-1625-451c-afa6-af6505a18e26
-status: experimental
-description: Deletion of prefetch files is a known anti-forensic technique
-author: frack113
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md#atomic-test-9---delete-prefetch-file
-date: 2022/01/15
-logsource:
- product: windows
- category: file_delete
-detection:
- selection_file:
- TargetFilename|endswith: .pf
- selection_valid:
- Image: C:\Windows\system32\svchost.exe
- condition: selection_file and not selection_valid
-falsepositives:
- - unknown
-level: medium
-tags:
- - attack.defense_evasion
- - attack.t1070.004
From c4f4b55920adca1d2a1b71ab4bf1c86f60ddf860 Mon Sep 17 00:00:00 2001
From: frack113
Date: Sat, 15 Jan 2022 23:33:36 +0100
Subject: [PATCH 3/4] Add french user

---
rules/windows/file_delete/sysmon_delete_prefetch.yml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/windows/file_delete/sysmon_delete_prefetch.yml b/rules/windows/file_delete/sysmon_delete_prefetch.yml
index 451971948..954dd6b04 100755
--- a/rules/windows/file_delete/sysmon_delete_prefetch.yml
+++ b/rules/windows/file_delete/sysmon_delete_prefetch.yml
@@ -5,6 +5,7 @@ description: Detects the deletion of a prefetch file (AntiForensic)
level: high
author: Cedric MAURUGEON
date: 2021/09/29
+modified: 2022/01/15
tags:
- attack.defense_evasion
- attack.t1070.004
@@ -17,7 +18,9 @@ detection:
TargetFilename|endswith: '.pf'
exception:
Image: 'C:\windows\system32\svchost.exe'
- User: 'NT AUTHORITY\SYSTEM'
+ User|startswith:
+ - 'NT AUTHORITY\SYSTEM'
+ - 'AUTORITE NT\Sys' # French language settings
condition: selection and not exception
falsepositives:
- Unknown
From 262cb31143573e77b7bf06dc896eca8d1e06d4d8 Mon Sep 17 00:00:00 2001
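Review bot: The new `'AUTORITE NT\Sys'` entry in sysmon_delete_prefetch.yml's exception is a locale-specific display name, so the exception still fails on every other localized Windows (German `NT-AUTORITÄT\SYSTEM`, for instance), and because the rule is `level: high` (visible in the first hunk) routine prefetch housekeeping by svchost will keep alerting on those hosts; say so in `falsepositives` instead of `Unknown`. The `Sys` truncation paired with `startswith` is presumably there to avoid writing the accented `Système`, which should be spelled out so the next maintainer does not "fix" it: `- 'AUTORITE NT\Sys' # French: 'AUTORITE NT\Système', truncated to avoid the accented character`. As far as this hunk shows, the `User` field carries a display name rather than a SID, so a locale-independent exclusion is not available from this field alone and the per-locale list will have to grow; a comment stating that is worth adding. The rest of the rule (the `selection` block and `level`) lies outside this hunk.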
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 16 Jan 2022 11:15:50 +0100
Subject: [PATCH 4/4] Fix CommandLine

Forget to copy the correct from Test VM
---
rules/windows/process_creation/win_pc_cmd_delete.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/windows/process_creation/win_pc_cmd_delete.yml b/rules/windows/process_creation/win_pc_cmd_delete.yml
index b72c3a0f5..6b9cba57b 100644
--- a/rules/windows/process_creation/win_pc_cmd_delete.yml
+++ b/rules/windows/process_creation/win_pc_cmd_delete.yml
@@ -14,10 +14,10 @@ logsource:
product: windows
detection:
selection:
- - Image|contains|all:
+ - CommandLine|contains|all:
- 'del '
- /f
- - Image|contains|all:
+ - CommandLine|contains|all:
- rmdir
- /s
- /q
@@ -27,4 +27,4 @@ falsepositives:
level: low
tags:
- attack.defense_evasion
- - attack.t1070.004
\ No newline at end of file
+ - attack.t1070.004
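Review bot: With the field corrected to `CommandLine`, the second branch still keys only on `rmdir`, so cmd's `rd` alias — `rd /s /q <dir>`, the shorter and arguably more common form — is not detected at all, which leaves the most likely real-world T1070.004 command line uncovered. A plain `'rd '` substring would be too loose (it sits inside `password `, `record `, and similar), so if the regex modifier is acceptable here replace the branch with `CommandLine|re: '(?i)\b(rmdir|rd)\b.*\s/[sq]\b.*\s/[sq]\b'`, which also accepts the `/q /s` ordering; otherwise add a third list item mirroring the rmdir branch with `' rd '` and note the quoting gap in the description. The enclosing rule (title, description, falsepositives) lies outside this hunk.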