add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml

rules/windows/builtin/win_account_backdoor_dcsync_rights.yml

@@ -2,7 +2,7 @@ title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
 description: backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
 status: experimental
 date: 2019/04/03
-author: Samir Bousseaden
+author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community
 references:
     - https://twitter.com/menasec1/status/1111556090137903104
     - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
@@ -19,6 +19,7 @@ detection:
         Value: 
          - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
          - '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
+         - '*89e95b76-444d-4c62-991a-0facbeda640c*'
     condition: selection
 falsepositives:
     - New Domain Controller computer account, check user SIDs witin the value attribute of event 5136 and verify if it's a regular user or DC computer account.

rules/windows/builtin/win_ad_object_writedac_access.yml

@@ -0,0 +1,22 @@
+title: T1000 AD Object WriteDAC Access
+description: Detects WRITE_DAC access to a domain object
+status: experimental
+date: 2019/09/12
+author: Roberto Rodriguez @Cyb3rWard0g
+references:
+    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1222_file_permissions_modification/ad_replication_user_backdoor.md
+logsource:
+    product: windows
+    service: security
+detection:
+    selection_one: 
+        EventID: 4662
+        ObjectServer: 'DS'
+        AccessMask: 0x40000
+        ObjectType:
+            - '19195a5b-6da0-11d0-afd3-00c04fd930c9'
+            - 'domainDNS'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical

rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml

@@ -0,0 +1,19 @@
+title: T1055 CreateRemoteThread API and LoadLibrary
+description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process 
+status: experimental
+date: 2019/08/11
+author: Roberto Rodriguez @Cyb3rWard0g
+references:
+    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection: 
+        EventID: 8
+        StartModule: '*\kernel32.dll'
+        StartFunction: 'LoadLibraryA'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical

rules/windows/sysmon/sysmon_rdp_registry_modification.yml

@@ -0,0 +1,21 @@
+title: T1112 RDP Registry Modification
+description: Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections.
+status: experimental
+date: 2019/09/12
+author: Roberto Rodriguez @Cyb3rWard0g
+references:
+    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection_one: 
+        EventID: 13
+        TargetObject:
+            - '*\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication'
+            - '*\CurrentControlSet\Control\Terminal Server\fDenyTSConnections'
+        Details: 'DWORD (0x00000000)'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical