HackTool - CrackMapExec File Indicators

Detects file creation events with filename patterns used by CrackMapExec.

Sigma rule

title: HackTool - CrackMapExec File Indicators
id: 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a
related:
    - id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
      type: obsolete
status: experimental
description: Detects file creation events with filename patterns used by CrackMapExec.
references:
    - https://github.com/byt3bl33d3r/CrackMapExec/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-11
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: file_event
detection:
    selection_path:
        TargetFilename|startswith: 'C:\Windows\Temp\' # The disk extension is hardcoded in the tool.
    selection_names_str:
        TargetFilename|endswith:
            - '\temp.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/keepass_trigger.py#L42C41-L42C68
            - '\msol.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/msol.py#L48C98-L48C106
    selection_names_re:
        - TargetFilename|re: '\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.txt$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/wmi/wmiexec.py#L86
        - TargetFilename|re: '\\[a-zA-Z]{8}\.tmp$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/smb/atexec.py#L145C19-L146
    condition: selection_path and 1 of selection_names_*
falsepositives:
    - Unknown
level: high
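
To check the rule's logic before deploying it, the following added example (not part of the rule or of the Sigma project) re-implements the detection section in Python and runs it over constructed TargetFilename values. It assumes the Sigma specification's semantics, where plain-string modifiers match case-insensitively and `|re` is case-sensitive by default; a given backend may differ. The names `rule_matches`, `SAMPLES` and `mismatches` are hypothetical.

```python
import re

# Values copied from the detection section of the rule above.
PATH_PREFIX = "C:\\Windows\\Temp\\"
NAME_SUFFIXES = ("\\temp.ps1", "\\msol.ps1")
NAME_PATTERNS = (
    re.compile(r"\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.txt$"),
    re.compile(r"\\[a-zA-Z]{8}\.tmp$"),
)


def rule_matches(target_filename: str) -> bool:
    """Evaluate the condition: selection_path and 1 of selection_names_*."""
    lowered = target_filename.lower()
    # Plain-string modifiers (startswith/endswith) compare case-insensitively.
    selection_path = lowered.startswith(PATH_PREFIX.lower())
    selection_names_str = lowered.endswith(NAME_SUFFIXES)
    # |re is case-sensitive by default; search() is unanchored like the rule's patterns.
    selection_names_re = any(p.search(target_filename) for p in NAME_PATTERNS)
    return selection_path and (selection_names_str or selection_names_re)


# Constructed TargetFilename values (not captured telemetry) with expected verdicts.
SAMPLES = {
    r"C:\Windows\Temp\temp.ps1": True,
    r"c:\windows\temp\MSOL.PS1": True,        # string match ignores case
    r"C:\Windows\Temp\sub\msol.ps1": True,    # startswith allows subfolders
    r"C:\Windows\Temp\3f2a9c1e-7b4d-4e8a-9c6f-0a1b2c3d4e5f.txt": True,
    r"C:\Windows\Temp\3F2A9C1E-7B4D-4E8A-9C6F-0A1B2C3D4E5F.txt": False,  # regex wants lowercase hex
    r"C:\Windows\Temp\qWkLzPbN.tmp": True,    # any 8-letter .tmp name fires: triage these
    r"C:\Windows\Temp\abc12345.tmp": False,   # digits are outside [a-zA-Z]
    r"C:\Windows\Temp\mytemp.ps1": False,     # suffix includes the leading backslash
    r"C:\Users\alice\AppData\Local\Temp\temp.ps1": False,  # wrong directory
}


def mismatches() -> list:
    """Return the sample paths whose verdict differs from the expectation."""
    return [p for p, want in SAMPLES.items() if rule_matches(p) != want]


if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{'MATCH' if rule_matches(path) else 'no   '}  {path}")
```
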
