HackTool - CrackMapExec File Indicators
Detects file creation events with filename patterns used by CrackMapExec.
Sigma rule (View on GitHub)
1title: HackTool - CrackMapExec File Indicators
2id: 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a
3related:
4 - id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
5 type: obsoletes
6status: experimental
7description: Detects file creation events with filename patterns used by CrackMapExec.
8references:
9 - https://github.com/byt3bl33d3r/CrackMapExec/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2024/03/11
12modified: 2024/06/27
13tags:
14 - attack.credential_access
15 - attack.t1003.001
16logsource:
17 product: windows
18 category: file_event
19detection:
20 selection_path:
21 TargetFilename|startswith: 'C:\Windows\Temp\' # The disk extension is hardcoded in the tool.
22 selection_names_str:
23 TargetFilename|endswith:
24 - '\temp.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/keepass_trigger.py#L42C41-L42C68
25 - '\msol.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/msol.py#L48C98-L48C106
26 selection_names_re:
27 - TargetFilename|re: '\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.txt$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/wmi/wmiexec.py#L86
28 - TargetFilename|re: '\\[a-zA-Z]{8}\.tmp$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/smb/atexec.py#L145C19-L146
29 condition: selection_path and 1 of selection_names_*
30falsepositives:
31 - Unknown
32level: high
References
Related rules
- HackTool - SafetyKatz Dump Indicator
- LSASS Access Detected via Attack Surface Reduction
- Potentially Suspicious GrantedAccess Flags On LSASS
- Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
- LSASS Process Memory Dump Files