CrackMapExec File Indicators

calendar Mar 11, 2024 · attack.credential_access attack.t1003.001  ·
Share on: linkedin copy

Detects file creation events with filename patterns used by CrackMapExec.

Sigma rule (View on GitHub)

 1title: CrackMapExec File Indicators
 2id: 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a
 3related:
 4    - id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
 5      type: obsoletes
 6status: experimental
 7description: Detects file creation events with filename patterns used by CrackMapExec.
 8references:
 9    - https://github.com/byt3bl33d3r/CrackMapExec/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2024/03/11
12tags:
13    - attack.credential_access
14    - attack.t1003.001
15logsource:
16    product: windows
17    category: file_event
18detection:
19    selection_path:
20        TargetFilename|startswith: 'C:\Windows\Temp\' # The disk extension is hardcoded in the tool.
21    selection_names_str:
22        TargetFilename|endswith:
23            - '\temp.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/keepass_trigger.py#L42C41-L42C68
24            - '\msol.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/msol.py#L48C98-L48C106
25    selection_names_re:
26        - TargetFilename|re: '\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.txt$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/wmi/wmiexec.py#L86
27        - TargetFilename|re: '\\[a-zA-Z]{8}\.tmp$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/smb/atexec.py#L145C19-L146
28    condition: selection_path and 1 of selection_names_*
29falsepositives:
30    - Unknown
31level: high

References

Related rules

to-top