CrackMapExec File Indicators
Detects file creation events with filename patterns used by CrackMapExec.
Sigma rule (View on GitHub)
1title: CrackMapExec File Indicators
2id: 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a
3related:
4 - id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
5 type: obsoletes
6status: experimental
7description: Detects file creation events with filename patterns used by CrackMapExec.
8references:
9 - https://github.com/byt3bl33d3r/CrackMapExec/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2024/03/11
12tags:
13 - attack.credential_access
14 - attack.t1003.001
15logsource:
16 product: windows
17 category: file_event
18detection:
19 selection_path:
20 TargetFilename|startswith: 'C:\Windows\Temp\' # The disk extension is hardcoded in the tool.
21 selection_names_str:
22 TargetFilename|endswith:
23 - '\temp.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/keepass_trigger.py#L42C41-L42C68
24 - '\msol.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/msol.py#L48C98-L48C106
25 selection_names_re:
26 - TargetFilename|re: '\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.txt$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/wmi/wmiexec.py#L86
27 - TargetFilename|re: '\\[a-zA-Z]{8}\.tmp$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/smb/atexec.py#L145C19-L146
28 condition: selection_path and 1 of selection_names_*
29falsepositives:
30 - Unknown
31level: high
References
Related rules
- Potential Credential Dumping Activity Via LSASS
- Password Dumper Remote Thread in LSASS
- HackTool - CrackMapExec Process Patterns
- Suspicious Renamed Comsvcs DLL Loaded By Rundll32
- LSASS Access Detected via Attack Surface Reduction