HackTool - CrackMapExec Execution

This rule detects command-line flag combinations that are characteristic of CrackMapExec, so that its use is still caught when the binary itself has been renamed or replaced and the image name alone would not match.

Sigma rule

title: HackTool - CrackMapExec Execution
id: 42a993dd-bb3e-48c8-b372-4d6684c4106c
status: test
description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
references:
    - https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local
    - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
    - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz
    - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject
author: Florian Roth (Nextron Systems)
date: 2022/02/25
modified: 2023/03/08
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege_escalation
    - attack.credential_access
    - attack.discovery
    - attack.t1047
    - attack.t1053
    - attack.t1059.003
    - attack.t1059.001
    - attack.t1110
    - attack.t1201
logsource:
    category: process_creation
    product: windows
detection:
    selection_binary:
        Image|endswith: '\crackmapexec.exe'
    selection_special:
        CommandLine|contains: ' -M pe_inject '
    selection_execute:
        CommandLine|contains|all:
            - ' --local-auth'
            - ' -u '
            - ' -x '
    selection_hash:
        CommandLine|contains|all:
            - ' --local-auth'
            - ' -u '
            - ' -p '
            - " -H 'NTHASH'"
    selection_module_mssql:
        CommandLine|contains|all:
            - ' mssql '
            - ' -u '
            - ' -p '
            - ' -M '
            - ' -d '
    selection_module_smb1:
        CommandLine|contains|all:
            - ' smb '
            - ' -u '
            - ' -H '
            - ' -M '
            - ' -o '
    selection_module_smb2:
        CommandLine|contains|all:
            - ' smb '
            - ' -u '
            - ' -p '
            - ' --local-auth'
    part_localauth_1:
        CommandLine|contains|all:
            - ' --local-auth'
            - ' -u '
            - ' -p '
    part_localauth_2:
        CommandLine|contains|all:
            - ' 10.'
            - ' 192.168.'
            - '/24 '
    condition: 1 of selection_* or all of part_localauth*
fields:
    - ComputerName
    - User
    - CommandLine
falsepositives:
    - Unknown
level: high
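To show what the rule actually fires on, here is an added worked example (it is not part of the rule and not code from the Sigma or pySigma projects): the selections above are transcribed into a small Python matcher that implements only the modifiers this rule uses (`contains`, `endswith`, `all`, with Sigma's case-insensitive string matching) and evaluates the condition `1 of selection_* or all of part_localauth*` over constructed process_creation events. All image paths, command lines and credential values in the sample events are made up. Two details of the rule are visible in the results: `part_localauth_2` uses `contains|all`, so one command line has to carry ` 10.`, ` 192.168.` and `/24 ` at the same time, and `selection_hash` requires the literal string `-H 'NTHASH'` from the referenced documentation, so a pass-the-hash command line with a real hash value does not satisfy it; the matcher reproduces both as written.

```python
"""Evaluate the 'HackTool - CrackMapExec Execution' Sigma rule against
process_creation events. Added example, not Sigma's or pySigma's code;
only the modifiers this rule uses are implemented."""
from __future__ import annotations

# Selections transcribed from the rule. Sigma string matching (contains,
# endswith) is case-insensitive, so both sides are lower-cased below.
SELECTIONS = {
    "selection_binary": {"Image|endswith": ["\\crackmapexec.exe"]},
    "selection_special": {"CommandLine|contains": [" -M pe_inject "]},
    "selection_execute": {"CommandLine|contains|all": [" --local-auth", " -u ", " -x "]},
    "selection_hash": {"CommandLine|contains|all": [" --local-auth", " -u ", " -p ", " -H 'NTHASH'"]},
    "selection_module_mssql": {"CommandLine|contains|all": [" mssql ", " -u ", " -p ", " -M ", " -d "]},
    "selection_module_smb1": {"CommandLine|contains|all": [" smb ", " -u ", " -H ", " -M ", " -o "]},
    "selection_module_smb2": {"CommandLine|contains|all": [" smb ", " -u ", " -p ", " --local-auth"]},
}
PARTS = {
    "part_localauth_1": {"CommandLine|contains|all": [" --local-auth", " -u ", " -p "]},
    "part_localauth_2": {"CommandLine|contains|all": [" 10.", " 192.168.", "/24 "]},
}


def _field_matches(event: dict, key: str, values: list[str]) -> bool:
    """Apply one 'Field|modifier|...' entry of a selection to an event."""
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    wanted = [v.lower() for v in values]
    if "endswith" in mods:
        hits = [actual.endswith(v) for v in wanted]
    elif "contains" in mods:
        hits = [v in actual for v in wanted]
    else:
        hits = [actual == v for v in wanted]
    # 'all' requires every listed value; without it a value list is an OR.
    return all(hits) if "all" in mods else any(hits)


def _selection_matches(event: dict, selection: dict) -> bool:
    return all(_field_matches(event, k, v) for k, v in selection.items())


def evaluate(event: dict) -> list[str]:
    """Return the selection names that make the rule fire for this event
    (condition: '1 of selection_* or all of part_localauth*'), or [] if it
    does not fire."""
    hits = [name for name, sel in SELECTIONS.items() if _selection_matches(event, sel)]
    parts = [name for name, sel in PARTS.items() if _selection_matches(event, sel)]
    if len(parts) == len(PARTS):  # 'all of part_localauth*'
        hits.extend(parts)
    return hits


# Constructed process_creation events, not real telemetry; every path,
# host, user and credential below is a placeholder.
SAMPLE_EVENTS = {
    # Renamed binary: caught by the flag combination, not by the image name.
    "renamed_exec": {
        "Image": "C:\\Users\\Public\\cme.exe",
        "CommandLine": "cme.exe smb 192.168.1.50 --local-auth -u administrator -p Winter2023 -x whoami",
    },
    # Original binary name and no interesting flags: selection_binary alone.
    "original_name": {
        "Image": "C:\\Python39\\Scripts\\crackmapexec.exe",
        "CommandLine": "crackmapexec.exe --help",
    },
    # Two /24 ranges over winrm: only the two part_localauth parts match.
    "subnet_spray": {
        "Image": "C:\\Users\\Public\\cme.exe",
        "CommandLine": "cme.exe winrm 10.0.0.0/24 192.168.10.0/24 --local-auth -u admin -p Summer2024",
    },
    # Pass-the-hash with a real hash: selection_hash wants the literal
    # -H 'NTHASH' placeholder and no other selection is satisfied by -H alone.
    "pass_the_hash": {
        "Image": "C:\\Users\\Public\\cme.exe",
        "CommandLine": "cme.exe smb 192.168.1.50 --local-auth -u administrator "
                       "-H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c",
    },
    # Benign command line that happens to mention a 10.x address.
    "benign_ping": {
        "Image": "C:\\Windows\\System32\\PING.EXE",
        "CommandLine": "ping 10.1.2.3",
    },
}

if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(f"{name:14s} -> {evaluate(event) or 'no match'}")
```

Running the block prints one line per sample event; the `pass_the_hash` case is the one to look at when tuning, since a renamed binary used with `-H` and no module (`-M`) or command (`-x`) produces no hit under the rule as written.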
