HackTool - CrackMapExec Process Patterns
Detects suspicious process patterns found in logs when CrackMapExec is used
Sigma rule (View on GitHub)
1title: HackTool - CrackMapExec Process Patterns
2id: f26307d8-14cd-47e3-a26b-4b4769f24af6
3status: test
4description: Detects suspicious process patterns found in logs when CrackMapExec is used
5references:
6 - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
7author: Florian Roth (Nextron Systems)
8date: 2022/03/12
9modified: 2023/02/13
10tags:
11 - attack.credential_access
12 - attack.t1003.001
13logsource:
14 product: windows
15 category: process_creation
16detection:
17 selection_lsass_dump1:
18 CommandLine|contains|all:
19 - 'tasklist /fi '
20 - 'Imagename eq lsass.exe'
21 CommandLine|contains:
22 - 'cmd.exe /c '
23 - 'cmd.exe /r '
24 - 'cmd.exe /k '
25 - 'cmd /c '
26 - 'cmd /r '
27 - 'cmd /k '
28 User|contains: # covers many language settings
29 - 'AUTHORI'
30 - 'AUTORI'
31 selection_lsass_dump2:
32 CommandLine|contains|all:
33 - 'do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump'
34 - '\Windows\Temp\'
35 - ' full'
36 - '%%B'
37 selection_procdump:
38 CommandLine|contains|all:
39 - 'tasklist /v /fo csv'
40 - 'findstr /i "lsass"'
41 condition: 1 of selection*
42falsepositives:
43 - Unknown
44level: high
References
Related rules
- Suspicious Renamed Comsvcs DLL Loaded By Rundll32
- LSASS Access Detected via Attack Surface Reduction
- LSASS Access From Non System Account
- Potentially Suspicious AccessMask Requested From LSASS
- Credential Dumping Activity By Python Based Tool