HackTool - CrackMapExec PowerShell Obfuscation
The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
Sigma rule (View on GitHub)
1title: HackTool - CrackMapExec PowerShell Obfuscation
2id: 6f8b3439-a203-45dc-a88b-abf57ea15ccf
3status: test
4description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
5references:
6 - https://github.com/byt3bl33d3r/CrackMapExec
7 - https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242
8author: Thomas Patzke
9date: 2020-05-22
10modified: 2023-02-21
11tags:
12 - attack.execution
13 - attack.t1059.001
14 - attack.defense-evasion
15 - attack.t1027.005
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_img:
21 - Image|endswith:
22 - '\powershell.exe'
23 - '\pwsh.exe'
24 - OriginalFileName:
25 - 'PowerShell.EXE'
26 - 'pwsh.dll'
27 selection_cli:
28 CommandLine|contains:
29 - 'join*split'
30 # Line 343ff
31 - '( $ShellId[1]+$ShellId[13]+''x'')'
32 - '( $PSHome[*]+$PSHOME[*]+'
33 - '( $env:Public[13]+$env:Public[5]+''x'')'
34 - '( $env:ComSpec[4,*,25]-Join'''')'
35 - '[1,3]+''x''-Join'''')'
36 condition: all of selection_*
37fields:
38 - ComputerName
39 - User
40 - CommandLine
41falsepositives:
42 - Unknown
43level: high
References
-
A swiss army knife for pentesting networks. Contribute to byt3bl33d3r/CrackMapExec development by creating an account on GitHub.
Read More -
A swiss army knife for pentesting networks. Contribute to byt3bl33d3r/CrackMapExec development by creating an account on GitHub.
Read More
Related rules
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Detection of PowerShell Execution via Sqlps.exe
- Execute Code with Pester.bat
- Execute Code with Pester.bat as Parent
- Greenbug Espionage Group Indicators