PUA - Crassus Execution
Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
Sigma rule (View on GitHub)
1title: PUA - Crassus Execution
2id: 2c32b543-1058-4808-91c6-5b31b8bed6c5
3status: test
4description: Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
5references:
6 - https://github.com/vu-ls/Crassus
7author: pH-T (Nextron Systems)
8date: 2023-04-17
9tags:
10 - attack.discovery
11 - attack.t1590.001
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 - Image|endswith: '\Crassus.exe'
18 - OriginalFileName: 'Crassus.exe'
19 - Description|contains: 'Crassus'
20 condition: selection
21falsepositives:
22 - Unlikely
23level: high
References
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AD Groups Or Users Enumeration Using PowerShell - PoshModule
- AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
- AD Privileged Users or Groups Reconnaissance