PUA - Crassus Execution
Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
Sigma rule (View on GitHub)
1title: PUA - Crassus Execution
2id: 2c32b543-1058-4808-91c6-5b31b8bed6c5
3status: test
4description: Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
5references:
6 - https://github.com/vu-ls/Crassus
7author: pH-T (Nextron Systems)
8date: 2023/04/17
9tags:
10 - attack.discovery
11 - attack.t1590.001
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 - Image|endswith: '\Crassus.exe'
18 - OriginalFileName: 'Crassus.exe'
19 - Description|contains: 'Crassus'
20 condition: selection
21falsepositives:
22 - Unlikely
23level: high
References
Related rules
- HackTool - Certify Execution
- HackTool - Certipy Execution
- Potential Bucket Enumeration on AWS
- Github Self Hosted Runner Changes Detected
- PUA - Advanced IP/Port Scanner Update Check