PUA - Crassus Execution
Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
Sigma rule (View on GitHub)
1title: PUA - Crassus Execution
2id: 2c32b543-1058-4808-91c6-5b31b8bed6c5
3status: test
4description: Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
5references:
6 - https://github.com/vu-ls/Crassus
7author: pH-T (Nextron Systems)
8date: 2023-04-17
9tags:
10 - attack.discovery
11 - attack.reconnaissance
12 - attack.t1590.001
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 - Image|endswith: '\Crassus.exe'
19 - OriginalFileName: 'Crassus.exe'
20 - Description|contains: 'Crassus'
21 condition: selection
22falsepositives:
23 - Unlikely
24level: high
References
Related rules
- PUA - Advanced IP/Port Scanner Update Check
- Bitbucket User Permissions Export Attempt
- Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript