rules/apt/apt_dragonfly.yml

title: CrackMapExecWin
id: 04d9079e-3905-4b70-ad37-6bdf11304965
description: Detects CrackMapExecWin Activity as Described by NCSC
status: experimental
references:
    - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
tags:
    - attack.g0035
author: Markus Neis
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image:
            - '*\crackmapexec.exe'
    condition: selection
falsepositives: 
    - None 
level: critical
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`title: CrackMapExecWin`
			`id: 04d9079e-3905-4b70-ad37-6bdf11304965`
added NCSC CrackMapExecWin Description in apt_dragonfly.yml 2018-04-08 17:10:00 +02:00			`description: Detects CrackMapExecWin Activity as Described by NCSC`
			`status: experimental`
			`references:`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`- https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control`
Add tags to APT rules 2018-07-25 09:50:01 +02:00			`tags:`
			`- attack.g0035`
added NCSC CrackMapExecWin Description in apt_dragonfly.yml 2018-04-08 17:10:00 +02:00			`author: Markus Neis`
			`logsource:`
updated to use process_creation 2019-03-02 21:05:15 +03:00			`category: process_creation`
added NCSC CrackMapExecWin Description in apt_dragonfly.yml 2018-04-08 17:10:00 +02:00			`product: windows`
			`detection:`
updated to use process_creation 2019-03-02 21:05:15 +03:00			`selection:`
added NCSC CrackMapExecWin Description in apt_dragonfly.yml 2018-04-08 17:10:00 +02:00			`Image:`
			`- '*\crackmapexec.exe'`
updated to use process_creation 2019-03-02 21:05:15 +03:00			`condition: selection`
			`falsepositives:`
			`- None`
			`level: critical`