CrackMapExec patterns

rules/windows/file_event/file_event_win_crackmapexec_patterns.yml

@@ -0,0 +1,57 @@
+title: CrackMapExec File Creation Patterns
+id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
+description: Detects suspicious file creation patterns found in logs when CrackMapExec is used
+status: experimental
+author: Florian Roth
+references:
+    - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
+date: 2022/03/12
+tags:
+    - attack.credential_access
+    - attack.t1003.001
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection_lsass_dump1:
+        TargetFilename|startswith: 'C:\Windows\Temp\'
+        Image: 'C:\WINDOWS\system32\rundll32.exe'
+        User|contains: 
+            - 'NT AUTHORI'
+            - 'NT AUTORI'
+        TargetFilename|endswith:
+            - '.rtf'
+            - '.otf'
+            - '.odt'
+            - '.txt'
+            - '.doc'
+            - '.pdf'
+            - '.dll'
+            - '.docx'
+            - '.wpd'
+            - '.icns'
+            - '.db'
+            - '.ini'
+            - '.tex'
+            - '.sys'
+            - '.csv'
+            - '.fon'
+            - '.tar'
+            - '.ttf'
+            - '.xml'
+            - '.cfg'
+            - '.cpl'
+            - '.jpg'
+            - '.drv'
+            - '.cur'
+            - '.tmp'
+            # list is incomplete
+    selection_procdump:
+        TargetFilename: 'C:\Windows\Temp\procdump.exe'
+        User|contains: 
+            - 'NT AUTHO'
+            - 'NT AUTO'
+    condition: 1 of selection*
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml

@@ -0,0 +1,37 @@
+title: CrackMapExec Process Patterns
+id: f26307d8-14cd-47e3-a26b-4b4769f24af6
+description: Detects suspicious process patterns found in logs when CrackMapExec is used
+status: experimental
+author: Florian Roth
+references:
+    - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
+date: 2022/03/12
+tags:
+    - attack.credential_access
+    - attack.t1003.001
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_lsass_dump1:
+        CommandLine|contains|all:
+            - 'cmd.exe /c '
+            - 'tasklist /fi '
+            - 'Imagename eq lsass.exe'
+        User|contains: 
+            - 'NT AUTHO'
+            - 'NT AUTO'
+    selection_lsass_dump2:
+        CommandLine|contains|all:
+            - 'do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump'
+            - '\Windows\Temp\'
+            - ' full'
+            - '%%B'
+    selection_procdump:
+        CommandLine|contains|all:
+            - 'tasklist /v /fo csv' 
+            - 'findstr /i "lsass"'
+    condition: 1 of selection*
+falsepositives:
+    - Unknown
+level: high