From 306bb438e3deeec2e35028ba5b2c7e37413eedc8 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 15 Mar 2022 18:05:04 +0100
Subject: [PATCH] CrackMapExec patterns

---
 .../file_event_win_crackmapexec_patterns.yml | 57 +++++++++++++++++++
 ...roc_creation_win_crackmapexec_patterns.yml | 37 ++++++++++++
 2 files changed, 94 insertions(+)
 create mode 100644 rules/windows/file_event/file_event_win_crackmapexec_patterns.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml

diff --git a/rules/windows/file_event/file_event_win_crackmapexec_patterns.yml b/rules/windows/file_event/file_event_win_crackmapexec_patterns.yml
new file mode 100644
index 000000000..597efe66a
--- /dev/null
+++ b/rules/windows/file_event/file_event_win_crackmapexec_patterns.yml
@@ -0,0 +1,57 @@
+title: CrackMapExec File Creation Patterns
+id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
+description: Detects suspicious file creation patterns found in logs when CrackMapExec is used
+status: experimental
+author: Florian Roth
+references:
+    - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
+date: 2022/03/12
+tags:
+    - attack.credential_access
+    - attack.t1003.001
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection_lsass_dump1:
+        TargetFilename|startswith: 'C:\Windows\Temp\'
+        Image: 'C:\WINDOWS\system32\rundll32.exe'
+        User|contains:
+            - 'NT AUTHORI'
+            - 'NT AUTORI'
+        TargetFilename|endswith:
+            - '.rtf'
+            - '.otf'
+            - '.odt'
+            - '.txt'
+            - '.doc'
+            - '.pdf'
+            - '.dll'
+            - '.docx'
+            - '.wpd'
+            - '.icns'
+            - '.db'
+            - '.ini'
+            - '.tex'
+            - '.sys'
+            - '.csv'
+            - '.fon'
+            - '.tar'
+            - '.ttf'
+            - '.xml'
+            - '.cfg'
+            - '.cpl'
+            - '.jpg'
+            - '.drv'
+            - '.cur'
+            - '.tmp'
+        # list is incomplete
+    selection_procdump:
+        TargetFilename: 'C:\Windows\Temp\procdump.exe'
+        User|contains:
+            - 'NT AUTHO'
+            - 'NT AUTO'
+    condition: 1 of selection*
+falsepositives:
+    - Unknown
+level: high
\ No newline at end of file
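Review bot: selection_lsass_dump1 and selection_procdump anchor every path to the C: drive (`TargetFilename|startswith: 'C:\Windows\Temp\'`, `Image: 'C:\WINDOWS\system32\rundll32.exe'`, `TargetFilename: 'C:\Windows\Temp\procdump.exe'`), so the same activity on a host whose system volume is not C: is not matched, while the process_creation rule in this commit matches `'\Windows\Temp\'` with contains; `Image|endswith: '\rundll32.exe'`, `TargetFilename|contains: '\Windows\Temp\'` and `TargetFilename|endswith: '\Windows\Temp\procdump.exe'` would keep both rules on the same footing. The User prefixes also differ between the two selections ('NT AUTHORI'/'NT AUTORI' versus 'NT AUTHO'/'NT AUTO') with no comment explaining why; if the shorter forms are meant to cover localized account names, a one-line comment such as `# truncated to match localized NT AUTHORITY variants` next to the first list would stop the next maintainer from "fixing" one list to match the other. Finally, falsepositives: Unknown on a level: high rule deserves at least a note that rundll32.exe running as SYSTEM presumably also drops .tmp, .ini, .xml or .dll files under Windows\Temp during software installation, so the extension list is where tuning is likely to happen.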
diff --git a/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml b/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml
new file mode 100644
index 000000000..121de7ae4
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml
@@ -0,0 +1,37 @@
+title: CrackMapExec Process Patterns
+id: f26307d8-14cd-47e3-a26b-4b4769f24af6
+description: Detects suspicious process patterns found in logs when CrackMapExec is used
+status: experimental
+author: Florian Roth
+references:
+    - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
+date: 2022/03/12
+tags:
+    - attack.credential_access
+    - attack.t1003.001
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_lsass_dump1:
+        CommandLine|contains|all:
+            - 'cmd.exe /c '
+            - 'tasklist /fi '
+            - 'Imagename eq lsass.exe'
+        User|contains:
+            - 'NT AUTHO'
+            - 'NT AUTO'
+    selection_lsass_dump2:
+        CommandLine|contains|all:
+            - 'do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump'
+            - '\Windows\Temp\'
+            - ' full'
+            - '%%B'
+    selection_procdump:
+        CommandLine|contains|all:
+            - 'tasklist /v /fo csv'
+            - 'findstr /i "lsass"'
+    condition: 1 of selection*
+falsepositives:
+    - Unknown
+level: high
\ No newline at end of file
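Review bot: selection_procdump is the only selection without a User filter, so a `tasklist /v /fo csv` piped into `findstr /i "lsass"` from any administrator's own session fires this level: high rule, while the other two selections require an NT AUTHORITY account; either add the same `User|contains` list there or record in falsepositives that administrators checking for lsass by hand will trigger it. selection_lsass_dump2 also hard-codes `C:\windows\System32\comsvcs.dll` inside a single contains token while the next token (`'\Windows\Temp\'`) is drive-agnostic; splitting it into `'do rundll32.exe '` and `'\comsvcs.dll, MiniDump'` matches the same command line regardless of the system drive and still matches everything the current token does. The `\ No newline at end of file` marker on both new rules is a minor point, but a trailing newline is the usual YAML convention and avoids noise in later diffs.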