From 69671733a8441e88e4eef3f9b22ccf8d63a12daa Mon Sep 17 00:00:00 2001
From: root
Date: Sun, 8 Apr 2018 17:10:00 +0200
Subject: [PATCH] added NCSC CrackMapExecWin Description in apt_dragonfly.yml

---
 rules/apt/apt_dragonfly.yml | 45 +++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 rules/apt/apt_dragonfly.yml

diff --git a/rules/apt/apt_dragonfly.yml b/rules/apt/apt_dragonfly.yml
new file mode 100644
index 000000000..e65945a23
--- /dev/null
+++ b/rules/apt/apt_dragonfly.yml
@@ -0,0 +1,45 @@
+
+action: global
+title: CrackMapExecWin
+description: Detects CrackMapExecWin Activity as Described by NCSC
+status: experimental
+references:
+    - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
+author: Markus Neis
+detection:
+    selection1:
+        CommandLine:
+            - '*\crackmapexec.exe'
+    condition: 1 of them
+falsepositives:
+    - None
+level: critical
+---
+# Windows Audit Log
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection1:
+        # Requires group policy 'Audit Process Creation' > Include command line in process creation events
+        EventID: 4688
+    selection2:
+        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
+        EventID: 4688
+        NewProcessName:
+            - '*\crackmapexec.exe'
+---
+# Sysmon
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        # Requires group policy 'Audit Process Creation' > Include command line in process creation events
+        EventID: 1
+    selection2:
+        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
+        EventID: 1
+        Image:
+            - '*\crackmapexec.exe'
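Review bot: The two comments in the Sysmon section, `# Requires group policy 'Audit Process Creation' > Include command line in process creation events` on selection1 and its `# Does not require ...` counterpart on selection2, are carried over from the Security-log section and do not describe Sysmon EventID 1, which records CommandLine and Image without that audit-policy prerequisite; replace both with a single `# Sysmon EventID 1 records CommandLine and Image without additional audit policy`. Every selection in the rule matches only the literal image name `*\crackmapexec.exe`, so `falsepositives: - None` overstates precision while the real limitation goes unstated — the rule covers the default binary name only, and the global `description` should say so rather than implying full coverage of the NCSC-described activity. The `description:` key placed under the Security-log `logsource` block looks like it was meant to be the Sigma `definition` key, which is the field the Sigma specification uses for logsource requirement notes; worth checking against the project's other rules before merge. The leading empty `+` line at the top of the file before `action: global` appears unintended.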