Added CrachMapExec rules

rules/windows/process_creation/win_susp_crackmapexec_execution.yml

@@ -0,0 +1,37 @@
+title: CrackMapExec Command Execution
+id: 058f4380-962d-40a5-afce-50207d36d7e2
+status: experimental
+description: Detect various execution methods of the CrackMapExec pentesting framework
+references:
+    - https://github.com/byt3bl33d3r/CrackMapExec
+tags:
+    - attack.execution
+    - attack.t1047
+    - attack.t1053
+    - attack.t1086
+author: Thomas Patzke
+date: 2020/05/22
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine:
+            # cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless)
+            - '*cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1'
+            # cme/protocols/smb/atexec.py:109 (fileless output via share)
+            - '*cmd.exe /C * > \\\\*\\*\\* 2>&1'
+            # cme/protocols/smb/atexec.py:111 (fileless output via share)
+            - '*cmd.exe /C * > *\\Temp\\* 2>&1'
+            # cme/helpers/powershell.py:139 (PowerShell execution with obfuscation)
+            - '*powershell.exe -exec bypass -noni -nop -w 1 -C "*'
+            # cme/helpers/powershell.py:149 (PowerShell execution without obfuscation)
+            - '*powershell.exe -noni -nop -w 1 -enc *'
+    condition: selection
+fields:
+    - ComputerName
+    - User
+    - CommandLine
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml

@@ -0,0 +1,37 @@
+title: CrackMapExec PowerShell Obfuscation
+id: 6f8b3439-a203-45dc-a88b-abf57ea15ccf
+status: experimental
+description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
+references:
+    - https://github.com/byt3bl33d3r/CrackMapExec
+    - https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242
+tags:
+    - attack.execution
+    - attack.t1086
+    - attack.defense_evasion
+    - attack.t1027
+author: Thomas Patzke
+date: 2020/05/22
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    powershell_execution:
+        CommandLine|contains: 'powershell.exe'
+    snippets:
+        CommandLine|contains:
+            - 'join*split'
+            # Line 343ff
+            - "( $ShellId[1]+$ShellId[13]+'x')"
+            - '( $PSHome[*]+$PSHOME[*]+'
+            - "( $env:Public[13]+$env:Public[5]+'x')"
+            - "( $env:ComSpec[4,*,25]-Join'')"
+            - "[1,3]+'x'-Join'')"
+    condition: powershell_execution and snippets
+fields:
+    - ComputerName
+    - User
+    - CommandLine
+falsepositives:
+    - Unknown
+level: high