From 96fae4be68faa1bad2c8cfa92b1e5a500e72d765 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Fri, 22 May 2020 00:50:37 +0200
Subject: [PATCH] Added CrachMapExec rules
---
.../win_susp_crackmapexec_execution.yml | 37 +++++++++++++++++++
...sp_crackmapexec_powershell_obfuscation.yml | 37 +++++++++++++++++++
2 files changed, 74 insertions(+)
create mode 100644 rules/windows/process_creation/win_susp_crackmapexec_execution.yml
create mode 100644 rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml
diff --git a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
new file mode 100644
index 000000000..ed8904ba2
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
@@ -0,0 +1,37 @@
+title: CrackMapExec Command Execution
+id: 058f4380-962d-40a5-afce-50207d36d7e2
+status: experimental
+description: Detect various execution methods of the CrackMapExec pentesting framework
+references:
+ - https://github.com/byt3bl33d3r/CrackMapExec
+tags:
+ - attack.execution
+ - attack.t1047
+ - attack.t1053
+ - attack.t1086
+author: Thomas Patzke
+date: 2020/05/22
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine:
+ # cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless)
+ - '*cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1'
+ # cme/protocols/smb/atexec.py:109 (fileless output via share)
+ - '*cmd.exe /C * > \\\\*\\*\\* 2>&1'
+ # cme/protocols/smb/atexec.py:111 (fileless output via share)
+ - '*cmd.exe /C * > *\\Temp\\* 2>&1'
+ # cme/helpers/powershell.py:139 (PowerShell execution with obfuscation)
+ - '*powershell.exe -exec bypass -noni -nop -w 1 -C "*'
+ # cme/helpers/powershell.py:149 (PowerShell execution without obfuscation)
+ - '*powershell.exe -noni -nop -w 1 -enc *'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml
new file mode 100644
index 000000000..0d9437038
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml
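Review bot: The third `CommandLine` pattern, `'*cmd.exe /C * > *\\Temp\\* 2>&1'`, is much broader than its siblings: any `cmd.exe /C` invocation whose output is redirected into a Temp directory with `2>&1` (logon scripts, installers, scheduled maintenance jobs) matches it, yet the rule fires at `level: high` with `falsepositives` left as `Unknown`. Recording the expected benign source there, e.g. `- Legitimate scripts or installers that redirect cmd.exe output into a Temp directory`, lets analysts triage hits on that pattern without re-deriving this. The per-pattern comments cite line numbers such as `cme/protocols/smb/atexec.py:109` without a commit pin, whereas the second file pins `0a49f75347b625e81ee6aa8c33d3970b5515ea9e` in its references; adding the same pinned permalink under `references` here keeps those line references resolvable after upstream changes.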
@@ -0,0 +1,37 @@
+title: CrackMapExec PowerShell Obfuscation
+id: 6f8b3439-a203-45dc-a88b-abf57ea15ccf
+status: experimental
+description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
+references:
+ - https://github.com/byt3bl33d3r/CrackMapExec
+ - https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242
+tags:
+ - attack.execution
+ - attack.t1086
+ - attack.defense_evasion
+ - attack.t1027
+author: Thomas Patzke
+date: 2020/05/22
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ powershell_execution:
+ CommandLine|contains: 'powershell.exe'
+ snippets:
+ CommandLine|contains:
+ - 'join*split'
+ # Line 343ff
+ - "( $ShellId[1]+$ShellId[13]+'x')"
+ - '( $PSHome[*]+$PSHOME[*]+'
+ - "( $env:Public[13]+$env:Public[5]+'x')"
+ - "( $env:ComSpec[4,*,25]-Join'')"
+ - "[1,3]+'x'-Join'')"
+ condition: powershell_execution and snippets
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
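Review bot: `'join*split'` in `snippets` is ORed with the CME-specific strings, so `condition: powershell_execution and snippets` raises a high-level alert on any `powershell.exe` command line in which "join" precedes "split", which legitimate one-liners using `-join` and `-split` also produce. Either move that value into its own selection that must co-occur with one of the concrete `$ShellId`/`$PSHome`/`$env:` snippets, or at least list it under `falsepositives`, e.g. `- PowerShell command lines that use -join and -split together`. The `description` also spells the framework as "CrachMapExec"; `CrackMapExec` matches the `title` and the references.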