title: CrackMapExec Process Patterns
id: f26307d8-14cd-47e3-a26b-4b4769f24af6
description: Detects suspicious process patterns found in logs when CrackMapExec is used
status: experimental
author: Florian Roth
references:
    - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
date: 2022/03/12
tags:
    - attack.credential_access
    - attack.t1003.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_lsass_dump1:
        CommandLine|contains|all:
            - 'cmd.exe /c '
            - 'tasklist /fi '
            - 'Imagename eq lsass.exe'
        User|contains: 
            - 'NT AUTHO'
            - 'NT AUTO'
    selection_lsass_dump2:
        CommandLine|contains|all:
            - 'do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump'
            - '\Windows\Temp\'
            - ' full'
            - '%%B'
    selection_procdump:
        CommandLine|contains|all:
            - 'tasklist /v /fo csv' 
            - 'findstr /i "lsass"'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high