phantinuss
32169dbc33
also a simple (non-commprehensive) test case to find usages of localized user names
38 lines
1.1 KiB
YAML
38 lines
1.1 KiB
YAML
title: CrackMapExec Process Patterns
|
|
id: f26307d8-14cd-47e3-a26b-4b4769f24af6
|
|
description: Detects suspicious process patterns found in logs when CrackMapExec is used
|
|
status: experimental
|
|
author: Florian Roth
|
|
references:
|
|
- https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
|
|
date: 2022/03/12
|
|
modified: 2022/05/27
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1003.001
|
|
logsource:
|
|
product: windows
|
|
category: process_creation
|
|
detection:
|
|
selection_lsass_dump1:
|
|
CommandLine|contains|all:
|
|
- 'cmd.exe /c '
|
|
- 'tasklist /fi '
|
|
- 'Imagename eq lsass.exe'
|
|
User|contains: # covers many language settings
|
|
- 'AUTHORI'
|
|
- 'AUTORI'
|
|
selection_lsass_dump2:
|
|
CommandLine|contains|all:
|
|
- 'do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump'
|
|
- '\Windows\Temp\'
|
|
- ' full'
|
|
- '%%B'
|
|
selection_procdump:
|
|
CommandLine|contains|all:
|
|
- 'tasklist /v /fo csv'
|
|
- 'findstr /i "lsass"'
|
|
condition: 1 of selection*
|
|
falsepositives:
|
|
- Unknown
|
|
level: high |