Florian Roth
57 lines
1.5 KiB
YAML
57 lines
1.5 KiB
YAML
title: CrackMapExec File Creation Patterns
|
|
id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
|
|
description: Detects suspicious file creation patterns found in logs when CrackMapExec is used
|
|
status: experimental
|
|
author: Florian Roth
|
|
references:
|
|
- https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
|
|
date: 2022/03/12
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1003.001
|
|
logsource:
|
|
product: windows
|
|
category: file_event
|
|
detection:
|
|
selection_lsass_dump1:
|
|
TargetFilename|startswith: 'C:\Windows\Temp\'
|
|
Image: 'C:\WINDOWS\system32\rundll32.exe'
|
|
User|contains:
|
|
- 'NT AUTHORI'
|
|
- 'NT AUTORI'
|
|
TargetFilename|endswith:
|
|
- '.rtf'
|
|
- '.otf'
|
|
- '.odt'
|
|
- '.txt'
|
|
- '.doc'
|
|
- '.pdf'
|
|
- '.dll'
|
|
- '.docx'
|
|
- '.wpd'
|
|
- '.icns'
|
|
- '.db'
|
|
- '.ini'
|
|
- '.tex'
|
|
- '.sys'
|
|
- '.csv'
|
|
- '.fon'
|
|
- '.tar'
|
|
- '.ttf'
|
|
- '.xml'
|
|
- '.cfg'
|
|
- '.cpl'
|
|
- '.jpg'
|
|
- '.drv'
|
|
- '.cur'
|
|
- '.tmp'
|
|
# list is incomplete
|
|
selection_procdump:
|
|
TargetFilename: 'C:\Windows\Temp\procdump.exe'
|
|
User|contains:
|
|
- 'NT AUTHO'
|
|
- 'NT AUTO'
|
|
condition: 1 of selection*
|
|
falsepositives:
|
|
- Unknown
|
|
level: high |