
HackTool - CrackMapExec Execution

Rule format: sigma · Level: HIGH · Source: SigmaHQ
ATT&CK techniques: T1047, T1053, T1059.003, T1059.001, T1110, T1201
Data source: imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-08T23:00:01Z · Confidence: medium

Hunt Hypothesis

This rule detects common CrackMapExec command-line flag combinations so that its use is caught even when the binary itself has been replaced.

Detection Rule

Sigma (Original)

title: HackTool - CrackMapExec Execution
id: 42a993dd-bb3e-48c8-b372-4d6684c4106c
status: test
description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
references:
    - https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local
    - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
    - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz
    - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject
author: Florian Roth (Nextron Systems)
date: 2022-02-25
modified: 2023-03-08
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege-escalation
    - attack.credential-access
    - attack.discovery
    - attack.t1047
    - attack.t1053
    - attack.t1059.003
    - attack.t1059.001
    - attack.t1110
    - attack.t1201
logsource:
    category: process_creation
    product: windows
detection:
    selection_binary:
        Image|endswith: '\crackmapexec.exe'
    selection_special:
        CommandLine|contains: ' -M pe_inject '
    selection_execute:
        CommandLine|contains|all:
            - ' --local-auth'
            - ' -u '
            - ' -x '
    selection_hash:
        CommandLine|contains|all:
            - ' --local-auth'
            - ' -u '
            - ' -p '
            - " -H 'NTHASH'"
    selection_module_mssql:
        CommandLine|contains|all:
            - ' mssql '
            - ' -u '
            - ' -p '
            - ' -M '
            - ' -d '
    selection_module_smb1:
        CommandLine|contains|all:
            - ' smb '
            - ' -u '
            - ' -H '
            - ' -M '
            - ' -o '
    selection_module_smb2:
        CommandLine|contains|all:
            - ' smb '
            - ' -u '
            - ' -p '
            - ' --local-auth'
    part_localauth_1:
        CommandLine|contains|all:
            - ' --local-auth'
            - ' -u '
            - ' -p '
    part_localauth_2:
        CommandLine|contains|all:
            - ' 10.'
            - ' 192.168.'
            - '/24 '
    condition: 1 of selection_* or all of part_localauth*
falsepositives:
    - Unknown
level: high
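As an added example (not the SigmaHQ rule's own code or tooling), the following Python re-implements the detection block above and runs it over constructed process-creation events: one where a renamed binary is caught by selection_module_smb2, one where nothing but the two part_localauth blocks match, one where a mixed-case image name is caught because Sigma matching is case-insensitive, and one benign command. All image paths, command lines and the <user>/<pass> values are constructed placeholders.

```python
# Added example (not SigmaHQ's code): evaluates this rule's detection block over constructed
# process_creation events. Sigma contains/endswith is case-insensitive, so both sides are lower-cased.
SELECTIONS = {
    "selection_binary": ("Image", "endswith", ["\\crackmapexec.exe"]),
    "selection_special": ("CommandLine", "contains", [" -M pe_inject "]),
    "selection_execute": ("CommandLine", "contains", [" --local-auth", " -u ", " -x "]),
    "selection_hash": ("CommandLine", "contains", [" --local-auth", " -u ", " -p ", " -H 'NTHASH'"]),
    "selection_module_mssql": ("CommandLine", "contains", [" mssql ", " -u ", " -p ", " -M ", " -d "]),
    "selection_module_smb1": ("CommandLine", "contains", [" smb ", " -u ", " -H ", " -M ", " -o "]),
    "selection_module_smb2": ("CommandLine", "contains", [" smb ", " -u ", " -p ", " --local-auth"]),
    "part_localauth_1": ("CommandLine", "contains", [" --local-auth", " -u ", " -p "]),
    "part_localauth_2": ("CommandLine", "contains", [" 10.", " 192.168.", "/24 "]),
}

def _selection_matches(event, field, modifier, values):
    """Every listed value must match (Sigma contains|all; endswith carries one value)."""
    haystack = str(event.get(field, "")).lower()
    if modifier == "endswith":
        return all(haystack.endswith(v.lower()) for v in values)
    return all(v.lower() in haystack for v in values)

def matched_selections(event):
    # names of every selection_* / part_* block the event satisfies, in rule order
    return [name for name, (field, mod, vals) in SELECTIONS.items()
            if _selection_matches(event, field, mod, vals)]

def rule_fires(event):
    """condition: 1 of selection_* or all of part_localauth*"""
    hits = set(matched_selections(event))
    one_of_selection = any(h.startswith("selection_") for h in hits)
    all_parts = {"part_localauth_1", "part_localauth_2"} <= hits
    return one_of_selection or all_parts

SAMPLE_EVENTS = {  # constructed; <user> and <pass> are placeholders, not real values
    # renamed binary caught by selection_module_smb2; part_localauth_2 needs " 10." AND " 192.168."
    "renamed_smb_localauth": {"Image": "C:\\Tools\\cme.exe",
        "CommandLine": "cme.exe smb 10.0.0.0/24 -u <user> -p <pass> --local-auth"},
    # no selection_* block matches; fires only because both part_localauth blocks do
    "renamed_two_ranges": {"Image": "C:\\Tools\\scan.exe",
        "CommandLine": "scan.exe --local-auth -u <user> -p <pass> 192.168.1.0/24 10.0.0.7"},
    # original file name in mixed case: selection_binary matches case-insensitively
    "original_name_mixed_case": {"Image": "C:\\Tools\\CrackMapExec.EXE",
        "CommandLine": "CrackMapExec.EXE --help"},
    # benign command line: no block matches
    "benign_net_use": {"Image": "C:\\Windows\\System32\\net.exe",
        "CommandLine": "net.exe use \\\\fileserver\\share /user:<user>"},
}

for label, ev in SAMPLE_EVENTS.items():
    print(f"{label:26} fires={rule_fires(ev)!s:5} hits={matched_selections(ev)}")
```

Note that part_localauth_2 only matches when " 10." and " 192.168." both appear in one command line, so a single-range sweep is caught by the selection_* blocks rather than by the part_localauth branch.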

KQL (Azure Sentinel)

imProcessCreate
| where (
    TargetProcessName endswith "\\crackmapexec.exe"
    or TargetProcessCommandLine contains " -M pe_inject "
    or (TargetProcessCommandLine contains " --local-auth" and TargetProcessCommandLine contains " -u " and TargetProcessCommandLine contains " -x ")
    or (TargetProcessCommandLine contains " --local-auth" and TargetProcessCommandLine contains " -u " and TargetProcessCommandLine contains " -p " and TargetProcessCommandLine contains " -H 'NTHASH'")
    or (TargetProcessCommandLine contains " mssql " and TargetProcessCommandLine contains " -u " and TargetProcessCommandLine contains " -p " and TargetProcessCommandLine contains " -M " and TargetProcessCommandLine contains " -d ")
    or (TargetProcessCommandLine contains " smb " and TargetProcessCommandLine contains " -u " and TargetProcessCommandLine contains " -H " and TargetProcessCommandLine contains " -M " and TargetProcessCommandLine contains " -o ")
    or (TargetProcessCommandLine contains " smb " and TargetProcessCommandLine contains " -u " and TargetProcessCommandLine contains " -p " and TargetProcessCommandLine contains " --local-auth")
  )
  or (
    (TargetProcessCommandLine contains " --local-auth" and TargetProcessCommandLine contains " -u " and TargetProcessCommandLine contains " -p ")
    and (TargetProcessCommandLine contains " 10." and TargetProcessCommandLine contains " 192.168." and TargetProcessCommandLine contains "/24 ")
  )

Required Data Sources

Sentinel Table | Notes
imProcessCreate | Ensure this data connector is enabled

False Positive Guidance

The rule declares its false positives as Unknown (see the falsepositives field above); no tuning guidance is supplied by the source.

MITRE ATT&CK Context

Tactics: Execution, Persistence, Privilege Escalation, Credential Access, Discovery
Techniques: T1047 (Windows Management Instrumentation), T1053 (Scheduled Task/Job), T1059.001 (PowerShell), T1059.003 (Windows Command Shell), T1110 (Brute Force), T1201 (Password Policy Discovery)

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml