
HackTool - CrackMapExec Process Patterns

Format: Sigma · Level: HIGH · Source: SigmaHQ · Technique: T1003.001 · Sentinel table: imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-08T23:00:01Z · Confidence: medium

Hunt Hypothesis

Detects suspicious process patterns found in logs when CrackMapExec is used

Detection Rule

Sigma (Original)

title: HackTool - CrackMapExec Process Patterns
id: f26307d8-14cd-47e3-a26b-4b4769f24af6
status: test
description: Detects suspicious process patterns found in logs when CrackMapExec is used
references:
    - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
author: Florian Roth (Nextron Systems)
date: 2022-03-12
modified: 2023-02-13
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_lsass_dump1:
        CommandLine|contains|all:
            - 'tasklist /fi '
            - 'Imagename eq lsass.exe'
        CommandLine|contains:
            - 'cmd.exe /c '
            - 'cmd.exe /r '
            - 'cmd.exe /k '
            - 'cmd /c '
            - 'cmd /r '
            - 'cmd /k '
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    selection_lsass_dump2:
        CommandLine|contains|all:
            - 'do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump'
            - '\Windows\Temp\'
            - ' full'
            - '%%B'
    selection_procdump:
        CommandLine|contains|all:
            - 'tasklist /v /fo csv'
            - 'findstr /i "lsass"'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
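To show how the three selections combine under the condition `1 of selection*`, here is an added Python evaluator (not part of the SigmaHQ rule or of this feed) that applies the rule's own strings to a few constructed process-creation events. It assumes Sigma defaults: `contains` is case-insensitive and `contains|all` requires every listed value; `EVENTS` are synthetic, not real telemetry.

```python
"""Evaluate the Sigma rule above over constructed process-creation events.
Matching follows Sigma defaults: 'contains' is case-insensitive and
'contains|all' requires every value; keys within one selection are ANDed."""
from typing import Dict, List

# Selections transcribed from the rule as (field, mode, values) clauses.
RULE = {
    "selection_lsass_dump1": [
        ("CommandLine", "all", ["tasklist /fi ", "Imagename eq lsass.exe"]),
        ("CommandLine", "any", ["cmd.exe /c ", "cmd.exe /r ", "cmd.exe /k ",
                                "cmd /c ", "cmd /r ", "cmd /k "]),
        ("User", "any", ["AUTHORI", "AUTORI"]),  # covers many language settings
    ],
    "selection_lsass_dump2": [
        ("CommandLine", "all", [
            "do rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump",
            "\\Windows\\Temp\\", " full", "%%B"]),
    ],
    "selection_procdump": [
        ("CommandLine", "all", ["tasklist /v /fo csv", 'findstr /i "lsass"']),
    ],
}

def _contains(field_value: str, needle: str) -> bool:
    return needle.lower() in field_value.lower()

def selection_matches(event: Dict[str, str], clauses) -> bool:
    """True when every clause of the selection holds for this event."""
    for field, mode, values in clauses:
        hits = [_contains(event.get(field, ""), v) for v in values]
        if mode == "all" and not all(hits):
            return False
        if mode == "any" and not any(hits):
            return False
    return True

def evaluate(event: Dict[str, str]) -> List[str]:
    """Names of selections that fire; '1 of selection*' means any non-empty list is a hit."""
    return [name for name, clauses in RULE.items() if selection_matches(event, clauses)]

# Constructed sample events (synthetic, not real telemetry).
EVENTS = [
    {"User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": 'cmd.exe /c tasklist /fi "Imagename eq lsass.exe"'},
    {"User": "CORP\\alice",  # same command, but not a SYSTEM-like account
     "CommandLine": 'cmd.exe /c tasklist /fi "Imagename eq lsass.exe"'},
    {"User": "CORP\\bob",
     "CommandLine": 'cmd.exe /c tasklist /v /fo csv | findstr /i "lsass"'},
    {"User": "CORP\\bob", "CommandLine": "tasklist /v /fo csv"},  # plain listing
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(evaluate(ev) or "no match", "<-", ev["CommandLine"])
```

Note that the second event shows why the `User` clause matters: the same command line from a non-SYSTEM account does not fire `selection_lsass_dump1`.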

KQL (Azure Sentinel)

imProcessCreate
| where (
        (TargetProcessCommandLine contains "tasklist /fi " and TargetProcessCommandLine contains "Imagename eq lsass.exe")
        and (TargetProcessCommandLine contains "cmd.exe /c " or TargetProcessCommandLine contains "cmd.exe /r " or TargetProcessCommandLine contains "cmd.exe /k "
             or TargetProcessCommandLine contains "cmd /c " or TargetProcessCommandLine contains "cmd /r " or TargetProcessCommandLine contains "cmd /k ")
        and (TargetUsername contains "AUTHORI" or TargetUsername contains "AUTORI")
    )
    or (TargetProcessCommandLine contains "do rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump" and TargetProcessCommandLine contains "\\Windows\\Temp\\"
        and TargetProcessCommandLine contains " full" and TargetProcessCommandLine contains "%%B")
    or (TargetProcessCommandLine contains "tasklist /v /fo csv" and TargetProcessCommandLine contains "findstr /i \"lsass\"")

Required Data Sources

Sentinel Table: imProcessCreate
Notes: Ensure this data connector is enabled

False Positive Guidance

The rule lists its false positives as unknown. Because selection_lsass_dump1 keys on a cmd /c, /r or /k wrapper around tasklist /fi "Imagename eq lsass.exe" run under a SYSTEM-like account, any scheduled or monitoring script that does exactly that will also match, so baseline such jobs per host before alerting at high severity.

MITRE ATT&CK Context

Tactic: Credential Access (attack.credential-access). Technique: T1003.001, OS Credential Dumping: LSASS Memory (attack.t1003.001).

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml