2020-05-21 22:50:37 +00:00
|
|
|
title: CrackMapExec PowerShell Obfuscation
|
|
|
|
id: 6f8b3439-a203-45dc-a88b-abf57ea15ccf
|
|
|
|
status: experimental
|
|
|
|
description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
|
|
|
|
references:
|
|
|
|
- https://github.com/byt3bl33d3r/CrackMapExec
|
|
|
|
- https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242
|
|
|
|
tags:
|
|
|
|
- attack.execution
|
2020-06-16 20:46:08 +00:00
|
|
|
- attack.t1059.001
|
2020-09-05 17:35:21 +00:00
|
|
|
- attack.defense_evasion
|
|
|
|
- attack.t1027.005
|
|
|
|
- attack.t1027 # an old one
|
|
|
|
- attack.t1086 # an old one
|
2020-05-21 22:50:37 +00:00
|
|
|
author: Thomas Patzke
|
|
|
|
date: 2020/05/22
|
|
|
|
logsource:
|
|
|
|
category: process_creation
|
|
|
|
product: windows
|
|
|
|
detection:
|
|
|
|
powershell_execution:
|
|
|
|
CommandLine|contains: 'powershell.exe'
|
|
|
|
snippets:
|
|
|
|
CommandLine|contains:
|
|
|
|
- 'join*split'
|
|
|
|
# Line 343ff
|
|
|
|
- "( $ShellId[1]+$ShellId[13]+'x')"
|
|
|
|
- '( $PSHome[*]+$PSHOME[*]+'
|
|
|
|
- "( $env:Public[13]+$env:Public[5]+'x')"
|
|
|
|
- "( $env:ComSpec[4,*,25]-Join'')"
|
|
|
|
- "[1,3]+'x'-Join'')"
|
|
|
|
condition: powershell_execution and snippets
|
|
|
|
fields:
|
|
|
|
- ComputerName
|
|
|
|
- User
|
|
|
|
- CommandLine
|
|
|
|
falsepositives:
|
|
|
|
- Unknown
|
|
|
|
level: high
|