SigmaHQ/rules/apt/apt_dragonfly.yml

title: CrackMapExecWin 
description: Detects CrackMapExecWin Activity as Described by NCSC
status: experimental
references:
    - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control 
tags:
    - attack.g0035
author: Markus Neis
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image:
            - '*\crackmapexec.exe'
    condition: selection
falsepositives: 
    - None 
level: critical
added NCSC CrackMapExecWin Description in apt_dragonfly.yml 2018-04-08 15:10:00 +00:00			`title: CrackMapExecWin`
			`description: Detects CrackMapExecWin Activity as Described by NCSC`
			`status: experimental`
			`references:`
			`- https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control`
Add tags to APT rules 2018-07-25 07:50:01 +00:00			`tags:`
			`- attack.g0035`
added NCSC CrackMapExecWin Description in apt_dragonfly.yml 2018-04-08 15:10:00 +00:00			`author: Markus Neis`
			`logsource:`
updated to use process_creation 2019-03-02 18:05:15 +00:00			`category: process_creation`
added NCSC CrackMapExecWin Description in apt_dragonfly.yml 2018-04-08 15:10:00 +00:00			`product: windows`
			`detection:`
updated to use process_creation 2019-03-02 18:05:15 +00:00			`selection:`
added NCSC CrackMapExecWin Description in apt_dragonfly.yml 2018-04-08 15:10:00 +00:00			`Image:`
			`- '*\crackmapexec.exe'`
updated to use process_creation 2019-03-02 18:05:15 +00:00			`condition: selection`
			`falsepositives:`
			`- None`
			`level: critical`