Merge pull request #77 from yt0ng/sigma-yt0ng

added NCSC CrackMapExecWin Description in apt_dragonfly.yml
2024-11-07 09:48:58 +00:00 · 2018-04-08 23:21:49 +02:00 · 2018-04-08 23:21:49 +02:00 · 35d43c5ed9
commit 35d43c5ed9
parent 4183b1b59e 69671733a8
1 changed files with 45 additions and 0 deletions
--- a/rules/apt/apt_dragonfly.yml
+++ b/rules/apt/apt_dragonfly.yml
@ -0,0 +1,45 @@
+
+action: global
+title: CrackMapExecWin 
+description: Detects CrackMapExecWin Activity as Described by NCSC
+status: experimental
+references:
+    - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control 
+author: Markus Neis
+detection:
+    selection1:
+        CommandLine:
+            - '*\crackmapexec.exe'
+    condition: 1 of them
+falsepositives: 
+    - None 
+level: critical
+---
+# Windows Audit Log
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection1:
+        # Requires group policy 'Audit Process Creation' > Include command line in process creation events
+        EventID: 4688
+    selection2:
+        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
+        EventID: 4688
+        NewProcessName:
+            - '*\crackmapexec.exe'
+---
+# Sysmon
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        # Requires group policy 'Audit Process Creation' > Include command line in process creation events
+        EventID: 1
+    selection2:
+        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
+        EventID: 1
+        Image:
+            - '*\crackmapexec.exe'