Update win_susp_crackmapexec_execution.yml

This commit is contained in:
yugoslavskiy 2020-11-28 12:53:00 +01:00 committed by GitHub
parent 38e7853891
commit 5d7f42a4a6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -19,13 +19,27 @@ logsource:
product: windows
detection:
selection:
CommandLine|contains:
- CommandLine|contains|all:
# cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless)
- 'cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1'
- 'cmd.exe /Q /c'
- '1> \\\\'
- '\\'
- '\\'
- '2>&1'
- CommandLine|contains|all:
# cme/protocols/smb/atexec.py:109 (fileless output via share)
- 'cmd.exe /C * > \\\\*\\*\\* 2>&1'
- 'cmd.exe /C'
- '> \\\\'
- '\\'
- '\\'
- '2>&1'
- CommandLine|contains|all:
# cme/protocols/smb/atexec.py:111 (fileless output via share)
- 'cmd.exe /C * > *\\Temp\\* 2>&1'
- 'cmd.exe /C'
- '>'
- '\\Temp\\'
- '2>&1'
- CommandLine|contains:
# cme/helpers/powershell.py:139 (PowerShell execution with obfuscation)
- 'powershell.exe -exec bypass -noni -nop -w 1 -C "'
# cme/helpers/powershell.py:149 (PowerShell execution without obfuscation)
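Review bot: The two `'\\'` items in the first two `contains|all` lists are no-ops: under Sigma's escaping rules `'\\'` is a single literal backslash, which `'1> \\\\'` / `'> \\\\'` (the literal `\\` UNC prefix) already require, and because `all` is unordered the repeated fragment cannot reconstruct the `\\host\share\file` shape the removed wildcard patterns encoded. The same applies to `'>'` in the third list, which is implied by `'2>&1'`. The rewritten selections therefore match any `cmd.exe /C` line that merely contains `\Temp\` and `2>&1` in any order, which is broader than the original `> *\Temp\* 2>&1` and likely to fire on ordinary scripts redirecting to `%TEMP%`; if that is intended for a hunting rule it should be stated, e.g. `# |all loses the ordering of the wildcard pattern; fragments kept to UNC/Temp output redirection`, and the redundant `'\\'` and `'>'` items dropped so the remaining fragments are the ones actually constraining the match. The `falsepositives` and `level` fields are outside this hunk, so I cannot tell whether the broadening was accounted for there.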