title: CrackMapExecWin id: 04d9079e-3905-4b70-ad37-6bdf11304965 description: Detects CrackMapExecWin Activity as Described by NCSC status: experimental references: - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control tags: - attack.g0035 author: Markus Neis date: 2018/04/08 logsource: category: process_creation product: windows detection: selection: Image|endswith: - '\crackmapexec.exe' condition: selection falsepositives: - None level: critical