SigmaHQ/rules/apt/apt_dragonfly.yml

---
action: global
title: CrackMapExecWin 
description: Detects CrackMapExecWin Activity as Described by NCSC
status: experimental
references:
    - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control 
tags:
    - attack.g0035
author: Markus Neis
detection:
    condition: 1 of them
falsepositives: 
    - None 
level: critical
---
# Windows Audit Log
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
    selection1:
        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
        EventID: 4688
        NewProcessName:
            - '*\crackmapexec.exe'
---
# Sysmon
logsource:
    product: windows
    service: sysmon
detection:
    selection1:
        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
        EventID: 1
        Image:
            - '*\crackmapexec.exe'