valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
7e732a2a89
SigmaHQ/rules/apt/apt_dragonfly.yml

39 lines
1.1 KiB
YAML
Executable File
Raw Blame History

---
action: global
title: CrackMapExecWin
description: Detects CrackMapExecWin Activity as Described by NCSC
status: experimental
references:
- https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
tags:
- attack.g0035
author: Markus Neis
detection:
condition: 1 of them
falsepositives:
- None
level: critical
---
# Windows Audit Log
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection1:
# Does not require group policy 'Audit Process Creation' > Include command line in process creation events
EventID: 4688
NewProcessName:
- '*\crackmapexec.exe'
---
# Sysmon
logsource:
product: windows
service: sysmon
detection:
selection1:
# Does not require group policy 'Audit Process Creation' > Include command line in process creation events
EventID: 1
Image:
- '*\crackmapexec.exe'
Reference in New Issue View Git Blame Copy Permalink