SigmaHQ/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml
2020-05-22 00:50:37 +02:00

38 lines
1.2 KiB
YAML

title: CrackMapExec PowerShell Obfuscation
id: 6f8b3439-a203-45dc-a88b-abf57ea15ccf
status: experimental
description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
references:
- https://github.com/byt3bl33d3r/CrackMapExec
- https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242
tags:
- attack.execution
- attack.t1086
- attack.defense_evasion
- attack.t1027
author: Thomas Patzke
date: 2020/05/22
logsource:
category: process_creation
product: windows
detection:
powershell_execution:
CommandLine|contains: 'powershell.exe'
snippets:
CommandLine|contains:
- 'join*split'
# Line 343ff
- "( $ShellId[1]+$ShellId[13]+'x')"
- '( $PSHome[*]+$PSHOME[*]+'
- "( $env:Public[13]+$env:Public[5]+'x')"
- "( $env:ComSpec[4,*,25]-Join'')"
- "[1,3]+'x'-Join'')"
condition: powershell_execution and snippets
fields:
- ComputerName
- User
- CommandLine
falsepositives:
- Unknown
level: high