← Back to Explore
sigmahighHunting
PUA - Crassus Execution
Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
Detection Query
selection:
- Image|endswith: \Crassus.exe
- OriginalFileName: Crassus.exe
- Description|contains: Crassus
condition: selection
Author
pH-T (Nextron Systems)
Created
2023-04-17
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.discoveryattack.reconnaissanceattack.t1590.001
Raw Content
title: PUA - Crassus Execution
id: 2c32b543-1058-4808-91c6-5b31b8bed6c5
status: test
description: Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
references:
- https://github.com/vu-ls/Crassus
author: pH-T (Nextron Systems)
date: 2023-04-17
tags:
- attack.discovery
- attack.reconnaissance
- attack.t1590.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\Crassus.exe'
- OriginalFileName: 'Crassus.exe'
- Description|contains: 'Crassus'
condition: selection
falsepositives:
- Unlikely
level: high