← Back to Explore
sigmahighHunting
HackTool - CrackMapExec Process Patterns
Detects suspicious process patterns found in logs when CrackMapExec is used
Detection Query
selection_lsass_dump1:
CommandLine|contains|all:
- "tasklist /fi "
- Imagename eq lsass.exe
CommandLine|contains:
- "cmd.exe /c "
- "cmd.exe /r "
- "cmd.exe /k "
- "cmd /c "
- "cmd /r "
- "cmd /k "
User|contains:
- AUTHORI
- AUTORI
selection_lsass_dump2:
CommandLine|contains|all:
- do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump
- \Windows\Temp\
- " full"
- "%%B"
selection_procdump:
CommandLine|contains|all:
- tasklist /v /fo csv
- findstr /i "lsass"
condition: 1 of selection*
Author
Florian Roth (Nextron Systems)
Created
2022-03-12
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.credential-accessattack.t1003.001
Raw Content
title: HackTool - CrackMapExec Process Patterns
id: f26307d8-14cd-47e3-a26b-4b4769f24af6
status: test
description: Detects suspicious process patterns found in logs when CrackMapExec is used
references:
- https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
author: Florian Roth (Nextron Systems)
date: 2022-03-12
modified: 2023-02-13
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection_lsass_dump1:
CommandLine|contains|all:
- 'tasklist /fi '
- 'Imagename eq lsass.exe'
CommandLine|contains:
- 'cmd.exe /c '
- 'cmd.exe /r '
- 'cmd.exe /k '
- 'cmd /c '
- 'cmd /r '
- 'cmd /k '
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
selection_lsass_dump2:
CommandLine|contains|all:
- 'do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump'
- '\Windows\Temp\'
- ' full'
- '%%B'
selection_procdump:
CommandLine|contains|all:
- 'tasklist /v /fo csv'
- 'findstr /i "lsass"'
condition: 1 of selection*
falsepositives:
- Unknown
level: high