title: HackTool - CrackMapExec Execution
id: 42a993dd-bb3e-48c8-b372-4d6684c4106c
status: test
description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
references:
- https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local
- https://www.mandiant.com/resources/telegram-malware-iranian-espionage
- https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz
- https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject
author: Florian Roth (Nextron Systems)
date: 2022-02-25
modified: 2023-03-08
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.credential-access
- attack.discovery
- attack.t1047
- attack.t1053
- attack.t1059.003
- attack.t1059.001
- attack.t1110
- attack.t1201
logsource:
category: process_creation
product: windows
detection:
selection_binary:
Image|endswith: '\crackmapexec.exe'
selection_special:
CommandLine|contains: ' -M pe_inject '
selection_execute:
CommandLine|contains|all:
- ' --local-auth'
- ' -u '
- ' -x '
selection_hash:
CommandLine|contains|all:
- ' --local-auth'
- ' -u '
- ' -p '
- " -H 'NTHASH'"
selection_module_mssql:
CommandLine|contains|all:
- ' mssql '
- ' -u '
- ' -p '
- ' -M '
- ' -d '
selection_module_smb1:
CommandLine|contains|all:
- ' smb '
- ' -u '
- ' -H '
- ' -M '
- ' -o '
selection_module_smb2:
CommandLine|contains|all:
- ' smb '
- ' -u '
- ' -p '
- ' --local-auth'
part_localauth_1:
CommandLine|contains|all:
- ' --local-auth'
- ' -u '
- ' -p '
part_localauth_2:
CommandLine|contains|all:
- ' 10.'
- ' 192.168.'
- '/24 '
condition: 1 of selection_* or all of part_localauth*
falsepositives:
- Unknown
level: high
title: Password Policy Enumerated
id: 12ba6a38-adb3-4d6b-91ba-a7fb248e3199
status: test
description: Detects when the password policy is enumerated.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661
- https://github.com/jpalanco/alienvault-ossim/blob/f74359c0c027e42560924b5cff25cdf121e5505a/os-sim/agent/src/ParserUtil.py#L951
author: Zach Mathis
date: 2023-05-19
tags:
- attack.discovery
- attack.t1201
logsource:
product: windows
service: security
definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64
detection:
selection:
EventID: 4661 # A handle to an object was requested.
AccessList|contains: '%%5392' # ReadPasswordParameters
ObjectServer: 'Security Account Manager'
condition: selection
level: medium
title: Cisco Discovery
id: 9705a6a1-6db6-4a16-a987-15b7151e299b
status: test
description: Find information about network devices that is not stored in config files
references:
- https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
- attack.discovery
- attack.t1083
- attack.t1201
- attack.t1057
- attack.t1018
- attack.t1082
- attack.t1016
- attack.t1049
- attack.t1033
- attack.t1124
logsource:
product: cisco
service: aaa
detection:
keywords:
- 'dir'
- 'show arp'
- 'show cdp'
- 'show clock'
- 'show ip interface'
- 'show ip route'
- 'show ip sockets'
- 'show processes'
- 'show ssh'
- 'show users'
- 'show version'
condition: keywords
falsepositives:
- Commonly used by administrators for troubleshooting
level: low
title: Password Policy Discovery - Linux
id: ca94a6db-8106-4737-9ed2-3e3bb826af0a
status: stable
description: Detects password policy discovery commands
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md
- https://linux.die.net/man/1/chage
- https://man7.org/linux/man-pages/man1/passwd.1.html
- https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu
author: Ömer Günal, oscd.community, Pawel Mazur
date: 2020-10-08
modified: 2024-12-01
tags:
- attack.discovery
- attack.t1201
logsource:
product: linux
service: auditd
detection:
selection_files:
type: 'PATH'
name:
- '/etc/login.defs'
- '/etc/pam.d/auth'
- '/etc/pam.d/common-account'
- '/etc/pam.d/common-auth'
- '/etc/pam.d/common-password'
- '/etc/pam.d/system-auth'
- '/etc/security/pwquality.conf'
selection_chage:
type: 'EXECVE'
a0: 'chage'
a1:
- '--list'
- '-l'
selection_passwd:
type: 'EXECVE'
a0: 'passwd'
a1:
- '-S'
- '--status'
condition: 1 of selection_*
falsepositives:
- Legitimate administration activities
level: low
title: Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
id: bbb9495b-58fc-4016-b9df-9a3a1b67ca82
status: test
description: Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy
- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
author: frack113
date: 2022-03-17
tags:
- attack.discovery
- attack.t1201
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: Get-AdDefaultDomainPasswordPolicy
condition: selection
falsepositives:
- Legitimate PowerShell scripts
level: low