detection.wiki

Detection rules › Sigma

HackTool - CrackMapExec PowerShell Obfuscation

Severity
high
Author
Thomas Patzke
Source
upstream

The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1059.001 Command and Scripting Interpreter: PowerShell
Defense EvasionT1027.005 Obfuscated Files or Information: Indicator Removal from Tools

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: all of selection_img

or:
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
OriginalFileName: PowerShell.EXE
OriginalFileName: pwsh.dll

Stage 2: all of selection_cli

or:
CommandLine|contains: '( $PSHome[*]+$PSHOME[*]+'
CommandLine|contains: '( $ShellId[1]+$ShellId[13]+''x'')'
CommandLine|contains: '( $env:ComSpec[4,*,25]-Join'''')'
CommandLine|contains: '( $env:Public[13]+$env:Public[5]+''x'')'
CommandLine|contains: '[1,3]+''x''-Join'''')'
CommandLine|contains: 'join*split'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • ( $PSHome[*]+$PSHOME[*]+
  • ( $ShellId[1]+$ShellId[13]+'x')
  • ( $env:ComSpec[4,*,25]-Join'')
  • ( $env:Public[13]+$env:Public[5]+'x')
  • [1,3]+'x'-Join'')
  • join*split
Imageends_with
  • \powershell.exe corpus 143 (sigma 143)
  • \pwsh.exe corpus 140 (sigma 140)
OriginalFileNameeq
  • PowerShell.EXE corpus 64 (sigma 60, splunk 4)
  • pwsh.dll corpus 72 (sigma 68, splunk 4)