When adversaries run CrackMapExec against a host, its modules and execution methods drop files with predictable name patterns; these file creation events can indicate lateral movement or command and control activity. SOC teams should proactively hunt for them in Azure Sentinel to identify and mitigate early-stage compromise attempts.
Detection Rule
title: HackTool - CrackMapExec File Indicators
id: 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a
related:
    - id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
      type: obsolete
status: test
description: Detects file creation events with filename patterns used by CrackMapExec.
references:
    - https://github.com/byt3bl33d3r/CrackMapExec/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-11
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: file_event
detection:
    selection_path:
        TargetFilename|startswith: 'C:\Windows\Temp\' # The disk extension is hardcoded in the tool.
    selection_names_str:
        TargetFilename|endswith:
            - '\temp.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/keepass_trigger.py#L42C41-L42C68
            - '\msol.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/msol.py#L48C98-L48C106
    selection_names_re:
        - TargetFilename|re: '\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.txt$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/wmi/wmiexec.py#L86
        - TargetFilename|re: '\\[a-zA-Z]{8}\.tmp$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/smb/atexec.py#L145C19-L146
    condition: selection_path and 1 of selection_names_*
falsepositives:
    - Unknown
level: high
Azure Sentinel Query (KQL)
imFileEvent
| where TargetFileName startswith "C:\\Windows\\Temp\\"
    and (
        (TargetFileName endswith "\\temp.ps1" or TargetFileName endswith "\\msol.ps1")
        or (TargetFileName matches regex "\\\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\.txt$"
            or TargetFileName matches regex "\\\\[a-zA-Z]{8}\\.tmp$")
    )
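To make the rule's logic concrete, the following is an added Python example (not part of the Sigma rule, the Sentinel query, or the CrackMapExec project) that applies the same path-prefix, suffix and regex tests to a handful of constructed file-event records. It mirrors the semantics of both versions above: startswith/endswith are case-insensitive, while the regex tests are case-sensitive as written.

```python
import re

# Path prefix from selection_path, compared case-insensitively (lowercase form).
TEMP_PREFIX = "c:\\windows\\temp\\"
# Fixed suffixes from selection_names_str, compared case-insensitively.
NAME_SUFFIXES = ("\\temp.ps1", "\\msol.ps1")
# Regex patterns from selection_names_re; case-sensitive, like Sigma 're' without
# the 'i' flag and like KQL 'matches regex'.
NAME_PATTERNS = (
    re.compile(r"\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.txt$"),
    re.compile(r"\\[a-zA-Z]{8}\.tmp$"),
)


def matches_cme_file_indicator(target_filename: str) -> bool:
    """Return True when a file path satisfies
    'selection_path and 1 of selection_names_*'."""
    lowered = target_filename.lower()
    if not lowered.startswith(TEMP_PREFIX):
        return False  # outside C:\Windows\Temp\ -> never alerts
    if lowered.endswith(NAME_SUFFIXES):
        return True   # selection_names_str
    return any(p.search(target_filename) for p in NAME_PATTERNS)  # selection_names_re


def hunt(events):
    """Filter a list of file-event dicts down to those the rule would flag."""
    return [e for e in events if matches_cme_file_indicator(e["TargetFileName"])]


# Constructed sample events (not real telemetry); the GUID and 8-letter name are made up.
SAMPLE_EVENTS = [
    {"TargetFileName": r"C:\Windows\Temp\temp.ps1"},                                   # hit
    {"TargetFileName": r"C:\Windows\Temp\MSOL.ps1"},                                   # hit (suffix is case-insensitive)
    {"TargetFileName": r"C:\Windows\Temp\3f2a9c1e-7b4d-4e8a-9c0d-1a2b3c4d5e6f.txt"},   # hit (wmiexec-style GUID name)
    {"TargetFileName": r"C:\Windows\Temp\kWqZxPrT.tmp"},                               # hit (atexec-style 8-letter name)
    {"TargetFileName": r"C:\Windows\Temp\setup.exe"},                                  # miss: name not in the rule
    {"TargetFileName": r"C:\Windows\Temp\abc.tmp"},                                    # miss: only 3 letters before .tmp
    {"TargetFileName": r"C:\Users\alice\AppData\Local\Temp\temp.ps1"},                 # miss: wrong directory
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT", hit["TargetFileName"])
```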
Scenario: Scheduled Job for System Maintenance
Description: A legitimate scheduled task runs a script that creates temporary files with names similar to CrackMapExec patterns (e.g., cme.exe, crackmapexec.exe).
Filter/Exclusion: Exclude files created by scheduled tasks with known names or paths (e.g., C:\Windows\Tasks\, C:\ProgramData\).
Scenario: Admin Tool for Network Discovery
Description: An administrator uses a legitimate network discovery tool (e.g., nmap, arp -a) that generates temporary files with names resembling CrackMapExec.
Filter/Exclusion: Exclude files created in directories commonly used by network tools (e.g., C:\Users\Administrator\AppData\Local\Temp\, C:\Windows\System32\).
Scenario: File Creation During Software Installation
Description: A legitimate software installation process creates temporary files with names that match CrackMapExec patterns (e.g., setup.exe, install.exe).
Filter/Exclusion: Exclude files created in installation directories (e.g., C:\Program Files\, C:\Users\*\Downloads\).
Scenario: User-Initiated File Transfer
Description: A user transfers a file named crackmapexec.exe from a trusted source (e.g., a shared drive or internal repository) to a workstation.
Filter/Exclusion: Exclude files with known hashes or signed by trusted internal sources (e.g., using file_hash or signer fields).
Scenario: Log File Generation by Security Tools
Description: A security tool (e.g., Sysmon, Windows Defender) generates log files with names that resemble CrackMapExec patterns.
Filter/Exclusion: Exclude files created in log directories (