HackTool - CrackMapExec PowerShell Obfuscation

Sigma Rules

Summary
This detection rule targets the PowerShell obfuscation techniques employed by the CrackMapExec framework, a popular penetration testing tool. It checks for specific static strings commonly associated with the obfuscated PowerShell commands CrackMapExec uses to execute its attack techniques. The rule is scoped to process creation events for the PowerShell executables 'powershell.exe' and 'pwsh.exe', and inspects their command line arguments for patterns indicative of obfuscation. These patterns include manipulation of PowerShell environment variables and string operations that are often used to evade security detection. The rule aims to identify potential misuse of CrackMapExec in environments where it should not be present, helping analysts detect possible malicious activity stemming from this pentesting utility.
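To show how the matching logic described above behaves on real-looking telemetry, here is an added Python example that is not the rule's own YAML or any Sigma tooling. It reproduces the two-part selection (image ends with one of the PowerShell binaries, command line contains an obfuscation indicator) and runs it over constructed Sysmon-style process creation events. The indicator regexes are assumptions that approximate the two categories the summary names (indexing characters out of environment variables such as $env:ComSpec or $PSHome, and reassembling them with -Join or split); they are not the rule's actual string list.

```python
"""Toy re-implementation of the CrackMapExec PowerShell obfuscation match.

Added example, not the Sigma rule's own code. The indicator patterns are
constructed approximations of the categories the rule summary describes.
"""
import re
from typing import Dict, Iterable, List, Optional

# Image selection: the rule is scoped to the two PowerShell hosts.
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")

# Constructed indicators (assumption: approximations, not the rule's list).
#  - characters indexed out of an environment variable: $env:ComSpec[4,15,25]
#  - characters indexed out of PowerShell automatic variables: $PSHome[21]
#  - string reassembly with -Join '' or a join ... split sequence
OBFUSCATION_INDICATORS = [
    re.compile(r"\$env:[A-Za-z_]+\[\d+(?:,\d+)*\]", re.IGNORECASE),
    re.compile(r"\$(?:PSHome|ShellId)\[\d+\]", re.IGNORECASE),
    re.compile(r"-join\s*''", re.IGNORECASE),
    re.compile(r"\bjoin\b.*\bsplit\b", re.IGNORECASE),
]


def is_powershell(image: str) -> bool:
    """Sigma 'Image|endswith' over both PowerShell binaries, case-insensitive."""
    return image.lower().endswith(POWERSHELL_IMAGES)


def matched_indicators(command_line: str) -> List[str]:
    """Return the patterns that fire on the command line (empty list if none)."""
    return [p.pattern for p in OBFUSCATION_INDICATORS if p.search(command_line)]


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a matching process creation event, else None."""
    image = event.get("Image", "")
    if not is_powershell(image):
        return None          # image filter keeps cmd.exe and friends out
    hits = matched_indicators(event.get("CommandLine", ""))
    if not hits:
        return None          # ordinary PowerShell usage is not flagged
    return {"ProcessId": event.get("ProcessId"), "Image": image, "Indicators": hits}


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the rule over a stream of events and collect findings."""
    return [finding for finding in map(evaluate, events) if finding is not None]


# Constructed sample telemetry (Sysmon Event ID 1 shape), not real log data.
SAMPLE_EVENTS = [
    {   # benign scheduled script: PowerShell, but no obfuscation indicator
        "ProcessId": "4010",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    },
    {   # env-var index trick plus -Join'' assembly (two indicators fire)
        "ProcessId": "4022",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -c \"&( $env:ComSpec[4,15,25]-Join'')('Get-Process')\"",
    },
    {   # same idea via $PSHome indexing under pwsh.exe (one indicator fires)
        "ProcessId": "4031",
        "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "CommandLine": "pwsh.exe -c \"&($PSHome[21]+$PSHome[30]+'x')('Get-Date')\"",
    },
    {   # indicator-like text under cmd.exe: outside the rule's image scope
        "ProcessId": "4040",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c echo $env:ComSpec[4,15,25]",
    },
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Running the block reports process IDs 4022 and 4031 only: the benign script run is untouched, and the cmd.exe event is excluded by the image filter even though its command line carries an indicator string. That last case is the practical caveat of this rule: its coverage is bounded by the process image list, so obfuscated PowerShell launched through a different host (for example a .NET application embedding the engine) would need a separate rule.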
Categories
  • Endpoint
  • Windows
  • Cloud
Data Sources
  • Process
Created: 2020-05-22