Windows CrackMapExec execution patterns

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects command line patterns associated with CrackMapExec execution, a post-exploitation tool commonly used for lateral movement within Windows environments.

Strategy

This rule monitors Windows event logs for specific command line patterns that are characteristic of CrackMapExec usage. The detection focuses on the distinctive command structures CrackMapExec emits when it executes commands on remote systems via Windows Management Instrumentation (WMI), scheduled tasks, or PowerShell. These command structures are built to capture the output of the executed command and return it to the attacker while minimizing visibility to the logged-on user.
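To make the strategy concrete, the following is an added example of the kind of command line matching described above, run over a few constructed process-creation events. It is not Datadog's rule logic and the page does not list the exact patterns the rule matches; the two patterns below are assumptions based on CrackMapExec's publicly documented default execution methods (wrapping the command in cmd.exe and redirecting its output to a file under the ADMIN$ share, or launching a hidden, policy-bypassing PowerShell). The event field names (Host, User, ParentImage, CommandLine) are also assumed, loosely mirroring a Sysmon or 4688 record.

```python
"""Toy detector for CrackMapExec-style command lines.

Added example, not Datadog's rule. Patterns are assumed from CrackMapExec's
public default execution methods; sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed patterns (not taken from the page).
PATTERNS = {
    # cmd.exe /Q /c <cmd> 1> \\<host>\ADMIN$\__<timestamp> 2>&1
    # Output of the remote command is redirected to a file on the ADMIN$ share
    # so the operator can read it back over SMB (WMI/SMB execution style).
    "output-redirect-to-admin-share": re.compile(
        r"cmd(?:\.exe)?\s+/Q\s+/c\s+.+?\s+1>\s*\\\\[^\\\s]+\\ADMIN\$\\__[\d.]+\s+2>&1",
        re.IGNORECASE,
    ),
    # powershell.exe -exec bypass -noni -nop -w 1 -C "<cmd>"  (or -enc <base64>)
    # Non-interactive, no profile, hidden window, execution policy bypassed.
    "powershell-hidden-bypass": re.compile(
        r"powershell(?:\.exe)?\s+-exec\s+bypass\s+-noni\s+-nop\s+-w\s+1\s+-(?:C|enc)\b",
        re.IGNORECASE,
    ),
}


@dataclass
class Hit:
    """One matched event plus the context a triage analyst wants first."""
    host: str
    user: str
    parent: str
    technique: str
    command_line: str


def classify(command_line: str) -> Optional[str]:
    """Return the name of the first matching pattern, or None if benign-looking."""
    for name, rx in PATTERNS.items():
        if rx.search(command_line):
            return name
    return None


def scan(events):
    """Run classify() over process-creation events and keep the matches."""
    hits = []
    for ev in events:
        technique = classify(ev["CommandLine"])
        if technique:
            hits.append(Hit(ev["Host"], ev["User"], ev["ParentImage"],
                            technique, ev["CommandLine"]))
    return hits


# Constructed sample events: two CrackMapExec-style lines, two ordinary ones.
SAMPLE_EVENTS = [
    {"Host": "ws01", "User": "CORP\\svc_backup",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": r'cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1'},
    {"Host": "ws01", "User": "CORP\\alice",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": r'cmd.exe /c dir C:\Users > C:\Temp\out.txt'},
    {"Host": "srv02", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": r'powershell.exe -exec bypass -noni -nop -w 1 -C "Get-Process"'},
    {"Host": "srv02", "User": "CORP\\bob",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": r'powershell.exe -NoProfile -File C:\scripts\backup.ps1'},
]

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"[{h.technique}] host={h.host} user={h.user} parent={h.parent}")
        print(f"    {h.command_line}")
```

The parent image is carried through on purpose: a cmd.exe spawned by WmiPrvSE.exe or a service host, rather than by an interactive shell, is the ancestry clue the triage steps below ask you to check, and an ordinary redirect to a local file (the second sample) does not fire because it lacks the ADMIN$ share target.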

Triage & Response

  • Examine the full command line content to understand what actions were executed on {{host}}.
  • Analyze the context of the execution, including the user account that initiated the command and the process ancestry.
  • Review network connections established around the time of execution to identify potential lateral movement attempts.
  • Check for other indicators of compromise such as suspicious PowerShell scripts, unexpected scheduled tasks, or unusual WMI operations.
  • Investigate which systems the affected host communicated with around the time of detection.