
Detecting Hashcat

Rule added on 30th April, 2024

Rule type:

Correlation

Rule description:

Hashcat is a widely used open-source password recovery tool, used both by cybersecurity specialists and by adversaries to crack hashed passwords. Attackers may run Hashcat against hashes taken from target systems to obtain plaintext passwords, which they then use for malicious activities such as account compromise and access to sensitive data.

Impact:

It can be used by adversaries in the following ways:

  • Credential theft
  • Privilege escalation
  • Operational disruption

Data source:

Windows:

Required configuration: The rule is based on process creation and termination events. Prerequisites are installing and configuring Sysmon, enabling the process creation audit policy, and enabling command line auditing.

Relevant MITRE ATT&CK techniques and tactics:

Tactic: TA0006 - Credential Access

Technique: T1003 - Brute Force

Sub-technique: T1110.002 - Password Cracking

Criteria:

((Command line contains -m) AND (Command line contains -a)) AND ((Parent process name ends with windows\system32\windowspowershell\v1.0\powershell.exe OR Parent process name ends with windows\sysWow64\windowspowershell\v1.0\powershell.exe OR Parent process name ends with WINNT\system32\windowspowershell\v1.0\powershell.exe) OR (Parent process name ends with windows\system32\cmd.exe OR Parent process name ends with windows\sysWOW64\cmd.exe OR Parent process name ends with WINNT\system32\cmd.exe)) AND (Process name contains hashcat)

'-a', '-m', 'windows\system32\windowspowershell\v1.0\powershell.exe' or 'windows\sysWow64\windowspowershell\v1.0\powershell.exe', 'windows\system32\cmd.exe' - These are the command-line options and parent processes the rule keys on. '-m' designates the type of hash to be cracked and '-a' the attack mode, such as a dictionary attack. The parent process condition matches when Hashcat is launched from 'powershell.exe' or 'cmd.exe' located in the 'System32' or 'SysWOW64' directory of the Windows operating system.
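The correlation criteria above, written out as a check over Sysmon process creation records (an added example, not code from the rule page or its vendor; the field names Image, ParentImage and CommandLine follow Sysmon's Event ID 1 schema, and the sample events are constructed):

```python
# Added example, not from the rule page: the criteria above as a check over constructed
# Sysmon Event ID 1 records (field names Image, ParentImage, CommandLine follow Sysmon).
SHELL_PARENT_SUFFIXES = (
    r"windows\system32\windowspowershell\v1.0\powershell.exe",
    r"windows\syswow64\windowspowershell\v1.0\powershell.exe",
    r"winnt\system32\windowspowershell\v1.0\powershell.exe",
    r"windows\system32\cmd.exe",
    r"windows\syswow64\cmd.exe",
    r"winnt\system32\cmd.exe",
)

def matches_hashcat_rule(event: dict) -> bool:
    """Apply the correlation criteria to one process-creation record: command line
    contains both -m and -a, parent is cmd.exe/powershell.exe from a system directory,
    and the image name contains 'hashcat'. Case-insensitive, as Windows paths are."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    flags_present = "-m" in cmd and "-a" in cmd  # 'contains', exactly as the rule states
    shell_parent = parent.endswith(SHELL_PARENT_SUFFIXES)
    return flags_present and shell_parent and "hashcat" in image

# Constructed sample events: one true positive and two the rule must not fire on.
SAMPLE_EVENTS = {
    "hashcat_from_cmd": {
        "Image": r"C:\Tools\hashcat\hashcat.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"hashcat.exe -m 1000 -a 0 ntlm_hashes.txt wordlist.txt",
    },
    "hashcat_from_explorer": {  # same command, but the parent is not a shell
        "Image": r"C:\Tools\hashcat\hashcat.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"hashcat.exe -m 1000 -a 0 ntlm_hashes.txt wordlist.txt",
    },
    "benchmark_only": {  # launched from PowerShell, but no -m/-a on the command line
        "Image": r"C:\Tools\hashcat\hashcat.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"hashcat.exe --benchmark",
    },
}

def evaluate_samples() -> dict:
    """Run every sample through the rule; maps sample name to whether it alerts."""
    return {name: matches_hashcat_rule(ev) for name, ev in SAMPLE_EVENTS.items()}

if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name}: {'ALERT' if fired else 'no alert'}")
```

Only the first sample alerts; the other two show the two conditions (shell parent, -m plus -a) that must hold in addition to the process name.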

When to enable this rule:

Enabling this rule will help you meet the security standards' requirements listed below:

Security standards (NIST CSF 2.0):

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

When this rule is triggered, you're notified when Hashcat is being used within the network. This enables you to stop the runtime activity and prevent credential theft.

PR.PS-05: Installation and execution of unauthorized software are prevented

When this rule is triggered, you're notified when hashcat is being used within the network. This enables you to take prompt action by executing workflows to stop the malicious process and place stronger access control measures.

PR.AA-03: Users, services, and hardware are authenticated

When this rule is triggered, you're notified when Hashcat is being used within the network. This could mean credentials have been compromised, and enables you to investigate the compromised accounts and stop lateral movement.

Known false positives: Hashcat is also used by cybersecurity professionals and pentesters to assess the security posture of organizations.

Next steps:

When this alert is triggered, the following measures can be implemented:

  • Identification: Identify the alert as a new incident or within an ongoing incident.
  • Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
  • Response: Respond promptly by initiating an automated workflow to cease the malicious process.
  • Implement multi-factor authentication (MFA): Implement MFA to provide an additional layer of security for network resources and data.