title: Impacket Tool Execution
author: Florian Roth
date: 2021/07/24
description: Detects the execution of different compiled Windows binaries of the impacket
  toolset (based on names or part of their names - could lead to false positives)
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image:
    - '*\goldenPac*'
    - '*\karmaSMB*'
    - '*\kintercept*'
    - '*\ntlmrelayx*'
    - '*\rpcdump*'
    - '*\samrdump*'
    - '*\secretsdump*'
    - '*\smbexec*'
    - '*\smbrelayx*'
    - '*\wmiexec*'
    - '*\wmipersist*'
  SELECTION_3:
    Image:
    - '*\atexec_windows.exe'
    - '*\dcomexec_windows.exe'
    - '*\dpapi_windows.exe'
    - '*\findDelegation_windows.exe'
    - '*\GetADUsers_windows.exe'
    - '*\GetNPUsers_windows.exe'
    - '*\getPac_windows.exe'
    - '*\getST_windows.exe'
    - '*\getTGT_windows.exe'
    - '*\GetUserSPNs_windows.exe'
    - '*\ifmap_windows.exe'
    - '*\mimikatz_windows.exe'
    - '*\netview_windows.exe'
    - '*\nmapAnswerMachine_windows.exe'
    - '*\opdump_windows.exe'
    - '*\psexec_windows.exe'
    - '*\rdp_check_windows.exe'
    - '*\sambaPipe_windows.exe'
    - '*\smbclient_windows.exe'
    - '*\smbserver_windows.exe'
    - '*\sniffer_windows.exe'
    - '*\sniff_windows.exe'
    - '*\split_windows.exe'
    - '*\ticketer_windows.exe'
  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- Legitimate use of the impacket tools
id: 4627c6ae-6899-46e2-aa0c-6ebcb1becd19
level: high
logsource:
  category: process_creation
  product: windows
references:
- https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries
status: experimental
tags:
- attack.execution
- attack.t1557.001
ruletype: SIGMA