title: Impacket Lateralization Detection
author: Ecco, oscd.community, Jonhnathan Ribeiro
date: 2019/09/03
description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        CommandLine: '*cmd.exe*'
    SELECTION_3:
        CommandLine: '*&1*'
    SELECTION_4:
        ParentImage: '*\wmiprvse.exe'
    SELECTION_5:
        ParentImage: '*\mmc.exe'
    SELECTION_6:
        ParentImage: '*\explorer.exe'
    SELECTION_7:
        ParentImage: '*\services.exe'
    SELECTION_8:
        CommandLine: '*/Q*'
    SELECTION_9:
        CommandLine: '*/c*'
    SELECTION_10:
        CommandLine: '*\\\\127.0.0.1\\*'
    SELECTION_11:
        ParentCommandLine: '*svchost.exe -k netsvcs*'
    SELECTION_12:
        ParentCommandLine: '*taskeng.exe*'
    SELECTION_13:
        CommandLine: '*/C*'
    SELECTION_14:
        CommandLine: '*Windows\Temp\\*'
    condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (((SELECTION_4 or SELECTION_5 or SELECTION_6 or SELECTION_7) and SELECTION_8 and SELECTION_9 and SELECTION_10) or ((SELECTION_11 or SELECTION_12) and SELECTION_13 and SELECTION_14)))
falsepositives:
    - pentesters
fields:
    - CommandLine
    - ParentCommandLine
id: 10c14723-61c7-4c75-92ca-9af245723ad2
level: critical
logsource:
    category: process_creation
    product: windows
modified: 2020/09/01
references:
    - https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py
    - https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py
    - https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py
    - https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py
status: experimental
tags:
    - attack.execution
    - attack.t1047
    - attack.lateral_movement
    - attack.t1175
    - attack.t1021.003
    - attack.t1021
yml_filename: win_impacket_lateralization.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
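Added example, not part of the rule file or the Sigma project: a small Python evaluator that applies the rule's selections and condition to process_creation events (dicts of Sysmon fields), using Sigma's wildcard and backslash-escape semantics and case-insensitive whole-value matching. The sample events are constructed to resemble the two branches of the rule (wmiexec-style output redirection to \\127.0.0.1\, and an atexec-style scheduled-task child writing under Windows\Temp) plus a benign "2>&1" redirect that must not fire; the function `impacket_lateralization` returns the rule's verdict for one event and `alerts` lists the indices that trigger it.

```python
import re

# The rule's 14 selections as (field, Sigma pattern); raw strings keep Sigma's backslash escaping.
SELECTIONS = {
    "SELECTION_1": ("EventID", "1"), "SELECTION_2": ("CommandLine", "*cmd.exe*"),
    "SELECTION_3": ("CommandLine", "*&1*"), "SELECTION_4": ("ParentImage", r"*\wmiprvse.exe"),
    "SELECTION_5": ("ParentImage", r"*\mmc.exe"), "SELECTION_6": ("ParentImage", r"*\explorer.exe"),
    "SELECTION_7": ("ParentImage", r"*\services.exe"), "SELECTION_8": ("CommandLine", "*/Q*"),
    "SELECTION_9": ("CommandLine", "*/c*"), "SELECTION_10": ("CommandLine", r"*\\\\127.0.0.1\\*"),
    "SELECTION_11": ("ParentCommandLine", "*svchost.exe -k netsvcs*"), "SELECTION_14": ("CommandLine", r"*Windows\Temp\\*"),
    "SELECTION_12": ("ParentCommandLine", "*taskeng.exe*"), "SELECTION_13": ("CommandLine", "*/C*"),
}

def sigma_to_regex(pattern):
    # Sigma wildcards: '*' any text, '?' one char; '\\' is a literal backslash, '\*' a literal '*'.
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "\\*?":
            out.append(re.escape(pattern[i + 1])); i += 2        # escaped backslash or wildcard
        else:
            out.append({"*": ".*", "?": "."}.get(c, re.escape(c))); i += 1   # lone '\' is literal
    return "".join(out)

def field_matches(event, field, pattern):
    # Sigma string matching is case-insensitive and must cover the whole field value.
    return field in event and re.fullmatch(sigma_to_regex(pattern), str(event[field]), re.I | re.S) is not None

def impacket_lateralization(event):
    s = {name: field_matches(event, f, p) for name, (f, p) in SELECTIONS.items()}
    # wmiexec/dcomexec/smbexec branch: cmd.exe /Q /c ... with output redirected to \\127.0.0.1\...
    remote_exec = ((s["SELECTION_4"] or s["SELECTION_5"] or s["SELECTION_6"] or s["SELECTION_7"])
                   and s["SELECTION_8"] and s["SELECTION_9"] and s["SELECTION_10"])
    # atexec branch: task-scheduler child (svchost -k netsvcs / taskeng) writing under Windows\Temp
    atexec = (s["SELECTION_11"] or s["SELECTION_12"]) and s["SELECTION_13"] and s["SELECTION_14"]
    return s["SELECTION_1"] and s["SELECTION_2"] and s["SELECTION_3"] and (remote_exec or atexec)

# Constructed Sysmon Event ID 1 records (not real captures): one per rule branch, plus a benign "2>&1" case.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1600000000.12 2>&1"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs",
     "CommandLine": r"cmd.exe /C whoami > C:\Windows\Temp\ABCDEFGH.tmp 2>&1"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c build.bat > C:\Users\alice\build.log 2>&1"},
]

def alerts(events):
    return [i for i, e in enumerate(events) if impacket_lateralization(e)]  # -> [0, 1]
```

The third event shows why SELECTION_3 alone is not enough: the rule only fires when the redirect is combined with the `/Q /c` plus loopback-UNC pattern or with a task-scheduler parent writing under Windows\Temp.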