64 lines
1.7 KiB
YAML
64 lines
1.7 KiB
YAML
|
|
title: Impacket Tool Execution
|
|
author: Florian Roth
|
|
date: 2021/07/24
|
|
description: Detects the execution of different compiled Windows binaries of the impacket
|
|
toolset (based on names or part of their names - could lead to false positives)
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 1
|
|
SELECTION_2:
|
|
Image:
|
|
- '*\goldenPac*'
|
|
- '*\karmaSMB*'
|
|
- '*\kintercept*'
|
|
- '*\ntlmrelayx*'
|
|
- '*\rpcdump*'
|
|
- '*\samrdump*'
|
|
- '*\secretsdump*'
|
|
- '*\smbexec*'
|
|
- '*\smbrelayx*'
|
|
- '*\wmiexec*'
|
|
- '*\wmipersist*'
|
|
SELECTION_3:
|
|
Image:
|
|
- '*\atexec_windows.exe'
|
|
- '*\dcomexec_windows.exe'
|
|
- '*\dpapi_windows.exe'
|
|
- '*\findDelegation_windows.exe'
|
|
- '*\GetADUsers_windows.exe'
|
|
- '*\GetNPUsers_windows.exe'
|
|
- '*\getPac_windows.exe'
|
|
- '*\getST_windows.exe'
|
|
- '*\getTGT_windows.exe'
|
|
- '*\GetUserSPNs_windows.exe'
|
|
- '*\ifmap_windows.exe'
|
|
- '*\mimikatz_windows.exe'
|
|
- '*\netview_windows.exe'
|
|
- '*\nmapAnswerMachine_windows.exe'
|
|
- '*\opdump_windows.exe'
|
|
- '*\psexec_windows.exe'
|
|
- '*\rdp_check_windows.exe'
|
|
- '*\sambaPipe_windows.exe'
|
|
- '*\smbclient_windows.exe'
|
|
- '*\smbserver_windows.exe'
|
|
- '*\sniffer_windows.exe'
|
|
- '*\sniff_windows.exe'
|
|
- '*\split_windows.exe'
|
|
- '*\ticketer_windows.exe'
|
|
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
|
|
falsepositives:
|
|
- Legitimate use of the impacket tools
|
|
id: 4627c6ae-6899-46e2-aa0c-6ebcb1becd19
|
|
level: high
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
references:
|
|
- https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries
|
|
status: experimental
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1557.001
|
|
ruletype: SIGMA
|