Impacket AtExec Process Activity

calendar Apr 16, 2023 · attack.s0357 attack.execution attack.t1053 attack.t1053.002  ·
Share on: linkedin copy

Detect Atexec.py (Impacket) usage to send command output to attacker.

Sigma rule (View on GitHub)

 1title: Impacket AtExec Process Activity
 2id: ceccdcd7-ab57-407c-bd8f-78b2427eb283
 3status: experimental
 4description: Detect Atexec.py (Impacket) usage to send command output to attacker.
 5references:
 6    - https://www.13cubed.com/downloads/impacket_exec_commands_cheat_sheet.pdf
 7    - https://www.hackingarticles.in/impacket-guide-smb-msrpc/
 8author: Micah Babinski
 9date: 2023/01/08
10tags:
11    - attack.s0357
12    - attack.execution
13    - attack.t1053
14    - attack.t1053.002
15logsource:
16    product: windows
17    service: security
18detection:
19    selection:
20        EventID: 4688
21        NewProcessName|endswith: '\cmd.exe'
22        CommandLine|contains|all|windash:
23            - 'cmd.exe'
24            - '/c'
25            - 2>&1
26        CommandLine|re: '^.*Temp\\[A-Za-z]{8}\.tmp.*$'
27    condition: selection
28falsepositives:
29    - Unknown
30level: high

References

Related rules

to-top