Possible Impacket DCOMExec Connection Attempt - Zeek

calendar Sep 1, 2023 · attack.s0357 attack.execution attack.lateral_movement attack.t1021 attack.t1021.003  ·
Share on: linkedin copy

Detects attempts to connect via DCOM Endpoints, as used by Impacket DCOMExec. This event will occur on successful or unsuccessful attempts using any of the three DCOMExec -object options.

Sigma rule (View on GitHub)

 1title: Possible Impacket DCOMExec Connection Attempt - Zeek
 2id: f6127748-4656-435f-b07c-c624f8f18812
 3status: experimental
 4description: Detects attempts to connect via DCOM Endpoints, as used by Impacket DCOMExec. This event will occur on successful or unsuccessful attempts using any of the three DCOMExec -object options.
 5references:
 6    - https://github.com/fortra/impacket/blob/master/impacket/dcerpc/v5/dcomrt.py
 7    - https://tools.thehacker.recipes/impacket
 8    - https://riccardoancarani.github.io/2020-05-10-hunting-for-impacket/
 9    - https://wadcoms.github.io/wadcoms/Impacket-DCOMExec/
10author: Micah Babinski
11date: 2023/01/08
12tags:
13    - attack.s0357
14    - attack.execution
15    - attack.lateral_movement
16    - attack.t1021
17    - attack.t1021.003
18logsource:
19    product: zeek
20    service: dce_rpc
21detection:
22    selection:
23        operation: RemoteCreateInstance
24        endpoint: IRemoteSCMActivator
25        id.resp_p: 135
26        named_pipe: 135
27    condition: selection
28fields:
29    - id.orig_h
30falsepositives:
31    - Unknown
32level: low```

References

  • impacket/impacket/dcerpc/v5/dcomrt.py at master · fortra/impacket

    Impacket is a collection of Python classes for working with network protocols. - fortra/impacket


    Read More

  • Impacket | The Hacker Tools

    ntlmrelayx.py: This script performs NTLM Relay Attacks, setting an SMB and HTTP Server and relaying credentials to many different protocols (SMB, HTTP, MSSQL, LDAP, IMAP, POP3, etc.). The script ca...


    Read More

  • Hunting for Impacket

    Introduction Tools secretsdump.py wmiexec.py dcomexec.py Final Words Introduction During an attack, lateral movement is crucial in order to achieve the operation’s objectives. Primarly, two main strategies exist that would allow an attacker to execute code or exfiltrate data from other hosts after obtaining a foothold within an environment: Operate from...


    Read More

  • impacket dcomexec | WADComs

    .. / Impacket-DCOMExec Exploitation Username Password DCOM Linux Windows Impacket’s dcomexec.py provides an interactive shell on the Windows host similar to wmiexec.py, but using varying DCOM endpo...


    Read More

Related rules

to-top