Suspicious Exe File Event With System Image

Detects potential SMB file creation activity associated with Impacket smbclient.py.

Sigma rule

```yaml
title: Suspicious Exe File Event With System Image
id: 2ace112a-1717-4648-b0f8-51796f36c58e
status: experimental
description: Detects potential SMB file creation activity associated with Impacket smbclient.py.
references:
    - https://github.com/fortra/impacket/blob/impacket_0_10_0/examples/smbclient.py
author: Micah Babinski
date: 2023/04/16
tags:
    - attack.lateral_movement
    - attack.t1105
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.exe'
        Image: System
        # Sysmon reports the SYSTEM account as 'NT AUTHORITY\SYSTEM'; the value
        # below must match that spelling exactly or the rule never fires.
        User: 'NT AUTHORITY\SYSTEM'
    condition: selection
falsepositives:
    - Unknown
level: low
```
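The reason this rule works: a file written to a share over SMB is created by the kernel SMB server running inside the System process (PID 4), not by the remote tool, so Sysmon's FileCreate event (Event ID 11) attributes it to Image `System` and User `NT AUTHORITY\SYSTEM`. An Impacket `smbclient.py` `put` of an `.exe` therefore produces exactly the triple the selection looks for. The same is true of any other SMB client (a legitimate admin copying a binary to `ADMIN$`, a deployment tool, PsExec's service binary), which is the main source of false positives to expect. The following Python is an added example, not part of the rule or SigmaHQ; it evaluates the selection above, with Sigma's default case-insensitive string matching, against constructed Sysmon-style events (the sample records are invented for the demonstration and are not real telemetry):

```python
"""
Evaluate the Sigma `selection` above against constructed Sysmon Event ID 11
(FileCreate) records. Added example, not the rule's own code.
"""
from typing import Iterable


def _ci(value: object) -> str:
    # Sigma string comparisons are case-insensitive unless the `cased`
    # modifier is used, so every comparison below folds both sides.
    return str(value).casefold()


def matches_rule(event: dict) -> bool:
    """True when the event satisfies every field of the rule's `selection`."""
    target = _ci(event.get("TargetFilename", ""))
    image = _ci(event.get("Image", ""))
    user = _ci(event.get("User", ""))
    return (
        target.endswith(".exe")                # TargetFilename|endswith: '.exe'
        and image == "system"                  # Image: System  (PID 4, kernel SMB server)
        and user == r"nt authority\system"     # User: 'NT AUTHORITY\SYSTEM'
    )


# Constructed sample events (not real telemetry). Field names follow Sysmon's
# FileCreate schema as produced by common EVTX-to-JSON converters.
SAMPLE_EVENTS = [
    # 1. Binary dropped onto a share over SMB: the kernel SMB server performs
    #    the write, so Sysmon attributes it to the System process. Matches.
    {"EventID": 11, "Image": "System", "User": r"NT AUTHORITY\SYSTEM",
     "TargetFilename": r"C:\Windows\Temp\update.exe"},
    # 2. Same path but a DLL: not covered by this rule.
    {"EventID": 11, "Image": "System", "User": r"NT AUTHORITY\SYSTEM",
     "TargetFilename": r"C:\Windows\Temp\update.dll"},
    # 3. An installer running as SYSTEM writing an .exe locally: Image is a
    #    user-mode process, so the rule does not fire.
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "TargetFilename": r"C:\Program Files\App\app.exe"},
    # 4. Mixed case in Image and extension still matches, because Sigma
    #    comparisons are case-insensitive.
    {"EventID": 11, "Image": "SYSTEM", "User": r"NT AUTHORITY\SYSTEM",
     "TargetFilename": r"C:\Users\Public\Tool.EXE"},
    # 5. System image but a non-SYSTEM user (constructed to show that all
    #    three fields are ANDed together): no match.
    {"EventID": 11, "Image": "System", "User": r"CORP\backup",
     "TargetFilename": r"C:\Backup\agent.exe"},
]


def run_rule(events: Iterable[dict]) -> list:
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for path in run_rule(SAMPLE_EVENTS):
        print("ALERT:", path)
```

Running it alerts on events 1 and 4 only. To tune the rule in your own environment, extend `SAMPLE_EVENTS` with the `.exe` writes your deployment tooling legitimately performs over SMB and add a filter on `TargetFilename` paths that are expected, since the selection as written cannot distinguish Impacket from any other SMB client.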
