Default Impacket Service Creation Via Registry Keys (RedCanary Threat Detection Report)

May 10, 2023 · attack.lateral_movement attack.t1021.002 ·

Detects registry key creation matching default Impacket default naming convention. Part of the RedCanary 2023 Threat Detection Report.

Sigma rule (View on GitHub)

 1title: Default Impacket Service Creation Via Registry Keys (RedCanary Threat Detection Report)
 2id: 187ac7b5-f919-446b-93b3-cde8a6506d64
 3status: experimental
 4description: Detects registry key creation matching default Impacket default naming convention. Part of the RedCanary 2023 Threat Detection Report.
 5references:
 6    - https://redcanary.com/threat-detection-report/techniques/windows-admin-shares/
 7author: RedCanary, Sigma formatting by Micah Babinski
 8date: 2023/05/10
 9tags:
10    - attack.lateral_movement
11    - attack.t1021.002
12logsource:
13    category: registry_add
14    product: windows
15detection:
16    selection:
17        Image|endswith: '\services.exe'
18        EventType: 'CreateKey'
19        TargetObject: 'HKLM\System\CurrentControlSet\Services\BTOBTO'
20    condition: selection
21falsepositives:
22    - Unknown
23level: low```

References

SMB/Windows Admin Shares - Red Canary Threat Report

Adversaries abuse Windows Admin Shares and the Server Message Block (SMB) protocol to move laterally and stage payloads for execution.

Read More

Default Impacket Service Creation Via Registry Keys (RedCanary Threat Detection Report)

Sigma rule (View on GitHub)

References

SMB/Windows Admin Shares - Red Canary Threat Report

Related rules