Default Impacket Service Creation Via Registry Keys (RedCanary Threat Detection Report)

Detects registry key creation matching the default Impacket service naming convention. Part of the RedCanary 2023 Threat Detection Report.

Sigma rule

```yaml
title: Default Impacket Service Creation Via Registry Keys (RedCanary Threat Detection Report)
id: 187ac7b5-f919-446b-93b3-cde8a6506d64
status: experimental
description: Detects registry key creation matching the default Impacket service naming convention. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-admin-shares/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.lateral_movement
    - attack.t1021.002
logsource:
    category: registry_add
    product: windows
detection:
    selection:
        Image|endswith: '\services.exe'
        EventType: 'CreateKey'
        TargetObject: 'HKLM\System\CurrentControlSet\Services\BTOBTO'
    condition: selection
falsepositives:
    - Unknown
level: low
```
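Added example (not code from the rule, Sigma or RedCanary): a minimal evaluator that applies this rule's `selection` block to constructed registry events using Sigma's case-insensitive string matching and the `endswith` modifier, showing which events would and would not fire. The event field names follow the Sigma `registry_add` taxonomy and all sample values are constructed.

```python
# Added example (not Sigma's or RedCanary's code): apply this rule's 'selection'
# to constructed registry events with Sigma's case-insensitive string matching.
from typing import Dict, List

SELECTION = {  # the selection block of the rule above, verbatim
    "Image|endswith": r"\services.exe",
    "EventType": "CreateKey",
    "TargetObject": r"HKLM\System\CurrentControlSet\Services\BTOBTO",
}

def _field_matches(value: str, pattern: str, modifier: str) -> bool:
    """Sigma string matching is case-insensitive; the modifier picks the comparison."""
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "contains":
        return p in v
    return v == p  # no modifier: the whole field value must match

def selection_matches(event: Dict[str, str], selection: Dict[str, str] = SELECTION) -> bool:
    """Every field condition in a Sigma selection map must hold (logical AND)."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event or not _field_matches(event[field], pattern, modifier):
            return False
    return True

# Constructed sample events (Sysmon Event ID 12 style fields), not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 1: services.exe registering Impacket smbexec's default service name -> alert
    {"Image": r"C:\Windows\System32\services.exe", "EventType": "CreateKey",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\BTOBTO"},
    # 2: same key in different letter case -> still an alert (case-insensitive)
    {"Image": r"C:\WINDOWS\system32\SERVICES.EXE", "EventType": "CreateKey",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\btobto"},
    # 3: ordinary service install by services.exe -> no alert
    {"Image": r"C:\Windows\System32\services.exe", "EventType": "CreateKey",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\WinDefend"},
    # 4: subkey under BTOBTO: TargetObject is an exact match, so no alert
    {"Image": r"C:\Windows\System32\services.exe", "EventType": "CreateKey",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\BTOBTO\Parameters"},
]

def matching_indices(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[int]:
    """Return the 1-based positions of events this rule would alert on."""
    return [i for i, e in enumerate(events, 1) if selection_matches(e)]
```

Event 4 illustrates the rule's scope: it keys on creation of the service key itself, so subkeys and value writes under it are left to other rules.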
