Default Impacket Service Creation Via Registry Keys (RedCanary Threat Detection Report)
Detects registry key creation matching the default Impacket service naming convention (the BTOBTO service key created under HKLM\System\CurrentControlSet\Services). Part of the RedCanary 2023 Threat Detection Report.
Sigma rule
```yaml
title: Default Impacket Service Creation Via Registry Keys (RedCanary Threat Detection Report)
id: 187ac7b5-f919-446b-93b3-cde8a6506d64
status: experimental
description: Detects registry key creation matching the default Impacket service naming convention. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-admin-shares/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.lateral_movement
    - attack.t1021.002
logsource:
    category: registry_add
    product: windows
detection:
    selection:
        Image|endswith: '\services.exe'
        EventType: 'CreateKey'
        TargetObject: 'HKLM\System\CurrentControlSet\Services\BTOBTO'
    condition: selection
falsepositives:
    - Unknown
level: low
```
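The rule's selection evaluated over constructed Sysmon-style registry events, as an added example that is not part of the rule page or the Sigma project. The field names (Image, EventType, TargetObject) are the ones the rule uses; the event records, RULE_SELECTION, matches_selection and run_detection are assumptions made for this illustration. It shows the three conditions being ANDed, the case-insensitive string matching Sigma specifies, and the inputs that do not fire (a subkey, a deletion, a different creating process, a non-default service name).

```python
"""Evaluate the rule's selection against sample Sysmon-style registry events.

Added example: not part of the Sigma rule page or the Sigma project. The
field names come from the rule; the event records, RULE_SELECTION,
matches_selection and run_detection are constructed for this illustration.
"""

# The three fields of the rule's `selection`, keyed in Sigma's field|modifier form.
# Sigma string comparison is case-insensitive, so both sides are lowercased below.
RULE_SELECTION = {
    "Image|endswith": "\\services.exe",
    "EventType": "CreateKey",
    "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\BTOBTO",
}


def matches_selection(event: dict, selection: dict = RULE_SELECTION) -> bool:
    """Return True when every field in `selection` matches (Sigma AND semantics).

    Only the two forms the rule uses are supported: a plain key (exact,
    case-insensitive match) and the `endswith` modifier.
    """
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None:
            return False
        actual, wanted = str(value).lower(), expected.lower()
        if modifier == "endswith":
            if not actual.endswith(wanted):
                return False
        elif modifier == "":
            if actual != wanted:
                return False
        else:
            raise ValueError(f"unsupported Sigma modifier: {modifier}")
    return True


def run_detection(events: list) -> list:
    """Return the indexes of the events that fire the rule."""
    return [i for i, event in enumerate(events) if matches_selection(event)]


SERVICES_EXE = "C:\\Windows\\System32\\services.exe"
SVC_KEY = "HKLM\\System\\CurrentControlSet\\Services\\"

# Constructed sample events shaped like Sysmon Event ID 12 (registry object added/deleted).
SAMPLE_EVENTS = [
    # 0: the SCM creates the service key with Impacket's default name -> fires.
    {"EventID": 12, "EventType": "CreateKey", "Image": SERVICES_EXE,
     "TargetObject": SVC_KEY + "BTOBTO"},
    # 1: same event with different casing -> still fires (case-insensitive matching).
    {"EventID": 12, "EventType": "CreateKey", "Image": SERVICES_EXE.upper(),
     "TargetObject": "hklm\\system\\currentcontrolset\\services\\btobto"},
    # 2: a subkey of the service: TargetObject is an exact match, so no hit.
    {"EventID": 12, "EventType": "CreateKey", "Image": SERVICES_EXE,
     "TargetObject": SVC_KEY + "BTOBTO\\Parameters"},
    # 3: a service created under a non-default name (hypothetical) -> the rule's blind spot.
    {"EventID": 12, "EventType": "CreateKey", "Image": SERVICES_EXE,
     "TargetObject": SVC_KEY + "WinUpdateSvc"},
    # 4: the key being removed when the service is cleaned up -> wrong EventType.
    {"EventID": 12, "EventType": "DeleteKey", "Image": SERVICES_EXE,
     "TargetObject": SVC_KEY + "BTOBTO"},
    # 5: the same key path created by something other than the SCM -> wrong Image.
    {"EventID": 12, "EventType": "CreateKey", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": SVC_KEY + "BTOBTO"},
]

if __name__ == "__main__":
    for i in run_detection(SAMPLE_EVENTS):
        print(f"ALERT: event {i} created {SAMPLE_EVENTS[i]['TargetObject']}")
```

Only events 0 and 1 fire. Event 3 is the caveat to keep in mind when tuning: the rule keys on a default name, so an operator who gives the service any other name produces no match, which is why it is worth pairing with the broader Remote Service Creation rule listed under Related rules rather than relying on it alone.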
References
- https://redcanary.com/threat-detection-report/techniques/windows-admin-shares/
Related rules
- File Writes Within Admin Shares (RedCanary Threat Detection Report)
- Process Execution from Admin Share (RedCanary Threat Detection Report)
- Failed Mounting of Hidden Share
- Metasploit Or Impacket Service Installation Via SMB PsExec
- Remote Service Creation