Impacket Atexec.py Execution (RedCanary Threat Detection Report)
Detects execution from Impacket's atexec.py. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Impacket Atexec.py Execution (RedCanary Threat Detection Report)
2id: 6b588393-f45f-484b-8233-56bbc657c63c
3status: experimental
4description: Detects execution from Impacket's atexec.py. Part of the RedCanary 2023 Threat Detection Report.
5references:
6 - https://redcanary.com/threat-detection-report/threats/impacket/
7author: RedCanary, Sigma formatting by Micah Babinski
8date: 2023/05/10
9tags:
10 - attack.s0357
11logsource:
12 category: process_creation
13 product: windows
14detection:
15 selection:
16 ParentImage|endswith:
17 - '\svchost.exe'
18 - '\taskeng.exe'
19 CommandLine|contains|all:
20 - 'cmd.exe'
21 - 'windows\temp'
22 - '2>&1'
23 condition: selection
24falsepositives:
25 - Unknown
26level: low```
References
-
Though Impacket is used legitimately for testing, it is often abused by ransomware operators and other adversaries.
Read More
Related rules
- Impacket AtExec Process Activity
- Possible Impacket GetUserSPNs Activity
- Suspicious Impacket PSExec Temp Executable File Creation
- Suspicious Impacket Pipe Creation - Psexec
- Impacket AtExec Suspicious Registry Modification