Impacket SMBexec.py Execution (RedCanary Threat Detection Report)
Detects execution from Impacket's smbexec.py. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Impacket SMBexec.py Execution (RedCanary Threat Detection Report)
2id: 671651fd-62e1-48d7-b5e0-81b1746ec0dd
3status: experimental
4description: Detects execution from Impacket's smbexec.py. Part of the RedCanary 2023 Threat Detection Report.
5references:
6 - https://redcanary.com/threat-detection-report/threats/impacket/
7author: RedCanary, Sigma formatting by Micah Babinski
8date: 2023/05/10
9tags:
10 - attack.s0357
11logsource:
12 category: process_creation
13 product: windows
14detection:
15 selection:
16 ParentImage|endswith: '\services.exe'
17 Image|endswith: '\cmd.exe'
18 CommandLine|re: '(?i)cmd.exe \/Q \/c echo cd \^> \\\\127.0.0.1\\[a-zA-Z]{1,}\$\\__output 2\^>\^&1 > .* & '
19 condition: selection
20falsepositives:
21 - Unknown
22level: low```
References
Related rules
- Impacket WMIExec.py Execution (RedCanary Threat Detection Report)
- Impacket Atexec.py Execution (RedCanary Threat Detection Report)
- Impacket AtExec Process Activity
- Possible Impacket GetUserSPNs Activity
- Suspicious Impacket PSExec Temp Executable File Creation