SecretsDump File Modification
Impacket’s SecretsDump utility consistently involves the Windows Service Host (svchost.exe) writing randomly named .tmp files to the System32 directory. The following pseudo-detector should offer defenders a reliable method of detecting Impacket's SecretsDump utility. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule
```yaml
title: SecretsDump File Modification
id: 88de04f6-c443-40ec-a592-72c31a55810b
status: experimental
description: |
  Impacket’s SecretsDump utility consistently involves the Windows Service Host
  (svchost.exe) writing randomly named .tmp files to the System32 directory. The
  following pseudo-detector should offer defenders a reliable method of detecting
  Impacket's SecretsDump utility. Part of the RedCanary 2024 Threat Detection Report.
references:
  - https://redcanary.com/threat-detection-report/techniques/os-credential-dumping/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
  - attack.credential_access
  - attack.t1003
logsource:
  category: image_load
  product: windows
detection:
  selection:
    Image|endswith: '\svchost.exe'
    ImageLoaded|endswith: '\regsvc.dll'
    # TargetFilename|contains: 'windows\system32' # need to join file creation events on process id
  condition: selection
falsepositives:
  - Unknown
level: low
```
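The rule's commented-out TargetFilename condition notes that the image-load event and the file-creation event have to be joined on process id. The following added example (not part of the RedCanary report or the Sigma rule above) shows that correlation over constructed Sysmon-style events: a process id is flagged only when the same svchost.exe pid both loads regsvc.dll and writes a .tmp file into System32. All field names and sample values below are constructed for illustration.

```python
"""Added example: join image_load and file_create events on ProcessId to
implement the TargetFilename check the Sigma rule leaves commented out.
The events here are constructed sample data, not real telemetry."""
import re
from collections import defaultdict

# Constructed sample events (simplified Sysmon-style fields).
EVENTS = [
    {"Event": "image_load", "ProcessId": 1234, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\regsvc.dll"},
    {"Event": "file_create", "ProcessId": 1234, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\QzLmvdhr.tmp"},
    # regsvc.dll load with no System32 .tmp write: should NOT be flagged
    {"Event": "image_load", "ProcessId": 5678, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\regsvc.dll"},
    # System32 .tmp write by a different pid with no regsvc.dll load: should NOT be flagged
    {"Event": "file_create", "ProcessId": 9012, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Windows\System32\abcdefgh.tmp"},
]

# Randomly named .tmp file directly under \Windows\System32 (case-insensitive).
TMP_RE = re.compile(r"\\windows\\system32\\[^\\]+\.tmp$", re.IGNORECASE)


def matches_selection(ev):
    """The rule's 'selection' block: svchost.exe loading regsvc.dll."""
    return (ev["Event"] == "image_load"
            and ev["Image"].lower().endswith(r"\svchost.exe")
            and ev["ImageLoaded"].lower().endswith(r"\regsvc.dll"))


def is_system32_tmp_write(ev):
    """The TargetFilename condition the rule leaves commented out."""
    return ev["Event"] == "file_create" and TMP_RE.search(ev["TargetFilename"]) is not None


def correlate(events):
    """Return {pid: [tmp files]} for pids that satisfy BOTH conditions.
    Joining on ProcessId is what removes the two single-condition events."""
    loads = {ev["ProcessId"] for ev in events if matches_selection(ev)}
    writes = defaultdict(list)
    for ev in events:
        if is_system32_tmp_write(ev):
            writes[ev["ProcessId"]].append(ev["TargetFilename"])
    return {pid: writes[pid] for pid in loads if pid in writes}


if __name__ == "__main__":
    for pid, files in correlate(EVENTS).items():
        print(f"pid {pid}: regsvc.dll load in svchost.exe + System32 .tmp write {files}")
```

In a real pipeline the join also needs a time window and the ProcessGuid rather than the reusable ProcessId, which the sample data omits.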
Related rules
- Mimikatz Module Names
- Secretsdump.py Execution
- Suspicious Export Functionalities - Rundll32
- Possible Impacket Secretsdump.py Activity
- Mimikatz Command Line With Ticket Export