Secretsdump.py Execution

This detection analytic identifies Impacket's secretsdump.py on a target host; secretsdump.py is the most common Impacket script Red Canary has observed in customer environments. The script is run remotely from an adversary's machine to steal credentials, so it never executes on the victim itself. On the target the activity shows up under svchost.exe hosting the RemoteRegistry service (which loads regsvc.dll): that service is used to export credential material from the registry, and the exported hive is written to an eight-character .tmp file directly in the System32 directory, which is what the rule keys on. Note that Sigma's bare `re` modifier is case-sensitive and logged paths normally read C:\Windows\System32\..., so the path pattern must be evaluated case-insensitively to fire. Part of the Red Canary 2024 Threat Detection Report.

Sigma rule (View on GitHub)

```yaml
title: Secretsdump.py Execution
id: 1337f1b5-8524-40f7-bf08-b0dec46cb764
status: experimental
description: |
    This detection analytic identifies Impacket's secretsdump.py script on a target host, which is the most common script we have observed
    in customer environments. secretsdump.py is run remotely from an adversary's machine to steal credentials. The activity is commonly
    seen under svchost.exe, which loads regsvc.dll (the RemoteRegistry service) and allows the export of credentials from the registry.
    The output is written to an eight-character TMP file within the System32 directory. Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/impacket/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.s0357
    - attack.credential_access
    - attack.t1003
    - attack.t1003.003
    - attack.t1003.006
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
        # 'i' flag: a bare 're' is case-sensitive in Sigma, and logged paths are
        # usually 'C:\Windows\System32\...', which the lowercase pattern would miss
        TargetFilename|re|i: '^.*:\\windows\\system32\\\w{8}\.tmp$'
    condition: selection
falsepositives:
    - Unknown
level: low
```
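The following is an added example, not part of the rule or of Red Canary's report. It re-implements the rule's `selection` in plain Python and runs it over a handful of constructed Sysmon Event ID 11 (FileCreate) records, so the matching can be checked offline before the rule is deployed. The sample records, field names and the `secretsdump_style_name` helper are assumptions of this example; the helper builds a file name shaped like the eight-character .tmp the page describes (assumed here to be random ASCII letters). Because Sigma treats a bare `re` as case-sensitive and only `re|i` as case-insensitive, `rule_matches` takes a `case_insensitive` switch so both behaviours can be compared against the same events.

```python
import random
import re
import string

# Regex exactly as written in the rule's TargetFilename field.
RULE_REGEX = r"^.*:\\windows\\system32\\\w{8}\.tmp$"

# Constructed sample Sysmon Event ID 11 records (not real telemetry).
# Only the two fields the rule uses are kept.
SAMPLE_EVENTS = [
    # 1. secretsdump-style hive export: svchost.exe writes an eight-letter .tmp directly in System32
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\system32\kQwYeRtZ.tmp"},
    # 2. svchost.exe writing a .tmp in a System32 subdirectory: not in scope
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\wbem\Repository\OBJECTS.tmp"},
    # 3. eight-character .tmp in System32, but not written by svchost.exe
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Windows\System32\abcdefgh.tmp"},
    # 4. svchost.exe writing an eight-character .tmp outside System32
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\abcdefgh.tmp"},
    # 5. svchost.exe writing a .tmp in System32 whose name is not eight characters
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\abc.tmp"},
]


def rule_matches(event, case_insensitive=True):
    """Return True if the event satisfies the rule's selection.

    case_insensitive=True corresponds to Sigma's `re|i` modifier; False corresponds
    to a bare `re`, which Sigma evaluates case-sensitively.
    """
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    # Image|endswith: '\svchost.exe' (Sigma plain string matching is case-insensitive)
    if not image.lower().endswith(r"\svchost.exe"):
        return False
    flags = re.IGNORECASE if case_insensitive else 0
    return re.match(RULE_REGEX, target, flags) is not None


def run_rule(events, case_insensitive=True):
    """Return the TargetFilename of every event the rule would fire on."""
    return [e["TargetFilename"] for e in events if rule_matches(e, case_insensitive)]


def secretsdump_style_name():
    """Build a file name shaped like the eight-character .tmp the page describes.

    Assumption of this example: the eight characters are random ASCII letters.
    """
    return "".join(random.choice(string.ascii_letters) for _ in range(8)) + ".tmp"


if __name__ == "__main__":
    print("re|i matches:   ", run_rule(SAMPLE_EVENTS))
    print("bare re matches:", run_rule(SAMPLE_EVENTS, case_insensitive=False))
```

Run as-is, the case-insensitive variant flags only record 1; the case-sensitive variant flags nothing, because the logged path says `Windows` while the pattern says `windows`. Records 2 to 5 show the three conditions the rule combines (writing process, directory, and name length) each excluding an otherwise similar event.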
