SMBexec.py Execution

Similar to the wmiexec.py detector logic, this detection analytic looks for services.exe spawning cmd.exe with a command line that contains all of the following strings: '/Q', '/c', 'echo', '^> ' and ' 2^>^&1 > '. The redirection operators appear caret-escaped because smbexec.py has cmd.exe echo the operator's command, with its output redirected to a share, into a batch file that it then runs and deletes. This combination is characteristic of smbexec.py, which provides a semi-interactive shell over SMB. The script functions similarly to psexec.py but does not write a service binary to disk on the target machine. Part of the RedCanary 2024 Threat Detection Report.

Sigma rule

```yaml
title: SMBexec.py Execution
id: c250b516-78d8-4664-8b86-8f3c9c0b53c8
status: experimental
description: |
    Similar to the wmiexec.py detector logic, this detection analytic looks for services.exe
    spawning cmd.exe with a command line that contains all of the following strings: '/Q', '/c',
    'echo', '^> ' and ' 2^>^&1 > '. The caret-escaped redirects are what smbexec.py echoes into
    the batch file it runs on the target. This combination is characteristic of smbexec.py, which
    provides a semi-interactive shell over SMB. The script functions similarly to psexec.py but
    does not write a service binary to disk on the target machine. Part of the RedCanary 2024
    Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/impacket/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.s0357
    - attack.execution
    - attack.t1569
    - attack.t1569.002
    - attack.lateral_movement
    - attack.t1021
    - attack.t1021.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\services.exe'
        Image|endswith: '\cmd.exe'
        # Every marker must be present. A plain 'contains' list is OR-ed in Sigma,
        # which would fire on any cmd.exe /c that services.exe launches.
        CommandLine|contains|all:
            - '/Q'
            - '/c'
            - 'echo'
            - '^> '
            - ' 2^>^&1 > '
    condition: selection
falsepositives:
    - Unknown
level: low
```
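As an added example (not code from the original page, RedCanary or the Sigma project), the following Python reproduces the rule's selection over a few constructed process_creation events. The first event is modelled on the command line smbexec.py builds; the other three are hypothetical look-alikes chosen to exercise each part of the selection. The `require_all` switch contrasts `CommandLine|contains|all` (every marker present) with a plain `contains` list (any single marker), which shows why the `all` modifier matters: without it a service that merely runs `cmd.exe /c <script>` matches too.

```python
# Added example (not from the page or the Sigma project): evaluate the
# SMBexec.py rule's selection over constructed process_creation events.
# Field names follow Sigma's windows/process_creation log source
# (ParentImage, Image, CommandLine), matched case-insensitively as Sigma does.

SMBEXEC_MARKERS = ["/Q", "/c", "echo", "^> ", " 2^>^&1 > "]


def matches_selection(event, require_all=True):
    """Return True if the event satisfies the rule's 'selection'.

    require_all=True  -> CommandLine|contains|all (every marker present)
    require_all=False -> CommandLine|contains     (any single marker)
    """
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if not (parent.endswith("\\services.exe") and image.endswith("\\cmd.exe")):
        return False
    hits = [marker.lower() in cmd for marker in SMBEXEC_MARKERS]
    return all(hits) if require_all else any(hits)


# Constructed sample events. The first mirrors the command line smbexec.py
# builds (echo the operator's command into a batch file with caret-escaped
# redirects, run it, delete it); the others are hypothetical look-alikes.
SAMPLE_EVENTS = [
    {
        "name": "smbexec",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": (
            r"C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 "
            r"> C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c "
            r"C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat"
        ),
    },
    {   # a service whose binary path is cmd.exe /c <script>: benign, shares only '/c'
        "name": "benign-service-script",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'C:\Windows\system32\cmd.exe /c "C:\Program Files\Backup\run.cmd"',
    },
    {   # wmiexec-style: similar flags, but the parent is WmiPrvSE.exe, not services.exe
        "name": "wmiexec-style",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1711000000.12 2>&1",
    },
    {   # psexec-style: services.exe starts a dropped service binary, not cmd.exe
        "name": "psexec-style",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "Image": r"C:\Windows\oQlJdxQM.exe",
        "CommandLine": r"C:\Windows\oQlJdxQM.exe",
    },
]


def run_rule(events=SAMPLE_EVENTS, require_all=True):
    """Names of the events the selection fires on, in input order."""
    return [e["name"] for e in events if matches_selection(e, require_all)]


if __name__ == "__main__":
    print("contains|all :", run_rule())                   # ['smbexec']
    print("contains (any):", run_rule(require_all=False))  # ['smbexec', 'benign-service-script']
```

Run it as a script to see both variants side by side. When porting the rule to a backend, confirm that the converted query really ANDs the five substrings; the `contains|all` semantics are easy to lose in hand-translated queries, and the benign event above is a quick regression check for that.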
