Possible Impacket SecretDump Remote Activity - Zeek

 1title: Possible Impacket SecretDump Remote Activity - Zeek
 2id: 92dae1ed-1c9d-4eff-a567-33acbd95b00e
 3status: test
 4description: 'Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml'
 5references:
 6    - https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
 7author: 'Samir Bousseaden, @neu5ron'
 8date: 2020-03-19
 9modified: 2021-11-27
10tags:
11    - attack.credential-access
12    - attack.t1003.002
13    - attack.t1003.004
14    - attack.t1003.003
15logsource:
16    product: zeek
17    service: smb_files
18detection:
19    selection:
20        path|contains|all:
21            - '\'
22            - 'ADMIN$'
23        name|contains: 'SYSTEM32\'
24        name|endswith: '.tmp'
25    condition: selection
26falsepositives:
27    - Unknown
28level: high

References

• Threat Huting #9 - Impacket\Secretdump remote execution using EventId 5145

  

  Secretdump.py performs various techniques to dump hashes from the remote machine without executing any agent there. If executed against a A...

  
  Read More

Related rules

• Cred Dump Tools Dropped Files
• Possible Impacket SecretDump Remote Activity
• Copying Sensitive Files with Credential Data
• Credential Dumping Tools Service Execution - Security
• Credential Dumping Tools Service Execution - System