Possible Impacket SecretDump Remote Activity - Zeek

Oct 25, 2022 · attack.credential_access attack.t1003.002 attack.t1003.004 attack.t1003.003 ·

Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml

Sigma rule (View on GitHub)

 1title: Possible Impacket SecretDump Remote Activity - Zeek
 2id: 92dae1ed-1c9d-4eff-a567-33acbd95b00e
 3status: test
 4description: 'Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml'
 5references:
 6    - https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
 7author: 'Samir Bousseaden, @neu5ron'
 8date: 2020/03/19
 9modified: 2021/11/27
10tags:
11    - attack.credential_access
12    - attack.t1003.002
13    - attack.t1003.004
14    - attack.t1003.003
15logsource:
16    product: zeek
17    service: smb_files
18detection:
19    selection:
20        path|contains|all:
21            - '\'
22            - 'ADMIN$'
23        name|contains: 'SYSTEM32\'
24        name|endswith: '.tmp'
25    condition: selection
26falsepositives:
27    - Unknown
28level: high

References

https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html

Read More

Possible Impacket SecretDump Remote Activity - Zeek

Sigma rule (View on GitHub)

References

https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html

Related rules