smbexec.py Service Installation
Detects the use of smbexec.py tool by detecting a specific service installation
Sigma rule (View on GitHub)
1title: smbexec.py Service Installation
2id: 52a85084-6989-40c3-8f32-091e12e13f09
3status: test
4description: Detects the use of smbexec.py tool by detecting a specific service installation
5references:
6 - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
7 - https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296
8 - https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60 # Old service name
9author: Omer Faruk Celik
10date: 2018-03-20
11modified: 2023-11-09
12tags:
13 - attack.lateral-movement
14 - attack.execution
15 - attack.t1021.002
16 - attack.t1569.002
17logsource:
18 product: windows
19 service: system
20detection:
21 selection_eid:
22 Provider_Name: 'Service Control Manager'
23 EventID: 7045
24 selection_service_name:
25 ServiceName: 'BTOBTO'
26 selection_service_image:
27 ImagePath|contains:
28 - '.bat & del '
29 - '__output 2^>^&1 >'
30 condition: selection_eid and 1 of selection_service_*
31falsepositives:
32 - Unknown
33level: high
References
-
Pentesters use PsExec style commands all the time, and in this post I’m going to explore and manually recreate the technique using native Windows tools.
Read More -
Impacket is a collection of Python classes for working with network protocols. - fortra/impacket
Read More -
Impacket is a collection of Python classes for working with network protocols. - fortra/impacket
Read More
Related rules
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- Metasploit Or Impacket Service Installation Via SMB PsExec
- PUA - CSExec Default Named Pipe
- PUA - RemCom Default Named Pipe