HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
Sigma rule
title: HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
status: test
description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
references:
    - https://github.com/Porchetta-Industries/CrackMapExec
    - https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
author: SecurityAura
date: 2022-11-16
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\svchost.exe'
        # CommandLine|contains: 'RemoteRegistry' # Uncomment this line if you collect CommandLine data for file events, for more accuracy
        TargetFilename|re: '\\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$'
    condition: selection
falsepositives:
    - Unknown
level: high
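The selection above fires when the service host process (svchost.exe, which hosts the Remote Registry service used for remote hive saves) creates a file directly under \Windows\System32 whose name is exactly eight alphanumeric characters followed by .tmp. Two details matter when porting the rule to a SIEM: the Sigma `endswith` string modifier is case-insensitive, while the `re` modifier is case-sensitive as written, and the regex only matches files sitting directly in System32, not in its subdirectories. The following Python is an added illustration of that logic run over constructed Sysmon-style file-create events; it is not part of the rule or the Sigma project, and the event dictionaries, the `evt-N` identifiers and the `require_remote_registry` switch (which models the commented-out CommandLine clause) are assumptions made for the example.

```python
import re

# Regex copied from the rule's TargetFilename|re clause. Sigma's `re`
# modifier is case-sensitive unless written as `re|i`, so we keep it that way.
TMP_HIVE_RE = re.compile(r'\\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$')


def matches_rule(event: dict, require_remote_registry: bool = False) -> bool:
    """Return True when a file_event record satisfies the rule's selection.

    `require_remote_registry` enables the optional CommandLine clause that the
    rule keeps commented out (most file-event sources do not carry CommandLine).
    """
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")

    # Image|endswith is case-insensitive in Sigma, so normalise before comparing.
    if not image.lower().endswith(r'\svchost.exe'):
        return False

    # Exact directory, exactly eight [a-zA-Z0-9] characters, .tmp at end of path.
    if not TMP_HIVE_RE.search(target):
        return False

    if require_remote_registry:
        cmdline = event.get("CommandLine", "")
        if "remoteregistry" not in cmdline.lower():   # contains is case-insensitive
            return False
    return True


# Constructed sample events (not real telemetry) shaped like Sysmon Event ID 11.
SAMPLE_EVENTS = [
    {"id": "evt-1", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k localService -s RemoteRegistry",
     "TargetFilename": r"C:\Windows\System32\kZtQwXpL.tmp"},          # hit
    {"id": "evt-2", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
     "TargetFilename": r"C:\Windows\System32\Ab12cd34.tmp"},          # hit unless CommandLine clause enabled
    {"id": "evt-3", "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Windows\System32\Ab12cd34.tmp"},          # wrong process
    {"id": "evt-4", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\Ab12cd34.tmp"},              # wrong directory
    {"id": "evt-5", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\Ab12cd3.tmp"},           # only 7 characters
    {"id": "evt-6", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\config\systemprofile\xyz12345.tmp"},  # subdirectory
    {"id": "evt-7", "Image": r"C:\WINDOWS\System32\SVCHOST.EXE",
     "TargetFilename": r"C:\Windows\System32\Qq99Zz00.tmp"},          # hit: endswith ignores case
]


def find_hits(events, require_remote_registry: bool = False):
    """Return the ids of events that the rule would alert on."""
    return [e["id"] for e in events if matches_rule(e, require_remote_registry)]


if __name__ == "__main__":
    print("base rule:", find_hits(SAMPLE_EVENTS))
    print("with CommandLine clause:", find_hits(SAMPLE_EVENTS, require_remote_registry=True))
```

Running it shows why the CommandLine clause is left optional: enabling it drops evt-2 (an svchost.exe instance hosting something other than RemoteRegistry writing a matching file), which tightens precision only where the log source actually populates CommandLine for file events; where it does not, the clause would suppress every true positive.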
Related rules
- Access To Crypto Currency Wallets By Uncommon Applications
- Capture Credentials with Rpcping.exe
- Credential Manager Access By Uncommon Applications
- Esentutl Gather Credentials
- HackTool - Rubeus Execution