HackTool - Impacket File Indicators
Detects file creation events whose filename matches the session-resume file that Impacket's secretsdump.py writes into its working directory (the literal prefix sessionresume_ followed by eight random letters). Because that file is created by the process running secretsdump, the rule only fires when Impacket itself is executed on the monitored Windows host, not when it is run remotely from an attacker's machine.
Sigma rule
```yaml
title: HackTool - Impacket File Indicators
id: 03f4ca17-de95-428d-a75a-4ee78b047256
related:
    - id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
      type: similar
status: experimental
description: Detects file creation events with filename patterns used by Impacket.
references:
    - https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/
    - https://github.com/fortra/impacket
author: "The DFIR Report, IrishDeath"
date: 2025-05-19
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: file_event
detection:
    selection_names_re:
        TargetFilename|re: '\\sessionresume_[a-zA-Z]{8}$' # https://github.com/fortra/impacket/blob/ead516a1209742efc7ac550707a9304ba08681e9/impacket/examples/secretsdump.py#L1925C38-L1925C51
    condition: selection_names_re
falsepositives:
    - Unknown
level: high
```
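To make the single `TargetFilename|re` selection concrete, the following is an added Python example (it is not part of the rule, the Sigma project, or Impacket) that applies the rule's regex to a handful of constructed `file_event` records and shows which ones alert. The `impacket_style_resume_name` helper is an assumption modelled on the secretsdump.py line the rule comments on (prefix `sessionresume_` plus eight random ASCII letters); the sample event records, paths and `Image` values are constructed, not real telemetry.

```python
import random
import re
import string

# Regex copied verbatim from the rule's TargetFilename|re selection. Sigma regex
# matching is case-sensitive by default, the leading backslash requires a path
# separator immediately before the prefix, and the trailing $ forbids any extension.
SIGMA_RE = re.compile(r'\\sessionresume_[a-zA-Z]{8}$')


def impacket_style_resume_name(rng=random):
    """Mimic how secretsdump.py names its NTDS session-resume file (assumption based on the
    upstream source linked from the rule, not Impacket's own code): the literal prefix
    'sessionresume_' followed by eight random ASCII letters. string.ascii_letters is exactly
    the character class [a-zA-Z] used by the rule, so every generated name should match."""
    return 'sessionresume_' + ''.join(rng.choice(string.ascii_letters) for _ in range(8))


def matches_rule(target_filename):
    """True if a file_event TargetFilename satisfies the rule's only selection."""
    return SIGMA_RE.search(target_filename) is not None


def evaluate(events):
    """Run the rule over dicts shaped like Sysmon EventID 11 / Sigma file_event records and
    return the TargetFilename values that would produce an alert."""
    return [e['TargetFilename'] for e in events if matches_rule(e['TargetFilename'])]


# Constructed sample events (not real telemetry). Only the first one should alert.
SAMPLE_EVENTS = [
    {'Image': r'C:\Users\Public\secretsdump.exe',
     'TargetFilename': r'C:\Users\Public\sessionresume_QkTzLmRp'},       # hit: prefix + 8 letters, no extension
    {'Image': r'C:\Users\Public\secretsdump.exe',
     'TargetFilename': r'C:\Users\Public\sessionresume_QkTzLmRp.tmp'},   # miss: $ anchor rejects the extension
    {'Image': r'C:\Windows\explorer.exe',
     'TargetFilename': r'C:\Users\alice\Documents\sessionresume_ab12cd34'},  # miss: digits are outside [a-zA-Z]
    {'Image': r'C:\Windows\explorer.exe',
     'TargetFilename': r'C:\Users\alice\Documents\session_resume_QkTzLmRp'},  # miss: different prefix
    {'Image': r'C:\Windows\explorer.exe',
     'TargetFilename': r'C:\Temp\mysessionresume_QkTzLmRp'},             # miss: no backslash directly before the prefix
]


if __name__ == '__main__':
    for hit in evaluate(SAMPLE_EVENTS):
        print('ALERT', hit)
    # Sanity check that the regex covers every name the assumed generator can produce.
    generated = ['C:\\Users\\Public\\' + impacket_style_resume_name() for _ in range(1000)]
    print('generator coverage:', all(matches_rule(n) for n in generated))
```

The misses illustrate the rule's tuning trade-off: the anchored, case-sensitive pattern keeps false positives low, but any build of secretsdump that changes the prefix, the letter count, or writes the resume file with an extension slips past it.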
References
- https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/
- https://github.com/fortra/impacket
Related rules
- HackTool - CrackMapExec File Indicators
- CreateDump Process Dump
- DumpMinitool Execution
- HackTool - HandleKatz Duplicating LSASS Handle
- HackTool - XORDump Execution