HackTool - Potential Impacket Lateral Movement Activity
Detects wmiexec/dcomexec/atexec/smbexec from the Impacket framework
Sigma rule
title: HackTool - Potential Impacket Lateral Movement Activity
id: 10c14723-61c7-4c75-92ca-9af245723ad2
related:
    - id: e31f89f7-36fb-4697-8ab6-48823708353b
      type: obsolete
status: stable
description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
references:
    - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py
    - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py
    - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py
    - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py
    - https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html
author: Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch
date: 2019-09-03
modified: 2023-02-21
tags:
    - attack.execution
    - attack.t1047
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_other:
        # *** wmiexec.py
        # parent is wmiprvse.exe
        # examples:
        #   cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1
        #   cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1
        # *** dcomexec.py -object MMC20
        # parent is mmc.exe
        # example:
        #   "C:\Windows\System32\cmd.exe" /Q /c cd 1> \\127.0.0.1\ADMIN$\__1567442499.05 2>&1
        # *** dcomexec.py -object ShellBrowserWindow
        # runs %SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} but parent command is explorer.exe
        # example:
        #   "C:\Windows\System32\cmd.exe" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1567520103.71 2>&1
        # *** smbexec.py
        # parent is services.exe
        # example:
        #   C:\Windows\system32\cmd.exe /Q /c echo tasklist ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat
        ParentImage|endswith:
            - '\wmiprvse.exe'  # wmiexec
            - '\mmc.exe'       # dcomexec MMC
            - '\explorer.exe'  # dcomexec ShellBrowserWindow
            - '\services.exe'  # smbexec
        CommandLine|contains|all:
            - 'cmd.exe'
            - '/Q'
            - '/c'
            - '\\\\127.0.0.1\\'
            - '&1'
    selection_atexec:
        ParentCommandLine|contains:
            - 'svchost.exe -k netsvcs'  # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs")
            - 'taskeng.exe'             # atexec on win7 (parent is "taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\System:Service:")
        # cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1
        CommandLine|contains|all:
            - 'cmd.exe'
            - '/C'
            - 'Windows\Temp\'
            - '&1'
    condition: 1 of selection_*
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: high
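To make the two selections concrete, the following is an added Python evaluator that is not part of the rule, of Sigma, or of Impacket. It applies the same field tests to constructed process_creation events and reports which selection fired. It mirrors the Sigma semantics the rule depends on: `contains` and `endswith` are case-insensitive (so the `/C` in selection_atexec and the `/c` in selection_other both match either spelling), `|all` requires every listed value, and `\\` in a Sigma string is one literal backslash, so `'\\\\127.0.0.1\\'` matches the loopback UNC prefix `\\127.0.0.1\`. The sample events reuse the command lines quoted in the rule's comments; the two benign controls and all parent paths are constructed for this example.

```python
# Added example (not from the rule, Sigma, or Impacket): a minimal evaluator that applies
# the rule's two selections to process_creation events and names the one that matched.
# Event keys follow the Sigma process_creation field names used in the rule.

# Sigma 'contains' / 'endswith' are case-insensitive, and '\\' in a Sigma string is one
# literal backslash, so the YAML value '\\\\127.0.0.1\\' is the UNC prefix \\127.0.0.1\
# (Python source needs the same doubling). Tokens are stored lower-cased for comparison.
OTHER_PARENTS = ("\\wmiprvse.exe", "\\mmc.exe", "\\explorer.exe", "\\services.exe")
OTHER_CMD_TOKENS = ("cmd.exe", "/q", "/c", "\\\\127.0.0.1\\", "&1")
ATEXEC_PARENT_TOKENS = ("svchost.exe -k netsvcs", "taskeng.exe")
ATEXEC_CMD_TOKENS = ("cmd.exe", "/c", "windows\\temp\\", "&1")


def _field(event, name):
    """Return the event field lower-cased; a missing field never matches, as in Sigma."""
    return str(event.get(name, "")).lower()


def selection_other(event):
    """wmiexec / dcomexec / smbexec: known parent image plus the loopback-UNC cmd.exe pattern."""
    parent = _field(event, "ParentImage")
    cmd = _field(event, "CommandLine")
    return parent.endswith(OTHER_PARENTS) and all(t in cmd for t in OTHER_CMD_TOKENS)


def selection_atexec(event):
    """atexec: Task Scheduler parent plus cmd.exe redirecting output into Windows\\Temp."""
    parent_cmd = _field(event, "ParentCommandLine")
    cmd = _field(event, "CommandLine")
    return any(t in parent_cmd for t in ATEXEC_PARENT_TOKENS) and all(
        t in cmd for t in ATEXEC_CMD_TOKENS
    )


def classify(event):
    """Evaluate 'condition: 1 of selection_*' and return the first selection that matched."""
    if selection_other(event):
        return "selection_other"
    if selection_atexec(event):
        return "selection_atexec"
    return None


# Constructed events: the first four reuse command lines quoted in the rule's comments;
# the last two are benign controls that share some, but not all, of the indicators.
SAMPLE_EVENTS = {
    "wmiexec": {
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1",
    },
    "dcomexec_mmc20": {
        "ParentImage": r"C:\Windows\System32\mmc.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /Q /c cd 1> \\127.0.0.1\ADMIN$\__1567442499.05 2>&1',
    },
    "smbexec": {
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": r"C:\Windows\system32\cmd.exe /Q /c echo tasklist ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat",
    },
    "atexec_win10": {
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs",
        "CommandLine": r"cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1",
    },
    # Admin shell from Explorer: an allowed parent, but no loopback-UNC redirect.
    "benign_explorer": {
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd.exe /Q /c ipconfig /all > C:\Users\alice\out.txt 2>&1",
    },
    # Output written to Windows\Temp, but the parent is Explorer, not the Task Scheduler service.
    "benign_temp_write": {
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd.exe /C dir > C:\Windows\Temp\listing.txt 2>&1",
    },
}


def evaluate_all(events=SAMPLE_EVENTS):
    """Run the rule over every event; returns {event name: matched selection or None}."""
    return {name: classify(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:20s} -> {hit or 'no match'}")
```

The two controls show where the rule's precision comes from: each selection requires the parent and the full command-line token set together, so an interactive shell spawned from Explorer or a plain redirect into Windows\Temp does not fire on its own.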
Related rules
- PSExec and WMI Process Creations Block
- Remote DCOM/WMI Lateral Movement
- Suspicious WSMAN Provider Image Loads
- T1047 Wmiprvse Wbemcomn DLL Hijack
- Wmiprvse Wbemcomn DLL Hijack