HackTool - Impacket Tools Execution

calendar Dec 4, 2023 · attack.execution attack.t1557.001  ·
Share on: linkedin copy

Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)

Sigma rule (View on GitHub)

 1title: HackTool - Impacket Tools Execution
 2id: 4627c6ae-6899-46e2-aa0c-6ebcb1becd19
 3status: test
 4description: Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
 5references:
 6    - https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries
 7author: Florian Roth (Nextron Systems)
 8date: 2021/07/24
 9modified: 2023/02/07
10tags:
11    - attack.execution
12    - attack.t1557.001
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        - Image|contains:
19              - '\goldenPac'
20              - '\karmaSMB'
21              - '\kintercept'
22              - '\ntlmrelayx'
23              - '\rpcdump'
24              - '\samrdump'
25              - '\secretsdump'
26              - '\smbexec'
27              - '\smbrelayx'
28              - '\wmiexec'
29              - '\wmipersist'
30        - Image|endswith:
31              - '\atexec_windows.exe'
32              - '\dcomexec_windows.exe'
33              - '\dpapi_windows.exe'
34              - '\findDelegation_windows.exe'
35              - '\GetADUsers_windows.exe'
36              - '\GetNPUsers_windows.exe'
37              - '\getPac_windows.exe'
38              - '\getST_windows.exe'
39              - '\getTGT_windows.exe'
40              - '\GetUserSPNs_windows.exe'
41              - '\ifmap_windows.exe'
42              - '\mimikatz_windows.exe'
43              - '\netview_windows.exe'
44              - '\nmapAnswerMachine_windows.exe'
45              - '\opdump_windows.exe'
46              - '\psexec_windows.exe'
47              - '\rdp_check_windows.exe'
48              - '\sambaPipe_windows.exe'
49              - '\smbclient_windows.exe'
50              - '\smbserver_windows.exe'
51              - '\sniff_windows.exe'
52              - '\sniffer_windows.exe'
53              - '\split_windows.exe'
54              - '\ticketer_windows.exe'
55              # - '\addcomputer_windows.exe'
56              # - '\esentutl_windows.exe'
57              # - '\getArch_windows.exe'
58              # - '\lookupsid_windows.exe'
59              # - '\mqtt_check_windows.exe'
60              # - '\mssqlclient_windows.exe'
61              # - '\mssqlinstance_windows.exe'
62              # - '\ntfs-read_windows.exe'
63              # - '\ping_windows.exe'
64              # - '\ping6_windows.exe'
65              # - '\raiseChild_windows.exe'
66              # - '\reg_windows.exe'
67              # - '\registry-read_windows.exe'
68              # - '\services_windows.exe'
69              # - '\wmiquery_windows.exe'
70    condition: selection
71falsepositives:
72    - Legitimate use of the impacket tools
73level: high

References

Related rules

to-top