Detects attempts to connect via DCOM endpoints, as used by Impacket's DCOMExec. This event will occur on both successful and unsuccessful attempts using any of the three DCOMExec -object options.
Detects attempts to retrieve/dump credentials using the IDL_DRSGetNCChanges() method.
Detects execution from Impacket's smbexec.py. Part of the RedCanary 2023 Threat Detection Report.
Detects execution from Impacket's wmiexec.py. Part of the RedCanary 2023 Threat Detection Report.
Detects execution from Impacket's atexec.py. Part of the RedCanary 2023 Threat Detection Report.
Detects Atexec.py (Impacket) usage that sends command output back to the attacker.
Detects attempts to create vulnerable Kerberos Ticket Granting Service (TGS) tickets using the RC4-HMAC encryption type.
Detects named pipes created as a result of Impacket PSExec.py usage.
Detects PSExec.py (Impacket) suspicious .exe file creation in the Windows directory.
Detects Atexec.py (Impacket) suspicious registry key addition.
Detects Atexec.py (Impacket) suspicious file creation in the Windows temp directory.
Detects Impacket atexec.py usage in Windows Task Scheduler logs. When this fires, the events will appear to be logged simultaneously and will all contain the same eight-letter task name.