sigmahighHunting

Possible Impacket SecretDump Remote Activity - Zeek

Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml

MITRE ATT&CK

T1003.002 T1003.004 T1003.003

credential-access

Detection Query

selection:
  path|contains|all:
    - \
    - ADMIN$
  name|contains: SYSTEM32\
  name|endswith: .tmp
condition: selection

Author

Samir Bousseaden, @neu5ron

Created

2020-03-19

Data Sources

zeeksmb_files

Platforms

zeek

References

https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html

Tags

attack.credential-accessattack.t1003.002attack.t1003.004attack.t1003.003

Raw Content

title: Possible Impacket SecretDump Remote Activity - Zeek
id: 92dae1ed-1c9d-4eff-a567-33acbd95b00e
status: test
description: 'Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml'
references:
    - https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
author: 'Samir Bousseaden, @neu5ron'
date: 2020-03-19
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.003
logsource:
    product: zeek
    service: smb_files
detection:
    selection:
        path|contains|all:
            - '\'
            - 'ADMIN$'
        name|contains: 'SYSTEM32\'
        name|endswith: '.tmp'
    condition: selection
falsepositives:
    - Unknown
level: high