← Library
sigmaDRL-1.1from SigmaHQ/sigma

HackTool - Impacket Tools Execution

Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)

Quality
52
FP risk
Forks
0
Views
0
ATT&CK techniques
T1557.001
Rule sourcerules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml
title: HackTool - Impacket Tools Execution
id: 4627c6ae-6899-46e2-aa0c-6ebcb1becd19
status: test
description: Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
references:
    - https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries
author: Florian Roth (Nextron Systems)
date: 2021-07-24
modified: 2023-02-07
tags:
    - attack.collection
    - attack.execution
    - attack.credential-access
    - attack.t1557.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|contains:
              - '\goldenPac'
              - '\karmaSMB'
              - '\kintercept'
              - '\ntlmrelayx'
              - '\rpcdump'
              - '\samrdump'
              - '\secretsdump'
              - '\smbexec'
              - '\smbrelayx'
              - '\wmiexec'
              - '\wmipersist'
        - Image|endswith:
              - '\atexec_windows.exe'
              - '\dcomexec_windows.exe'
              - '\dpapi_windows.exe'
              - '\findDelegation_windows.exe'
              - '\GetADUsers_windows.exe'
              - '\GetNPUsers_windows.exe'
              - '\getPac_windows.exe'
              - '\getST_windows.exe'
              - '\getTGT_windows.exe'
              - '\GetUserSPNs_windows.exe'
              - '\ifmap_windows.exe'
              - '\mimikatz_windows.exe'
              - '\netview_windows.exe'
              - '\nmapAnswerMachine_windows.exe'
              - '\opdump_windows.exe'
              - '\psexec_windows.exe'
              - '\rdp_check_windows.exe'
              - '\sambaPipe_windows.exe'
              - '\smbclient_windows.exe'
              - '\smbserver_windows.exe'
              - '\sniff_windows.exe'
              - '\sniffer_windows.exe'
              - '\split_windows.exe'
              - '\ticketer_windows.exe'
              # - '\addcomputer_windows.exe'
              # - '\esentutl_windows.exe'
              # - '\getArch_windows.exe'
              # - '\lookupsid_windows.exe'
              # - '\mqtt_check_windows.exe'
              # - '\mssqlclient_windows.exe'
              # - '\mssqlinstance_windows.exe'
              # - '\ntfs-read_windows.exe'
              # - '\ping_windows.exe'
              # - '\ping6_windows.exe'
              # - '\raiseChild_windows.exe'
              # - '\reg_windows.exe'
              # - '\registry-read_windows.exe'
              # - '\services_windows.exe'
              # - '\wmiquery_windows.exe'
    condition: selection
falsepositives:
    - Legitimate use of the impacket tools
level: high