SigmaHQ/rules/windows/builtin/win_impacket_secretdump.yml

22 lines
683 B
YAML
Raw Normal View History

2019-04-03 13:18:42 +00:00
title: Possible Impacket SecretDump remote activity
description: Detect AD credential dumping using impacket secretdump HKTL
author: Samir Bousseaden
references:
- https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
tags:
- attack.credential_access
2019-04-03 19:49:30 +00:00
- attack.t1003
2019-04-03 13:18:42 +00:00
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName: \\*\ADMIN$
RelativeTargetName: 'SYSTEM32\\*.tmp'
2019-04-03 13:18:42 +00:00
condition: selection
falsepositives:
- pentesting
level: high