SigmaHQ/rules/windows/builtin/win_impacket_secretdump.yml

title: Possible Impacket SecretDump Remote Activity
id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
description: Detect AD credential dumping using impacket secretdump HKTL
author: Samir Bousseaden
date: 2019/04/03
references:
    - https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
tags:
    - attack.credential_access
    - attack.t1003          # an old one
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.003
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection:
        EventID: 5145
        ShareName: \\*\ADMIN$
        RelativeTargetName: 'SYSTEM32\\*.tmp'
    condition: selection
falsepositives:
    - pentesting
level: high
fix: fixed casing and long rule titles 2020-01-30 16:26:09 +00:00			`title: Possible Impacket SecretDump Remote Activity`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 252902e3-5830-4cf6-bf21-c22083dfd5cf`
Create win_impacket_secretdump.yml 2019-04-03 13:18:42 +00:00			`description: Detect AD credential dumping using impacket secretdump HKTL`
			`author: Samir Bousseaden`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`date: 2019/04/03`
Create win_impacket_secretdump.yml 2019-04-03 13:18:42 +00:00			`references:`
			`- https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html`
			`tags:`
			`- attack.credential_access`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`- attack.t1003 # an old one`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1003.002`
			`- attack.t1003.004`
			`- attack.t1003.003`
Create win_impacket_secretdump.yml 2019-04-03 13:18:42 +00:00			`logsource:`
			`product: windows`
			`service: security`
Update additional rules to have correct logsource attributes 2020-07-13 21:02:17 +00:00			`definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'`
Create win_impacket_secretdump.yml 2019-04-03 13:18:42 +00:00			`detection:`
			`selection:`
			`EventID: 5145`
			`ShareName: \\*\ADMIN$`
Fixed wrong backslash escaping of * Fixes issue #466 2019-10-07 20:09:53 +00:00			`RelativeTargetName: 'SYSTEM32\\*.tmp'`
Create win_impacket_secretdump.yml 2019-04-03 13:18:42 +00:00			`condition: selection`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`falsepositives:`
Create win_impacket_secretdump.yml 2019-04-03 13:18:42 +00:00			`- pentesting`
			`level: high`