SigmaHQ/rules/windows/builtin/win_impacket_secretdump.yml

27 lines
809 B
YAML
Raw Normal View History

2020-01-30 16:26:09 +00:00
title: Possible Impacket SecretDump Remote Activity
2019-11-12 22:12:27 +00:00
id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
2019-04-03 13:18:42 +00:00
description: Detect AD credential dumping using impacket secretdump HKTL
author: Samir Bousseaden
date: 2019/04/03
2019-04-03 13:18:42 +00:00
references:
- https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
tags:
- attack.credential_access
2019-04-03 19:49:30 +00:00
- attack.t1003
2020-06-16 20:46:08 +00:00
- attack.t1003.002
- attack.t1003.004
- attack.t1003.003
2019-04-03 13:18:42 +00:00
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName: \\*\ADMIN$
RelativeTargetName: 'SYSTEM32\\*.tmp'
2019-04-03 13:18:42 +00:00
condition: selection
falsepositives:
2019-04-03 13:18:42 +00:00
- pentesting
level: high