From b941f6411f711a408899c519baa562687a3b5700 Mon Sep 17 00:00:00 2001
From: sbousseaden
Date: Wed, 3 Apr 2019 15:18:42 +0200
Subject: [PATCH] Create win_impacket_secretdump.yml

---
 .../builtin/win_impacket_secretdump.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/windows/builtin/win_impacket_secretdump.yml

diff --git a/rules/windows/builtin/win_impacket_secretdump.yml b/rules/windows/builtin/win_impacket_secretdump.yml
new file mode 100644
index 00000000..959d0494
--- /dev/null
+++ b/rules/windows/builtin/win_impacket_secretdump.yml
@@ -0,0 +1,21 @@
+title: Possible Impacket SecretDump remote activity
+description: Detect AD credential dumping using impacket secretdump HKTL
+author: Samir Bousseaden
+references:
+    - https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
+tags:
+    - attack.credential_access
+    - attack.T1003
+logsource:
+    product: windows
+    service: security
+    description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
+detection:
+    selection:
+        EventID: 5145
+        ShareName: \\*\ADMIN$
+        RelativeTargetName: 'SYSTEM32\*.tmp'
+    condition: selection
+falsepositives:
+    - pentesting
+level: high
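Review bot: The audit-policy requirement under `logsource` is stored in a `description` key, which is not a Sigma logsource field; the key the Sigma schema reads for prerequisites such as "Audit Detailed File Share" is `definition`, so this note will be dropped or rejected by schema-validating tooling — change it to `definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'`. The two selection values are also quoted inconsistently: `ShareName: \\*\ADMIN$` is a plain scalar while `RelativeTargetName` is single-quoted; writing `ShareName: '\\*\ADMIN$'` keeps the backslashes and the `*` wildcard unambiguous for every YAML reader and matches the neighbouring line. The rule also lacks the conventional Sigma `status` and `date` fields (e.g. `status: experimental` and `date: 2019/04/03`, taken from the commit date), which are what downstream consumers use to gauge the maturity of a high-level rule. Since 5145 is a high-volume event and the selection keys only on a `.tmp` under `SYSTEM32` via `ADMIN$`, it would help reviewers to state in `falsepositives` whether any legitimate remote administration tooling writes such files, rather than listing `pentesting` alone.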