title: Impacket Lateralization Detection status: experimental description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework references: - https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py - https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py - https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py - https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py author: Ecco date: 2019/09/03 logsource: category: process_creation product: windows detection: selection_other: # *** wmiexec.py # parent is wmiprvse.exe # examples: # cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1 # cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1 # *** dcomexec.py -object MMC20 # parent is mmc.exe # example: # "C:\Windows\System32\cmd.exe" /Q /c cd 1> \\127.0.0.1\ADMIN$\__1567442499.05 2>&1 # *** dcomexec.py -object ShellBrowserWindow # runs %SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} but parent command is explorer.exe # example: # "C:\Windows\System32\cmd.exe" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1567520103.71 2>&1 # *** smbexec.py # parent is services.exe # example: # C:\Windows\system32\cmd.exe /Q /c echo tasklist ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat ParentImage: - '*\wmiprvse.exe' # wmiexec - '*\mmc.exe' # dcomexec MMC - '*\explorer.exe' # dcomexec ShellBrowserWindow - '*\services.exe' # smbexec CommandLine: - '*cmd.exe* /Q /c * \\\\127.0.0.1\\*&1*' selection_atexec: ParentCommandLine: - '*svchost.exe -k netsvcs' # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs") - 'taskeng.exe*' # atexec on win7 (parent is "taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\System:Service:") # cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1 CommandLine: - 'cmd.exe /C *Windows\\Temp\\*&1' condition: (1 of selection_*) fields: - CommandLine - ParentCommandLine tags: - attack.lateral_movement - attack.t1047 - attack.t1175 falsepositives: - pentesters level: critical