LoFP / although uncommon, administrators may leverage impackets tools to start a process on remote systems for system administration or automation use cases.

Techniques

• T1021
• T1021.002
• T1021.003
• T1047
• T1543.003

Sample rules

Impacket Lateral Movement smbexec CommandLine Parameters

• source: splunk
• technicques:
  • T1021
  • T1021.002
  • T1021.003
  • T1047
  • T1543.003

Description

The following analytic identifies suspicious command-line parameters associated with the use of Impacket’s smbexec.py for lateral movement. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns indicative of Impacket tool usage. This activity is significant as both Red Teams and adversaries use Impacket for remote code execution and lateral movement. If confirmed malicious, this activity could allow attackers to execute commands on remote endpoints, potentially leading to unauthorized access, data exfiltration, or further compromise of the network.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| where match(process, "(?i)cmd\.exe\s+\/Q\s+\/c") AND match(process,"(?i)echo\s+cd") AND match(process, "(?i)\\__output") AND  match(process, "(?i)C:\\\\Windows\\\\[a-zA-Z]{1,8}\\.bat")  AND match(process, "\\\\127\.0\.0\.1\\.*") 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `impacket_lateral_movement_smbexec_commandline_parameters_filter`

Impacket Lateral Movement WMIExec Commandline Parameters

• source: splunk
• technicques:
  • T1021
  • T1021.002
  • T1021.003
  • T1047
  • T1543.003

Description

The following analytic detects the use of Impacket’s wmiexec.py tool for lateral movement by identifying specific command-line parameters. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes spawned by wmiprvse.exe with command-line patterns indicative of Impacket usage. This activity is significant as Impacket tools are commonly used by adversaries for remote code execution and lateral movement within a network. If confirmed malicious, this could allow attackers to execute arbitrary commands on remote systems, potentially leading to further compromise and data exfiltration.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| where match(process, "(?i)cmd\.exe\s+\/Q\s+\/c") AND match(process, "\\\\127\.0\.0\.1\\.*") AND match(process, "__\\d{1,10}\\.\\d{1,10}") 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `impacket_lateral_movement_wmiexec_commandline_parameters_filter`

Impacket Lateral Movement Commandline Parameters

• source: splunk
• technicques:
  • T1021
  • T1021.002
  • T1021.003
  • T1047
  • T1543.003

Description

The following analytic identifies the use of suspicious command-line parameters associated with Impacket tools, such as wmiexec.py, smbexec.py, dcomexec.py, and atexec.py, which are used for lateral movement and remote code execution. It detects these activities by analyzing process execution logs from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns. This activity is significant because Impacket tools are commonly used by adversaries and Red Teams to move laterally within a network. If confirmed malicious, this could allow attackers to execute commands remotely, potentially leading to further compromise and data exfiltration.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe (Processes.process = "*/Q /c * \\\\127.0.0.1\\*$*" AND Processes.process IN ("*2>&1*","*2>&1*")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `impacket_lateral_movement_commandline_parameters_filter`