HackTool - Impacket Tools Execution
- source: sigma
- techniques:
    - t1557
    - t1557.001
Description
Detects the execution of various compiled Windows binaries from the Impacket toolset, matched by their file names or parts of their names (which could lead to false positives).
Detection logic
selection:
    - Image|contains:
        - \goldenPac
        - \karmaSMB
        - \kintercept
        - \ntlmrelayx
        - \rpcdump
        - \samrdump
        - \secretsdump
        - \smbexec
        - \smbrelayx
        - \wmiexec
        - \wmipersist
    - Image|endswith:
        - \atexec_windows.exe
        - \dcomexec_windows.exe
        - \dpapi_windows.exe
        - \findDelegation_windows.exe
        - \GetADUsers_windows.exe
        - \GetNPUsers_windows.exe
        - \getPac_windows.exe
        - \getST_windows.exe
        - \getTGT_windows.exe
        - \GetUserSPNs_windows.exe
        - \ifmap_windows.exe
        - \mimikatz_windows.exe
        - \netview_windows.exe
        - \nmapAnswerMachine_windows.exe
        - \opdump_windows.exe
        - \psexec_windows.exe
        - \rdp_check_windows.exe
        - \sambaPipe_windows.exe
        - \smbclient_windows.exe
        - \smbserver_windows.exe
        - \sniff_windows.exe
        - \sniffer_windows.exe
        - \split_windows.exe
        - \ticketer_windows.exe
condition: selection
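As an added illustration (not part of the Sigma rule or of the Sigma project's code), the Python below applies this selection to a few constructed process-creation records, showing the case-insensitive contains/endswith matching of the two OR'ed selection entries and how a benign-looking name that shares a substring produces the false positive the description warns about. The EVENTS records and the alerts helper are constructed for the example.

```python
"""Apply the rule's selection logic to constructed process-creation events."""
from typing import Optional

# Patterns copied from the rule above; Sigma string matching is case-insensitive.
IMAGE_CONTAINS = [
    r"\goldenPac", r"\karmaSMB", r"\kintercept", r"\ntlmrelayx", r"\rpcdump",
    r"\samrdump", r"\secretsdump", r"\smbexec", r"\smbrelayx", r"\wmiexec", r"\wmipersist",
]
IMAGE_ENDSWITH = [
    r"\atexec_windows.exe", r"\dcomexec_windows.exe", r"\dpapi_windows.exe",
    r"\findDelegation_windows.exe", r"\GetADUsers_windows.exe", r"\GetNPUsers_windows.exe",
    r"\getPac_windows.exe", r"\getST_windows.exe", r"\getTGT_windows.exe",
    r"\GetUserSPNs_windows.exe", r"\ifmap_windows.exe", r"\mimikatz_windows.exe",
    r"\netview_windows.exe", r"\nmapAnswerMachine_windows.exe", r"\opdump_windows.exe",
    r"\psexec_windows.exe", r"\rdp_check_windows.exe", r"\sambaPipe_windows.exe",
    r"\smbclient_windows.exe", r"\smbserver_windows.exe", r"\sniff_windows.exe",
    r"\sniffer_windows.exe", r"\split_windows.exe", r"\ticketer_windows.exe",
]


def matches(image: str) -> Optional[str]:
    """Return the first pattern the Image field matches, or None.
    The two list entries under 'selection' are OR'ed, as in the rule."""
    img = image.lower()
    for pat in IMAGE_CONTAINS:           # Image|contains: substring anywhere in the path
        if pat.lower() in img:
            return pat
    for pat in IMAGE_ENDSWITH:           # Image|endswith: path must end with the suffix
        if img.endswith(pat.lower()):
            return pat
    return None


# Constructed records in the shape of Sysmon process-creation events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Users\bob\Downloads\secretsdump_windows.exe", "User": "CORP\\bob"},
    {"Image": r"C:\Tools\PsExec_Windows.exe", "User": "CORP\\it-admin"},
    # Benign-sounding name that still contains "\rpcdump": the false-positive case.
    {"Image": r"C:\Program Files\Backup\rpcdump-report.exe", "User": "CORP\\svc"},
    {"Image": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},
]


def alerts(events):
    """Return (Image, matched pattern) for every event the rule would fire on."""
    return [(e["Image"], m) for e in events if (m := matches(e["Image"]))]


if __name__ == "__main__":
    for image, pat in alerts(EVENTS):
        print(f"ALERT {image!r} matched {pat!r}")
```

The third record shows why the description flags false positives: any path component that merely starts with one of the short substrings triggers the contains entry, so triage should confirm the binary's hash or signer rather than rely on the name alone.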