-
Notifications
You must be signed in to change notification settings - Fork 3.7k
Expand file tree
/
Copy pathPotentialImpacketExecution.yaml
More file actions
61 lines (61 loc) · 2.2 KB
/
PotentialImpacketExecution.yaml
File metadata and controls
61 lines (61 loc) · 2.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
id: 24ae555c-5e33-4b5d-827a-44206e39f6b4
name: Potential Impacket Execution
description: |
'This hunting query identifies execution of Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping.'
description-detailed: |
'This hunting query identifies execution of Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping.
Refrence: https://twitter.com/SBousseaden/status/1286750095296335883'
requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvent
tactics:
- CredentialAccess
relevantTechniques:
- T1557.001
- T1040
- T1003.001
- T1003.002
- T1003.003
- T1003.004
- T1558.003
query: |
(union isfuzzy=true
(SecurityEvent
| where EventID == '5145'
| where RelativeTargetName has 'SYSTEM32' and RelativeTargetName endswith @".tmp"
| where ShareName has "\\\\*\\ADMIN$"
),
(WindowsEvent
| where EventID == '5145'
| extend RelativeTargetName= tostring(EventData.RelativeTargetName)
| extend ShareName= tostring(EventData.ShareName)
| where RelativeTargetName has 'SYSTEM32' and RelativeTargetName endswith @".tmp"
| where ShareName has "\\\\*\\ADMIN$"
| extend Account = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
)
)
| extend timestamp = TimeGenerated
| extend NTDomain = split(Account, '\\', 0)[0], UserName = split(Account, '\\', 1)[0]
| extend HostName = split(Computer, '.', 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')
| extend Account_0_Name = UserName
| extend Account_0_NTDomain = NTDomain
| extend Host_0_HostName = HostName
| extend Host_0_DnsDomain = DnsDomain
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: UserName
- identifier: NTDomain
columnName: NTDomain
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
version: 1.0.1