Detectionhightest

Possible Impacket SecretDump Remote Activity

Detect AD credential dumping using impacket secretdump HKTL

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Samir Bousseaden, waggaCreated Wed Apr 03Updated Thu Aug 11252902e3-5830-4cf6-bf21-c22083dfd5cfwindows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Definition

The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure

Detection Logic

detection:
    selection:
        EventID: 5145
        ShareName: '\\\\\*\\ADMIN$'  # looking for the string  \\*\ADMIN$
        RelativeTargetName|contains|all:
            - 'SYSTEM32\'
            - '.tmp'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

web.archive.org

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Sub-techniques

T1003.002 · Security Account Manager T1003.004 · LSA Secrets T1003.003 · NTDS

Rule Metadata

Rule ID

252902e3-5830-4cf6-bf21-c22083dfd5cf

Status

test

Level

high

Type

Detection

Created

Wed Apr 03

Modified

Thu Aug 11

Author

Samir Bousseaden, wagga

Path

rules/windows/builtin/security/win_security_impacket_secretdump.yml

Raw Tags

attack.credential-accessattack.t1003.002attack.t1003.004attack.t1003.003

View on GitHub