
Possible Impacket SecretDump Remote Activity - Zeek

Detects Active Directory credential dumping performed with the Impacket secretdump hacktool (HKTL). Based on the Sigma rule rules/windows/builtin/win_impacket_secretdump.yml.

Author: Samir Bousseaden
Created: Thu Mar 19
Updated: Sat Nov 27
Rule ID: 92dae1ed-1c9d-4eff-a567-33acbd95b00e
Category: network

Log Source
Product: Zeek (Bro) (raw: zeek)
Service: smb_files (raw: smb_files)

Detection Logic (1 selector)
detection:
    selection:
        path|contains|all:
            - '\'
            - 'ADMIN$'
        name|contains: 'SYSTEM32\'
        name|endswith: '.tmp'
    condition: selection
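The selection above applied to Zeek smb_files records in JSON format, as an added example that is not part of the rule page or the Sigma project. It assumes Sigma's default case-insensitive string matching, Zeek's JSON output with escaped backslashes, and hypothetical host addresses and uids in the constructed sample log.

```python
"""Added example: apply the Sigma selection above to Zeek smb_files JSON lines."""
import json


def matches_secretdump_rule(rec: dict) -> bool:
    """Sigma string modifiers match case-insensitively, so lowercase both fields."""
    path = str(rec.get("path", "")).lower()
    name = str(rec.get("name", "")).lower()
    # path|contains|all: ['\', 'ADMIN$']
    path_ok = all(tok in path for tok in ("\\", "admin$"))
    # name|contains: 'SYSTEM32\'  and  name|endswith: '.tmp'
    name_ok = "system32\\" in name and name.endswith(".tmp")
    return path_ok and name_ok


def scan_smb_files(lines):
    """Return the uid of every record that satisfies the selection."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)  # json.loads() unescapes Zeek's "\\" to "\"
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if matches_secretdump_rule(rec):
            hits.append(rec.get("uid"))
    return hits


# Constructed sample records (hypothetical hosts and uids) shaped like Zeek's
# smb_files.log written in JSON format. Records 1 and 3 match; 2 and 4 do not.
SAMPLE_LOG = r'''
{"ts":1700000000.1,"uid":"CAbc1","id.orig_h":"10.0.0.50","id.resp_h":"10.0.0.10","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.10\\ADMIN$","name":"SYSTEM32\\xyzabcde.tmp","size":0}
{"ts":1700000001.2,"uid":"CDef2","id.orig_h":"10.0.0.51","id.resp_h":"10.0.0.10","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.10\\C$","name":"Users\\alice\\report.docx","size":1024}
{"ts":1700000002.3,"uid":"CGhi3","id.orig_h":"10.0.0.52","id.resp_h":"10.0.0.10","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.10\\admin$","name":"system32\\ab12cd34.TMP","size":0}
{"ts":1700000003.4,"uid":"CJkl4","id.orig_h":"10.0.0.53","id.resp_h":"10.0.0.10","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.10\\ADMIN$","name":"SYSTEM32\\drivers\\etc\\hosts","size":800}
'''

if __name__ == "__main__":
    print(scan_smb_files(SAMPLE_LOG.splitlines()))  # ['CAbc1', 'CGhi3']
```

Record 3 shows why case folding matters: a lowercase share name and an uppercase .TMP extension still satisfy the rule, as they would under Sigma's default matching.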
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
92dae1ed-1c9d-4eff-a567-33acbd95b00e
Status
test
Level
high
Type
Detection
Created
Thu Mar 19
Modified
Sat Nov 27
Path
rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
Raw Tags
attack.credential-access, attack.t1003.002, attack.t1003.004, attack.t1003.003