Skip to content

S0357 Impacket SecretdumpSMB2

S0357 - Impacket Secretdump with SMB2

DESCRIPTION

Actor may use Impacket’s wmiexec, which redirects output to a file within the victim host’s ADMIN$ share (C:\Windows) containing an epoch timestamp in its name.

Example:

cmd.exe /Q /c dir 1> \127.0.0.1\ADMIN$__1684944005.9400265 2>&1

Related

Volt Typhoon activity

Reference:

https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection
https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques
https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker%20Tools%20Threat%20Protection%20Essentials/Hunting%20Queries/PotentialImpacketExecution.yaml

ATT&CK TACTICS

S0357 - Impacket

Data Source(s): Process, Command

SENTINEL RULE QUERY

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
(union isfuzzy=true
  (SecurityEvent
  | where EventID == '5145'
  | where RelativeTargetName has 'SYSTEM32' and RelativeTargetName endswith @".tmp"
  | where ShareName has "\\\\*\\ADMIN$"
  ),
  (WindowsEvent
  | where EventID == '5145' 
  | extend RelativeTargetName= tostring(EventData.RelativeTargetName)
  | extend ShareName= tostring(EventData.ShareName)
  | where RelativeTargetName has 'SYSTEM32' and RelativeTargetName endswith @".tmp"
  | where ShareName has "\\\\*\\ADMIN$"
  | extend Account =  strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
  )
  )
  | extend timestamp = TimeGenerated 
  | extend NTDomain = split(Account, '\\', 0)[0], UserName = split(Account, '\\', 1)[0]
  | extend HostName = split(Computer, '.', 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')
  | extend Account_0_Name = UserName
  | extend Account_0_NTDomain = NTDomain
  | extend Host_0_HostName = HostName
  | extend Host_0_DnsDomain = DnsDomain

Triage

  1. Identify user/service triggering the activity
  2. Validate .tmp file names and location
  3. Investigate further if the activity is expected and approved

VERSION

Version 1.1 (date: 26/10/2023)