Impacket's secretsdump.py writes a resume file named sessionresume_ followed by eight random ASCII letters into its working directory while it dumps NTDS.dit over DRSUAPI, so the creation of a file with that name on a Windows host is a strong indicator that secretsdump was executed there. The activity is credential access (dumping domain hashes), not data exfiltration or command and control; The DFIR Report observed this artifact in the Elpaco ransomware intrusion referenced below. SOC teams should hunt for this file creation pattern in Azure Sentinel to catch credential dumping early, typically before the harvested hashes are used for lateral movement.
Detection Rule
title: HackTool - Impacket File Indicators
id: 03f4ca17-de95-428d-a75a-4ee78b047256
related:
    - id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
      type: similar
status: experimental
description: Detects file creation events with filename patterns used by Impacket.
references:
    - https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/
    - https://github.com/fortra/impacket
author: "The DFIR Report, IrishDeath"
date: 2025-05-19
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: file_event
detection:
    selection_names_re:
        TargetFilename|re: '\\sessionresume_[a-zA-Z]{8}$' # https://github.com/fortra/impacket/blob/ead516a1209742efc7ac550707a9304ba08681e9/impacket/examples/secretsdump.py#L1925C38-L1925C51
    condition: selection_names_re
falsepositives:
    - Unknown
level: high
Azure Sentinel (ASIM imFileEvent) translation of the rule. The regex requires a path separator immediately before the file name, so it must run against the full-path column TargetFilePath; ASIM's TargetFileName holds the bare file name without a path and would never match:
imFileEvent
| where EventType == "FileCreated"
| where TargetFilePath matches regex "\\\\sessionresume_[a-zA-Z]{8}$"
Scenario: Scheduled Job Using Impacket for File Transfer
Description: A scheduled task runs Impacket's smbclient.py (or a tool such as smbmap) as part of a legitimate file transfer. Neither writes a sessionresume_ file; that name is produced only by secretsdump.py, so a transfer job does not match this rule unless it happens to create a file named exactly sessionresume_ followed by eight ASCII letters.
Filter/Exclusion: None needed. Do not exclude on CommandLine substrings such as smbclient or smbmap (the command line is attacker-controlled), and do not filter on extensions such as .txt or .log: the matching file has no extension, so the rule's trailing $ already excludes them.
Scenario: Admin Task to Generate Temporary Files for Debugging
Description: An administrator creates temporary files during debugging or forensic work. Note that rpcclient (Samba) and ntdsutil (Windows) are not Impacket tools, and a name such as temp_*.tmp does not match \sessionresume_[a-zA-Z]{8}$.
Filter/Exclusion: Do not exclude on a privileged User value. Dumping NTDS over DRSUAPI requires directory replication rights, so the events this rule exists to catch are created by privileged accounts; excluding Administrator would suppress exactly those events. If secretsdump was run legitimately (for example during an authorised assessment), scope the exclusion to that host, account and time window.
Scenario: Legitimate File Creation via PowerShell Script
Description: A PowerShell script writes files as part of a data processing task. A convention such as file_*.bin does not match the rule; only a name that ends in sessionresume_ plus exactly eight letters does.
Filter/Exclusion: Do not exclude on ProcessName powershell.exe. secretsdump.py is commonly launched from a PowerShell session, with python.exe or a packaged executable as the creating process, so a blanket PowerShell exclusion opens a bypass. Extensions such as .ps1 or .log never match in any case.
Scenario: Backup Job Using Impacket for Network File Access
Description: A backup tool uses Impacket's SMB library to read network shares. Library-level SMB access does not create sessionresume_ files; only secretsdump.py's NTDS dump path writes that resume file, in its working directory.
Filter/Exclusion: None needed for the share access itself. If a vendor tool is confirmed to write sessionresume_ files, exclude on the tool's exact Image path (and file hash where the telemetry carries one) rather than on CommandLine substrings such as backup or restore, which an attacker can add freely.
Scenario: User-Initiated File Upload via Web Interface
Description: A user uploads a file via a web interface and the application stores it on the server under the original name. A name such as file_1234.bin does not match the rule; a user-chosen name of the form sessionresume_abcdefgh would, and the resulting event is attributed to the web server process (for example w3wp.exe) rather than to python.exe, which is the first thing to check during triage.
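To make the matching behaviour and the exclusion guidance concrete, the following Python re-implements the rule's regex and runs it over constructed Sysmon-style file-creation events. This is an added example, not code from the Sigma rule, SigmaHQ, The DFIR Report or Impacket; the paths, users and process names are made up. It also reproduces secretsdump's naming scheme (sessionresume_ plus eight random ascii_letters, per the source line the rule cites) to show why the quantifier is exactly {8}, and the `allowed_images` parameter is a hypothetical exclusion keyed on the exact creating process path, the narrow kind of allowlist the scenarios call for.

```python
import random
import re
import string

# Same expression as the Sigma rule's TargetFilename|re: a path separator,
# the literal "sessionresume_", then exactly eight ASCII letters at the end.
IMPACKET_RESUME_FILE = re.compile(r"\\sessionresume_[a-zA-Z]{8}$")


def secretsdump_resume_name() -> str:
    """Reproduce how secretsdump.py names its NTDS resume file:
    'sessionresume_' + 8 random characters from string.ascii_letters.
    Re-implemented here for the example; this is not Impacket's own code."""
    return "sessionresume_" + "".join(random.choice(string.ascii_letters) for _ in range(8))


def matches_impacket_resume_file(target_filename: str) -> bool:
    """Apply the rule's regex to a file path. Sigma's |re modifier is an
    unanchored search, so re.search (not re.match) is the faithful translation."""
    return IMPACKET_RESUME_FILE.search(target_filename) is not None


def hunt(events, allowed_images=frozenset()):
    """Run the rule over Sysmon-style file-creation events (dicts with Image,
    User and TargetFilename) and return the events that should alert.
    allowed_images is a hypothetical exclusion: a set of lower-cased, exact
    creating-process paths. Exclusions are never keyed on CommandLine
    substrings or on the user being privileged (see the scenarios above)."""
    hits = []
    for ev in events:
        if not matches_impacket_resume_file(ev["TargetFilename"]):
            continue
        if ev.get("Image", "").lower() in allowed_images:
            continue
        hits.append(ev)
    return hits


# Constructed sample events (not real telemetry); all values are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\python.exe", "User": "CORP\\svc_backup",
     "TargetFilename": r"C:\Users\Public\sessionresume_qXvKpLmN"},        # secretsdump resume file: fires
    {"Image": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetFilename": r"C:\Windows\Temp\sessionresume_abc"},              # only three letters: no match
    {"Image": r"C:\Program Files\Backup\agent.exe", "User": "CORP\\svc_backup",
     "TargetFilename": r"C:\Backups\sessionresume_abcd1234"},              # digits: no match
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": "CORP\\admin",
     "TargetFilename": r"C:\Temp\sessionresume_abcdefgh.log"},             # extension: trailing $ fails
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "User": "IIS APPPOOL\\app",
     "TargetFilename": r"C:\inetpub\uploads\sessionresume_ABCDefgh"},      # user-chosen upload name: fires
    {"Image": r"C:\Users\Public\python.exe", "User": "CORP\\svc_backup",
     "TargetFilename": "sessionresume_abcdefgh"},                           # bare name, no separator: misses
]


if __name__ == "__main__":
    # Expect two alerts: the python.exe resume file and the w3wp.exe upload.
    for ev in hunt(SAMPLE_EVENTS):
        print(f"ALERT user={ev['User']} image={ev['Image']} file={ev['TargetFilename']}")
    # The last sample shows why the Sentinel query must use the full-path
    # column: a bare file name has no separator for the regex to anchor on.
```

The w3wp.exe hit is a true match of the regex but not secretsdump; triage on the creating process rather than suppressing it, and if a web application is confirmed to store user-named files, pass its exact Image path in `allowed_images` instead of widening the regex or excluding by user.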