Adversaries may be using CrackMapExec or Impacket-secretsdump to dump credentials from compromised endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential dumping activity and prevent lateral movement.
Detection Rule
title: HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
status: test
description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
references:
    - https://github.com/Porchetta-Industries/CrackMapExec
    - https://github.com/fortra/impacket/blob/ff8c200fd040b04d3b5ff05449646737f836235d/examples/secretsdump.py
author: SecurityAura
date: 2022-11-16
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\svchost.exe'
        # CommandLine|contains: 'RemoteRegistry' # Uncomment this line if you collect CommandLine data for file events, for more accuracy
        TargetFilename|re: '\\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$'
    condition: selection
falsepositives:
    - Unknown
level: high
Equivalent Sentinel query over the ASIM file-event schema (Sigma Image maps to the acting process, TargetFilename to the full target path):
imFileEvent
// Sigma 'endswith' is case-insensitive, as is KQL endswith; 'matches regex' is case-sensitive like Sigma 're'
| where ActingProcessName endswith @"\svchost.exe"
    and TargetFilePath matches regex @"\\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$"
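As an added example (not part of the original rule or the Sentinel query), the rule's selection logic re-implemented in Python and run over constructed file-creation events, with the commented-out CommandLine check available as an optional tightening; the FileEvent record shape and the sample events are assumptions, not real telemetry.

```python
import re
from dataclasses import dataclass

# Regex from the rule: an 8-character alphanumeric .tmp file written under System32.
TMP_PATTERN = re.compile(r"\\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$")


@dataclass
class FileEvent:
    """Minimal stand-in for a Sysmon Event ID 11 / imFileEvent row (constructed)."""
    image: str              # process that created the file (Sigma: Image)
    target_filename: str    # full path of the created file (Sigma: TargetFilename)
    command_line: str = ""  # empty when CommandLine is not collected for file events


def matches_rule(ev: FileEvent, require_remote_registry: bool = False) -> bool:
    """Apply the rule's selection; the flag enables the commented-out CommandLine check."""
    # Sigma 'endswith' is case-insensitive, so normalise the image path.
    if not ev.image.lower().endswith("\\svchost.exe"):
        return False
    # Optional tightening: only the RemoteRegistry service host should write these files.
    if require_remote_registry and "remoteregistry" not in ev.command_line.lower():
        return False
    # Sigma 're' is case-sensitive; the pattern is anchored to the end of the path.
    return TMP_PATTERN.search(ev.target_filename) is not None


def find_hits(events, require_remote_registry: bool = False):
    """Return the events that would raise the alert."""
    return [ev for ev in events if matches_rule(ev, require_remote_registry)]


# Constructed sample events: one true positive, one svchost write by a different
# service (matches only without the CommandLine check), and three that must not match.
SVCHOST = r"C:\Windows\System32\svchost.exe"
SAMPLE_EVENTS = [
    FileEvent(SVCHOST, r"C:\Windows\System32\aBc12XyZ.tmp",
              r"C:\Windows\system32\svchost.exe -k localService -s RemoteRegistry"),
    FileEvent(SVCHOST, r"C:\Windows\System32\Qw9Lm3Pz.tmp",
              r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"),
    FileEvent(SVCHOST, r"C:\Windows\System32\abcd.tmp"),                         # name too short
    FileEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\aBc12XyZ.tmp"),
    FileEvent(SVCHOST, r"C:\Windows\Temp\aBc12XyZ.tmp"),                         # wrong directory
]

if __name__ == "__main__":
    for ev in find_hits(SAMPLE_EVENTS):
        print("ALERT:", ev.target_filename)
    for ev in find_hits(SAMPLE_EVENTS, require_remote_registry=True):
        print("ALERT (RemoteRegistry only):", ev.target_filename)
```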
False Positive Scenarios
Note that the exclusions below key on command-line content, which a file_event source only carries if CommandLine is collected for file events (see the commented-out selection field in the rule above).
Scenario: Scheduled Credential Dump for Compliance Audit
Description: A scheduled job runs Impacket-secretsdump as part of a compliance audit to verify user credentials for internal security checks.
Filter/Exclusion: Exclude processes where the command line includes --local or --target with internal IP ranges used for internal audits.
Scenario: Admin Task to Retrieve Domain Credentials for Troubleshooting
Description: An admin uses CrackMapExec to dump domain credentials on a test VM to troubleshoot authentication issues.
Filter/Exclusion: Exclude processes where the user is a domain admin and the target is a known test VM or lab environment.
Scenario: Automated Security Tool Integration
Description: A security tool integrates with Impacket-secretsdump to periodically check for credential leaks in a controlled environment.
Filter/Exclusion: Exclude processes where the command line includes --no-pass or --hashes and the source is a known security tool or SIEM integration.
Scenario: User-Initiated Credential Dump for Password Reset
Description: An admin manually runs CrackMapExec to dump credentials for a user who has forgotten their password, to assist in resetting it.
Filter/Exclusion: Exclude processes where the user is a domain admin and the target is a user account with a known password change request.
Scenario: Backup Job Using Impacket for Credential Verification
Description: A backup job uses Impacket-secretsdump to verify that credentials are correctly stored in the backup system.
Filter/Exclusion: Exclude processes where the command line includes --backup or --verify and the source is a known backup server or service account.