Changes to Impacket to remove default IOC
Please note: this is not a complete list, just information I gathered from various sources (credit will be added where possible).
Tool link: https://github.com/fortra/impacket
Binary name / Service name
Credit: https://twitter.com/_bin_ash/status/1621627726321827840
By default, PSExec creates a random 4-letter string that is used as the service name and a random 8-letter string as the binary name.
Service name: https://github.com/fortra/impacket/blob/master/impacket/examples/serviceinstall.py#L31
Binary name: https://github.com/fortra/impacket/blob/master/impacket/examples/serviceinstall.py#L34
Change the names from a random string to a known service name, either directly in the Python script or by using the -service-name and -remote-binary-name flags.
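From the detection side, the two defaults above give a simple heuristic. The following is an added example, not Impacket's own code: it scans constructed records modelled on Windows System log Event ID 7045 (service installed) and flags a 4-letter service name and an 8-letter .exe under the system root (where an ADMIN$ upload lands); the record field names are assumptions for this example.

```python
import re

# Constructed sample records modelled on Event ID 7045 (service installed).
# The field layout (event_id, service_name, image_path) is an assumption.
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "Spooler",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"event_id": 7045, "service_name": "xKqZ",
     "image_path": "%SystemRoot%\\aBcDeFgH.exe"},
    {"event_id": 7045, "service_name": "Backup",
     "image_path": "%SystemRoot%\\aBcDeFgH.exe"},
    {"event_id": 7045, "service_name": "xKqZ",
     "image_path": "C:\\Program Files\\Agent\\agent.exe"},
    {"event_id": 4624, "service_name": "", "image_path": ""},
]

# Default psexec.py service name: exactly 4 ASCII letters.
SERVICE_RE = re.compile(r"^[A-Za-z]{4}$")
# Default binary: 8 ASCII letters + .exe, dropped directly under the system root.
BINARY_RE = re.compile(
    r"^(?:%SystemRoot%|C:\\Windows)\\[A-Za-z]{8}\.exe$", re.IGNORECASE
)


def score_event(ev):
    """Return the list of indicators matched by one service-install record."""
    if ev.get("event_id") != 7045:
        return []
    hits = []
    if SERVICE_RE.match(ev.get("service_name", "")):
        hits.append("random-4-letter-service-name")
    if BINARY_RE.match(ev.get("image_path", "")):
        hits.append("random-8-letter-binary-under-systemroot")
    return hits


def find_suspicious(events):
    """Return (service_name, image_path, hits) for every record with a hit.

    Both indicators together is the strong signal; a single hit is a weaker
    lead, since either default can be overridden independently.
    """
    out = []
    for ev in events:
        hits = score_event(ev)
        if hits:
            out.append((ev["service_name"], ev["image_path"], hits))
    return out
```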
RemCom
Credit: https://twitter.com/_bin_Ash/status/1619756759345930240 , https://twitter.com/bugch3ck/status/1620007383899701250 and https://twitter.com/snovvcrash/status/1620171448982843395
RemCom is an open-source utility available on SourceForge. RemCom enables you to execute commands on remote Microsoft Windows hosts in a way similar to the Sysinternals PsExec utility. (Credit: https://docs.bmc.com/docs/display/glossary/RemCom)
Impacket's PSExec uses an old version of RemCom based on the kavika13 GitHub project. The RemCom binary is embedded as a hex-encoded blob inside the remcomsvc.py script here:
https://github.com/fortra/impacket/blob/master/impacket/examples/remcomsvc.py#L63
You can use a newly compiled version by passing it with the -file flag.
RemCom pipe name: