S0357 Impacket
Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.[1]
Item | Value |
---|---|
ID | S0357 |
Associated Names | |
Type | TOOL |
Version | 1.4 |
Created | 31 January 2019 |
Last Modified | 23 January 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1557 | Adversary-in-the-Middle | - |
enterprise | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Impacket modules like ntlmrelayx and smbrelayx can be used in conjunction with Network Sniffing and LLMNR/NBT-NS Poisoning and SMB Relay to gather NetNTLM credentials for Brute Force or relay attacks that can gain code execution.[1] |
enterprise | T1040 | Network Sniffing | Impacket can be used to sniff network traffic via an interface or raw socket.[1] |
enterprise | T1003 | OS Credential Dumping | - |
enterprise | T1003.001 | LSASS Memory | SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information.[1] |
enterprise | T1003.002 | Security Account Manager | SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information.[1] |
enterprise | T1003.003 | NTDS | SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information from NTDS.dit.[1] |
enterprise | T1003.004 | LSA Secrets | SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information.[1] |
enterprise | T1558 | Steal or Forge Kerberos Tickets | - |
enterprise | T1558.003 | Kerberoasting | Impacket modules like GetUserSPNs can be used to get Service Principal Names (SPNs) for user accounts. The output is formatted to be compatible with cracking tools like John the Ripper and Hashcat.[1] |
enterprise | T1569 | System Services | - |
enterprise | T1569.002 | Service Execution | Impacket contains various modules emulating other service execution tools such as PsExec.[1] |
enterprise | T1047 | Windows Management Instrumentation | Impacket's wmiexec module can be used to execute commands through WMI.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0125 | HAFNIUM | [3] |
G0027 | Threat Group-3390 | [4] |
G0035 | Dragonfly | [6][5] |
G0061 | FIN8 | [7] |
G0034 | Sandworm Team | [8] |
G0045 | menuPass | [9] |
G0059 | Magic Hound | [10] |
References
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China's hidden hacking groups. Retrieved October 8, 2020.
- Microsoft Threat Intelligence Team & Detection and Response Team. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.
- Falcone, R., Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
- Core Security. (n.d.). Impacket. Retrieved November 2, 2017.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Zugec, M. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
- MSTIC. (2022, October 14). New "Prestige" ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.