
S0357 Impacket

Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks. [1]

ID: S0357
Associated Names: (none listed)
Type: TOOL
Version: 1.8
Created: 31 January 2019
Last Modified: 04 April 2025

Techniques Used

All techniques below are in the enterprise domain. Format: ID, Name: Use [reference].

T1557 Adversary-in-the-Middle: -
T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay: Impacket modules like ntlmrelayx and smbrelayx can be used in conjunction with Network Sniffing and LLMNR/NBT-NS Poisoning and SMB Relay to gather NetNTLM credentials for Brute Force or relay attacks that can gain code execution. [1]
T1570 Lateral Tool Transfer: Impacket has used its wmiexec command, leveraging Windows Management Instrumentation, to remotely stage and execute payloads in victim networks. [4]
T1040 Network Sniffing: Impacket can be used to sniff network traffic via an interface or raw socket. [1]
T1003 OS Credential Dumping: -
T1003.001 LSASS Memory: SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information. [1]
T1003.002 Security Account Manager: SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information. [1]
T1003.003 NTDS: SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information from NTDS.dit. [1]
T1003.004 LSA Secrets: SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information. [1]
T1558 Steal or Forge Kerberos Tickets: -
T1558.003 Kerberoasting: Impacket modules like GetUserSPNs can be used to get Service Principal Names (SPNs) for user accounts. The output is formatted to be compatible with cracking tools like John the Ripper and Hashcat. [1]
T1558.005 Ccache Files: Impacket tools, such as getST.py or ticketer.py, can be used to steal or forge Kerberos tickets using ccache files given a password, hash, aesKey, or TGT. [2][3]
T1569 System Services: -
T1569.002 Service Execution: Impacket contains various modules emulating other service execution tools such as PsExec. [1]
T1047 Windows Management Instrumentation: Impacket's wmiexec module can be used to execute commands through WMI. [1][4]

Groups That Use This Software

Format: ID, Name: Use [reference].

G1053 Storm-0501: Storm-0501 has used Impacket to extract credentials over the network and from victim devices. [10]
G1016 FIN13: [11]
G0059 Magic Hound: [12]
G0096 APT41: APT41 used Impacket to dump LSA secrets on one of the domain controllers in the victim network. [13]
G0125 HAFNIUM: [14]
G0030 Lotus Blossom: Lotus Blossom has used Impacket during operations. [15]
G0027 Threat Group-3390: [16]
G0129 Mustang Panda: Mustang Panda leveraged Impacket to gather information about the network, discover devices and users, and query directories on remote machines to identify files to exfiltrate. [17]
G0035 Dragonfly: [19][18]
G1046 Storm-1811: Storm-1811 has used Impacket for lateral movement activity. [20]
G1021 Cinnamon Tempest: [22][21]
G1017 Volt Typhoon: [24][25][23]
G0016 APT29: [26]
G0045 menuPass: [27]
G0034 Sandworm Team: [28]
G1003 Ember Bear: Ember Bear has used Impacket for lateral movement and process execution in victim environments. [29][30]
G1047 Velvet Ant: Velvet Ant used Impacket for lateral tool transfer and remote process execution. [4]
G1001 HEXANE: HEXANE probed victim infrastructure in support of HomeLand Justice. [5]
G1015 Scattered Spider: [6]

References


  1. SecureAuth. (n.d.). Retrieved January 15, 2019. 

  2. Adepts of 0xCC. (2021, January 28). The Kerberos Credential Thievery Compendium (GNU/Linux). Retrieved September 17, 2024. 

  3. Boal, Calum. (2020, January 28). Abusing Kerberos From Linux - An Overview of Available Tools. Retrieved September 17, 2024. 

  4. Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025. 

  5. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024. 

  6. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023. 

  7. Microsoft Threat Intelligence. (2025, July 22). Disrupting active exploitation of on-premises SharePoint vulnerabilities. Retrieved October 15, 2025. 

  8. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. 

  9. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024. 

  10. Microsoft Threat Intelligence. (2024, September 26). Storm-0501: Ransomware attacks expanding to hybrid cloud environments. Retrieved October 19, 2025. 

  11. Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023. 

  12. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. 

  13. DCSO CyTec Blog. (2022, December 24). APT41 — The spy who failed to encrypt me. Retrieved June 13, 2024. 

  14. Microsoft Threat Intelligence Team & Detection and Response Team . (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022. 

  15. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025. 

  16. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019. 

  17. Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025. 

  18. Core Security. (n.d.). Impacket. Retrieved November 2, 2017. 

  19. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. 

  20. Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025. 

  21. Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023. 

  22. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023. 

  23. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024. 

  24. Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023. 

  25. NSA et al. (2023, May 24). People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023. 

  26. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023. 

  27. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  28. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023. 

  29. Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023. 

  30. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024. 

  31. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023. 

  32. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.