S0357 Impacket
Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks. [1]
| Item | Value |
|---|---|
| ID | S0357 |
| Associated Names | |
| Type | TOOL |
| Version | 1.2 |
| Created | 31 January 2019 |
| Last Modified | 07 October 2021 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1557 | Adversary-in-the-Middle | - |
| enterprise | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Impacket modules like ntlmrelayx and smbrelayx can be used in conjunction with Network Sniffing and LLMNR/NBT-NS Poisoning and SMB Relay to gather NetNTLM credentials for Brute Force or relay attacks that can gain code execution. [1] |
| enterprise | T1040 | Network Sniffing | Impacket can be used to sniff network traffic via an interface or raw socket. [1] |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information. [1] |
| enterprise | T1003.002 | Security Account Manager | SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information. [1] |
| enterprise | T1003.003 | NTDS | SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information from NTDS.dit. [1] |
| enterprise | T1003.004 | LSA Secrets | SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information. [1] |
| enterprise | T1558 | Steal or Forge Kerberos Tickets | - |
| enterprise | T1558.003 | Kerberoasting | Impacket modules like GetUserSPNs can be used to get Service Principal Names (SPNs) for user accounts. The output is formatted to be compatible with cracking tools like John the Ripper and Hashcat. [1] |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | Impacket contains various modules emulating other service execution tools such as PsExec. [1] |
| enterprise | T1047 | Windows Management Instrumentation | Impacket's wmiexec module can be used to execute commands through WMI. [1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0035 | Dragonfly | [2], [3] |
| G0027 | Threat Group-3390 | [4] |
| G0061 | FIN8 | [5] |
| G0045 | menuPass | [6] |
| G0116 | Operation Wocao | [7] |
References
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Core Security. (n.d.). Impacket. Retrieved November 2, 2017.
- Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
- Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China's hidden hacking groups. Retrieved October 8, 2020.