Threat
Impacket
Both testers and ransomware groups make frequent use of the Impacket library of Python scripts for post-exploitation.
Pairs with this song #2
OVERALL RANK
5.6%
CUSTOMERS AFFECTED
Threat Sounds
Ranking second for the second year in a row, the Impacket library of Python classes showed no signs of calming down in 2023, with significant changes made to its code repository.
Analysis
At its core, Impacket is a collection of Python classes that plug into applications like vulnerability scanners, allowing them to work with Windows network protocols. These Python classes are used in multiple tools to facilitate command execution over Server Message Block (SMB) and Windows Management Instrumentation (WMI). Oftentimes the popular Python scripts smbexec, wmiexec, or dcomexec are used directly without having been downloaded via Impacket, as they are versatile and easily implemented code samples. This year Impacket continued to rise in our top 10 threat rankings, which we attribute to increased use by adversaries and testers alike.
In fact, more than half of the Impacket threats we detected were explicitly marked by our customers as testing. While Impacket is fairly easy to detect, it can be challenging to determine if it is malicious or benign without additional context and understanding of what is normal in an environment. It’s often used “behind the scenes” by administration and vulnerability-scanning applications, including Linux tools that manage or scan Windows environments, similar to Block64. However, Impacket is known to be used by threats such as BlackCat Spyhnx as well as multiple other ransomware operators, so it should not be immediately considered benign. We recommend all organizations have a clear understanding of authorized use of Impacket in their environments, and consider any activity outside of that to be malicious until proven otherwise.
In 2023, Impacket continued to be used by a variety of adversaries, such as Volt Typhoon, and LockBit 3.0 ransomware affiliates. It is sometimes seen deployed with other malicious tools such as Cobalt Strike, Truebot, and Mimikatz. Additionally, Impacket use has also been observed with benign IT applications like PingCastle, SoftPerfect NetScan and various RMM tools—and therefore should prompt a deeper look into infected systems.
Red Canary observed some elements of Impacket change in 2023, specifically smbexec.py. The default hardcoded value (execute.bat) for the .bat file changed to a random eight-string value.
Similarly, the default hardcoded service name (BTOBTO) was also replaced by a random eight-string value.
With open source offensive tools, it’s important to monitor for any code changes within the associated code repository. This will help guide your detection strategies as tools evolve over time and aid in alleviating detection drift.
take action
Response actions may vary depending on which component of the Impacket script the adversary is leveraging. If you detect a malicious instance of Impacket, seriously consider isolating the endpoint because there’s likely an active adversary in your environment. It’s important to keep in mind that Impacket execution on an endpoint is a symptom of malicious activity and not the source.
Once the endpoint is isolated, you’ll want to locate the source of the activity, which often comes from an unmonitored endpoint in the intrusions we have observed. To do this, you can perform the following pseudo-query in your EDR or SIEM platform. We recommend executing this query because Impacket leverages SMB (port 445) and MRPC (port 135) network protocols for remote execution. Impacket has also been seen to send data over the Windows default dynamic port range (49152-65535).
endpoint_name:NAME AND (network_port:135 OR network_port:445 OR network_port:[49152 To *]Once the source of the activity is identified, you can then start to evaluate if the adversary loaded other tools, if they were able to move laterally from the device, and if they stole credentials. If the adversary moved laterally, isolate any devices they may have accessed. If there is evidence of credential theft, reset passwords for the impacted accounts. Please note that if the adversary leveraged Kerberos, passwords will need a double reset over the course of 10 hours (based on the default 10-hour ticket Time to Live setting) to reset and invalidate existing tickets.
Following the initial response steps above, stop any active processes associated with Impacket, remove any malicious files written to disk, and remove any changes to the device made by the adversary. Reimaging impacted devices is not out of the question, since an adversary may have installed other tools or established persistence. Impacket’s initial access is commonly associated with an external-facing appliance (VPN, Citrix, VOIP, VNC, RDP) that gives access to the internal network. Vulnerabilities might be present in these appliances, which would require patching in order to remediate.
Segmentation
There are two things an organization can do to decrease the attack surface for Impacket-based attacks. The first control is endpoint segmentation via the Windows Firewall. The common ports and protocols that should be blocked between workstation-to-workstation—and workstations to non-domain controllers
and non-file servers—include:
- SMB/RPC (TCP/445, TCP/135, TCP/139)
- Remote Desktop Protocol (TCP/3389)
- Windows Remote Management / Remote PowerShell (TCP/80, TCP/5985, TCP/5986)
- WMI (dynamic port range (49152 – 65535) assigned through DCOM)
Disable administrative/hidden shares
A second preventative measure would be to disable administrative and hidden shares on workstations. Impacket primarily targets the ADMIN$ share in order to remotely execute commands and move laterally within the environment. This can be achieved by modifying the registry, stopping the service, or Group Policy Objects (GPO).
There is a caveat with employing this control. Disabling administrative and hidden shares on servers, specifically domain controllers, may impact the operation and functionality of systems within a domain-based environment. Furthermore, if PsExec is used legitimately within the organization, disabling the admin (ADMIN$) may hinder the ability to remotely interact with endpoints.
More details on both controls can be found in this Mandiant containment guide.
Detection opportunities
secretsdump.py execution
This detection analytic identifies Impacket’s secretsdump.py script on a target host, which is the most common script we have observed in customer environments. secretsdump.py is remotely run on an adversary’s machine to steal credentials. The command is commonly executed by svchost.exe, where regsvc.dll is loaded which allows the export of credentials from the registry. The output is redirected to an eight-character TMP file within the System32 directory.
process == ('svchost.exe')
&&
module_name == ('regsvc.dll')
&&
filemod_path_includes ('/(?i)windows\\system32\\\w{8}\.tmp$/)atexec.py execution
This detection analytic identifies Impacket’s atexec.py script on a target host. atexec.py is remotely run on an adversary’s machine to execute commands on the victim via scheduled task. The command is commonly executed by a non-interactive cmd.exe with the output redirected to an eight-character TMP file.
parent_process == ('svchost.exe' || 'taskeng.exe' )
&&
command_includes ('cmd.exe' && '/c' && 'windows\temp' && ' > ' && '2>&1')
&&
file_path_includes ('windows\temp' && '.tmp')WMIexec execution
This detection analytic looks for wmiprvse.exe spawn cmd.exe with the following command line, `cmd.exe /Q /c ', ' 1 \\', ' 2 &1`. These strings are specific to the execution of wmiexe.py, which allows a semi-interactive shell used via WMI.
parent_process == wmiprvse.exe
&&
process == cmd.exe
&&
command_includes ('cmd.exe /Q /c ' || ' 1> \\' || ' 2>&1')
SMBexec execution
Similar to the wmiexec.py detector logic, this detection analytic is looking for services.exe spawning cmd.exe with a command line that has the following strings: '/Q', '/c', 'echo',' > ', ' 2>&1'. These strings are unique to the execution of smbexec.py, which allows a semi-interactive shell used through SMB. This script functions similar to psexec.py, but does not write a service binary to disk on the target machine.
parent_process == services.exe
&&
process == cmd.exe
&&
command_includes ('/Q' || '/c' || 'echo' || '^> ' || ' 2^>^&1 > ')
Testing
Start testing your defenses against Impacket using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.
Getting started
There are multiple Atomic Red Team tests that defenders can use to validate their detection controls for Impacket. In most environments, the following should be sufficient to generate a useful signal for defenders:
- Atomic test #3 for T1569.002: System Services: Service Execution executes a command on a remote host with Impacket’s
psexec.pyscript. - Atomic test #4 for T1021.002: Remote Services: SMB/Windows Admin Shares executes a command, writing the output to a local admin share. This technique is used by post-exploitation frameworks like Impacket.
- Atomic test #6 for T1047: Windows Management Instrumentation uses
wmic.exeto execute a process on a remote host. Specify a valid value for remote IP using the node parameter. To clean up, provide the same node input as the one provided to run the test. A common error message isNode - (provided IP or default) ERROR Description =The RPC server is unavailableif the default or provided IP is unreachable.
Review and repeat
Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:
- Were any of your actions detected?
- Were any of your actions blocked or prevented?
- Were your actions visible in logs or other defensive telemetry?
Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.