Threat

Impacket

Both testers and ransomware groups make frequent use of the Impacket library of Python scripts for post-exploitation.

Overall rank: #2

Customers affected: 5.6%

Analysis

At its core, Impacket is a collection of Python libraries that plug into applications like vulnerability scanners, allowing them to work with Windows network protocols. These Python classes are used in multiple tools to facilitate command execution over Server Message Block (SMB) and Windows Management Instrumentation (WMI). Often the popular scripts smbexec, wmiexec, or dcomexec are used on their own, without the full Impacket package having been downloaded, because they are versatile, self-contained code samples that are easy to drop into other tooling. This year Impacket continued to rise in our top 10 threat rankings, which we attribute to increased use by adversaries and testers alike.

In fact, more than half of the Impacket threats we detected were explicitly marked by our customers as testing. While Impacket is fairly easy to detect, it can be challenging to determine if it is malicious or benign without additional context and understanding of what is normal in an environment. It’s often used “behind the scenes” by administration and vulnerability-scanning applications, including Linux tools that manage or scan Windows environments. However, Impacket is known to be used by threats such as Vice Society/DEV-0832 as well as multiple other ransomware operators, so it should not be immediately considered benign. We recommend all organizations have a clear understanding of authorized use of Impacket in their environments, and consider any activity outside of that to be malicious until proven otherwise.

In 2022 Impacket continued to be used by a variety of adversaries, such as IRIDIUM, Lazarus, and initial access brokers tied to LAPSUS$ and Yanluowang. It is sometimes seen deployed with other tools such as Cobalt Strike, PowerSploit, and Mimikatz, and therefore should prompt a deeper look into infected systems.

Response actions may vary depending on which component of the Impacket script the adversary is leveraging. If you detect a malicious instance of Impacket, seriously consider isolating the endpoint because there’s likely an active adversary in your environment.

Once the endpoint is isolated, evaluate if the adversary loaded other tools, if they were able to move laterally from the device, and if they stole credentials. If the adversary moved laterally, isolate any devices they may have accessed. If there is evidence of credential theft, reset passwords for the impacted accounts. Please note that if the adversary leveraged Kerberos, passwords will need a double reset over the course of 10 hours (based on the default 10-hour ticket Time to Live setting) to reset and invalidate existing tickets.

Following the initial response steps above, stop any active processes associated with Impacket, remove any malicious files written to disk, and remove any changes to the device made by the adversary. Reimaging impacted devices is not out of the question, since an adversary may have installed other tools or established persistence.

Detection opportunities

Compiled Impacket execution

Compiling Impacket isn’t necessary in most cases, since the scripts can be run directly through the Python interpreter. However, threat actors such as the Yanluowang ransomware group have been observed compiling Python scripts from Impacket such as psexec.py and wmiexec.py into standalone executables.

filemod == '.pyd'
&&
filemod == 'impacket'

atexec.py execution

This detection analytic identifies Impacket’s atexec.py script on a target host. atexec.py is run from the adversary’s machine and executes commands on the victim remotely via a scheduled task. The command is commonly executed by a non-interactive cmd.exe with the output redirected to an eight-character TMP file.

parent_process == ('svchost.exe' || 'taskeng.exe' )
&&
command_includes ('cmd.exe' && '/c' && 'windows\temp' && ' > ' && '2>&1')
&&
file_path_includes ('windows\temp' && '.tmp')

WMIexec execution

This detection analytic uses a regular expression to identify commands from the Impacket wmiexec script, which provides a semi-interactive shell over WMI. This analytic shows output being redirected to the localhost ADMIN$ share. The regular expression identifies an output file named with a Unix timestamp (similar to 1642629756.323274) generated by the script.

parent_process == wmiprvse.exe
&&
process == cmd.exe
&&
command_includes ('/(?i)cmd.exe \/Q \/c .*\\\\127.0.0.1\\ADMIN\$\\__[0-9]{1,10}\.[0-9]{1,10} 2>&1/')

SMBexec execution

This detection analytic uses a regular expression to identify commands from the Impacket smbexec script, which provides a semi-interactive shell over SMB. The regular expression identifies the name of the file share used to store command output for the interactive session.

parent_process == services.exe
&&
process == cmd.exe
&&
command_includes ('/(?i)cmd.exe \/Q \/c echo cd \^> \\\\127.0.0.1\\[a-zA-Z]{1,}\$\\__output 2\^>\^&1 > .* & /')
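The four analytics above (compiled Impacket, atexec, wmiexec, smbexec) expressed as Python over constructed telemetry records, as an added example that is not Red Canary's or Impacket's code. The record field names (parent_process, process, command_line, file_path, type) and the sample command lines are assumptions shaped like the patterns the analytics describe, not any product's schema or captured data.

```python
import re

# Regexes transcribed from the wmiexec and smbexec analytics above.
WMIEXEC_RE = re.compile(
    r'(?i)cmd\.exe /Q /c .*\\\\127\.0\.0\.1\\ADMIN\$\\__[0-9]{1,10}\.[0-9]{1,10} 2>&1')
SMBEXEC_RE = re.compile(
    r'(?i)cmd\.exe /Q /c echo cd \^> \\\\127\.0\.0\.1\\[a-zA-Z]+\$\\__output 2\^>\^&1 > .* & ')


def classify(event):
    """Return the name of the first matching analytic, or None (field names assumed)."""
    parent = event.get("parent_process", "").lower()
    proc = event.get("process", "").lower()
    cmd = event.get("command_line", "")
    lcmd = cmd.lower()
    path = event.get("file_path", "").lower()

    # Compiled Impacket execution: a .pyd file modification under a path containing 'impacket'.
    if event.get("type") == "filemod" and path.endswith(".pyd") and "impacket" in path:
        return "compiled_impacket"
    # atexec.py: scheduled-task child cmd.exe redirecting output to a .tmp file in windows\temp.
    if parent in ("svchost.exe", "taskeng.exe") and all(
            s in lcmd for s in ("cmd.exe", "/c", "windows\\temp", " > ", "2>&1")) \
            and "windows\\temp" in path and path.endswith(".tmp"):
        return "atexec"
    # wmiexec.py: WMI-spawned cmd.exe writing output to ADMIN$\__<unix timestamp>.
    if parent == "wmiprvse.exe" and proc == "cmd.exe" and WMIEXEC_RE.search(cmd):
        return "wmiexec"
    # smbexec.py: services.exe-spawned cmd.exe echoing into <share>$\__output.
    if parent == "services.exe" and proc == "cmd.exe" and SMBEXEC_RE.search(cmd):
        return "smbexec"
    return None


# Constructed sample telemetry; the last record is a benign-looking admin command.
SAMPLE_EVENTS = [
    {"type": "process", "parent_process": "WmiPrvSE.exe", "process": "cmd.exe",
     "command_line": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1642629756.323274 2>&1"},
    {"type": "process", "parent_process": "services.exe", "process": "cmd.exe",
     "command_line": r"cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat"
                     r" & cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat"},
    {"type": "process", "parent_process": "svchost.exe", "process": "cmd.exe",
     "command_line": r"cmd.exe /C whoami > C:\Windows\Temp\AbCdEfGh.tmp 2>&1",
     "file_path": r"C:\Windows\Temp\AbCdEfGh.tmp"},
    {"type": "filemod", "file_path": r"C:\Users\Public\build\impacket\examples\wmiexec.pyd"},
    {"type": "process", "parent_process": "explorer.exe", "process": "cmd.exe",
     "command_line": r"cmd.exe /c dir C:\Windows\Temp > C:\Users\admin\out.txt 2>&1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev), "<-", ev.get("command_line") or ev.get("file_path"))
```

Because the same parent/child and redirection shapes appear in legitimate administration tooling, the returned label marks an event for review against known authorized Impacket use, not a confirmed intrusion.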

Testing

Atomic test #3 for T1569.002: System Services: Service Execution executes a command on a remote host with Impacket’s psexec.py script.