At its core, Impacket is a collection of Python libraries that plug into applications like vulnerability scanners, allowing them to work with Windows network protocols. These Python classes are used in multiple tools, including post-exploitation and vulnerability-scanning products, to facilitate command execution over Server Message Block (SMB) and Windows Management Instrumentation (WMI). Oftentimes popular Python scripts such as dcomexec are used directly without referring to Impacket, as they are versatile and easily implemented code samples. This is the first year that Impacket made it into our top 10 threat rankings, which we attribute to increased use by adversaries and testers alike.
Impacket is an interesting tool as we consider it “dual-use”—it’s leveraged by both adversaries and legitimate users. It’s often used “behind the scenes” by administration and vulnerability-scanning applications, including Linux tools that manage or scan Windows environments. While Impacket is fairly easy to detect, it can be challenging to determine if it is malicious or benign without additional context and understanding of what is normal in an environment. While threats such as FIN8 malware BADHATCH and multiple ransomware operators have used Impacket, approximately one third of the Impacket detections we saw in 2021 were from confirmed testing. We recommend all organizations have a clear understanding of authorized use of Impacket in their environments, and consider any activity outside of that to be malicious until proven otherwise.
Throughout 2021, operators of Conti, SunCrypt, Yanluowang, Cring, and Vice Society ransomware all used Impacket at some point during intrusions. Impacket acted as a sort of Swiss Army knife during intrusions, allowing adversaries to:
- retrieve credentials using secretsdump.py functionality (SunCrypt)
- issue commands on remote systems during lateral movement (SunCrypt)
- deliver a ransomware binary using smbexec.py (Cring and Vice Society)
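As an added example that is not part of this report, the following Python triage helper applies the recommendation above: flag process-creation events that carry a remote-execution artifact, then treat them as authorized only when they originate from a known testing or scanning host, and as suspicious otherwise. The command-line pattern it looks for (cmd.exe output redirected to a loopback admin share under a `__` prefix) is an assumption based on how wmiexec/smbexec-style execution is commonly observed, not something this page states; the event fields and sample events are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 style). Field names are assumed."""
    host: str
    parent_image: str
    image: str
    command_line: str
    logon_source_ip: str  # assumed: enriched from the network logon preceding the process

# Assumption: Impacket's wmiexec/smbexec-style execution redirects cmd.exe output to
# \\127.0.0.1\ADMIN$\__<timestamp> or \\127.0.0.1\C$\__output. Not stated on this page.
_LOOPBACK_SHARE_REDIRECT = re.compile(
    r"\\\\(127\.0\.0\.1|localhost)\\(ADMIN|C)\$\\__", re.IGNORECASE
)
# Parents that spawn cmd.exe for WMI- and service-based remote execution respectively.
_REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "services.exe"}

def classify(event: ProcEvent, authorized_scanners: set[str]) -> str:
    """Return 'benign', 'authorized', or 'suspicious' for a single event."""
    parent = event.parent_image.rsplit("\\", 1)[-1].lower()
    if parent not in _REMOTE_EXEC_PARENTS:
        return "benign"
    if not _LOOPBACK_SHARE_REDIRECT.search(event.command_line):
        return "benign"
    # Dual-use: the same artifact from an approved scanner is authorized;
    # anything else is malicious until proven otherwise.
    if event.logon_source_ip in authorized_scanners:
        return "authorized"
    return "suspicious"

def triage(events: list[ProcEvent], authorized_scanners: set[str]) -> list[tuple[str, str]]:
    """Classify every event, returning (host, verdict) pairs in input order."""
    return [(e.host, classify(e, authorized_scanners)) for e in events]

# Constructed sample events: one wmiexec-style, one smbexec-style, one ordinary cmd.exe.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1640995200.12 2>&1", "10.0.5.20"),
    ProcEvent("srv02", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\cmd.exe",
              r"%COMSPEC% /Q /c echo hostname ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat",
              "10.0.0.9"),
    ProcEvent("ws03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c dir", "10.0.5.21"),
]
AUTHORIZED_SCANNERS = {"10.0.0.9"}  # constructed: the approved vulnerability-scanner host

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS, AUTHORIZED_SCANNERS):
        print(f"{host}: {verdict}")
```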
Responding to Impacket
Response actions may vary depending on the Impacket script component the adversary is leveraging. If you detect a malicious instance of Impacket, seriously consider isolating the endpoint because there’s likely an active adversary in your environment.
Once the endpoint is isolated, evaluate whether the adversary loaded other tools, whether they were able to move laterally from the device, and whether they stole credentials. If the adversary moved laterally, isolate any devices they may have accessed. If there is evidence of credential theft, reset passwords for the impacted accounts. Please note that if the adversary leveraged Kerberos, passwords will need to be reset twice over the course of 10 hours (based on the default 10-hour ticket Time to Live setting) so that existing tickets are invalidated.
Following the initial response steps above, stop any active processes associated with Impacket, remove any malicious files written to disk, and remove any changes to the device made by the adversary. Reimaging impacted devices is not out of the question, since an adversary may have installed other tools or established persistence.