Though Impacket is used legitimately for testing, it is often abused by ransomware operators and other adversaries, thanks in large part to its versatility.

At its core, Impacket is a collection of Python classes for working with Windows network protocols, which other applications (vulnerability scanners, administration tools, post-exploitation frameworks) build on to execute commands over Server Message Block (SMB) and Windows Management Instrumentation (WMI). Often the example scripts that ship with Impacket, such as smbexec, wmiexec, and dcomexec, are run directly and reported by name without any mention of Impacket, because they are versatile and easy to drop into other code. This is the first year that Impacket made it into our top 10 threat rankings, which we attribute to increased use by adversaries and testers alike.

Impacket is an interesting tool as we consider it “dual-use”—it’s leveraged by both adversaries and legitimate users. It’s often used “behind the scenes” by administration and vulnerability-scanning applications, including Linux tools that manage or scan Windows environments. While Impacket is fairly easy to detect, it can be challenging to determine if it is malicious or benign without additional context and understanding of what is normal in an environment. While threats such as FIN8 malware BADHATCH and multiple ransomware operators have used Impacket, approximately one third of the Impacket detections we saw in 2021 were from confirmed testing. We recommend all organizations have a clear understanding of authorized use of Impacket in their environments, and consider any activity outside of that to be malicious until proven otherwise.

Throughout 2021, operators of Conti, SunCrypt, Yanluowang, Cring, and Vice Society ransomware all used Impacket at some point during intrusions. Impacket acted as a sort of Swiss Army knife, allowing adversaries to:

  • retrieve credentials (SunCrypt)
  • issue commands on remote systems during lateral movement (SunCrypt)
  • deliver a ransomware binary (Cring and Vice Society)

Responding to Impacket

Response actions may vary depending on the Impacket script component the adversary is leveraging. If you detect a malicious instance of Impacket, seriously consider isolating the endpoint because there’s likely an active adversary in your environment.

Once the endpoint is isolated, evaluate whether the adversary loaded other tools, whether they were able to move laterally from the device, and whether they stole credentials. If the adversary moved laterally, isolate any devices they may have accessed. If there is evidence of credential theft, reset passwords for the impacted accounts. Note that resetting a password does not invalidate Kerberos tickets that have already been issued: if the adversary leveraged Kerberos, plan for a double reset, with the second reset performed after the existing tickets have expired (10 hours under the default maximum ticket lifetime), so that tickets issued under the old key can no longer be used. This matters most for the KRBTGT account, whose key signs every ticket-granting ticket in the domain.

Following the initial response steps above, stop any active processes associated with Impacket, remove any malicious files written to disk, and remove any changes to the device made by the adversary. Reimaging impacted devices is not out of the question, since an adversary may have installed other tools or established persistence.

Detection opportunities

WMIexec execution

This detection analytic uses a regular expression to identify commands from the Impacket wmiexec script, which provides a semi-interactive shell over WMI. Each command is launched through WMI, so cmd.exe appears as a child of the WMI provider host (wmiprvse.exe), and its output is redirected to a file on the target's own ADMIN$ share (addressed via localhost) that the script then reads back over SMB. The regular expression identifies that output file, which the script names after a Unix timestamp (for example 1642629756.323274).

parent_process == wmiprvse.exe
process == cmd.exe
command_line_includes ('/(?i)cmd.exe \/Q \/c .*\\\\\\ADMIN\$\\__[0-9]{1,10}\.[0-9]{1,10} 2>&1/')

SMBexec execution

This detection analytic uses a regular expression to identify commands from the Impacket smbexec script, which provides a semi-interactive shell over SMB. Each command runs as a short-lived Windows service, so cmd.exe appears as a child of services.exe. The regular expression identifies the administrative file share (for example C$) to which the script redirects command output in a file named __output, which it then reads back for interaction.

parent_process == services.exe
process == cmd.exe
command_line_includes ('/(?i)cmd.exe \/Q \/c echo cd \^> \\\\\\[a-zA-Z]{1,}\$\\__output 2\^>\^&1 > .* & /')
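To show what the two analytics above (wmiexec execution and smbexec execution) actually match, here is an added Python example, not code from the report or from the Impacket project, that runs both checks over constructed process-creation telemetry. The regexes are the two analytics translated for Python's re module (the page's pseudo-syntax escapes backslashes differently), the ProcessEvent fields, hostnames and image paths are assumptions, and the sample command lines are constructed to mirror what wmiexec and smbexec generate on a target. It also recovers the Unix timestamp from the wmiexec output file name, which is a useful pivot for timeline work.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class ProcessEvent:
    """One process-creation record, as an EDR or Sysmon Event ID 1 would report it (assumed schema)."""
    host: str
    parent_image: str
    image: str
    command_line: str


# Regexes adapted for Python's re module from the two analytics above.
# wmiexec: cmd.exe /Q /c <command> 1> \\<host>\ADMIN$\__<unix timestamp> 2>&1
WMIEXEC_RE = re.compile(
    r"(?i)cmd\.exe /Q /c .*\\ADMIN\$\\__([0-9]{1,10}\.[0-9]{1,10}) 2>&1"
)
# smbexec: cmd.exe /Q /c echo cd ^> \\<host>\<share>$\__output 2^>^&1 > <batch file> & ...
SMBEXEC_RE = re.compile(
    r"(?i)cmd\.exe /Q /c echo cd \^> \\\\[^\\ ]+\\[a-zA-Z]+\$\\__output 2\^>\^&1 > .* & "
)


def _image_is(path: str, name: str) -> bool:
    """Compare only the file name, so full paths and bare image names both match."""
    return path.rsplit("\\", 1)[-1].lower() == name


def detect_wmiexec(ev: ProcessEvent) -> bool:
    """cmd.exe spawned by the WMI provider host, writing output to ADMIN$\\__<timestamp>."""
    return (
        _image_is(ev.parent_image, "wmiprvse.exe")
        and _image_is(ev.image, "cmd.exe")
        and WMIEXEC_RE.search(ev.command_line) is not None
    )


def detect_smbexec(ev: ProcessEvent) -> bool:
    """cmd.exe spawned as a service by services.exe, writing output to <share>$\\__output."""
    return (
        _image_is(ev.parent_image, "services.exe")
        and _image_is(ev.image, "cmd.exe")
        and SMBEXEC_RE.search(ev.command_line) is not None
    )


def wmiexec_output_time(ev: ProcessEvent):
    """The wmiexec output file name is the operator's clock as a Unix timestamp.
    Returns it as an aware UTC datetime, or None when the command line is not wmiexec."""
    m = WMIEXEC_RE.search(ev.command_line)
    if m is None:
        return None
    return datetime.fromtimestamp(float(m.group(1)), tz=timezone.utc)


def triage(events):
    """Run both analytics over a batch of events; return (host, analytic) hits in order."""
    hits = []
    for ev in events:
        if detect_wmiexec(ev):
            hits.append((ev.host, "impacket_wmiexec"))
        if detect_smbexec(ev):
            hits.append((ev.host, "impacket_smbexec"))
    return hits


# Constructed sample telemetry: hostnames are made up, command lines mirror the scripts' behaviour.
SAMPLE_EVENTS = [
    # wmiexec: the WMI provider host spawns cmd.exe, output goes to ADMIN$\__<timestamp>
    ProcessEvent("ws01", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1642629756.323274 2>&1"),
    # smbexec: the service created over SMB runs under services.exe and writes to C$\__output
    ProcessEvent("fs02", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > "
                 r"%TEMP%\execute.bat & C:\Windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & "
                 r"del %TEMP%\execute.bat"),
    # Benign: an interactive user launching cmd.exe from Explorer
    ProcessEvent("ws01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c dir"),
    # Benign: cmd.exe spawned via WMI by a management agent, without the wmiexec output redirection
    ProcessEvent("ws03", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c hostname"),
]

if __name__ == "__main__":
    for host, analytic in triage(SAMPLE_EVENTS):
        print(f"{host}: {analytic}")
```

The parent-process condition does most of the work: plenty of legitimate tooling runs cmd.exe through WMI or as a service, and only the combination of that parent with the script's characteristic output redirection is specific to Impacket. A hit on either analytic still needs the context discussed above (is this a known tester, a scanner, or something else?) before it is treated as malicious.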