> [!Info]
> This page is currently a work in progress.
## What is Impacket?
Impacket is a collection of Python classes for working with network protocols such as SMB; its example scripts use them to, among other things, execute code remotely on a target (RCE).
## How does it work?
It achieves RCE by creating a temporary service on the victim endpoint that executes the command; the service is deleted afterwards.
## Indicators of Compromise
- New service installed
- Source IP address
- Source user
- Command line like:
    - `cmd.exe /Q /c`
- Parent process is:
    - `wmiprvse.exe` (`wmiexec.py`)
    - `mmc.exe` (`dcomexec.py`)
    - `services.exe` (`smbexec.py`)
    - `explorer.exe` (`dcomexec.py`)
- Windows event IDs:
    - Event ID 7045: New service created (System log)
    - Event ID 4624: An account was successfully logged on (Security log)
- Network activity:
    - SMB/RPC ports:
        - 135
        - 139
        - 445
    - RDP port:
        - 3389
    - WinRM / Remote PowerShell ports:
        - 80
        - 5985
        - 5986
- File activity:
    - Especially for `secretsdump.py`:
        - `.tmp` files written to disk
        - File name: `{8 random characters}.tmp`
        - File location: `C:\Windows\system32\` or `C:\Windows\Temp\`
    - Scheduled tasks:
        - `.tmp` file written with the same name as the task
---
## Defending Against Impacket
1. Identify the source of the activity:
    1. Source user account (SID)
    2. Source device
2. Look at authentication events around the `cmd` process execution times to identify the user.
3. Remediate:
    1. Disable impacted user accounts (on the DC for domain accounts)
    2. If persistence is located, remove it (schtasks, services, etc.)
    3. Block the source IP of the activity on the network
        1. If it is a managed host, isolate it.
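The indicators listed above and the identify/correlate steps in this section, as an added example that is not part of this note or of the Impacket project: a small Python detector run over constructed, simplified event records (one flat dict per event, not the real Windows event XML; the file-write events use Sysmon's FileCreate id 11, an assumption about the telemetry source). It flags the new-service, parent-process and `.tmp` patterns from the Indicators section, then looks back for 4624 network logons to name the source user and IP, as steps 1 and 2 describe.

```python
import re
from datetime import datetime, timedelta

# Parent process -> Impacket module, as listed in the Indicators section.
PARENT_TO_MODULE = {
    "wmiprvse.exe": "wmiexec.py",
    "mmc.exe": "dcomexec.py",
    "services.exe": "smbexec.py",
    "explorer.exe": "dcomexec.py",
}

# "cmd.exe /Q /c" from the Indicators section; %COMSPEC% is accepted too
# because it expands to cmd.exe when a service ImagePath is run.
CMD_PATTERN = re.compile(r"(cmd\.exe|%COMSPEC%)\s+/Q\s+/c", re.IGNORECASE)

# {8 random characters}.tmp under C:\Windows\system32\ or C:\Windows\Temp\
TMP_PATTERN = re.compile(r"^c:\\windows\\(system32|temp)\\[a-z0-9]{8}\.tmp$", re.IGNORECASE)

# Constructed sample events (not real logs). Simplified schema: 'id' is the
# event id, 'ts' an ISO timestamp, the rest the fields a SIEM would carry.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "id": 4624, "TargetUserName": "svc_backup",
     "IpAddress": "10.0.0.5", "LogonType": 3},
    {"ts": "2024-05-01T10:00:01", "id": 4624, "TargetUserName": "alice",
     "IpAddress": "-", "LogonType": 2},            # interactive logon, not a network source
    {"ts": "2024-05-01T10:00:02", "id": 4688,
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> C:\Windows\Temp\out.txt 2>&1",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"ts": "2024-05-01T10:05:00", "id": 7045, "ServiceName": "AbCdEfGh",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> C:\Windows\Temp\__out 2^>^&1 > C:\Windows\Temp\exec.bat"},
    {"ts": "2024-05-01T10:06:00", "id": 11, "TargetFilename": r"C:\Windows\Temp\kQz81xLp.tmp"},
    {"ts": "2024-05-01T10:06:01", "id": 11, "TargetFilename": r"C:\Windows\Temp\report.tmp"},  # not 8 chars
    {"ts": "2024-05-01T10:07:00", "id": 4688,
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir",               # no /Q: an ordinary user shell
     "ParentProcessName": r"C:\Windows\explorer.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def match_impacket_iocs(events):
    """Return (event, reason) pairs for events matching the note's indicators."""
    hits = []
    for ev in events:
        eid = ev["id"]
        if eid == 7045 and CMD_PATTERN.search(ev.get("ImagePath", "")):
            hits.append((ev, "7045 new service whose ImagePath runs cmd.exe /Q /c (smbexec.py style)"))
        elif eid == 4688:
            parent = basename(ev.get("ParentProcessName", ""))
            if (basename(ev.get("NewProcessName", "")) == "cmd.exe"
                    and CMD_PATTERN.search(ev.get("CommandLine", ""))
                    and parent in PARENT_TO_MODULE):
                hits.append((ev, f"cmd.exe /Q /c spawned by {parent} ({PARENT_TO_MODULE[parent]})"))
        elif eid == 11 and TMP_PATTERN.match(ev.get("TargetFilename", "")):
            hits.append((ev, "8-character .tmp written to system32/Temp (secretsdump.py / atexec.py style)"))
    return hits


def attribute(events, hit, window_seconds=60):
    """Steps 1-2: 4624 network logons (LogonType 3) in the window before the hit.

    Returns sorted (user, source IP) pairs; an empty list means no network
    logon landed close enough and the analyst must widen the window.
    """
    t_hit = datetime.fromisoformat(hit["ts"])
    earliest = t_hit - timedelta(seconds=window_seconds)
    sources = set()
    for ev in events:
        if ev["id"] != 4624 or ev.get("LogonType") != 3:
            continue
        t = datetime.fromisoformat(ev["ts"])
        if earliest <= t <= t_hit:
            sources.add((ev["TargetUserName"], ev["IpAddress"]))
    return sorted(sources)


if __name__ == "__main__":
    for ev, reason in match_impacket_iocs(SAMPLE_EVENTS):
        print(ev["ts"], reason, "->", attribute(SAMPLE_EVENTS, ev) or "no 4624 in window")
```

On the constructed data the `wmiprvse.exe` parent hit is attributed to `svc_backup` from `10.0.0.5` (the type 3 logon two seconds earlier), while the 7045 hit five minutes later finds nothing in a 60-second window, which is why step 2 says to look at authentication events *around* the execution time rather than at a single timestamp.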
---
## Main Modules
- [[Impacket-atexec.py|atexec.py]]
- [[Impacket-psexec.py|psexec.py]]
- [[Impacket-regsecrets.py|regsecrets.py]]
- [[Impacket-secretsdump.py|secretsdump.py]]
- [[Impacket-smbexec.py|smbexec.py]]
- [[Impacket-wmiexec.py|wmiexec.py]]
---
## Other Modules
- addcomputer.py
- dcomexec.py
- dpapi.py
- esentutl.py
- exchanger.py
- findDelegation.py
- GetADUsers.py
- getArch.py
- GetNPUsers.py
- getPac.py
- getST.py
- getTGT.py
- GetUserSPNs.py
- goldenPac.py
- karmaSMB.py
- keylistattack.py
- kintercept.py
- lookupsid.py
- machine_role.py
- mimikatz.py
- mqtt_check.py
- mssqlclient.py
- mssqlinstance.py
- netview.py
- nmapAnswerMachine.py
- ntfs-read.py
- ntlmrelayx.py
- ping.py
- ping6.py
- psexec.py
- raiseChild.py
- rbcd.py
- rdp_check.py
- reg.py
- registry-read.py
- rpcdump.py
- rpcmap.py
- sambaPipe.py
- samrdump.py
- services.py
- smbclient.py
- smbpasswd.py
- smbrelayx.py
- smbserver.py
- sniff.py
- sniffer.py
- split.py
- ticketConverter.py
- ticketer.py
- wmipersist.py
- wmiquery.py
- Get-GPPPassword.py
## Resources
- https://github.com/fortra/impacket