Key Points
- Impacket is a versatile, dual-use tool that uses Python-based scripts to exploit legitimate Windows services and protocols.
- While it has legitimate purposes, Impacket is used by threat actors to move laterally within networks undetected and escalate privileges. Impacket’s ability to mimic genuine activities complicates detection and mitigation.
- Threat actors frequently use psexec.py, smbexec.py, and wmiexec.py scripts within Impacket to execute code remotely on Windows systems without additional payloads or tools.
- AI will likely automate Impacket script execution, enabling complex attacks by less experienced attackers.
- Organizations should implement stringent access controls, conduct regular security audits, and maintain real-time monitoring to detect and respond to misuse of dual-use tools like Impacket.
Impacket is a versatile Python-based toolkit widely used in both penetration testing and malicious hacking efforts. For penetration testers, Impacket facilitates the simulation of realistic attack scenarios, allowing for identification and remediation of vulnerabilities within an organization’s network. Adversaries often use Impacket to exploit Windows services and protocols, move laterally within networks, escalate privileges, and access sensitive data. Impacket is a favored tool for threat actors including ransomware groups due to its comprehensive suite of capabilities for reconnaissance, credential dumping, and unauthorized command execution.
The key defensive takeaway from this report is the imperative to implement stringent access controls, conduct regular security audits, and maintain real-time monitoring to detect and respond to any misuse of dual-use tools like Impacket. Given Impacket’s versatile nature, its abuse poses a significant threat to all businesses, regardless of sector. Understanding how threat actors exploit tools such as Impacket is crucial for implementing effective security measures and enhancing an organization’s overall threat detection and response capabilities.
In this report, we examine how attackers repurpose Impacket features for malicious uses. While Impacket includes over 50 Python scripts, this report will specifically focus on three—psexec.py, smbexec.py, and wmiexec.py—that are frequently exploited and discussed by threat actors. We offer practical defensive recommendations and explore how ReliaQuest’s GreyMatter helps customers to identify and mitigate related threats.
Impacket Capabilities and Use Cases
Impacket can execute remote commands, moving laterally across networks and extracting sensitive information. It provides adversaries with a comprehensive set of scripts to dump credentials, sniff packets, and remotely execute commands on Windows systems without the need to install additional payloads or tools on victim systems. These capabilities support the following use cases.
- Protocol Support: Impacket’s support for a variety of network protocols like Server Message Block (SMB) and authentication mechanisms such as New Technology LAN Manager (NTLM) make it a versatile tool for pentesters, helping them identify and mitigate security weaknesses. Cybercriminals often leverage this versatility to exploit weaknesses in multiple protocols, facilitating diverse attack vectors including executing remote commands, dumping credentials, and moving laterally across networks.
- Packet Manipulation: Pentesters rely on Impacket to craft and manipulate packets at a low level, essential for understanding protocol operations and simulating real-world attack scenarios. Meanwhile, threat actors often take advantage of this low-level access to modify packet contents and exploit specific vulnerabilities within a protocol, which enables them to bypass security measures and execute sophisticated attacks.
- Password Attacks and Cracking: Impacket includes modules for password attacks and cracking, making it an indispensable tool for testing the strength of authentication mechanisms in a network. Attackers use these tools to perform brute-force and dictionary attacks, potentially compromising user credentials and gaining access.
Impacket Scripts on Dark Web Forums
We have observed threat actors on dark web forums actively discussing the use of Impacket scripts to infiltrate systems, underscoring the significance of these tools in cybercriminal activities. For instance, one user on RAMP, a notorious cybercriminal forum frequented by initial access brokers (IABs) and ransomware groups, writes: “Impacket is a great suite of scripts, but you have to know their behavior before executing them, otherwise you will get caught” (see Figure 1).
Threat actors most commonly discuss and exploit the following Impacket scripts, which we’ll explore in more detail below.
- psexec.py
- smbexec.py
- wmiexec.py
Figure 1: RAMP user in January 2024 advising other forum users on the utility of different Impacket scripts
psexec.py
The psexec.py script is designed to facilitate remote code execution on Windows systems. Unlike smbexec.py and wmiexec.py, psexec.py uniquely utilizes the SMB protocol to create a Windows service on a remote machine with the privileges of a certain user account, which then runs the specified command. This script is particularly potent for gaining administrative control and performing tasks that require elevated privileges, all while blending in with normal network activity to evade detection.
How Threat Actors Use psexec.py
While highly useful for legitimate administrative tasks and penetration testing, psexec.py is also frequently exploited by threat actors to gain access, escalate privileges, and move laterally within a compromised network, making it a critical tool in both defense and attack scenarios.
Adversaries use psexec.py to execute commands on remote Windows systems without needing to install additional payloads or tools on the victim’s machine. By exploiting the SMB protocol, attackers can use psexec.py to run processes disguised as a specified user account, often with elevated privileges. This capability enables attackers to deploy malicious software, execute scripts, and manipulate system configurations remotely. One of the primary advantages for attackers is the ability to maintain a low profile, as the use of legitimate tools like psexec.py can blend in with regular network activity, thereby reducing the likelihood of detection by security monitoring systems.
Threat actors also use psexec.py to move laterally within compromised networks. Once initial access is gained, attackers can use stolen credentials or exploit vulnerabilities to execute psexec.py on other machines within the network, thereby expanding their reach and control. For customers, this means that a single point of compromise can quickly escalate into a widespread network infiltration, resulting in significant operational disruptions, financial losses, and reputational damage. In one notable instance, the ransomware group “AlphV” used psexec.py to deploy its payload within a victim’s network.
- In October 2023, a user on the prominent Russian-language cybercriminal forum XSS published a guide on how to pentest Fortinet virtual private networks (VPNs). In the post, the user described setting up two servers: a scanning server for reconnaissance and brute forcing, and an attacking server to establish a stable connection through a virtual machine running FortiClient. The user claimed that, upon breaching the victim’s network, they could use the psexec.py script to execute commands on remote machines, effectively moving laterally across the network. This method would allow the attacker to gain administrative control and deploy further exploits.
- To mitigate similar threats, organizations should harden avenues of initial access, such as vulnerability exploitation, through regular patching, robust authentication, and continuous monitoring.
Mitigations
- Segment your network and restrict SMB and Impacket-related traffic to essential systems only, using network access controls and firewalls to block unauthorized access.
- Activate detailed logging for command-line activities and SMB events and use a SIEM system to detect and alert on indicators of compromise (IoCs) related to psexec.py in real time.
smbexec.py
smbexec.py is designed for remote code execution on Windows systems via the SMB protocol. However, unlike psexec.py, which sets up and runs services on a remote computer, smbexec.py works by using Microsoft Remote Procedure Call (MSRPC) to control services on Windows systems. This method enables the execution of commands without needing to upload additional binaries. Security professionals use smbexec.py for penetration testing to simulate attacks and assess network defenses.
How Threat Actors Use smbexec.py
By leveraging MSRPC to interact with the Service Control Manager (SCM) over SMB named pipes, attackers can run commands and scripts with elevated privileges on target machines. This capability allows them to perform a wide range of actions, such as deploying malware, gathering sensitive information, and manipulating system configurations, all while minimizing their footprint to avoid detection by security systems.
smbexec.py is a powerful tool for lateral movement within a compromised network, distinctively leveraging the SMB protocol to execute commands without creating new services or requiring additional software installation. Once attackers gain initial access, they can use this script to move from one machine to another, escalating their control and expanding their reach within the network. Because smbexec.py executes commands directly, the likelihood of triggering security alerts tied to service creation is reduced.
- In July 2024, an XSS user published a guide for using smbexec.py. The threat actor advised other users to exploit known vulnerabilities in a VPN service by using anonymized connections and virtual servers. The user then stated that by brute-forcing login credentials and using the smbexec.py script, they could execute commands remotely, facilitating lateral movement and data extraction.
The exploitation of smbexec.py by threat actors presents unique challenges. The script’s ability to blend seamlessly with legitimate SMB traffic makes it exceptionally difficult to detect, allowing attackers to maintain a low profile. This stealthy approach is particularly advantageous for spreading ransomware, exfiltrating sensitive data, and establishing persistent access without raising immediate suspicion. For organizations, this means that a single compromised endpoint can quickly lead to widespread infiltration, causing significant operational disruptions, financial losses, and reputational damage. The direct execution of commands without service creation or additional software installation makes smbexec.py a preferred tool for threat actors looking to evade detection and maintain persistent access.
In 2023, ReliaQuest assisted a customer with a breach investigation in which a threat actor exploited the CVE-2022-40684 vulnerability to bypass authentication on the organization’s Fortinet VPN and gain initial access. Using various Windows tools and services, including smbexec.py from the Impacket toolkit, the attacker executed commands and moved laterally across the network. Notably, this sophisticated attack used smbexec.py to blend malicious activities with legitimate network traffic, effectively impersonating a legitimate user and executing commands through the SMB protocol without raising immediate red flags. This facilitated the deployment of additional tools like Mimikatz for credential dumping and the installation of TeamViewer for persistent access, all while evading detection by disguising malicious traffic as internal activity. The attacker’s objective was likely financial gain, but the methodical approach and careful evasion techniques highlighted the need for improved detection mechanisms.
Mitigations
- Enforce strict access controls and ensure users and services have only the minimum permissions necessary. This limits the credentials and privileges that threat actors can exploit using smbexec.py.
- Utilize advanced endpoint protection solutions that can monitor for specific tools like smbexec.py and detect and block unauthorized command executions. Enable detailed logging and continuous monitoring of network activities to identify and respond to suspicious behavior in real time.
wmiexec.py
wmiexec.py enables remote code execution on Windows systems using Windows Management Instrumentation (WMI).
How Threat Actors Use wmiexec.py
Unlike psexec.py, which requires creating a new Windows service, and smbexec.py, which leverages the SMB protocol but leaves traces in network traffic, wmiexec.py exploits WMI, a built-in Windows feature, to run commands directly on remote machines without additional software installations. wmiexec.py is exceptionally stealthy because it blends seamlessly with legitimate administrative tasks and has a minimal footprint, making it harder for security teams to detect. It facilitates remote command execution without leaving obvious logs or traces, bypassing many traditional security measures that focus on abnormal service creation or network traffic patterns. Additionally, wmiexec.py offers flexibility and versatility, using WMI’s functionalities for system reconnaissance, data exfiltration, and persistent access. These advantages enable threat actors to maintain prolonged, undetected access within compromised networks, posing significant risks to organizational security and integrity.
- In June 2024, XSS forum members were observed discussing the use of the wmiexec.py script. A user asked for help after exploiting a vulnerable Domain Controller (DC) using a known vulnerability. In response, another forum member provided a step-by-step guide for further exploitation. The instructions involved dumping password hashes and using wmiexec.py to execute commands remotely. This member also detailed how to save and retrieve important system files, clean up attack traces, and restore original passwords. This exchange shows how cybercriminals collaborate and use tools like wmiexec.py to infiltrate and control compromised systems, highlighting the sophisticated tactics used to breach security defenses.
Mitigations
- Identify and disable WMI on systems where it is not required for legitimate administrative tasks. This reduces the attack surface and prevents attackers from leveraging wmiexec.py to execute commands remotely. However, it is important to note that certain applications and management tools depend on WMI for functionality. Disabling WMI might cause these applications to malfunction or lose certain capabilities.
- Activate detailed logging and continuous monitoring of all WMI activities. Quickly identify and respond to suspicious behavior using a centralized logging system that makes it harder for attackers to clean up traces and restore original passwords.
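The logging recommendations for all three scripts come down to the same question: what do the default psexec.py, smbexec.py and wmiexec.py invocations look like in Windows process-creation (4688) and service-install (7045) events? The following Python is an added example, not ReliaQuest GreyMatter content or Impacket's own code; the event lines are constructed in a simplified key=value form, and the patterns are heuristics keyed to the scripts' default output-file, batch-file and service-binary naming, which an operator can change, so they are one SIEM signal to tune per environment rather than a verdict.

```python
import re

# Constructed sample events (not real logs). 4688 = Security "process created";
# 7045 = System "service installed". Values may contain spaces.
SAMPLE_EVENTS = [
    # wmiexec.py default: cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<epoch> 2>&1,
    # spawned by the WMI provider host (WmiPrvSE.exe), which corroborates the match.
    "EventID=4688 Host=WS01 ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe "
    "CommandLine=cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1718000000.12 2>&1",
    # smbexec.py default: a service whose binary path writes the command into
    # %SYSTEMROOT%\execute.bat and redirects output to \\127.0.0.1\C$\__output.
    "EventID=4688 Host=WS02 ParentImage=C:\\Windows\\System32\\services.exe "
    "CommandLine=%COMSPEC% /Q /c echo ipconfig ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 "
    "> %SYSTEMROOT%\\execute.bat & %COMSPEC% /Q /c %SYSTEMROOT%\\execute.bat",
    # psexec.py default: a service whose binary is a random 8-letter .exe uploaded
    # to ADMIN$ (the Windows root). Constructed name, not a real indicator.
    "EventID=7045 Host=WS03 ServiceName=AbCdEfGh ImagePath=%systemroot%\\AbCdEfGh.exe",
    # Benign noise the heuristics must not flag.
    "EventID=4688 Host=WS04 ParentImage=C:\\Windows\\explorer.exe CommandLine=cmd.exe /c ipconfig /all",
    "EventID=7045 Host=WS05 ServiceName=Sysmon64 ImagePath=C:\\Windows\\Sysmon64.exe",
]

WMIEXEC_RE = re.compile(r"1>\s*\\\\127\.0\.0\.1\\\w+\$\\__\d+(?:\.\d+)?\s+2>&1", re.I)
SMBEXEC_RE = re.compile(r"\\\\127\.0\.0\.1\\\w+\$\\__output|\\execute\.bat\b", re.I)
PSEXEC_SVC_RE = re.compile(r"^(?:%systemroot%|c:\\windows)\\[a-z]{8}\.exe$", re.I)

def parse_event(line):
    """Split 'Key=Value Key2=Value ...' into a dict; splits only before a new Key=."""
    fields = {}
    for chunk in re.split(r"\s+(?=\w+=)", line.strip()):
        key, _, value = chunk.partition("=")
        fields[key] = value
    return fields

def classify(event):
    """Return the Impacket script the event resembles, or None if nothing matches."""
    eid = event.get("EventID")
    cmd = event.get("CommandLine", "")
    if eid == "4688":
        if WMIEXEC_RE.search(cmd):
            return "wmiexec.py"
        if SMBEXEC_RE.search(cmd):
            return "smbexec.py"
    elif eid == "7045" and PSEXEC_SVC_RE.match(event.get("ImagePath", "")):
        return "psexec.py"
    return None

def scan(lines):
    """Run every event line through the heuristics; returns (host, script) hits."""
    hits = []
    for line in lines:
        event = parse_event(line)
        verdict = classify(event)
        if verdict:
            hits.append((event.get("Host", "?"), verdict))
    return hits

if __name__ == "__main__":
    for host, script in scan(SAMPLE_EVENTS):
        print(f"{host}: command/service pattern consistent with Impacket {script}")
```

Because the matched strings are script defaults, a hit is high-confidence but a miss proves nothing; pair these rules with the broader signals the mitigations above call for (service installs from ADMIN$, cmd.exe children of WmiPrvSE.exe, SMB writes to ADMIN$ and C$).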
What ReliaQuest Is Doing
The ReliaQuest Threat Research team closely monitors cybercriminal activities and their discussions on cybercrime forums. We frequently observe abuse of Impacket scripts after initial access. To help your organization better combat Impacket abuse, ReliaQuest offers detection rules to its customers. Implementing these rules will enable defenders to identify suspicious activity or traffic in real time. It is important to calibrate the rules to your organization’s specific environment and business needs to achieve higher fidelity and reduce false positives.
By integrating the following GreyMatter Respond plays into your incident response plan, ReliaQuest can expedite and automate your response to Impacket abuse incidents. For the fastest remediation, automate cybersecurity playbooks to contain threats automatically. Automation can significantly improve your mean time to contain (MTTC), ensuring threats are promptly remediated and limiting the potential for damage and ongoing compromise.
Threat Forecast
Impacket is likely to remain a favored tool among threat actors due to its versatility and its ability to exploit legitimate network protocols and features for malicious purposes, enabling attackers to execute commands, move laterally, and extract sensitive data with minimal detection. Unlike many other tools such as Metasploit, Cobalt Strike, and PowerShell Empire, Impacket offers a comprehensive suite of more than 50 Python scripts designed to interact with protocols like SMB, WMI, and MSRPC, all of which are integral to Windows environments. Impacket’s scripts operate with minimal footprint as they do not require additional software installations or new service creations, thus evading traditional security measures. Impacket’s open-source nature and ease of use make it accessible to a wide range of threat actors, lowering the barrier to entry for sophisticated attacks. Organizations must therefore have a clear understanding of the authorized use of such tools within their environments and treat any unconfirmed use as potentially malicious.
Furthermore, AI could automate and optimize the execution of Impacket scripts, enabling less experienced attackers to exploit Impacket effectively and leading to more frequent and varied attack attempts. Threat actors are likely to explore additional purposes for Impacket, including advanced data exfiltration techniques, persistence mechanisms, and methods of bypassing newer security controls. Although some attackers may not currently integrate Impacket with other sophisticated tools due to a lack of technical expertise or the complexity involved, this is likely to change as comprehensive guides and automated frameworks become more accessible. We expect attackers to increasingly combine Impacket with tools such as Mimikatz for credential dumping, Cobalt Strike for post-exploitation activities, and Metasploit for exploiting vulnerabilities and facilitating lateral movement. This integration will create more complex and resilient attack chains, making it significantly harder for security defenses to detect and mitigate these evolving threats.