Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент Impacket
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
Impacket
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Impacket

Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.(Citation: Impacket Tools)
ID: S0357
Type: TOOL
Platforms: Windows
Version: 1.3
Created: 31 Jan 2019
Last Modified: 27 Sep 2022

Techniques Used
Domain ID Name Use
Enterprise T1557 .001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Impacket modules like ntlmrelayx and smbrelayx can be used in conjunction with Network Sniffing and LLMNR/NBT-NS Poisoning and SMB Relay to gather NetNTLM credentials for Brute Force or relay attacks that can gain code execution.(Citation: Impacket Tools)
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information.(Citation: Impacket Tools)
.002 OS Credential Dumping: Security Account Manager

SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information.(Citation: Impacket Tools)

.003 OS Credential Dumping: NTDS

SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information from NTDS.dit.(Citation: Impacket Tools)

.004 OS Credential Dumping: LSA Secrets

SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information.(Citation: Impacket Tools)

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

Impacket modules like GetUserSPNs can be used to get Service Principal Names (SPNs) for user accounts. The output is formatted to be compatible with cracking tools like John the Ripper and Hashcat.(Citation: Impacket Tools)
Enterprise T1569 .002 System Services: Service Execution

Impacket contains various modules emulating other service execution tools such as PsExec.(Citation: Impacket Tools)

Groups That Use This Software
ID Name References
G0074 Dragonfly 2.0

(Citation: US-CERT TA18-074A) (Citation: US-CERT APT Energy Oct 2017) (Citation: Core Security Impacket)

G0125 HAFNIUM

(Citation: Tarrask scheduled task)

G0027 Threat Group-3390

(Citation: Unit42 Emissary Panda May 2019)

G0035 Dragonfly

(Citation: US-CERT TA18-074A) (Citation: Core Security Impacket)

(Citation: FoxIT Wocao December 2019)

G0045 menuPass

(Citation: PWC Cloud Hopper Technical Annex April 2017)

G0116 Operation Wocao

(Citation: FoxIT Wocao December 2019)

G0061 FIN8

(Citation: Bitdefender FIN8 July 2021)

References

  1. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  2. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  3. Core Security. (n.d.). Impacket. Retrieved November 2, 2017.
  4. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  5. SecureAuth. (n.d.). Retrieved January 15, 2019.
  6. Microsoft Threat Intelligence Team & Detection and Response Team . (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.
  7. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  8. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  9. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
  10. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.