
Impacket

Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks. (Citation: Impacket Tools)
ID: S0357
Type: TOOL
Platforms: Windows
Version: 1.7
Created: 31 Jan 2019
Last Modified: 07 Oct 2024

Techniques Used

Domain, ID, Name, Use

Enterprise T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Impacket modules like ntlmrelayx and smbrelayx can be used in conjunction with Network Sniffing and LLMNR/NBT-NS Poisoning and SMB Relay to gather NetNTLM credentials for Brute Force or relay attacks that can gain code execution. (Citation: Impacket Tools)

Enterprise T1003.001 OS Credential Dumping: LSASS Memory

SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information. (Citation: Impacket Tools)

Enterprise T1003.002 OS Credential Dumping: Security Account Manager

SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information. (Citation: Impacket Tools)

Enterprise T1003.003 OS Credential Dumping: NTDS

SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information from NTDS.dit. (Citation: Impacket Tools)

Enterprise T1003.004 OS Credential Dumping: LSA Secrets

SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information. (Citation: Impacket Tools)

Enterprise T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting

Impacket modules like GetUserSPNs can be used to get Service Principal Names (SPNs) for user accounts. The output is formatted to be compatible with cracking tools like John the Ripper and Hashcat. (Citation: Impacket Tools)

Enterprise T1558.005 Steal or Forge Kerberos Tickets: Ccache Files

Impacket tools – such as getST.py or ticketer.py – can be used to steal or forge Kerberos tickets using ccache files given a password, hash, aesKey, or TGT. (Citation: Kerberos GNU/Linux) (Citation: on security kerberos linux)

Enterprise T1569.002 System Services: Service Execution

Impacket contains various modules emulating other service execution tools such as PsExec. (Citation: Impacket Tools)

Groups That Use This Software

ID Name References
G1016 FIN13

(Citation: Sygnia Elephant Beetle Jan 2022)

G0059 Magic Hound

(Citation: DFIR Phosphorus November 2021)

G0096 APT41

(Citation: apt41_dcsocytec_dec2022)

(Citation: Microsoft Albanian Government Attacks September 2022)

G0074 Dragonfly 2.0

(Citation: US-CERT TA18-074A) (Citation: US-CERT APT Energy Oct 2017) (Citation: Core Security Impacket)

(Citation: Crowdstrike TELCO BPO Campaign December 2022)

G0125 HAFNIUM

(Citation: Tarrask scheduled task)

G0027 Threat Group-3390

(Citation: Unit42 Emissary Panda May 2019)

G0035 Dragonfly

(Citation: Core Security Impacket) (Citation: US-CERT TA18-074A)

G1021 Cinnamon Tempest

(Citation: Microsoft Ransomware as a Service) (Citation: Sygnia Emperor Dragonfly October 2022)

G1017 Volt Typhoon

(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) (Citation: Microsoft Volt Typhoon May 2023) (Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)

(Citation: FoxIT Wocao December 2019)

G0016 APT29

(Citation: Mandiant APT29 Eye Spy Email Nov 22)

G0045 menuPass

(Citation: PWC Cloud Hopper Technical Annex April 2017)

G0034 Sandworm Team

(Citation: Microsoft Prestige ransomware October 2022)

G1003 Ember Bear

(Citation: Cadet Blizzard emerges as novel threat actor) (Citation: CISA GRU29155 2024)

(Citation: Mandiant Cutting Edge Part 2 January 2024)

G0116 Operation Wocao

(Citation: FoxIT Wocao December 2019)

G0061 FIN8

(Citation: Bitdefender Sardonic Aug 2021) (Citation: Bitdefender FIN8 July 2021)

References

  1. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  2. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  3. Core Security. (n.d.). Impacket. Retrieved November 2, 2017.
  4. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  5. SecureAuth. (n.d.). Retrieved January 15, 2019.
  6. Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
  7. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  8. DCSO CyTec Blog. (2022, December 24). APT41 — The spy who failed to encrypt me. Retrieved June 13, 2024.
  9. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
  10. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
  11. Microsoft Threat Intelligence Team & Detection and Response Team. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.
  12. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  13. Adepts of 0xCC. (2021, January 28). The Kerberos Credential Thievery Compendium (GNU/Linux). Retrieved September 17, 2024.
  14. Boal, Calum. (2020, January 28). Abusing Kerberos From Linux - An Overview of Available Tools. Retrieved September 17, 2024.
  15. Core Security. (n.d.). Impacket. Retrieved November 2, 2017.
  16. Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023.
  17. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  18. CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  19. Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.
  20. NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
  21. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  22. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
  23. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  24. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
  25. Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
  26. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  27. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
  28. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
  29. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
