Impacket
Impacket is a dual-use, open-source Python toolkit for working with Microsoft and Windows network protocols (SMB, MSRPC, NTLM, Kerberos, LDAP and WMI among them). It is widely used by penetration testers and defenders, but it is also frequently abused by threat actors for remote command execution, lateral movement, credential access, privilege escalation, and Active Directory abuse. The reporting collected here specifically references common Impacket scripts and modules including wmiexec.py, smbexec.py, psexec.py, atexec.py, secretsdump.py, and rpcdump.py. Observed behaviors include semi-interactive shell access over SMB via smbexec.py, command execution through WMI via wmiexec.py, use of atexec.py to run commands with dumped credentials, elevated command execution, and use of secretsdump.py to harvest credentials, including with options such as -use-vss and -just-dc. The toolkit was also used on compromised domain controllers to locally decrypt a harvested NTDS.DIT file.
Impacket appears repeatedly across intrusion reporting as post-exploitation tooling rather than as a standalone malware family. It has been observed in ransomware, espionage, and destructive operations, including activity associated with Storm-1175, Storm-2603, VOID MANTICORE/HomeLand Justice, UAT-8837, Elephant Beetle, Sandworm-related reporting, Scattered Spider, FIN8, and multiple APT intrusions documented by CISA. Reported use cases include lateral movement over SMB and WMI, remote execution on Windows systems, credential dumping and domain compromise, and support for ransomware deployment, with Warlock, LockBit, Medusa, ROADSWEEP, NailaoLocker, RansomHub, and RA World all cited in the collected reporting. Targeted environments include Windows enterprise networks, domain controllers, Exchange and SharePoint servers, and organizations in sectors such as the defense industrial base, healthcare, finance, commerce, education, professional services, government, and critical infrastructure.
The collected reporting also includes defender-focused detections and artifacts associated with Impacket use. Splunk analytics describe command-line patterns for smbexec.py and wmiexec.py, including cmd.exe /Q /c, echo cd, __output artifacts, UNC paths pointing at the loopback address (127.0.0.1), batch files under C:\Windows\ with short randomized names, and wmiprvse.exe spawning processes consistent with wmiexec.py behavior. CERT Intrinsec notes that Impacket-based execution may create services with names containing Unix epoch timestamps. Sophos protections listed in the reporting include ATK/Impacket-A through ATK/Impacket-E. Because Impacket speaks legitimate administrative protocols such as SMB, MSRPC, NTLM, and WMI, its traffic blends with normal administration; detection therefore depends on process telemetry, command-line logging, parent/child process relationships, and contextual analysis rather than on the protocol alone.
Vulnerabilities exploited
One CVE has been correlated with this family across public research and vendor advisories.
Impacket is a versatile, dual-use tool that uses Python-based scripts to exploit legitimate Windows services and protocols... threat actors frequently use psexec.py, smbexec.py, and wmiexec.py scripts within Impacket to execute code remotely on Windows systems without additional payloads or tools.
Groups observed using it
28 distinct threat actors attributed by public researchers.
Impacket activity was detected in the organization’s network, indicating its use of Windows network protocol interactions. The observed command lines align with Impacket's smbexec script, enabling a semi-interactive shell via SMB.
When compromising Windows Domain Controller servers, the group harvested the NTDS.DIT file and leveraged the Impacket tool on the compromised DC to locally decrypt it.
During HomeLand Justice, threat actors used tools including Advanced Port Scanner, Mimikatz, and Impacket.
Additionally, Storm-1175 has leveraged Impacket for lateral movement. Impacket is a collection of open-source Python classes designed for working with network protocols, and it is popular with adversaries due to ease of use and wide range of capabilities.
"...offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket..."
“The group uses common Chinese nation-state hacking tools such as the China Chopper web shell, Potato suite and Impacket...”
GOLD SALEM has been observed using PsExec and Impacket (WMI) for lateral movement within compromised environments.
...open-source and dual-use tools as used and/or customized by the actors: ... Impacket ...
...move laterally to deploy Clop ransomware using OpenSSH and Impacket.
The following analytic detects the use of Impacket's wmiexec.py tool for lateral movement by identifying specific command-line parameters.
The following analytic identifies suspicious command-line parameters associated with the use of Impacket's smbexec.py for lateral movement. This activity is significant as both Red Teams and adversaries use Impacket for remote code execution and lateral movement.
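The command-line artifacts summarized in the overview (cmd.exe /Q /c, echo cd, __output, loopback UNC paths, short randomized .bat files under C:\Windows\, wmiprvse.exe parentage) and in the Splunk analytic descriptions above, plus the epoch-timestamp service names noted by CERT Intrinsec, can be expressed as detection logic over endpoint telemetry. The block below is an added example written for this page; it is not code from any of the cited sources or from the Impacket project. The process-creation and service-install events are constructed samples using Sysmon Event ID 1 and Security Event ID 4697 field names, and the rule names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Loopback UNC redirect used by wmiexec.py (ADMIN$\__<epoch>) and
# smbexec.py (C$\__output) to collect command output over SMB.
LOOPBACK_UNC = re.compile(r"\\\\127\.0\.0\.1\\(?:ADMIN|C)\$\\__", re.IGNORECASE)
# "cmd.exe /Q /c" (or %COMSPEC% /Q /c in a service binPath) prefix shared by both scripts.
QUIET_CMD = re.compile(r"(?:\bcmd(?:\.exe)?|%COMSPEC%)\s+/Q\s+/c\b", re.IGNORECASE)
# smbexec.py stages "echo <cmd> ^> \\127.0.0.1\C$\__output" into a short,
# randomly named .bat under C:\Windows\ and then executes it.
SMBEXEC_ECHO = re.compile(r"\becho\b.*\^>\s*\\\\127\.0\.0\.1\\C\$\\__output", re.IGNORECASE)
SMBEXEC_BAT = re.compile(r"C:\\Windows\\(?:Temp\\)?[A-Za-z0-9]{1,8}\.bat\b", re.IGNORECASE)
# Service names that consist solely of a 10-digit Unix epoch timestamp.
EPOCH_SERVICE = re.compile(r"^\d{10}$")


def classify_process_event(event: Dict[str, str]) -> List[str]:
    """Return the rule names matched by one process-creation event."""
    cmdline = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    hits: List[str] = []
    if not QUIET_CMD.search(cmdline):
        return hits  # both shell wrappers always use cmd.exe /Q /c
    if parent.endswith("wmiprvse.exe") and LOOPBACK_UNC.search(cmdline):
        hits.append("impacket_wmiexec")
    if SMBEXEC_ECHO.search(cmdline) or (SMBEXEC_BAT.search(cmdline) and LOOPBACK_UNC.search(cmdline)):
        hits.append("impacket_smbexec")
    if not hits and LOOPBACK_UNC.search(cmdline):
        hits.append("impacket_loopback_output_redirect")  # unknown parent, same output trick
    return hits


def classify_service_event(event: Dict[str, str]) -> List[str]:
    """Return the rule names matched by one service-install (4697/7045) event."""
    hits: List[str] = []
    binpath = event.get("ServiceFileName", "")
    if EPOCH_SERVICE.fullmatch(event.get("ServiceName", "")):
        hits.append("impacket_epoch_service_name")
    if QUIET_CMD.search(binpath) and LOOPBACK_UNC.search(binpath):
        hits.append("impacket_smbexec_service_binpath")
    return hits


def scan(process_events: List[Dict[str, str]], service_events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Aggregate (rule, evidence) pairs across both telemetry sources."""
    alerts: List[Tuple[str, str]] = []
    for ev in process_events:
        alerts.extend((rule, ev["CommandLine"]) for rule in classify_process_event(ev))
    for ev in service_events:
        alerts.extend((rule, ev["ServiceName"]) for rule in classify_service_event(ev))
    return alerts


# Constructed sample telemetry (not real logs).
PROCESS_EVENTS = [
    {   # wmiexec.py: WmiPrvSE.exe spawns cmd.exe, output goes to ADMIN$\__<epoch>
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1712345678.91 2>&1",
    },
    {   # smbexec.py: services.exe spawns cmd.exe that writes and runs a staged .bat
        "ParentImage": r"C:\Windows\System32\services.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\Temp\GgZk.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\Temp\GgZk.bat & del C:\Windows\Temp\GgZk.bat",
    },
    {   # benign administrator command for contrast
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir C:\Users > C:\Users\admin\out.txt",
    },
]
SERVICE_EVENTS = [
    {"EventID": "4697", "ServiceName": "1712345678",
     "ServiceFileName": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"EventID": "4697", "ServiceName": "Spooler", "ServiceFileName": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for rule, evidence in scan(PROCESS_EVENTS, SERVICE_EVENTS):
        print(f"{rule}: {evidence}")
```

The output filename, share, and service name are all variables in Impacket's source, so forks and operators can change them; treat these patterns as high-fidelity for stock Impacket and pair them with parent-process lineage and SMB share-access telemetry (ADMIN$ and C$ writes from a workstation address) rather than relying on the strings alone.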
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
The collected reporting repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.
Execution
4 techniques
The collected reporting repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
Example-script execution artifacts (7 IoCs): psexec.py, smbexec.py, atexec.py, dcomexec.py, RemCom artifacts
Windows command shell (cmd.exe) was utilised extensively, particularly using Impacket, which relies on cmd.exe to facilitate command execution.
T1569.002 System Services: Service Execution. PhantomCore used the Impacket library collection for remote execution of malicious commands.
Persistence
3 techniques
Example-script execution artifacts (7 IoCs): psexec.py, smbexec.py, atexec.py, dcomexec.py, RemCom artifacts
LDAP and Active Directory objects (2 IoCs): default computer/object creation naming patterns
MSSQL (4 IoCs): LOGIN7 metadata, PRELOGIN behavior, SQL Agent job creation
Privilege Escalation
1 technique
Defense Impairment
1 technique
Let's give ourselves the right to add users to the group (WriteMembers). dacledit.py -dc-ip 10.10.11.41 -action write -rights WriteMembers -principal judith.mader -target Management
Credential Access
9 techniques
Credential Dumping - DCSync via secretsdump.py, OS Credential Dumping (T1003)
secretsdump, DRSUAPI, and VSS (4 IoCs): DRSBind behavior, DRSGetNCChanges defaults, VSS execution patterns
"DCSync is a technique in which an attacker who holds replication rights imitates the behavior of a domain controller and requests user password hashes from a legitimate DC over the DRSUAPI protocol" | "The main method: IDL_DRSGetNCChanges ... And among those attributes there may be password hashes ... And if you can request replication, you can obtain those attributes."
Coercion - the target host is forced to authenticate to a server under the attacker's control. Adversary-in-the-Middle (T1557, Credential Access). Relay - the intercepted authentication is forwarded to AD CS, LDAP or SMB.
NTLM Relay - Name Resolution Poisoning and SMB Relay (T1557.001). The NTLMv1 session is forwarded to another server... In NTLMv1 there is no such binding - relay is trivial.
Examples include: ... hardcoded Kerberos nonce value ... forged ticket defaults | This research currently documents 73 Impacket-related IoCs across the following categories: Kerberos and ticketing (15 IoCs): AS-REQ differences, TGS-REQ etype ordering, AP-REQ wrapping, forged ticket defaults
Kerberoast: GetUserSPNs.py "$DOMAIN/$AD_USER:$AD_PASSWORD" -dc-ip <DC_IP> -request -outputfile "$RECON/spn-hashes.txt"
AS-REP Roasting Attack Explained - MITRE ATT&CK T1558.004 ... It exploits a vulnerability in Kerberos when the 'Do not require Kerberos preauthentication' setting is enabled. This vulnerability allows adversaries to extract user hashes, enabling them to decrypt passwords offline.
A relay to AD CS over HTTP issued a certificate for the machine account.
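DCSync via secretsdump.py -just-dc, as described above, is a DRSGetNCChanges request that the answering domain controller can audit: with the Directory Service Access audit subcategory enabled and a SACL on the domain naming context, Security Event ID 4662 records the replication control-access rights that were exercised and the account that exercised them. The block below is an added example written for this page, not code from the cited sources or from Impacket. It flags 4662 events carrying the replication extended-right GUIDs when the requesting principal is not a known domain controller account. The events and the DC allow-list are constructed; the three rightsGuid values are the published Active Directory extended-rights identifiers, and the other GUIDs in the sample Properties fields stand in for object-class identifiers that the logic ignores.

```python
import re
from typing import Dict, Iterable, List, Set

# Extended rights a DRSGetNCChanges caller must hold (Active Directory
# rightsGuid values). Get-Changes-All is the one that returns secret attributes.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.IGNORECASE)


def replication_rights_in(properties: str) -> List[str]:
    """Map the GUIDs listed in a 4662 Properties field to replication right names."""
    found = {g.lower() for g in GUID.findall(properties)}
    return sorted(REPLICATION_RIGHTS[g] for g in found if g in REPLICATION_RIGHTS)


def dcsync_candidates(events: Iterable[Dict[str, str]], known_dcs: Set[str]) -> List[Dict[str, object]]:
    """Return 4662 events in which a principal that is not a known DC exercised replication rights."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        if ev.get("EventID") != "4662":
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue  # ordinary directory access, not replication
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in known_dcs:
            continue  # DC-to-DC replication legitimately exercises these rights
        hits.append({
            "subject": subject,
            "rights": rights,
            "object": ev.get("ObjectName", ""),
            "secrets_exposed": "DS-Replication-Get-Changes-All" in rights,
        })
    return hits


# Constructed sample data (field names follow Security Event ID 4662).
KNOWN_DCS = {"DC01$", "DC02$"}  # in production: the computer accounts of every DC, upper-cased
SAMPLE_EVENTS = [
    {   # secretsdump.py -just-dc run as a compromised service account
        "EventID": "4662", "SubjectUserName": "svc_backup",
        "ObjectName": "%{DC=corp,DC=example}",
        "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    },
    {   # normal inbound replication from another DC: same rights, allow-listed subject
        "EventID": "4662", "SubjectUserName": "DC02$",
        "ObjectName": "%{DC=corp,DC=example}",
        "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    },
    {   # a user reading an object: no replication GUIDs present
        "EventID": "4662", "SubjectUserName": "jsmith",
        "ObjectName": "%{CN=jsmith,CN=Users,DC=corp,DC=example}",
        "Properties": "%%7688\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}",
    },
    {"EventID": "4624", "SubjectUserName": "svc_backup", "Properties": ""},  # wrong event type
]

if __name__ == "__main__":
    for hit in dcsync_candidates(SAMPLE_EVENTS, KNOWN_DCS):
        print(hit)
```

The allow-list needs to be maintained from AD rather than hard-coded, and some non-DC principals legitimately hold these rights (directory synchronization and backup service accounts are the usual cases); those belong on a reviewed exception list, not a blanket filter. Because 4662 does not record the client address, correlate the hit with the 4624 network logon for the same account on the same DC to establish where the secretsdump.py session originated.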
Discovery
3 techniques
Nowadays, most EDR, IDS or next gen firewalls can detect the use of impacket or remote use of the registry service.
Goal: full AD enumeration, ACLs, delegation, high-value targets, and lateral movement using Linux-native tools only.
Users: (objectClass=user) — sAMAccountName, memberOf, description, adminCount, userAccountControl
Lateral Movement
7 techniques
Table 1 lists Sophos protections related to this threat. ATK/Impacket-A ATK/Impacket-B ATK/Impacket-C ATK/Impacket-D ATK/Impacket-E
This process was likely executed remotely via Impacket, with the RestrictedAdmin mode enabled. This mode allowed the threat actor to perform a pass-the-hash to authenticate and establish an RDP session with just the password hash of an account.
SMB was leveraged to execute processes on remote hosts. The observed activity matched that of Impacket.
Examples include 'Aquatic Panda used WMI for lateral movement in victim environments,' 'Deep Panda group is known to utilize WMI for lateral movement,' and 'Cinnamon Tempest has used Impacket for lateral movement via WMI.'
To carry out this attack, we would need a machine account password (or NTLM hash) in order to interact with the domain controller through NETLOGON.
Lateral Movement - Pass the Hash (T1550.002). The obtained NT hash works for authentication to other servers without knowledge of the password. CrackMapExec, impacket-psexec, impacket-wmiexec - the choice depends on the target machine.
Impacket is observed leveraging Windows Management Instrumentation to remotely stage and execute payloads
Collection
2 techniques
Coercion - the target host is forced to authenticate to a server under the attacker's control. Adversary-in-the-Middle (T1557, Credential Access). Relay - the intercepted authentication is forwarded to AD CS, LDAP or SMB.
Command and Control
1 technique
ntlmrelayx HTTP, WebDAV, RDP, and SCCM (6 IoCs): WPAD, WebDAV, RDP relay certificate, SCCM policy strings
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
79 sources tracked across advisories, community write-ups, and news.
Referenced through detection names as part of the toolset associated with the threat activity, likely for remote execution, credential abuse, or lateral movement in Windows environments.
A toolkit for network protocol interaction and post-exploitation activity, referenced in the listed protections associated with this threat.
Impacket is used for lateral movement and credential dumping, including facilitating LSASS credential theft in post-compromise stages.
Offensive toolkit used by the threat actors for post-exploitation and lateral movement, including use with the built-in administrator account.