Netwitness Content Discussed in this Article
All content can be found in Netwitness by navigating to Configure ➡ Live Content ➡ Keyword Search for “Impacket”
Introduction:
As attack sophistication increases, adversaries are able to spend more time in compromised environments. This makes it increasingly possible for attackers to stealthily move laterally within the network, execute commands, and collect victim information in ways that leave little to no trace of their presence. Impacket is a tool often used by Advanced Persistent Threat (APT) groups to achieve these aims. This legitimate Linux-based tool is used by red teams for working with Windows network protocols, but Impacket’s powerful framework of Python modules is also misused by attackers to perform remote execution, protocol manipulation, password gathering, man-in-the-middle attacks, vulnerability exploitation, and other malicious activities. Once an attacker has gained access to an environment, many of Impacket’s capabilities require no additional deployment of agents on targeted victim systems, making it a stealthy option for lateral movement.
This blog post will introduce Impacket, detail how adversaries have used this tool in attacks, and demonstrate how Netwitness Endpoint can help you detect its usage.
A special thanks to Neil Fox and Riccardo Ancarani, whose previous research on Impacket can be found here and here respectively.
Background:
Impacket is an open-source collection of Python scripts, maintained by SecureAuth, that allows for programmatic manipulation and construction of network protocols. Originally released in 2012, Impacket has added support for dozens of network protocols including SMBv1-3, NetBIOS, HTTP, authentication (plain, NTLM and Kerberos), and others. Impacket has become a favorite tool of red teamers and attackers alike due to its ease of use (the preconfigured Python classes eliminate the need for extensive command-line or programming knowledge) and its support for agentless remote execution.
Adversarial Usage of Impacket:
Impacket has been a useful tool in the arsenal of threat actors for many years. Primarily seen in attacks carried out by Chinese hacking groups, Impacket gives adversaries a ready-made set of scripts to dump credentials, sniff packets, and remotely execute commands on Windows systems without the need to install additional payloads/tools on victim systems. Documented instances of Impacket usage are broad and varied.
Impacket Detection with Netwitness
While there are currently 50+ Python scripts that make up Impacket, we will be focusing on 5 tools that have come up repeatedly during our research: psexec.py, atexec.py, wmiexec.py, dcomexec.py, and smbexec.py.
For more information on other Python classes included with Impacket, please visit SecureAuth Labs’ website.
psexec.py
This Impacket script grants users PsExec-like functionality by using the RemComSvc utility, allowing for remote execution of processes and commands on target systems without the need for installing software. Provided with valid domain credentials (username and password/hash), psexec.py provides a lightweight method for moving laterally.
Once run, psexec.py will connect to the target system over TCP/445, look for writeable shares, and use the Windows NT operating system kernel (ntoskrnl.exe) to drop a service binary with a random name (in this case ‘BuJfHyVx.exe’) in ‘C:\Windows’ on the desired host. If the run completes without errors, the attacker will now be able to execute remote commands on the victim machine.
Figure 1 - Psexec.py run in Threat Lab Environment
Pivoting to the Netwitness stack set up in our Threat Lab, we can see that Netwitness Endpoint captures ntoskrnl.exe creating the arbitrary binary ‘BuJfHyVx.exe’:
Figure 2 - NWE Captures Psexec.py Attempt
To detect attempts of psexec.py against systems in your environment, the new App Rule “Possible Impacket Host Activity (psexec.py)” is now posted to Netwitness Live.
atexec.py
Like the Windows command “at”, atexec.py leverages the Task Scheduler service on a remote host to execute commands. All connections will be over TCP/445. Once run, atexec.py will create a Windows task, trigger the task, and then delete it. This added defense evasion step could make atexec.py an attractive option for adversaries who are trying to cover their tracks.
In the example below, we use atexec.py to run a “whoami” command on the target system in our lab environment. Once executed, atexec.py creates a scheduled task on the target, triggers it to run the command with its output redirected to a temporary file, and then deletes the task.
Figure 3 - Atexec.py Run in Threat Lab
The execution of atexec.py is detected by our Threat Lab Netwitness Endpoint stack when svchost.exe spawns cmd.exe with launch argument “cmd.exe /C whoami > C:\Windows\Temp\lzsIFqjV.tmp 2>&1” (registered under param.dst metakey).
Figure 4 - NWE Detection of Atexec.py
“Possible Impacket Host Activity (atexec.py)” has been posted to Netwitness Live to detect possible usage of atexec.py.
wmiexec.py
Through wmiexec.py, Impacket uses the Windows Management Instrumentation (WMI) interface of a target system to launch a semi-interactive shell. All commands run through wmiexec.py run as Administrator. Due to its use of multiple ports (TCP/135, TCP/445, and TCP/50911) per connection, it is slightly noisier than some of the other remote execution Impacket scripts.
While running wmiexec.py in our Threat Lab, we are able to successfully execute 3 commands from the semi-interactive shell, “net use”, “net group”, and “tasklist”.
Figure 5 - Wmiexec.py Run in Threat Lab
Netwitness Endpoint detects wmiprvse.exe spawning cmd.exe to run our supplied commands, with standard error redirected to standard output. As an example, our “tasklist” command generates “param.dst = ‘cmd.exe /Q /c tasklist 1> \\127.0.0.1\ADMIN$\__1649952134.3804488 2>&1’”.
Figure 6 - NWE Detection of Wmiexec.py
We have created App Rule “Possible Impacket Host Activity (wmiexec.py)” to detect attempts of wmiexec.py against network hosts. This rule is currently posted to Netwitness Live.
dcomexec.py
This Impacket script uses the DCOM endpoints MMC20.Application, ShellWindows or ShellBrowserWindow to open a semi-interactive shell on remote systems. Like wmiexec.py, dcomexec.py uses multiple ports for connection (TCP/135, TCP/445, and TCP/49751).
For this example, we use dcomexec.py with an MMC20 endpoint selection to gain shell access to the target system in our threat lab. Once on the victim system, the command “wmic useraccount” is successfully executed.
Figure 7 - Dcomexec.py MMC20 Shell to Run 'wmic useraccount'
The artifacts left behind in Netwitness Endpoint by dcomexec.py were very similar to the activity seen with wmiexec.py, with the only difference being mmc.exe, as opposed to wmiprvse.exe, spawning cmd.exe.
Figure 8 - NWE Detecting Dcomexec.py
You can detect dcomexec.py usage with Netwitness Live rule “Possible Impacket Host Activity (dcomexec.py)”.
smbexec.py
smbexec.py takes advantage of the Windows built-in SMB protocol to execute commands on remote systems. This script works similarly to psexec.py, but it does not use RemComSvc. There are 2 modes for running smbexec.py. In Share mode, the user specifies a share and all commands are run through the designated share. In Server mode, an SMB server is launched locally and the output of commands is sent to a locally shared folder. With either mode, execution is agentless, making detection more difficult.
In this example from our lab environment, smbexec.py is used to run a “net localgroup” command. To avoid detection, smbexec.py echoes the command into a batch file (execute.bat) under C:\Windows\TEMP, runs that batch file with its output redirected to a share on the target, and then deletes the batch file.
Figure 9 - Successful Execution of 'net localgroup' via Smbexec.py
When looking for artifacts with Netwitness Endpoint, we are able to see cmd.exe create the file ‘execute.bat’ as part of the steps described above, with the command “cmd.exe /Q /c echo net share ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat” (registered under param.src metakey).
Figure 10 - Detection of Smbexec.py with NWE
The App Rule “Possible Impacket Host Activity (smbexec.py)” on Netwitness Live will detect smbexec.py usage.
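To make the host artifacts described for psexec.py, atexec.py, wmiexec.py, dcomexec.py and smbexec.py concrete, here is a small detection routine that applies the same process-lineage and command-line checks to a handful of constructed endpoint events. This is an added example, not Netwitness App Rule syntax or Impacket code; the event shape (src/dst, param_src/param_dst) and the dcomexec.py command line are assumptions modelled on the figures above.

```python
import re

# Constructed endpoint events in a Netwitness-like shape (src/dst process or file,
# param_src / param_dst command lines). Sample data only, not real telemetry.
EVENTS = [
    {"src": "ntoskrnl.exe", "action": "createFile", "dst": r"C:\Windows\BuJfHyVx.exe"},
    {"src": "svchost.exe", "action": "createProcess", "dst": "cmd.exe",
     "param_dst": r"cmd.exe /C whoami > C:\Windows\Temp\lzsIFqjV.tmp 2>&1"},
    {"src": "wmiprvse.exe", "action": "createProcess", "dst": "cmd.exe",
     "param_dst": r"cmd.exe /Q /c tasklist 1> \\127.0.0.1\ADMIN$\__1649952134.3804488 2>&1"},
    {"src": "mmc.exe", "action": "createProcess", "dst": "cmd.exe",  # assumed dcomexec.py line
     "param_dst": r"cmd.exe /Q /c wmic useraccount 1> \\127.0.0.1\ADMIN$\__1649952301.57 2>&1"},
    {"src": "cmd.exe", "action": "createFile", "dst": r"C:\Windows\TEMP\execute.bat",
     "param_src": r"cmd.exe /Q /c echo net share ^> \\127.0.0.1\C$\__output 2^>^&1 > "
                  r"C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c "
                  r"C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat"},
    {"src": "explorer.exe", "action": "createProcess", "dst": "cmd.exe",
     "param_dst": r"cmd.exe /c dir C:\Users"},  # benign control event
]

# Redirect shared by wmiexec.py and dcomexec.py: "1> \\127.0.0.1\ADMIN$\__<epoch> 2>&1"
ADMIN_SHARE_REDIRECT = re.compile(r"1> \\\\127\.0\.0\.1\\ADMIN\$\\__\d+\.\d+ 2>&1$")
TEMP_TMP_REDIRECT = re.compile(r"> C:\\Windows\\Temp\\\w{8}\.tmp 2>&1$", re.IGNORECASE)
RANDOM_SERVICE_BINARY = re.compile(r"^C:\\Windows\\[A-Za-z]{8}\.exe$")

def classify(ev):
    """Return the Impacket script whose host artifacts match this event, or None."""
    src, dst, action = ev["src"].lower(), ev["dst"].lower(), ev["action"]
    cmd = ev.get("param_dst", "")
    if src == "ntoskrnl.exe" and action == "createFile" and RANDOM_SERVICE_BINARY.match(ev["dst"]):
        return "psexec.py"
    if action == "createProcess" and dst == "cmd.exe":
        if src == "svchost.exe" and " /C " in cmd and TEMP_TMP_REDIRECT.search(cmd):
            return "atexec.py"
        if src in ("wmiprvse.exe", "mmc.exe") and " /Q /c " in cmd and ADMIN_SHARE_REDIRECT.search(cmd):
            return "wmiexec.py" if src == "wmiprvse.exe" else "dcomexec.py"
    if src == "cmd.exe" and action == "createFile" and dst.endswith(r"\execute.bat"):
        bat = ev.get("param_src", "")
        if "> C:\\Windows\\TEMP\\execute.bat" in bat and "del C:\\Windows\\TEMP\\execute.bat" in bat:
            return "smbexec.py"
    return None

def scan(events):
    """Return one verdict per event: the matching script name, or None for benign events."""
    return [classify(e) for e in events]

if __name__ == "__main__":
    for ev, hit in zip(EVENTS, scan(EVENTS)):
        print(f"{hit or 'no match':12} {ev['src']} -> {ev['dst']}")
```

The benign explorer.exe event shows that the parent process alone is not enough; the output-redirect pattern is what separates the Impacket command lines from ordinary cmd.exe use.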
Conclusion:
Our hope is that this blog will aid and enable analysts in their efforts to more quickly identify and respond to information gathering/lateral movement activity conducted with Impacket. By focusing on this group of Impacket scripts that have come up during research of different real-world attacks, the Netwitness Application Rules in this post should provide defenders with alerts that can be used as strong indicators of suspicious activity within their own environments.
MITRE Techniques: