Impacket is a powerful penetration testing toolkit widely abused by various APT groups and ransomware actors for remote command execution and lateral movement. This article focuses on three key Impacket tools—WmiExec, SmbExec, and PsExec—detailing their execution methods and detection strategies. #Impacket #WmiExec #SmbExec #PsExec #APT28 #APT29 #MustangPanda #ALPHV #Rhysida
Keypoints
- Impacket serves as a versatile toolkit for remote command execution, commonly misused by threat actors including APT28, APT29, Mustang Panda, ALPHV, and Rhysida.
- WmiExec exploits Windows Management Instrumentation (WMI) over SMB and DCOM protocols to execute commands remotely without dropping binaries or creating services, enhancing stealth.
- SmbExec executes commands via remotely created, randomized Windows services that run batch files, enabling lateral movement with output redirected to temporary files.
- PsExec uploads a binary payload and installs a temporary Windows service, using named pipes for real-time command input/output, but is less stealthy due to detectable file presence.
- Detection strategies leverage Windows event logs, Sysmon data, and command line auditing by focusing on process creation patterns, service installation events, and named pipe usage.
- Correlating logon events with process creation and file access allows defenders to identify lateral movement and command execution indicative of Impacket tools.
- Recommended defenses include network segmentation, Defense-in-Depth strategies, comprehensive logging and monitoring, and well-prepared incident response plans.
MITRE Techniques
- [T1021] Remote Services – Impacket tools leverage remote execution via SMB and WMI, as shown in “WmiExec initiates SMB session followed by DCERPC communication.”
- [T1071] Application Layer Protocol – Communication occurs over DCOM using DCE/RPC protocol on port 135 (“WmiExec initiates a Bind request to the ISystemActivator interface using DCOM over port 135”).
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – All three tools execute commands remotely via cmd.exe with silent flags “/Q /c” and output redirection.
- [T1106] Execution through API – PsExec uploads and executes payloads by creating services and communicating over named pipes RemCom_stdin/stdout/stderr (“PsExec establishes a DCE/RPC connection to Service Control Manager”).
- [T1027] Obfuscated Files or Information – WmiExec and SmbExec delete temporary output files immediately after reading outputs to maintain stealth (“WmiExec deletes the output file from ADMIN$ share”).
Indicators of Compromise
- [File Names] Temporary output and batch files – e.g., “1746603268.41452” for WmiExec output file, random 8-character bat files used by SmbExec, and 8-character .exe payloads by PsExec.
- [Services] Randomized Windows service names – SmbExec creates 8-character randomized service names, PsExec creates 4-character randomized service names for execution.
- [Named Pipes] PsExec communication uses named pipes such as “RemCom_stdin,” “RemCom_stdout,” and “RemCom_stderr” for command exchange.
- [Event IDs] Windows Event Logs and Sysmon events like 4624 (logon), 5145 (file access over SMB), 7045 (new service installation), 17 and 18 (named pipe creation and connection) are critical for detection.
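The detection approach in the Keypoints (correlating 4624 network logons with process creation, 5145 share access, 7045 service installs and Sysmon 17/18 pipe events) and the indicators listed above can be turned into a small correlation routine. The following is an added example, not code from the article or from Impacket; the log records are constructed (hypothetical hosts, user, IPs and logon IDs), the flat dict schema is an assumption about how a SIEM would normalise these events, and the random-name patterns are assumed to be 8 or 4 ASCII letters as the article's lengths describe.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (hypothetical hosts, user, IPs, logon IDs). Each dict is a
# normalised Windows Security / Sysmon record; "id" is the Windows or Sysmon event ID.
EVENTS = [
    {"ts": "2024-05-07T08:01:00", "id": 4624, "host": "WS01", "logon_type": 3,
     "logon_id": "0x3e7a1", "user": "j.doe", "src_ip": "10.0.0.5"},
    {"ts": "2024-05-07T08:01:02", "id": 1, "host": "WS01", "logon_id": "0x3e7a1",
     "cmdline": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\1746603268.41452 2>&1"},
    {"ts": "2024-05-07T08:01:02", "id": 5145, "host": "WS01", "logon_id": "0x3e7a1",
     "share": "\\\\*\\ADMIN$", "target": "1746603268.41452"},
    {"ts": "2024-05-07T08:05:00", "id": 4624, "host": "WS02", "logon_type": 3,
     "logon_id": "0x4f110", "user": "j.doe", "src_ip": "10.0.0.5"},
    {"ts": "2024-05-07T08:05:01", "id": 7045, "host": "WS02", "logon_id": "0x4f110",
     "service": "aBcDeFgH", "image": "cmd.exe /Q /c C:\\Windows\\Temp\\qWeRtYuI.bat"},
    {"ts": "2024-05-07T08:09:00", "id": 7045, "host": "WS03", "logon_id": "0x5a2b3",
     "service": "Xyzw", "image": "%SystemRoot%\\rTgHjKlM.exe"},
    {"ts": "2024-05-07T08:09:01", "id": 17, "host": "WS03", "pipe": "\\RemCom_stdin"},
    {"ts": "2024-05-07T08:09:01", "id": 18, "host": "WS03", "pipe": "\\RemCom_stdout"},
    # Benign activity that must not fire: a vendor service install and a plain admin command.
    {"ts": "2024-05-07T09:00:00", "id": 7045, "host": "WS01", "logon_id": "0x999",
     "service": "VendorAgentSvc", "image": "C:\\Program Files\\Vendor\\agent.exe"},
    {"ts": "2024-05-07T09:00:05", "id": 1, "host": "WS01", "logon_id": "0x999",
     "cmdline": "cmd.exe /c dir C:\\Users"},
]

# WmiExec: cmd.exe /Q /c ... with stdout redirected to an epoch-named file on ADMIN$.
WMIEXEC_CMD = re.compile(r"cmd\.exe\s+/Q\s+/c\s+.*1>\s*\\\\[^\\]+\\ADMIN\$\\(\d+\.\d+)\s+2>&1", re.I)
WMIEXEC_FILE = re.compile(r"^\d+\.\d+$")
# SmbExec: 8-letter random service name whose image runs an 8-letter .bat (assumed alphabetic).
SMBEXEC_SVC = re.compile(r"^[A-Za-z]{8}$")
SMBEXEC_IMG = re.compile(r"(?<![A-Za-z])[A-Za-z]{8}\.bat\b", re.I)
# PsExec: 4-letter random service name running an 8-letter .exe, plus RemCom_* pipes.
PSEXEC_SVC = re.compile(r"^[A-Za-z]{4}$")
PSEXEC_IMG = re.compile(r"(?<![A-Za-z])[A-Za-z]{8}\.exe\b", re.I)
PSEXEC_PIPE = re.compile(r"RemCom_(stdin|stdout|stderr)", re.I)


def classify(ev):
    """Map one event to the Impacket tool it resembles, or None if it matches no rule."""
    eid = ev["id"]
    if eid in (1, 4688) and WMIEXEC_CMD.search(ev.get("cmdline", "")):
        return "wmiexec"
    if eid == 5145 and "ADMIN$" in ev.get("share", "") and WMIEXEC_FILE.match(ev.get("target", "")):
        return "wmiexec"
    if eid == 7045:
        svc, img = ev.get("service", ""), ev.get("image", "")
        # Require both the name length and the image pattern to keep false positives down.
        if SMBEXEC_SVC.match(svc) and SMBEXEC_IMG.search(img):
            return "smbexec"
        if PSEXEC_SVC.match(svc) and PSEXEC_IMG.search(img):
            return "psexec"
    if eid in (17, 18) and PSEXEC_PIPE.search(ev.get("pipe", "")):
        return "psexec"
    return None


def detect_impacket(events, window=timedelta(minutes=5)):
    """Return one finding per suspicious event. A finding is enriched with the user and
    source IP of the network logon (4624, type 3) that shares its logon ID on the same host
    within `window`, which is what ties the execution back to the originating machine."""
    logons = {}  # (host, logon_id) -> (timestamp, 4624 event)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4624 and ev.get("logon_type") == 3:
            logons[(ev["host"], ev["logon_id"])] = (ts, ev)
            continue
        tool = classify(ev)
        if tool is None:
            continue
        finding = {"ts": ev["ts"], "host": ev["host"], "tool": tool, "event_id": ev["id"]}
        logon = logons.get((ev["host"], ev.get("logon_id")))
        if logon and ts - logon[0] <= window:
            finding["user"] = logon[1]["user"]
            finding["src_ip"] = logon[1]["src_ip"]
        findings.append(finding)
    return findings


def tools_by_host(findings):
    """Collapse findings into {host: sorted list of suspected tools} for triage."""
    out = {}
    for f in findings:
        out.setdefault(f["host"], set()).add(f["tool"])
    return {h: sorted(t) for h, t in out.items()}


if __name__ == "__main__":
    for f in detect_impacket(EVENTS):
        print(f)
    print(tools_by_host(detect_impacket(EVENTS)))
```

Against the constructed records this yields six findings (two for WmiExec on WS01, one SmbExec service on WS02, one PsExec service and two pipe events on WS03) and attributes the WS01 and WS02 activity to 10.0.0.5; the WS03 pipe events carry no logon ID, so they remain unattributed until joined with a 4624 by another key such as source port or time. In production the same logic would run over a SIEM stream rather than a list, and the 7045 rules should be tuned against an allow-list of known installers.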