| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1557.001 | Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | Impacket modules like ntlmrelayx and smbrelayx can be used in conjunction with Network Sniffing and LLMNR/NBT-NS Poisoning and SMB Relay to gather NetNTLM credentials for Brute Force or relay attacks that can gain code execution. |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | |
| Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | |
| Enterprise | T1003.003 | OS Credential Dumping: NTDS | |
| Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | |
| Enterprise | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | Impacket modules like GetUserSPNs can be used to get Service Principal Names (SPNs) for user accounts. The output is formatted to be compatible with cracking tools like John the Ripper and Hashcat. |
| Enterprise | T1569.002 | System Services: Service Execution | |
| Enterprise | T1047 | Windows Management Instrumentation | |

Groups That Use This Software