{"description": "Enterprise techniques used by Impacket, ATT&CK software S0357 (v1.8)", "name": "Impacket (S0357)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1557", "showSubtechniques": true}, {"techniqueID": "T1557.001", "comment": "[Impacket](https://attack.mitre.org/software/S0357) modules like ntlmrelayx and smbrelayx can be used in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040) and [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001) to gather NetNTLM credentials for [Brute Force](https://attack.mitre.org/techniques/T1110) or relay attacks that can gain code execution.(Citation: Impacket Tools)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1570", "comment": "[Impacket](https://attack.mitre.org/software/S0357) has used its `wmiexec` command, leveraging Windows Management Instrumentation, to remotely stage and execute payloads in victim networks.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1040", "comment": "[Impacket](https://attack.mitre.org/software/S0357) can be used to sniff network traffic via an interface or raw socket.(Citation: Impacket Tools)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.001", "comment": "SecretsDump and [Mimikatz](https://attack.mitre.org/software/S0002) modules within [Impacket](https://attack.mitre.org/software/S0357) can perform credential dumping to obtain account and password information.(Citation: Impacket Tools)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.002", "comment": "SecretsDump and [Mimikatz](https://attack.mitre.org/software/S0002) modules within [Impacket](https://attack.mitre.org/software/S0357) can perform credential dumping to obtain account and password information.(Citation: Impacket Tools)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.003", "comment": "SecretsDump and [Mimikatz](https://attack.mitre.org/software/S0002) modules within [Impacket](https://attack.mitre.org/software/S0357) can perform credential dumping to obtain account and password information from NTDS.dit.(Citation: Impacket Tools)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.004", "comment": "SecretsDump and [Mimikatz](https://attack.mitre.org/software/S0002) modules within [Impacket](https://attack.mitre.org/software/S0357) can perform credential dumping to obtain account and password information.(Citation: Impacket Tools)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1558", "showSubtechniques": true}, {"techniqueID": "T1558.003", "comment": "[Impacket](https://attack.mitre.org/software/S0357) modules like GetUserSPNs can be used to get Service Principal Names (SPNs) for user accounts. The output is formatted to be compatible with cracking tools like John the Ripper and Hashcat.(Citation: Impacket Tools)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1558.005", "comment": "[Impacket](https://attack.mitre.org/software/S0357) tools \u2013 such as getST.py or ticketer.py \u2013 can be used to steal or forge Kerberos tickets using ccache files given a password, hash, aesKey, or TGT.(Citation: Kerberos GNU/Linux)(Citation: on security kerberos linux)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "[Impacket](https://attack.mitre.org/software/S0357) contains various modules emulating other service execution tools such as [PsExec](https://attack.mitre.org/software/S0029).(Citation: Impacket Tools)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[Impacket](https://attack.mitre.org/software/S0357)'s `wmiexec` module can be used to execute commands through WMI.(Citation: Impacket Tools)(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Impacket", "color": "#66b1ff"}]}