Impacket Overview
Welcome back. This is part two of our blog series covering the Impacket example tools. Impacket is a collection of Python classes focused on providing tools to understand and manipulate low-level network protocols. This capability enables you to craft or decode packets of a wide variety of protocols such as IP, TCP, UDP, ICMP, and even higher-level protocols like SMB, MSRPC, NetBIOS, and others.
Moreover, Impacket provides several command-line tools as practical examples of what can be achieved using its classes. These example tools include scripts for executing commands on remote systems, transferring files, port scanning, gathering system information, and more. Tools such as smbexec, wmiexec, and psexec are particularly notable because they are so widely used for remote command execution on Windows systems, which demonstrates the power and flexibility of Impacket in real-world scenarios. Register for a FREE community account to access the tons of content included in this blog post, as well as thousands of other community detections.
In the previous post we covered psexec, smbexec, and atexec scripts. This time we are going to look at wmiexec, dcomexec, and wmipersist. This will round out what we consider to be the remote code execution tools.
Wmiexec.py
wmiexec.py runs a command on the target through WMI rather than through a service or a scheduled task. It authenticates over DCOM, logs in to the WMI service with IWbemLevel1Login and calls Win32_Process.Create, which makes the WMI provider host WmiPrvSE.exe spawn cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1. Standard output and error are written to a file on the ADMIN$ share through the loopback UNC path, and the script then reads that file back over SMB and deletes it. Execution therefore happens over DCOM (TCP 135 plus a dynamic high port), but wmiexec still needs SMB access to the target to collect output. In this run the command handed to wmiexec.py was a hidden, encoded PowerShell one-liner; the base64 argument to -Enc is shown in full in the Sysmon event below:
powershell.exe -NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc
Zeek DCE/RPC log (sourcetype bro:dce_rpc:json): the DCOM activation request to the target's endpoint mapper port. The same RemoteCreateInstance call on IRemoteSCMActivator over TCP 135 appears for every DCOM-based Impacket tool, so on its own it only tells you that a remote object was activated.
sourcetype: bro:dce_rpc:json
operation: RemoteCreateInstance
endpoint: IRemoteSCMActivator
named_pipe: 135
id.resp_p: 135
Sysmon Event ID 1 (process creation): cmd.exe is spawned by WmiPrvSE.exe, which itself runs as NETWORK SERVICE, with stdout and stderr redirected to a timestamp-named file on ADMIN$. The /Q /c prefix, the loopback UNC path and the __<epoch time> file name are the stable parts of this command line regardless of what the operator ran. The encoded argument in the first event decodes (base64 over UTF-16LE) to $ProgressPreference="SilentlyContinue";whoami, so both captures ultimately ran whoami.
EventCode: 1
ParentProcessName: WmiPrvSE.exe
CommandLine: cmd.exe /Q /c powershell.exe -NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAiADsAdwBoAG8AYQBtAGkA 1> \\127.0.0.1\ADMIN$\__1709834834.6321354 2>&1
ParentUser: NT AUTHORITY\NETWORK SERVICE
EventCode: 1
ParentProcessName: WmiPrvSE.exe
CommandLine: cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1707943085.0702221 2>&1
ParentUser: NT AUTHORITY\NETWORK SERVICE
Windows Security Event 5145 (detailed file share access): the Impacket client reading the output file from ADMIN$ (%%4416 is ReadData). The RelativeTargetName matches the __<epoch time> file name from the cmd.exe command line, which is the join key between the process event and the share access.
EventCode: 5145
AccessList: %%4416
ObjectType: File
ShareName:
ShareLocalPath: \??\C:\Windows
RelativeTargetName: __1709834834.6321354
For more logs and details, we have captured this activity in our platform: Impacket Wmiexec (Powershell) & Impacket Wmiexec
For Detections check out this Collection: Hunting Impacket WMIEXEC
MITRE
T1047: Windows Management Instrumentation
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads.
T1048: Exfiltration Over Alternative Protocol
Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel.
T1059.006: Command and Scripting Interpreter: Python
Adversaries may abuse Python commands and scripts for execution.
T1078.002: Valid Accounts: Domain Accounts
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Dcomexec.py
This one is fairly similar to the wmiexec technique, but instead of WMI it drives a DCOM object that exposes a way to launch a process: ShellWindows, ShellBrowserWindow or MMC20.Application, chosen with the -object option. Because execution goes through DCOM there is no service to install and no scheduled task to create, which makes it an alternative when the service creation of psexec and smbexec or the tasks of atexec are monitored. It does not avoid SMB entirely, though: by default the command output is still redirected to a file on the ADMIN$ share and read back over SMB, exactly as wmiexec does (the 5145 events further down show this), and only the -nooutput option removes that SMB traffic. The relevant portion of dcomexec.py shows how each object is instantiated and how the IDispatch interface is walked to reach something that can run a command:
# Excerpt from the DCOMEXEC class in dcomexec.py. dcom (the DCOMConnection) and
# dispParams (an empty DISPPARAMS) are set up earlier in the same method.
if self.__dcomObject == 'ShellWindows':
    # ShellWindows CLSID (Windows 7, Windows 10, Windows Server 2012R2)
    iInterface = dcom.CoCreateInstanceEx(string_to_bin('9BA05972-F6A8-11CF-A442-00A0C90A8F39'), IID_IDispatch)
    iMMC = IDispatch(iInterface)
    # ShellWindows.Item() returns an existing Explorer window ...
    resp = iMMC.GetIDsOfNames(('Item',))
    resp = iMMC.Invoke(resp[0], 0x409, DISPATCH_METHOD, dispParams, 0, [], [])
    iItem = IDispatch(self.getInterface(iMMC, resp['pVarResult']['_varUnion']['pdispVal']['abData']))
    # ... whose Document property leads to the Application object used to run the command
    resp = iItem.GetIDsOfNames(('Document',))
    resp = iItem.Invoke(resp[0], 0x409, DISPATCH_PROPERTYGET, dispParams, 0, [], [])
    pQuit = None
elif self.__dcomObject == 'ShellBrowserWindow':
    # ShellBrowserWindow CLSID (Windows 10, Windows Server 2012R2)
    iInterface = dcom.CoCreateInstanceEx(string_to_bin('C08AFD90-F2A1-11D1-8455-00A0C91F3880'), IID_IDispatch)
    iMMC = IDispatch(iInterface)
    resp = iMMC.GetIDsOfNames(('Document',))
    resp = iMMC.Invoke(resp[0], 0x409, DISPATCH_PROPERTYGET, dispParams, 0, [], [])
    # DISPID of Quit, used to close the object once the command has run
    pQuit = iMMC.GetIDsOfNames(('Quit',))[0]
elif self.__dcomObject == 'MMC20':
    # MMC20.Application CLSID
    iInterface = dcom.CoCreateInstanceEx(string_to_bin('49B2791A-B1AE-4C90-9B8E-E860BA07F889'), IID_IDispatch)
    iMMC = IDispatch(iInterface)
    resp = iMMC.GetIDsOfNames(('Document',))
    resp = iMMC.Invoke(resp[0], 0x409, DISPATCH_PROPERTYGET, dispParams, 0, [], [])
    pQuit = iMMC.GetIDsOfNames(('Quit',))[0]
else:
    logging.fatal('Invalid object %s' % self.__dcomObject)
    return
The two objects exercised in the captures below are ShellWindows and MMC20.
Zeek DCE/RPC log: the IDispatch calls on the dynamic DCOM port, which Zeek cannot name. Opnums 0-2 of any DCOM interface belong to IUnknown (QueryInterface, AddRef, Release) and IDispatch adds 3-6 (GetTypeInfoCount, GetTypeInfo, GetIDsOfNames, Invoke), so unknown-5 and unknown-6 are the GetIDsOfNames and Invoke calls from the code above, i.e. the point at which the command is actually executed.
sourcetype: bro:dce_rpc:json
operation: unknown-6
endpoint: IDispatch
id.resp_p: 53203
sourcetype: bro:dce_rpc:json
operation: unknown-5
endpoint: IDispatch
id.resp_p: 53203
The DCOM activation and the rest of the RPC traffic captured in the same session: RemoteCreateInstance on 135, a drsuapi DRSBind/DRSCrackNames/DRSUnbind exchange on 49667, and the endpoint mapper lookup on 135.
sourcetype: bro:dce_rpc:json
operation: RemoteCreateInstance
endpoint: IRemoteSCMActivator
id.resp_p: 135
sourcetype: bro:dce_rpc:json
operation: DRSUnbind
endpoint: drsuapi
id.resp_p: 49667
sourcetype: bro:dce_rpc:json
operation: DRSCrackNames
endpoint: drsuapi
id.resp_p: 49667
sourcetype: bro:dce_rpc:json
operation: DRSBind
endpoint: drsuapi
id.resp_p: 49667
sourcetype: bro:dce_rpc:json
operation: ept_map
endpoint: epmapper
id.resp_p: 135
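To make the IDispatch records above actionable, here is an added example (not code from the blog or from Impacket) that reads Zeek dce_rpc JSON lines, names the IDispatch opnums Zeek reports as unknown-N, and pairs each Invoke on a dynamic port with the RemoteCreateInstance that preceded it from the same client to the same server. The log lines, hosts and timestamps are constructed for the example; the field names follow Zeek's JSON output (id.orig_h, id.resp_p, endpoint, operation), and the 30-second pairing window is an assumption.

```python
import json

# Opnums of IDispatch (MS-OAUT) that Zeek's DCE/RPC analyzer has no name for;
# it logs them as "unknown-<opnum>". Opnums 0-2 belong to IUnknown.
IDISPATCH_OPNUMS = {3: "GetTypeInfoCount", 4: "GetTypeInfo", 5: "GetIDsOfNames", 6: "Invoke"}

# Constructed sample of Zeek dce_rpc.log in JSON form (not the blog's capture),
# trimmed to the fields used here; hosts and timestamps are made up.
SAMPLE_LOG = """\
{"ts": 1709834830.1, "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.20", "id.resp_p": 135, "endpoint": "epmapper", "operation": "ept_map"}
{"ts": 1709834830.2, "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.20", "id.resp_p": 135, "endpoint": "IRemoteSCMActivator", "operation": "RemoteCreateInstance"}
{"ts": 1709834830.4, "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.20", "id.resp_p": 53203, "endpoint": "IDispatch", "operation": "unknown-5"}
{"ts": 1709834830.5, "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.20", "id.resp_p": 53203, "endpoint": "IDispatch", "operation": "unknown-6"}
{"ts": 1709834900.0, "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.20", "id.resp_p": 53203, "endpoint": "IDispatch", "operation": "unknown-6"}
"""


def enrich(rec):
    """Return a copy of a dce_rpc record with IDispatch 'unknown-N' operations named."""
    rec = dict(rec)
    op = rec.get("operation", "")
    if rec.get("endpoint") == "IDispatch" and op.startswith("unknown-"):
        try:
            rec["operation"] = IDISPATCH_OPNUMS.get(int(op[len("unknown-"):]), op)
        except ValueError:
            pass  # malformed opnum, keep Zeek's value
    return rec


def parse_log(text):
    """Parse newline-delimited Zeek JSON into enriched records."""
    return [enrich(json.loads(line)) for line in text.splitlines() if line.strip()]


def find_dcom_invokes(records, window=30.0):
    """Pair each IDispatch.Invoke on a dynamic port with a preceding
    RemoteCreateInstance from the same client to the same server within
    `window` seconds (assumed). Returns (orig_h, resp_h, resp_p, invoke_ts)."""
    activations = {}
    hits = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["id.orig_h"], rec["id.resp_h"])
        if rec["endpoint"] == "IRemoteSCMActivator" and rec["operation"] == "RemoteCreateInstance":
            activations[key] = rec["ts"]
        elif rec["endpoint"] == "IDispatch" and rec["operation"] == "Invoke" and rec["id.resp_p"] != 135:
            t0 = activations.get(key)
            if t0 is not None and 0 <= rec["ts"] - t0 <= window:
                hits.append((key[0], key[1], rec["id.resp_p"], rec["ts"]))
    return hits


if __name__ == "__main__":
    for hit in find_dcom_invokes(parse_log(SAMPLE_LOG)):
        print("DCOM activation followed by IDispatch.Invoke: %s -> %s:%d at %.1f" % hit)
```

The Invoke from 10.0.0.7 is deliberately left unpaired: an Invoke with no activation in the window is what a long-lived legitimate DCOM client looks like, whereas activation immediately followed by GetIDsOfNames and Invoke is the dcomexec shape.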
Sysmon Event ID 1: with ShellWindows (and ShellBrowserWindow) the command is launched from the interactive user's explorer.exe, so it runs as the user logged on at the console (SNAPATTACK\user here) rather than as the account that authenticated over DCOM, and it only works while someone is logged on. With MMC20 the parent is mmc.exe instead. The ADMIN$ output redirection is the same as wmiexec; only the file location (under TEMP) differs.
EventCode: 1
ParentProcessName: explorer.exe
CommandLine: "C:\Windows\System32\cmd.exe" /Q /c whoami 1> \\127.0.0.1\ADMIN$\TEMP\__17077 2>&1
ParentUser: SNAPATTACK\user
And then finally, the SMB requests (Security Event 5145) to that same temporary file: the creation and writes that arrive through the loopback path, the read by the Impacket client, and its delete (%%1537).
EventCode: 5145
AccessList: %%1537, %%4423
ObjectType: File
ShareName: \\*\ADMIN$
ShareLocalPath: \??\C:\Windows
RelativeTargetName: TEMP\__17077
EventCode: 5145
AccessList: %%4416
ObjectType: File
ShareName: \\*\ADMIN$
ShareLocalPath: \??\C:\Windows
RelativeTargetName: TEMP\__17077
EventCode: 5145
AccessList: %%1538, %%1541, %%4417, %%4418, %%4420, %%4423, %%4424
ObjectType: File
ShareName: \\*\ADMIN$
ShareLocalPath: \??\C:\Windows
RelativeTargetName: TEMP\__17077
EventCode: 5145
AccessList: %%4417
ObjectType: File
ShareName: \\*\ADMIN$
ShareLocalPath: \??\C:\Windows
RelativeTargetName: TEMP\__17077
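The process and share-access artifacts are the same for wmiexec (above) and dcomexec, so one example covers both. The following Python is an added example, not code from the blog or from Impacket: it matches the cmd.exe /Q /c ... 1> \\127.0.0.1\ADMIN$\... 2>&1 redirection, attributes the hit to a tool from the parent process, decodes a PowerShell -Enc payload when one is present, and joins each hit to the Security 5145 events for the same output file. The event records are constructed to mirror the fields shown above; the regular expressions, the parent-to-tool table and the C$ alternative are assumptions of the example.

```python
import base64
import re

# wmiexec and dcomexec both redirect the command's output into a file on the
# target's ADMIN$ share through the loopback UNC path, then fetch it over SMB.
# (C$ is included as an assumption for operators who change the share.)
OUTPUT_REDIRECT = re.compile(
    r'1>\s*\\\\127\.0\.0\.1\\(?P<share>ADMIN\$|C\$)\\(?P<path>\S+)\s+2>&1', re.I)

# Parent process of the cmd.exe, by tool / DCOM object (keys lower-cased).
PARENT_TO_TOOL = {
    "wmiprvse.exe": "wmiexec (Win32_Process.Create)",
    "explorer.exe": "dcomexec (ShellWindows or ShellBrowserWindow)",
    "mmc.exe": "dcomexec (MMC20)",
}

# -EncodedCommand and common abbreviations. PowerShell accepts any unambiguous
# prefix, so this is a pragmatic subset, not a full parameter parser.
ENCODED_CMD = re.compile(r'-(?:EncodedCommand|Enc|ec|e)\b\s+([A-Za-z0-9+/=]+)', re.I)

# The encoded command from the blog's Sysmon event.
B64 = "JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAiADsAdwBoAG8AYQBtAGkA"

# Constructed Sysmon 1 and Security 5145 records mirroring the fields shown in
# the blog; they are illustrative, not an export from the platform.
SAMPLE_EVENTS = [
    {"EventCode": 1, "ParentProcessName": "WmiPrvSE.exe",
     "ParentUser": "NT AUTHORITY\\NETWORK SERVICE",
     "CommandLine": "cmd.exe /Q /c powershell.exe -NoP -NoL -sta -NonI -W Hidden "
                    "-Exec Bypass -Enc " + B64 +
                    " 1> \\\\127.0.0.1\\ADMIN$\\__1709834834.6321354 2>&1"},
    {"EventCode": 5145, "ShareName": "\\\\*\\ADMIN$", "AccessList": "%%4416",
     "RelativeTargetName": "__1709834834.6321354"},
    {"EventCode": 1, "ParentProcessName": "C:\\Windows\\explorer.exe",
     "ParentUser": "SNAPATTACK\\user",
     "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /Q /c whoami "
                    "1> \\\\127.0.0.1\\ADMIN$\\TEMP\\__17077 2>&1"},
    {"EventCode": 5145, "ShareName": "\\\\*\\ADMIN$", "AccessList": "%%1537, %%4423",
     "RelativeTargetName": "TEMP\\__17077"},
    {"EventCode": 5145, "ShareName": "\\\\*\\ADMIN$", "AccessList": "%%4416",
     "RelativeTargetName": "TEMP\\__17077"},
    # benign: a local redirect, and an unrelated ADMIN$ access
    {"EventCode": 1, "ParentProcessName": "explorer.exe",
     "CommandLine": "cmd.exe /c dir C:\\Windows > C:\\Temp\\out.txt 2>&1"},
    {"EventCode": 5145, "ShareName": "\\\\*\\ADMIN$", "AccessList": "%%4416",
     "RelativeTargetName": "System32\\drivers\\etc\\hosts"},
]


def basename(path):
    """Last component of a Windows path (works on bare names too)."""
    return path.rsplit("\\", 1)[-1]


def decode_encoded_command(cmdline):
    """Decode a PowerShell -Enc payload: base64 over UTF-16LE text."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(events):
    """Find cmd.exe launches carrying the Impacket output redirection and join
    them to the 5145 share accesses for the same output file."""
    share_access = {}
    for ev in events:
        if ev.get("EventCode") == 5145 and ev.get("ShareName", "").endswith("ADMIN$"):
            share_access.setdefault(basename(ev["RelativeTargetName"]), []).append(ev["AccessList"])
    findings = []
    for ev in events:
        if ev.get("EventCode") != 1:
            continue
        m = OUTPUT_REDIRECT.search(ev.get("CommandLine", ""))
        if not m:
            continue
        parent = basename(ev.get("ParentProcessName", "")).lower()
        out = basename(m.group("path"))
        findings.append({
            "tool": PARENT_TO_TOOL.get(parent, "unknown parent: " + parent),
            "parent": parent,
            "parent_user": ev.get("ParentUser"),
            "output_file": out,
            "decoded_command": decode_encoded_command(ev["CommandLine"]),
            "share_access": share_access.get(out, []),
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

The join on the output file name is what turns two medium-confidence signals (an odd cmd.exe parent, a read of a __-prefixed file on ADMIN$) into one high-confidence one, and the decoded -Enc payload gives the analyst the actual command without leaving the SIEM.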
For more logs and details, we have captured this activity in our platform: Impacket DCOMExec (MMC20) & Impacket DCOMExec
For Detections check out this Collection: Hunting Impacket DCOMEXEC
MITRE
T1021.002: Remote Services: SMB/Windows Admin Shares
Adversaries may use valid accounts to interact with a remote network share using Server Message Block (SMB).
T1021.003: Remote Services: Distributed Component Object Model
Adversaries may use valid accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM).
T1059.006: Command and Scripting Interpreter: Python
Adversaries may abuse Python commands and scripts for execution.
T1059: Command and Scripting Interpreter
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1078: Valid Accounts
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Wmipersist.py
Here, we'll walk through basic usage of wmipersist.py to create a persistent execution of a VBScript. The script's install subcommand takes the script file with -vbs and a -name that it uses for every object it creates: an ActiveScriptEventConsumer called <name>, a __EventFilter called EF_<name> and, for the timer variant, a __IntervalTimerInstruction called TI_<name>, all in root\subscription. There are a few different methods that can be used to trigger the execution, most commonly a timer (-timer, an interval in milliseconds, which binds the consumer to a __TimerEvent filter) or when a separate process is launched (-filter with a WQL query, typically a __InstanceCreationEvent on Win32_Process). The remove subcommand with the same -name cleans up the objects again.
Timer based (install -timer)
Process trigger (install -filter)
Zeek DCE/RPC log: DCOM activation on 135, then the WMI login (NTLMLogin on IWbemLevel1Login) and object operations over IWbemServices on the dynamic port. The IWbemLevel1Login endpoint is the WMI-specific marker here; the activation alone looks the same as for wmiexec and dcomexec.
sourcetype: bro:dce_rpc:json
operation: RemoteCreateInstance
endpoint: IRemoteSCMActivator
named_pipe: 135
id.resp_p: 135
sourcetype: bro:dce_rpc:json
operation: NTLMLogin
endpoint: IWbemLevel1Login
named_pipe: 64017
id.resp_p: 64017
sourcetype: bro:dce_rpc:json
operation: RemRelease
endpoint: IRemUnknown
named_pipe: 64017
id.resp_p: 64017
sourcetype: bro:dce_rpc:json
operation: DeleteClass
endpoint: IWbemServices
named_pipe: 64017
id.resp_p: 64017
sourcetype: bro:dce_rpc:json
operation: unknown-6
endpoint: IWbemCallResult interface
named_pipe: 64017
id.resp_p: 64017
Sysmon Event IDs 20, 19 and 21 (WMI consumer, filter and binding created). The three events are the persistence mechanism itself: a script consumer holding the payload, a filter with the WQL trigger query, and the __FilterToConsumerBinding that joins them.
EventCode: 20
EventType: WmiConsumerEvent
Operation: Created
User: BUILTIN\Administrators
Name: "SNAP"
Type: Script
Destination: "CreateObject(\"wscript.shell\").Run(\"calc.exe\")"
EventCode: 19
EventType: WmiFilterEvent
Operation: Created
User: BUILTIN\Administrators
EventNamespace: "root\subscription"
Name: "EF_SNAP"
Query: "select * from __TimerEvent where TimerID = \"TI_SNAP\""
EventCode: 21
EventType: WmiBindingEvent
Operation: Created
User: BUILTIN\Administrators
Consumer: "ActiveScriptEventConsumer.Name=\"SNAP\""
Filter: "__EventFilter.Name=\"EF_SNAP\""
Microsoft-Windows-WMI-Activity/Operational Event 5861, logged when a permanent event consumer is bound to a filter. It carries the full MOF of both objects, including the CreatorSID and the script text, so it is the single most useful record for this technique:
EventCode: 5861
Consumer: ActiveScriptEventConsumer="SNAP"
ESS: EF_SNAP
PossibleCause: Binding EventFilter:
instance of __EventFilter
{
CreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};
EventNamespace = "root\subscription";
Name = "EF_SNAP";
Query = "select * from __TimerEvent where TimerID = \"TI_SNAP\"";
QueryLanguage = "WQL";
};
Perm. Consumer:
instance of ActiveScriptEventConsumer
{
CreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};
KillTimeout = 0;
MaximumQueueSize = 0;
Name = "SNAP";
ScriptingEngine = "VBScript";
ScriptText = "CreateObject(\"wscript.shell\").Run(\"calc.exe\")";
};
Sysmon Event ID 1: when the timer fires, the DcomLaunch svchost starts scrcons.exe (the host process for ActiveScriptEventConsumer) as SYSTEM, and scrcons.exe runs the VBScript, which launches calc.exe as SYSTEM. Any child of scrcons.exe is worth an alert, since legitimate script consumers are rare.
EventCode: 1
Description: WMI Standard Event Consumer - scripting
CommandLine: C:\Windows\system32\wbem\scrcons.exe -Embedding
User: NT AUTHORITY\SYSTEM
ParentCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p
EventCode: 1
Description: Windows Calculator
CommandLine: "C:\Windows\System32\calc.exe"
User: NT AUTHORITY\SYSTEM
ParentCommandLine: C:\Windows\system32\wbem\scrcons.exe -Embedding
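Reconstructing the subscription from the three Sysmon events and deciding whether it is worth an alert, as an added example (not code from the blog or from Impacket). It joins Event IDs 19, 20 and 21 on the object names, classifies the trigger from the filter's WQL and flags only consumer classes that execute content. The sample events are constructed to mirror the timer-based run above plus a process-trigger variant and Windows' default SCM Event Log binding; the WQL for the process trigger and the classification keywords are assumptions of the example.

```python
import re

# Consumer classes whose payload is executed when the bound filter fires.
EXEC_CONSUMERS = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}

# Sysmon 21 names the two sides as WMI object paths, e.g.
#   ActiveScriptEventConsumer.Name="SNAP"    __EventFilter.Name="EF_SNAP"
OBJPATH = re.compile(r'^(?P<cls>\w+)\.Name="(?P<name>[^"]+)"$')

PAYLOAD = 'CreateObject("wscript.shell").Run("calc.exe")'

# Constructed events mirroring the Sysmon 19/20/21 fields shown above: the
# timer-based run from the blog, a process-trigger variant, and the default
# SCM Event Log binding that every Windows host has in root\subscription.
SAMPLE_EVENTS = [
    {"EventCode": 20, "Operation": "Created", "User": "BUILTIN\\Administrators",
     "Name": '"SNAP"', "Type": "Script", "Destination": PAYLOAD},
    {"EventCode": 19, "Operation": "Created", "User": "BUILTIN\\Administrators",
     "EventNamespace": '"root\\subscription"', "Name": '"EF_SNAP"',
     "Query": 'select * from __TimerEvent where TimerID = "TI_SNAP"'},
    {"EventCode": 21, "Operation": "Created", "User": "BUILTIN\\Administrators",
     "Consumer": 'ActiveScriptEventConsumer.Name="SNAP"',
     "Filter": '__EventFilter.Name="EF_SNAP"'},
    # process trigger: the WQL below is an assumed example of what an operator
    # would pass to wmipersist.py install -filter
    {"EventCode": 20, "Operation": "Created", "User": "BUILTIN\\Administrators",
     "Name": '"PROC"', "Type": "Script", "Destination": PAYLOAD},
    {"EventCode": 19, "Operation": "Created", "User": "BUILTIN\\Administrators",
     "EventNamespace": '"root\\subscription"', "Name": '"EF_PROC"',
     "Query": "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA "
              "'Win32_Process' AND TargetInstance.Name = 'notepad.exe'"},
    {"EventCode": 21, "Operation": "Created", "User": "BUILTIN\\Administrators",
     "Consumer": 'ActiveScriptEventConsumer.Name="PROC"',
     "Filter": '__EventFilter.Name="EF_PROC"'},
    {"EventCode": 21, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]


def parse_objpath(s):
    """Split 'Class.Name="x"' into (Class, x); (None, None) if it does not parse."""
    m = OBJPATH.match(s.strip())
    return (m.group("cls"), m.group("name")) if m else (None, None)


def reconstruct_subscriptions(events):
    """Join Sysmon 19 (filter), 20 (consumer) and 21 (binding) on object names."""
    filters, consumers = {}, {}
    for ev in events:
        if ev["EventCode"] == 19:
            filters[ev["Name"].strip('"')] = ev
        elif ev["EventCode"] == 20:
            consumers[ev["Name"].strip('"')] = ev
    subs = []
    for ev in events:
        if ev["EventCode"] != 21:
            continue
        ccls, cname = parse_objpath(ev["Consumer"])
        _, fname = parse_objpath(ev["Filter"])
        subs.append({
            "consumer_class": ccls,
            "consumer": cname,
            "filter": fname,
            "query": filters.get(fname, {}).get("Query"),
            "payload": consumers.get(cname, {}).get("Destination"),
            "created_by": ev.get("User"),
        })
    return subs


def classify_trigger(query):
    """Coarse trigger type from the filter's WQL (keywords are an assumption)."""
    q = (query or "").lower()
    if "__timerevent" in q:
        return "timer"
    if "win32_process" in q:  # __InstanceCreationEvent on Win32_Process, Win32_ProcessStartTrace
        return "process"
    return "other"


def triage(subs):
    """Return (consumer name, trigger type, payload) for subscriptions whose
    consumer executes attacker-supplied content; everything else is ignored."""
    return [(s["consumer"], classify_trigger(s["query"]), s["payload"])
            for s in subs if s["consumer_class"] in EXEC_CONSUMERS]


if __name__ == "__main__":
    for name, trigger, payload in triage(reconstruct_subscriptions(SAMPLE_EVENTS)):
        print("%s-triggered %s: %s" % (trigger, name, payload))
```

Keying the join on the consumer class rather than on a name pattern matters: wmipersist's EF_/TI_ prefixes are trivial to change, but an ActiveScriptEventConsumer or CommandLineEventConsumer in root\subscription is abnormal on almost every host regardless of what it is called.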
For more logs and details, we have captured this activity in our platform: Impacket WMIPersist
For Detections check out this Collection: Hunting Impacket WMIPERSIST
MITRE
T1021: Remote Services
Adversaries may use valid accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC.
T1047: Windows Management Instrumentation
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads.
T1059.005: Command and Scripting Interpreter: Visual Basic
Adversaries may abuse Visual Basic (VB) for execution.
T1059.006: Command and Scripting Interpreter: Python
Adversaries may abuse Python commands and scripts for execution.
T1078: Valid Accounts
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1546.003: Event Triggered Execution: Windows Management Instrumentation Event Subscription
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
Conclusion
SnapAttack is the threat hunting, detection engineering, and detection validation platform for proactive threat-informed defense. Subscribers also get advanced features like a no-code detection builder, one-click deployments to leading SIEMs and EDRs like Chronicle, Sentinel, Splunk, CrowdStrike and SentinelOne, advanced threat profiles to prioritize relevant threats, and customized reports that track MITRE ATT&CK coverage and more!
About SnapAttack: SnapAttack is an innovator in proactive, threat-informed security solutions. The SnapAttack platform helps organizations answer their most pressing question: “Are we protected against the threats that matter?”
By rolling threat intelligence, adversary emulation, detection engineering, threat hunting, and purple teaming into a single, easy-to-use product with a no-code interface, SnapAttack enables companies to get more from their tools and more from their teams so they can finally stay ahead of the threat.