Impacket
Impacket is an open-source collection of Python classes for working with network protocols (SMB, MSRPC/DCERPC, Kerberos, LDAP and others), shipped with example scripts that threat actors widely abuse for post-compromise operations; it is a dual-use tool, not a self-propagating malware family. Across the provided reporting it is repeatedly associated with credential theft, lateral movement, remote command execution, reconnaissance and Active Directory abuse in Windows environments. Observed modules and derivatives include secretsdump.py for extracting credentials and secrets over the network, psexec.py and smbexec.py for execution over SMB (the ADMIN$ share plus service creation through the Service Control Manager), wmiexec.py for command execution through WMI, and rpcdump.py for RPC endpoint enumeration. The reporting also notes use of the secretsdump options -use-vss and -just-dc, and describes a portable-executable build of secretsdump.py named dump.exe used to harvest credentials without executing code on the target system.
The toolkit appears in numerous real intrusions and ransomware operations. It was used by menuPass/APT10 in the MITRE Engenuity ATT&CK Evaluations Managed Services Round 2 alongside SigLoader, P8RAT, FYAnti and QuasarRat. Microsoft and Sophos reporting ties Impacket to Warlock ransomware intrusions, including activity by Storm-2603/GOLD SALEM, where it was used for lateral movement and command execution before the ransomware payload was deployed through Group Policy Objects. Microsoft also observed Storm-1175 using Impacket during fast-moving Medusa ransomware campaigns. Other cited actors and clusters include VOID MANTICORE/HomeLand Justice, UAT-8837, Elephant Beetle, Scattered Spider, Sandworm Team and multiple APT actors in a CISA-investigated Defense Industrial Base compromise. The content also notes use by Chinese nation-state and China-aligned operators, and that Microsoft ships detections for ongoing hands-on-keyboard activity conducted with the Impacket toolkit.
High-confidence behaviors in the content include SMB-based lateral movement through the ADMIN$ share, either by copying a binary and launching it remotely (the psexec.py pattern) or by creating a service whose binary path is a cmd.exe one-liner (the smbexec.py pattern); WMI-based remote execution through wmiexec.py; credential dumping of SAM account hashes, LSA secrets and cached credentials through remote registry interfaces and other LSASS-adjacent sources; harvesting NTDS.DIT from domain controllers and decrypting it locally, which requires the SYSTEM hive's boot key; DCSync-style abuse of Active Directory replication (secretsdump.py -just-dc, which speaks the Directory Replication Service remote protocol, MS-DRSR); and general Windows network protocol interaction. Several sources emphasize a sharp rise in abuse: Sophos states that Impacket became the most abused tool in 2024, with wmiexec.py appearing in 35% of attacks in its dataset.
The primary target environment described is enterprise Windows infrastructure after initial compromise: domain-joined systems, domain controllers, file servers, database servers and SharePoint servers, as well as critical-infrastructure and managed-service environments. Sectors explicitly mentioned in associated campaigns include healthcare (both in APT and in ransomware reporting), defense, aerospace, finance, maritime, biotechnology, energy, government, manufacturing, education, construction, IT and critical infrastructure in North America.
Detection-relevant indicators and artifacts directly mentioned in the content include: command lines aligned with smbexec.py behavior, that is cmd.exe executions combining "/Q /c", "echo cd", a redirect to a file named "__output" on a UNC path to 127.0.0.1, and a short batch file under C:\Windows; service creation associated with SMB-exec activity; services whose names contain Unix epoch timestamps, observed by CERT Intrinsec in some Impacket-based execution; inbound RPC activity against the Remote Registry and Service Control Manager interfaces; and Defender hunting telemetry of type InboundRemoteRpcCall. Sophos protections listed in the content are ATK/Impacket-A through ATK/Impacket-E.
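As an added example (not code from the page's sources or from Impacket itself), the Python below runs the indicators above over a handful of constructed process-creation and service-install events. The smbexec pattern follows the page's description (cmd.exe /Q /c echo … redirected to \\127.0.0.1\<share>\__output plus a batch file under C:\Windows); the wmiexec pattern (cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<unix time> 2>&1, spawned by WmiPrvSE.exe) and the smbexec default service name BTOBTO are well-known defaults of those scripts but are not stated on this page. The event field names, hostnames and sample command lines are assumptions constructed for the example, not real telemetry.

```python
import re
from dataclasses import dataclass


# Minimal event shapes; the field names are our own, not a vendor schema.
@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str   # parent image path
    image: str    # child image path
    cmdline: str


@dataclass(frozen=True)
class ServiceEvent:
    host: str
    service_name: str
    image_path: str  # binPath as recorded at service installation


# smbexec.py: cmd.exe /Q /c echo <cmd> ^> \\127.0.0.1\<share>\__output 2^>^&1 > <...>.bat & ...
SMBEXEC_RE = re.compile(
    r"/Q\s+/c\s+echo\s.*\\\\127\.0\.0\.1\\[A-Za-z]\$\\__output.*\.bat", re.IGNORECASE)
# wmiexec.py: cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<unix time> 2>&1
WMIEXEC_RE = re.compile(
    r"/Q\s+/c\s.*1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d{10}(?:\.\d+)?\s+2>&1", re.IGNORECASE)
# Any standalone 10-digit run; has_epoch_timestamp() then checks it is a plausible Unix time
TEN_DIGITS_RE = re.compile(r"(?<!\d)\d{10}(?!\d)")


def classify_cmdline(cmdline: str) -> list[str]:
    """Return the Impacket script patterns a command line matches (possibly none)."""
    tags = []
    if SMBEXEC_RE.search(cmdline):
        tags.append("impacket_smbexec_cmdline")
    if WMIEXEC_RE.search(cmdline):
        tags.append("impacket_wmiexec_cmdline")
    return tags


def has_epoch_timestamp(name: str) -> bool:
    """True if the service name embeds a Unix epoch timestamp (roughly 2014..2036)."""
    return any(1_400_000_000 <= int(m.group()) <= 2_100_000_000
               for m in TEN_DIGITS_RE.finditer(name))


def hunt(procs, services):
    """Return (host, rule, evidence) triples for every indicator that fires."""
    findings = []
    for p in procs:
        for tag in classify_cmdline(p.cmdline):
            findings.append((p.host, tag, p.cmdline))
        # wmiexec calls Win32_Process.Create, so the shell's parent is WmiPrvSE.exe;
        # weak on its own (admin tooling does this too), useful as a corroborating signal.
        if p.parent.lower().endswith("wmiprvse.exe") and p.image.lower().endswith("cmd.exe"):
            findings.append((p.host, "cmd_spawned_by_wmiprvse", p.cmdline))
    for s in services:
        # smbexec installs a service whose binary path *is* the cmd one-liner
        if "impacket_smbexec_cmdline" in classify_cmdline(s.image_path):
            findings.append((s.host, "impacket_smbexec_service_imagepath", s.image_path))
        if has_epoch_timestamp(s.service_name):
            findings.append((s.host, "epoch_timestamp_service_name", s.service_name))
    return findings


# Constructed sample telemetry (not real logs): two Impacket-style executions, two benign.
SAMPLE_PROCS = [
    ProcEvent("ws01", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\execute.bat"
              r" & cmd.exe /Q /c C:\Windows\execute.bat & del C:\Windows\execute.bat"),
    ProcEvent("ws02", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1718035200.123456 2>&1"),
    ProcEvent("ws03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c echo hello"),
    ProcEvent("ws03", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\cmd.exe /Q /c C:\scripts\backup.bat"),
]
SAMPLE_SERVICES = [
    ServiceEvent("ws01", "BTOBTO",   # smbexec.py's default service name
                 r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %SYSTEMROOT%\execute.bat"
                 r" & %COMSPEC% /Q /c %SYSTEMROOT%\execute.bat & del %SYSTEMROOT%\execute.bat"),
    ServiceEvent("srv01", "1718035200", r"C:\Windows\Temp\x.exe"),   # epoch-named service
    ServiceEvent("srv01", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
]

if __name__ == "__main__":
    for host, rule, evidence in hunt(SAMPLE_PROCS, SAMPLE_SERVICES):
        print(f"{host:6} {rule:36} {evidence}")
```

The two regexes key on the redirect-to-localhost-share structure rather than on the batch or output file names alone, because both scripts let an operator rename those; the epoch check is deliberately bounded to a plausible date range so version-like numeric service names do not fire. Treat the WmiPrvSE.exe parent check as corroboration only and tune it against your own management tooling before alerting on it.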
Vulnerabilities exploited
2 CVEs correlated with this family across public research and vendor advisories.
Arctic Wolf observed a wave of CVE-2026-0257 exploitation activity in late May and early June 2026... CVE-2026-0257 is an authentication bypass vulnerability affecting Palo Alto Networks PAN-OS GlobalProtect and Prisma Access.
Impacket is a versatile, dual-use tool that uses Python-based scripts to exploit legitimate Windows services and protocols... threat actors frequently use psexec.py, smbexec.py, and wmiexec.py scripts within Impacket to execute code remotely on Windows systems without additional payloads or tools.
Groups observed using it
50 distinct threat actors attributed by public researchers.
For Managed Services, menuPass used a suite of malware including Sigloader, P8RAT, FYAnti, Impacket, and QuasarRat.
Microsoft also observed the use of PsExec and Impacket for lateral movement and the use of Group Policy Objects (GPO) to deploy the Warlock payload.
Impacket activity was detected in the organization’s network, indicating its use of Windows network protocol interactions. The observed command lines align with Impacket's smbexec script, enabling a semi-interactive shell via SMB.
When compromising Windows Domain Controller servers, the group harvested the NTDS.DIT file and leveraged the Impacket tool on the compromised DC to locally decrypt it.
During HomeLand Justice, threat actors used tools including Advanced Port Scanner, Mimikatz, and Impacket.
Additionally, Storm-1175 has leveraged Impacket for lateral movement. Impacket is a collection of open-source Python classes designed for working with network protocols, and it is popular with adversaries due to ease of use and wide range of capabilities.
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
4 techniques
This is the command syntax to PTH with wmiexec ... /usr/share/doc/python3-impacket/examples/wmiexec.py thm.loc/administrator@192.168.12.100 -hashes ...
After a successful connection, the NetrJobAdd() method is called, through which the scheduled task is added. It’s worth noting that to run the created task, we need to call a method from another interface listening on the same endpoint.
Persistence
2 techniques
Privilege Escalation
2 techniques
Credential Access
8 techniques
export KRB5CCNAME=Administrator@cifs_DC01.ctf.local@CTF.LOCAL.ccache /usr/share/doc/python3-impacket/examples/secretsdump.py -k -no-pass ctf.local/Administrator@DC01.ctf.local ... We have all the domain hashes.
Credential Access: LSASS Memory (T1003.001), Mimikatz, secretsdump.py
I then used my newly created thm\Mishky account to run secretsdump and DCSync the domain. /usr/share/doc/python3-impacket/examples/secretsdump.py -just-dc Mishky:Password123@192.168.11.100 ... Alternatively you can simply copy/paste mimikatz ... lsadump::dcsync /domain:thm.loc /all
ad_enum.py and related scripts use the impacket library to enumerate internal Active Directory environments over LDAP — pulling... credentials carelessly stored in account-description fields.
The four attacks we will demonstrate are: Weak Password Hashing: Cracking NTLM hashes to recover plaintext passwords; Pass-the-Hash: Authenticating with only the hash, no plaintext password required; Kerberoasting: Extracting and cracking service account credentials; Golden Ticket: Forging Kerberos tickets to impersonate any user
Golden Ticket Attacks: If an attacker obtains the KRBTGT account's password hash, they can forge TGS for any user in the domain, including Domain Admins, providing complete and persistent domain control.
Discovery
5 techniques
LDAP and SMB scripts enumerate servers, hostnames, and Windows systems.
If you want to probe RPC remotely, the data set we can get is dramatically reduced. There are literally two options: query the Endpoint Mapper service or brute force UUIDs of known interfaces and then their methods by OpNum. ... We can query the EpMapper service and find out the endpoints on which specific RPC interfaces are running... RpcMgmtEpEltInqBegin() to begin examining the list of endpoints from EpMapper and RpcMgmtEpEltInqNext() to get the next element of the list.
LDAP scripts query group membership, Domain Admins, DNSAdmins, and privileged-group indicators.
Lateral Movement
4 techniques
It’s worth noting that to run the created task, we need to call a method from another interface listening on the same endpoint. However, since it listens on the same endpoint, we can connect to the other interface using the alter_ctx() method of the DCERPC class.
smbclient.py thm.loc/claire:'Password123!'@192.168.11.51 ... shares use SHARE1 ... smbclient.py thm.loc/svc_printer:'password1!'@192.168.11.51 shares use SHARE5
I suggest uploading the file via nxc and launching it via dcomexec with the -nooutput flag. ... impacket-dcomexec.py -nooutput admin:admin@10.10.10.10 "c:\rpcmotion.exe"
A Python script recovered from the root of 217.144.189[.]136 serves as an exfiltration script built on the impacket library. Authentication to victim infrastructure via SMB pass-the-hash using hardcoded Administrator NTLM hashes targeted a Southeast Asian manufacturer...
IOCs tracked for this family
3 indicators (network infrastructure and file hashes) attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
86 sources tracked across advisories, community write-ups, and news.
A post-exploitation toolkit; the text mentions the smbexec module, used to connect to ADMIN$ over SMB, copy a binary and launch it on the remote system.
A post-exploitation toolkit used for hands-on-keyboard attacks, credential dumping, and lateral movement over Windows protocols including RPC.
Referenced through detection names as part of the toolset associated with the threat activity, likely for remote execution, credential abuse, or lateral movement in Windows environments.
A toolkit for network protocol interaction and post-exploitation activity, referenced in the listed protections associated with this threat.