Breaking Through Encrypted East-West Traffic
September 15, 2025
How to Detect Impacket’s Hidden Lateral Movement
“We’ve been breached! We know some of the hosts, and have identified the initial attack vector. However, we’re blind to what they are doing now. We see some logs in our SIEM but we’re clearly missing something!”
As the cat-and-mouse game between attackers and defenders has intensified, adversaries have increasingly turned to living-off-the-land (LOTL) techniques, using tools already inside the network to achieve their goals.
The logic is that malicious activity is harder to detect or distinguish when it blends in with normal activity. As a result, adversaries are increasingly using PowerShell, Windows Management Instrumentation (WMI), and common administrative tools and utilities, such as PsExec and Netsh, as part of their tactics, techniques, and procedures (TTPs).
SOC analysts who rely solely on host-based solutions like EDR to catch adversaries have two choices: flood their detection queues with false positives or, worse, tune it all out.
Gone are the indicators most analysts have relied on to catch the bad guys: custom tools, rootkits, out-of-date signed drivers, and malware hashes. As attackers make their activity look just like that of any other user or administrator, analysts have to look elsewhere, beyond the host, and expand their detection surface to include the full internal network and its underlying protocols.
How Threat Actors Use Impacket Today
Impacket is an open-source collection of Python scripts originally created by SecureAuth in 2012 but currently hosted and maintained by Fortra. It is a popular tool among both penetration testers and adversaries, and was the second most detected threat in 2023 and 2024 according to Red Canary.
Its popularity is due to its versatility and because it simply works. Impacket implements low-level networking protocols, such as SMB, NetBIOS, and LDAP, and provides programmatic access to packets that allows adversaries to blend into the background noise. It is a go-to tool for anyone who wants to enumerate a network using already existing protocols to identify network shares and users, and to move laterally into other hosts on the network using common tools like WMIExec, SMBExec and PSExec, which are virtually indistinguishable from anything a network administrator would use.
Detecting Impacket and its many tools is critical in early response because it is most often used by adversaries as they attempt to escalate their privileges, perform reconnaissance for additional targets, and move laterally. Detecting the use of Impacket will enable you to limit the extent and impact of a breach.
Detecting Impacket
While Impacket has over 50 Python scripts, often referred to as tools, there are four that are used by adversaries the most: smbexec.py, wmiexec.py, psexec.py, and secretsdump.py.
SMBExec
MITRE ATT&CK: T1021: Remote Services, T1021.002: Remote Services: SMB/Windows Admin Shares; T1569: System Services, T1569.002: System Services: Service Execution; T1059.003: Command and Scripting Interpreter: Python

Fig 1. Diagram on the use of smbexec.py
Impacket’s smbexec.py script works by creating and deleting a temporary Windows service via SMB on the target machine for every command executed. The SMB protocol is used for communication and Windows Remote Procedure Calls (MSRPC) is used to control the services, allowing it to execute commands remotely without uploading a persistent binary.
The temporary services are created by calling the Service Control Manager (SCM) and authenticated using valid credentials, a password hash, or a Kerberos ticket. The service name is typically a randomly generated string to avoid patterned detections. The command is executed on service start and will typically redirect its output to a share the attacker has access to, such as C$ with normal user credentials.
As part of its execution flow, SMBExec will fetch the file and print it back on the attacker’s machine, then delete the file once printed and call the SCM to delete the service.

Fig 2. SMBExec session encrypted making detection impossible
As seen in a routine packet capture, the SMBExec setup, payload delivery, and file read are all encrypted. This is the default case for most east-west traffic since SMBv2, which makes detection difficult to impossible. Using RevealX with its native decryption capabilities, we can see the difference in the payload that allows us to detect it.

Fig 3. SMBExec decrypted using RevealX’s Packet Viewer to show the results file accessed on the C$ Share

Fig 4. The Binary Path containing the command line script that is executing is clearly visible.
Above you can see the decrypted traffic, which shows in clear text the Binary Path containing the command line the script is executing. It then pulls the results back from the C$ share where they were written.
In a real-world case as detailed by Mandiant in a blog post published in 2024, ransomware group BlackCat / ALPHV used Impacket’s smbexec.py for lateral movement. The threat actors used SMBExec to create a new local admin account named “Admin,” which they then added to the local administrator’s group on a different internal host. They then used RDP to leverage the new Admin account and access another system.
While Mandiant does not provide the exact commands, it is likely that the attackers executed commands very close to these:
net user Admin <password> /add
net localgroup administrators Admin /add
In encrypted traffic the details of the attacker's activity are lost, and the new user account could go undetected, leaving the attackers a second way in even if their initial intrusion path is mitigated and the compromise cleaned up.
WMIExec
MITRE ATT&CK: T1021: Remote Services, T1021.002: Remote Services: SMB/Windows Admin Shares, T1047: Windows Management Instrumentation (WMI), T1059.003: Command and Scripting Interpreter: Python

Fig 5. Diagram on the use of wmiexec.py
Impacket's wmiexec.py uses Windows Management Instrumentation (WMI) to remotely execute a command and redirect its output to a temporary file on the target machine's ADMIN$ share. It then reads the contents of this file over SMB and deletes it.
WMIExec requires valid user credentials with admin privileges, provided through a username and password, NTLM hash, or Kerberos token for authentication. However, once successfully authenticated, it provides a semi-interactive shell on the remote system.
WMIExec is slightly more cloaked than SMBExec because it uses RPC on port 135, then connects on a high TCP port to execute the call, and only reads the output file back over SMB.

Fig 6. The RPC Remote Create Instance data is encrypted, hiding the activity
As seen in the encrypted capture above, the RPC call to RemoteCreateInstance is visible, but all of its parameters are encrypted. This makes it impossible to tell apart from other WMIC commands run by any valid administrator.

Fig 7. WMIExec decrypted using RevealX’s Packet Viewer
Figure 7 shows WMIExec reading the results file written by the process that WMI spawned. The script connects via the ADMIN$ share to pull the results, similar to SMBExec.

Fig 8. WMIExec commands from RevealX’s Packet Viewer
Contrary to the other popular scripts mentioned in this article, wmiexec.py wasn’t added to Impacket until after its disclosure by Rapid7 in 2018.
It was very quickly adopted by threat actors, becoming the most popular script along with smbexec.py. Its popularity is likely due to being exceptionally stealthy and easily blending with legitimate administrative tasks. Contrary to the other scripts, it does not create new services or drop binaries to disk, allowing actors to remotely execute commands on the target system.
WMIExec has reportedly been used by APT actors from China (APT 20, APT41, Bronze Starlight, Moshen Dragon, and Velvet Ant), Russia (RomCom) and Iran (APT42), as well as several cybercrime actors, such as FIN8 and BlackCat/ALPHV.
In one of these instances, reported by Kaspersky in July 2025, an actor they attributed to APT41 (also known as Brass Typhoon (Microsoft) and Wicked Panda (CrowdStrike)) began their post-compromise activity by using Impacket's WMIExec, with the output of executed commands being written to a file on an admin network share. The observed command was:
cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1722785076.134465 2>&1
After running the command and another Impacket script, atexec, the attacker laid low in the network for a period before continuing the intrusion, eventually dropping a stealer and collecting sensitive data that was exfiltrated from the network via a compromised SharePoint server.
Kaspersky acknowledged that the investigation was difficult because not all hosts had their endpoint agent on them, leaving holes in their visibility. This is common; enterprises have servers and other devices that for one reason or another don't have endpoint protection and become blind spots without an NDR.
NDR provides a second vantage point to corroborate activity like the use of Impacket, providing visibility on hosts that lack endpoint protection or where attackers are able to evade it. In the encrypted traffic example above, you have no visibility into the command itself without decryption, which in turn means you miss the filename:
__1722785076.134465
This is a unique naming pattern: a double underscore followed by a Unix timestamp is distinctive of wmiexec, as legitimate Windows processes do not create files with this pattern.
In the case detailed by Kaspersky, an NDR with decryption would have seen the use of Impacket and alerted on the behavior potentially allowing the enterprise to halt the attack in its tracks.
PsExec
MITRE ATT&CK: T1021: Remote Services, T1569: System Services

Fig 9. Diagram on the use of psexec.py using Impacket
Impacket's psexec.py script works by replicating the functionality of the native Sysinternals PsExec tool for Windows. It uses the SMB protocol to create a Windows service on a remote host, upload a payload, and establish communication via a named pipe. This allows it to achieve interactive remote command execution.
This is in fact very similar to SMBExec; however, psexec.py creates named pipes (RemCom_stdin, RemCom_stdout, and RemCom_stderr) for interprocess communication. This removes the requirement to write results back to a file on a specific share.

Fig 10. Encrypted SMB traffic setting up a PsExec connection
When we view the attack traffic in Wireshark [Figure 10], we can see a successful SMB connection over TCP port 445, however, it is followed by encrypted SMB3 traffic. Most enterprises encrypt SMB traffic to defend against interception, man-in-the-middle (MitM) attacks, and relay attacks. Because of the encryption, there are no indications of an attack and the traffic looks no different from a normal SMB connection.

Fig 11. Unencrypted PsExec traffic creating the RemCom Named Pipe
In Figure 11, you can see the same traffic, but unencrypted and viewed in the RevealX Packet Viewer. The unencrypted traffic clearly shows indications of the use of psexec.py, establishing a connection to the ADMIN$ share followed by upload of an executable file to the target host and the creation of named pipes.
After a successful upload, the attacker is able to run remote commands on the victim machine, with standard input, output and error redirected through the named pipes.
SecretsDump
MITRE ATT&CK: T1021.003: Remote Services: DCOM, T1003.003: OS Credential Dumping: NTDS

Fig 12. Diagram on the use of secretsdump.py using Impacket
Impacket's secretsdump.py is a tool used to dump secrets from a remote machine. It first sets up an SMB session with the target, then issues an SCManager request for the "winreg" service, which opens the SAM and LSA secrets in the registry and writes the data into a randomly named file in Temp.

Fig 13. Encrypted SecretsDump command
Just like PsExec and SMBExec, the session is encrypted and detection is impossible.
As seen in Figure 14, once decrypted we can readily identify the traffic that is occurring, parse it, and detect the registry keys (HKEYs) being opened and the secrets being dumped. The attacker can now freely pivot to any host in the domain with the enumerated users, deepening their stranglehold on the network.

Fig 14. Decrypted command via RevealX Packet Viewer requesting to open the LSA key preparing to dump the hashes
Conclusions
As adversaries increasingly leverage legitimate, built-in tools like Impacket to move laterally across networks, they are able to hide in plain sight. This “living off the land” approach leaves critical blind spots for security teams, as their malicious commands and file transfers are often hidden within encrypted east-west traffic.
This is why a Network Detection and Response (NDR) solution is a necessity. By providing native decryption, ExtraHop RevealX shines a light into these dark corners of your network. It exposes the hidden commands and behaviours of threats like Kerberoasting, relay attacks, and Active Directory enumeration techniques performed using Impacket and similar tools. All of this would otherwise go undetected.
Detecting these advanced tactics is just one powerful example of the broader need for visibility into encrypted lateral movement. With RevealX, you gain the high-fidelity insights needed to detect threats early, accelerate your response, and prevent a minor incident from becoming a major breach.