Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Impacket is an open-source collection of tools for manipulating packets and network protocols such as Distributed Component Object Model (DCOM). An attacker with local administrator privileges can run commands with the SecretsDump tool to steal account names, account groups, password hashes and Kerberos keys and move laterally across the network.
Kill Chain
Risk Score
78
SecretsDump is a python script included with the Impacket toolset. An attacker that has obtained local administrator privileges can collect password hashes by specifying the MMCExec method in SecretsDump.
The MMCExec method interacts with the Microsoft Management Console (MMC) mmc20_application, which is a COM object that performs actions such as running remote commands on a Windows device. SecretsDump sends a DCOM request to invoke the mmc20_application COM object on a domain controller and run a series of Microsoft VSSAdmin tool commands that copy the contents of the NT Directory Services file (NTDS.dit), which contains Active Directory data such as users, groups, and password hashes.
Restrict RPC access in Windows firewall settings to only authorized IP addresses
Restrict file share access in Windows firewall settings to only authorized IP addresses
Do not allow remote access by users with local administrator credentials
Do not allow user or admin domain accounts to be in the local Administrator group
Require separate administrator credentials for different types of remote activity
Disable DCOM through the Windows Component Services (COM+) management tool
