Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Impacket is an open-source collection of tools for manipulating packets and network protocols such as SMB/CIFS. An attacker with local administrator privileges can run the SecretsDump tool to steal account names and cached credentials and move laterally across the network.
Kill Chain
Risk Score
78
Impacket is a toolset that includes SecretsDump, a python script that can remotely retrieve cached credentials from the Security Account Manager (SAM) and Local Security Authority (LSA) Windows registry hives. SAM is a database file that stores local accounts for the host. LSA stores plaintext passwords and credentials, such as credentials for service accounts.
An attacker that has obtained local administrator privileges can run SecretsDump to access SAM and LSA. The script sends a Microsoft remote procedure call (MS-RPC) command to dump cached credentials from the Windows registry hive into a temporary file. The attacker can then read the temporary file over SMB to retrieve credentials.
Disable or restrict NTLM authentication
Limit the caching of plaintext credentials by adding users to the Protected Users Active Directory security group
Limit the number of cached credentials stored in the Windows registry (HKLM\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\cachedlogonscountvalue)
Restrict file share access in Windows firewall settings to only authorized IP addresses
Do not allow remote access by users with local administrator credentials
Do not allow user or admin domain accounts in the local Administrator group
Require separate administrator credentials for different types of remote activity
