Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Impacket is an open-source collection of tools for manipulating packets and network protocols such as SMB. An attacker with local administrator privileges can run commands with the SMBExec tool to compromise remote devices, helping the attacker move laterally across the network.
Kill Chain
Risk Score
78
SMBExec is a python script included in the Impacket toolset. SMBExec creates a semi-interactive shell process that can start services on a remote device. Attacks with SMBExec, where commands are hidden in Windows service requests, can be difficult to detect because the attack does not require a malware download.
An attacker that has obtained local administrator privileges inside the network identifies a victim device they want to compromise. The attacker runs SMBExec, which sends an RPC request over SMB to the victim. This request opens Microsoft Service Control Manager (SCM), starts a new service with the default name BTOBTO, and instructs the service to run a command contained within the request. The service directs the output of the command to a temporary file and then the attacker retrieves the file. Finally, SMBExec deletes the file and the service to hide evidence of compromise.
Restrict file share access in Windows firewall settings to only authorized IP addresses
Do not allow remote access by users with local administrator credentials
Do not allow domain user accounts to be in the local Administrator group
Require separate administrator credentials for different types of remote activity
