Dissecting Impacket (Impacket-IoCs)

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://github.com/ThatTotallyRealMyth/Impacket-IoCs
• Blog Title: Dissecting Impacket (Impacket-IoCs)
• Suggested Section: Basic Forensic Methodology -> Baseline Monitoring (or a new subsection under Windows/AD such as 'Active Directory Methodology -> Detection & Fingerprinting Offensive Tooling (Impacket quirks)'; cross-link from NTLM and Kerberos sections)

🎯 Content Summary

Title/Type
“Dissecting Impacket” is a public detection-engineering reference (GitHub repo) that documents protocol-level and implementation-level Indicators of Compromise (IoCs) that fingerprint Impacket-driven activity beyond easy-to-change surface artifacts (filenames, service names, temp paths, command strings). The content is derived from the author’s notes during an internal rewrite/fork of Impacket, focusing on signals that often remain even if...

🔧 Technical Details

Protocol/implementation fingerprinting of offensive tooling: Instead of relying on operator-controlled artifacts (service names, file paths, script names), detect tools like Impacket by measuring how their library implementations construct/authenticate protocol traffic differently than Windows (Kerberos/NTLMSSP/SPNEGO/SMB/LDAP/DCE-RPC/WMI/DCOM). Practical examples of high-signal quirks include DCE/RPC auth_context_id = 79231 + ctx_id, DCE/RPC auth padding 0xff, SPNEGO wrapping differences (raw Kerberos AP-REQ placed in mechToken), SMB2/3 negotiate with ASCII-letter ClientGuid, non-compliant WMI namespace //./root/cimv2, and a hardcoded Kerberos nonce.

Cluster-based correlation to raise confidence: Treat weaker single features as scoring inputs and alert when multiple Impacket-like traits co-occur in the same host/user/session/time window (e.g., sparse AS-REQ etypes, unusual/missing Kerb...

🤖 Agent Actions

I’m mapping the repository first and checking existing Windows/forensics coverage so the Impacket fingerprinting content lands in the right page without duplicating what HackTricks already has.
I have the top-level layout. Next I’m narrowing candidate pages by searching for existing Impacket, Kerberos, NTLM, SMB, WMI, and baseline-monitoring coverage before picking a single file.
I’ve read the broad AD, Kerberos, NTLM, MSRPC, and PCAP pages. I’m checking the likely landing zones for any existing baseline-monitoring or fingerprinting language so I can avoid forcing this into the wrong section.
I’ve narrowed this to two realistic landing zones: the generic PCAP/Zeek page or the broad AD methodology page. I’m checking which one can absorb cross-protocol Impacket fingerprinting cleanly with the least duplication.
The best fit is src/windows-hardening/active-directory-methodology/README.md. The content is AD-centric, spans Kerberos/NTLM/SMB/LDAP/DCE-RPC/WMI, and the existing README already has a defensive section where a compact Impacket fingerprinting subsection can live without fragmenting the same idea across multiple files.

Plan:

• Add one new defensive subsection under ## Some General Defenses.
• Keep it concise and technical: explain library-level protocol fingerprinting, separate high-confidence vs correlation vs enrichment-only signals, and include baseline/telemetry caveats.
• Update the existing ## References section with the Impacket-IoCs source.
• Re-read the rendered markdown area and diff to make sure the new content is non-duplicative and only touches this single file.
  I’m editing the AD methodology README now. The change will stay in a single file and add one defensive subsection plus the new source reference, without touching NTLM/Kerberos pages separately.
  The section is in place. I’m doing a quick cleanup pass and then I’ll run diff/sanity checks so the single-file change stays clean.
  Updated README.md under ## Some General Defenses with a new Protocol-level fingerprinting of Impacket activity subsection. It adds concise, non-duplicative guidance on detecting Impacket via stable protocol quirks, separates high-confidence signals from cluster/scoring features and enrichment-only artifacts, and includes the baseline/telemetry caveats needed to operationalize it in AD environments.

I kept the change to this single file and appended the source repo to the existing ## References section. Validation is clean: the internal PCAP link target exists, the file still ends with the training banner, and git diff --check returned no issues.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://github.com/ThatTotallyRealMyth/Impacket-IoCs

Content Categories: Based on the analysis, this content was categorized under "Basic Forensic Methodology -> Baseline Monitoring (or a new subsection under Windows/AD such as 'Active Directory Methodology -> Detection & Fingerprinting Offensive Tooling (Impacket quirks)'; cross-link from NTLM and Kerberos sections)".

Repository Maintenance:

• MD Files Formatting: 972 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0