Impacket -> atexec.py
Original research credit: u0041
In this report we will learn about the “atexec” tool of Impacket, about what artifacts it generates, and what detection rules can be created based on those artifacts. As always, I recommend reading the entire original research at the top of the page.
TL;DR Summary
- atexec.py creates and runs an immediate scheduled task on a remote target over SMB in order to execute commands on that system. It works only on versions of Windows newer than Vista.
- Running “atexec.py” creates a task, runs it, and then deletes it immediately. The task name follows the regex pattern `\\[a-zA-Z]{8}` (a backslash followed by eight random letters).
- We also get a distinctive command-line pattern in “Process created” events on Windows that we can use for rule creation.
Windows Event Logs Artifacts
| Event ID | Channel | Details |
| --- | --- | --- |
| 106 | Microsoft-Windows-TaskScheduler/Operational | New task creation. This log contains the task name and the username used to create the task. |
| 110 | Microsoft-Windows-TaskScheduler/Operational | Task triggered by user. After creation, the task is triggered manually. |
| 141 | Microsoft-Windows-TaskScheduler/Operational | Task deleted. |
| 4624 | Security | Logon type 3 with the NTLM protocol; two logons occur, one for the task creation and a second for retrieving the results. |
| 4634 | Security | Logoff with the same logon ID as the logon event above. The time between the first logon and its logoff indicates the time taken to run the command. |
| 4698 | Security | New task creation. This log contains the task name and the username used to create the task. |
| 4699 | Security | Task deleted. |
| 1015 | Microsoft-Windows-SMBServer/Security | Contains the attacking (source) IP address. |
Detection Rules
| Rule Name | Description | Detection Logic |
| --- | --- | --- |
| ATExec Task Creation/Deletion within a short period | Detects ATExec task creation and deletion within a short timeframe, which is a confirmed artifact of ATExec. | “Task Created”: IF “Task Name” MATCH “\\[a-zA-Z]{8}” AND “Task Deleted”: IF “Task Name” MATCH “\\[a-zA-Z]{8}” WITHIN 1 MINUTE WITH SAME TASK NAME |
| ATExec Detected Output Redirection | This detection analytic identifies Impacket’s atexec.py script on a target host. atexec.py is run from an adversary’s machine to execute commands remotely on the victim via a scheduled task. The command is commonly executed by a non-interactive cmd.exe with the output redirected to an eight-character TMP file. | “Task Created”: IF “Command” INCLUDES ALL OF: (“cmd” && “/c” && “temp” && “>” && “2>&1”) |
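The two rules above, implemented over parsed Security 4698/4699 events as an added example (not code from the original research or from Impacket). The event dictionaries, task names and user names are constructed sample data, and the field names `event_id`, `time`, `task_name`, `user` and `command` are assumptions about how a log pipeline would present these events.

```python
import re
from datetime import datetime, timedelta

# Task names created by atexec.py: a backslash followed by eight random letters.
TASK_NAME_RE = re.compile(r"^\\[a-zA-Z]{8}$")
# Output-redirection tokens from the second rule (cmd /c ... > ...temp... 2>&1).
REDIRECT_TOKENS = ("cmd", "/c", "temp", ">", "2>&1")

def is_atexec_task_name(name):
    return bool(TASK_NAME_RE.match(name))

def has_output_redirection(command):
    c = command.lower()  # case-insensitive match on the whole command line
    return all(tok in c for tok in REDIRECT_TOKENS)

def correlate_task_lifecycle(events, window=timedelta(minutes=1)):
    """Return tasks whose 4698 (created) and 4699 (deleted) events share an
    atexec-style name and fall within `window` of each other (rule 1), and flag
    whether the creation command shows the redirection pattern (rule 2)."""
    created = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        name = ev["task_name"]
        if not is_atexec_task_name(name):
            continue
        if ev["event_id"] == 4698:
            created[name] = ev
        elif ev["event_id"] == 4699 and name in created:
            start = created.pop(name)
            if ev["time"] - start["time"] <= window:
                hits.append({"task_name": name, "user": start["user"],
                             "created": start["time"], "deleted": ev["time"],
                             "redirect": has_output_redirection(start.get("command", ""))})
    return hits

# Constructed sample events (not real telemetry), shaped like Security 4698/4699.
SAMPLE_EVENTS = [
    {"event_id": 4698, "time": datetime(2024, 1, 1, 10, 0, 0), "task_name": "\\mKqWzYbR",
     "user": "LAB\\admin",
     "command": r"cmd.exe /C whoami > C:\Windows\Temp\mKqWzYbR.tmp 2>&1"},
    {"event_id": 4699, "time": datetime(2024, 1, 1, 10, 0, 3), "task_name": "\\mKqWzYbR", "user": "LAB\\admin"},
    {"event_id": 4698, "time": datetime(2024, 1, 1, 11, 0, 0), "task_name": "\\Backup Job",
     "user": "LAB\\svc", "command": r"C:\Scripts\backup.bat"},
    {"event_id": 4699, "time": datetime(2024, 1, 1, 11, 0, 5), "task_name": "\\Backup Job", "user": "LAB\\svc"},
    # Matching name, but deleted well outside the one-minute window: not a hit.
    {"event_id": 4698, "time": datetime(2024, 1, 1, 12, 0, 0), "task_name": "\\QpLdNvXa", "user": "LAB\\ops", "command": "notepad.exe"},
    {"event_id": 4699, "time": datetime(2024, 1, 1, 12, 5, 0), "task_name": "\\QpLdNvXa", "user": "LAB\\ops"},
]
```

Running `correlate_task_lifecycle(SAMPLE_EVENTS)` yields a single hit for `\mKqWzYbR` with `redirect` set, while the legitimately named task and the slow-deleted task are ignored.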