Impacket’s Atexec malicious execution


Attack technique

Technique name: Impacket’s Atexec Malicious Execution

MITRE ATT&CK

  • Tactic: Lateral Movement, Execution
  • Technique: Scheduled Tasks

Technique description
Impacket is a collection of tools that make it convenient to use various network protocols for lateral movement. One of them is Atexec, which executes commands remotely by creating a scheduled task on the target host over the SMB protocol.

Attackers (mainly from China and Korea) make extensive use of the Impacket tools, and of Atexec specifically, for malware distribution and lateral movement.

Detecting the use of this tool is useful for identifying both real attacks and penetration testing/red team assessments.

Atexec has been observed in the wild many times, and its usage tends to show the following repetitive patterns:

  • Creation of a scheduled task whose name is an 8-character mixed-case alphabetic string.
  • Execution of the scheduled task launches cmd.exe on the victim host with a command line that redirects output to a “.tmp” file.
    • In the wild example #1 (DFIR Report): cmd.exe /C net group /domain > C:\Windows\Temp\aWatKmSa.tmp 2>&1
    • In the wild example #2 (DFIR Report): cmd.exe /C powershell Get-MpComputerStatus > C:\Windows\Temp\KMzFGwGn.tmp 2>&1

References
Here are multiple data sources related to the abuse of Impacket’s Atexec:

Threat hunting theses breakdown

In this threat hunting campaign, we looked at multiple characteristics known to be related to Impacket’s Atexec usage, drawing also on “in the wild” examples.
The campaign included multiple threat-hunting theses; here is the full breakdown:

Thesis A: Identification of command line that includes Atexec.py

Relevant data sources:

  • Main data source: EDR Logs
  • Complementary data sources: -

Thesis explanation
In this hunting thesis, we hunted for process executions whose command line included atexec.py. This is a very straightforward thesis, intended to capture clear evidence of atexec usage on hosts that have an EDR agent installed.

Blind spots

  • Cases in which the tool had been renamed before execution.
  • There was no EDR agent installed on the host from which the execution had been conducted.

Thesis B: Creation of scheduled tasks with Atexec name pattern

Relevant data sources:

  • Main data source: EDR Logs
  • Complementary data sources: -

Thesis explanation
In this hunting thesis we looked for registrations of new scheduled tasks whose names match the default Atexec naming convention.
By default, Atexec always registers scheduled tasks with the following characteristics:

  • “\” followed by an 8-character string
  • The 8-character string consists of mixed-case alphabetic characters (A-Z, a-z).

For example, this is a potential name of Atexec scheduled Task: “\AjiPKonR”.

Note

The scheduled task names might be logged slightly differently by different EDR vendors. Hence, we used multiple queries, separating them by EDR vendors.

Blind spots
Cases in which the attacker modified the tool to change the pattern used for scheduled task naming.

Thesis C: Atexec’s payload - command-line characteristics combined with relevant process’ parent-child relationship (victim host)

Relevant data sources:

  • Main data source: EDR Logs
  • Complementary data sources: -

Thesis explanation
In this hunting thesis, we looked for executions of cmd.exe as a child process of either svchost.exe or taskeng.exe, where the cmd.exe command line included both the \windows\temp path and the redirection of standard error to standard output (2>&1). All of the above are characteristics of a normal (non-stealth-mode) Atexec execution.

Blind spots
Stealth-mode execution. In those cases, the scheduled task created by Atexec does not run cmd.exe as part of its command line, so it can lead to the execution of any other binary.
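Thesis B (naming pattern) and Thesis C (parent-child relationship plus command-line characteristics) expressed as detection logic, added here as an example; it is not one of Team Axon's hunting queries. The event field names, the word-like triage heuristic, and the sample events are this example's assumptions. The in-the-wild examples above also use the 8-letter pattern for the .tmp file name, so the block checks that name with the Thesis B matcher as an extra signal.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Thesis B: a default atexec task name is "\" followed by exactly 8 letters (A-Z, a-z).
# The leading backslash is optional because EDR vendors log the name differently.
TASK_NAME_RE = re.compile(r"^\\?[A-Za-z]{8}$")

# Thesis C: cmd.exe launched by the Task Scheduler host process (svchost.exe or taskeng.exe),
# redirecting output to a .tmp file under \Windows\Temp and merging stderr into stdout (2>&1).
SCHEDULER_PARENTS = {"svchost.exe", "taskeng.exe"}
TEMP_REDIRECT_RE = re.compile(
    r">\s*(?:[A-Za-z]:)?\\windows\\temp\\([^\s\\]+)\.tmp\b.*\b2>&1", re.IGNORECASE
)


def is_atexec_task_name(name: str) -> bool:
    """Thesis B: does the task name follow the default atexec naming convention?"""
    return TASK_NAME_RE.match(name) is not None


def camel_segments(name: str) -> List[str]:
    """Split a name at upper-case boundaries: 'JustTest' -> ['Just', 'Test']."""
    return [s for s in re.findall(r"[A-Z]?[a-z]*", name.lstrip("\\")) if s]


def looks_word_like(name: str) -> bool:
    """Triage heuristic (this example's assumption, not from the page): if every camel-case
    segment is three or more letters the name reads like joined words ('JustTest'), while a
    random mixed-case string almost always yields one- or two-letter segments
    ('AgrWTkaO' -> 'Agr', 'W', 'Tka', 'O'). Use it to rank hits, never to drop them."""
    return all(len(seg) >= 3 for seg in camel_segments(name))


def match_payload(parent: str, image: str, cmdline: str) -> Optional[str]:
    """Thesis C: return the .tmp basename if the process looks like an atexec payload, else None."""
    if image.lower() != "cmd.exe" or parent.lower() not in SCHEDULER_PARENTS:
        return None
    m = TEMP_REDIRECT_RE.search(cmdline)
    return m.group(1) if m else None


def hunt(events: List[Dict[str, Any]]) -> List[Tuple[str, str, str]]:
    """Run both theses over EDR-style events and return (thesis, host, detail) tuples for triage."""
    hits: List[Tuple[str, str, str]] = []
    for ev in events:
        if ev["type"] == "task_registered" and is_atexec_task_name(ev["task_name"]):
            rank = "less likely (word-like)" if looks_word_like(ev["task_name"]) else "likely (random)"
            hits.append(("B", ev["host"], f"{ev['task_name']} registered by {ev['user']}: {rank}"))
        elif ev["type"] == "process":
            tmp = match_payload(ev["parent"], ev["image"], ev["cmdline"])
            if tmp is not None:
                hits.append(("C", ev["host"],
                             f"{ev['cmdline']} (tmp name {tmp}, atexec-style: {is_atexec_task_name(tmp)})"))
    return hits


# Constructed sample events; field names are this example's assumptions, not a vendor schema.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"type": "task_registered", "host": "FS-01", "user": "corp\\jdoe", "task_name": "\\AjiPKonR"},
    {"type": "task_registered", "host": "FS-01", "user": "corp\\admin", "task_name": "\\JustTest"},
    {"type": "task_registered", "host": "FS-01", "user": "corp\\admin", "task_name": "\\Backup-Nightly"},
    {"type": "process", "host": "FS-01", "parent": "svchost.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /C net group /domain > C:\Windows\Temp\aWatKmSa.tmp 2>&1"},
    {"type": "process", "host": "FS-01", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /C dir > C:\Windows\Temp\QwErTyUi.tmp 2>&1"},
    {"type": "process", "host": "FS-01", "parent": "taskeng.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /C powershell Get-MpComputerStatus > C:\Windows\Temp\KMzFGwGn.tmp 2>&1"},
    {"type": "process", "host": "FS-01", "parent": "svchost.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /C dir > C:\Windows\Temp\out.txt 2>&1"},
]

if __name__ == "__main__":
    for thesis, host, detail in hunt(SAMPLE_EVENTS):
        print(f"[{thesis}] {host}: {detail}")
```

Run as a script it prints two Thesis B hits (the second ranked as word-like) and two Thesis C hits; the explorer.exe child and the non-.tmp redirection are left alone, which mirrors the stealth-mode blind spot: a task that does not go through cmd.exe produces no Thesis C hit at all and has to be caught by Thesis B.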

Recommended investigation flow

When identifying a scheduled task whose name matches the Atexec naming convention, we can look at multiple things to confirm it is a true positive and to investigate it:

  • Does the name of the scheduled task actually look like a random 8-character mixed-case alphabetic string, or does it only “accidentally” fit this convention? For example, was it “AgrWTkaO” (more likely Atexec) or “JustTest” (less likely)?
  • Look for the command executed by the scheduled task.
    • Does it have characteristics that might indicate Atexec usage?
    • What does the scheduled task do? This gives an indication of the attacker’s intentions.
  • Look for the user account used to register the scheduled task.
    • Where has it been used recently across the organizational network? Try to identify the source host from which Atexec was executed (identify lateral movement).
    • Are there any other characteristics related to it that might indicate malicious activity (EDR alerts, suspicious executions, suspicious DNS requests, etc.)?

When identifying a suspicious execution of cmd.exe that aligns with the characteristics of Atexec execution on the target/victim host:

  • Look for the command executed. What can it tell you about the attacker’s intentions (recon, lateral movement, etc.)?
  • Was a scheduled task registered before the execution? If so, verify which user account was used to register it, and try to determine the host from which Atexec was executed.
  • An Atexec scheduled task can run any command the attacker chooses, so look for child processes of the executed process.
    • If the execution was used to establish a reverse-shell connection, look for the processes related to it and build a process tree of potentially related activity.
  • Map all recent logon events and executions by the user account that created the scheduled task and/or ran the atexec tool: identify all hosts this user accessed before the suspicious/malicious execution and compare them with the user’s previous logon activity. This can reveal when the account was compromised.
  • Were there any suspicious connections to and/or from the host of interest over ports known to be used for lateral movement (445, 3389, 5985, 22, etc.)?
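The investigation flow above turned into a correlation routine, added as an example and not part of the campaign's queries. It starts from a flagged task name and walks the steps in order: the registering account, the likely source host (the account's last logon on the victim just before the registration), connections from that source over the lateral-movement ports listed above, the payload process chain spawned by the task, and the account's earlier logon history, so that a source host the account had never logged on from before stands out. The event schema, the five-minute window, and the timeline are constructed assumptions.

```python
from datetime import datetime, timedelta
from typing import Any, Dict, List, Optional, Set

Event = Dict[str, Any]
SCHEDULER_PARENTS = {"svchost.exe", "taskeng.exe"}
LATERAL_PORTS = {445, 3389, 5985, 22}   # ports the page lists for lateral movement
WINDOW = timedelta(minutes=5)           # assumed correlation window around the registration


def _ts(ev: Event) -> datetime:
    return datetime.fromisoformat(ev["ts"])


def find_task_registration(events: List[Event], task_name: str) -> Optional[Event]:
    """The scheduled-task registration that triggered the hunt (earliest match by name)."""
    for ev in sorted(events, key=_ts):
        if ev["type"] == "task_registered" and ev["task_name"] == task_name:
            return ev
    return None


def likely_source_host(events: List[Event], reg: Event) -> Optional[str]:
    """Source host of the most recent logon by the registering account on the victim host
    shortly before the registration: the host Atexec was most likely run from."""
    t0 = _ts(reg)
    logons = [ev for ev in events
              if ev["type"] == "logon" and ev["user"] == reg["user"] and ev["host"] == reg["host"]
              and t0 - WINDOW <= _ts(ev) <= t0]
    return max(logons, key=_ts)["src_host"] if logons else None


def task_payload_chain(events: List[Event], reg: Event) -> List[Event]:
    """cmd.exe started by the Task Scheduler host on the victim after the registration, plus its
    descendants. Descendants are chained by parent image name for brevity; real EDR data should
    be chained by process id so that unrelated cmd.exe children are not pulled in."""
    t0 = _ts(reg)
    chain: List[Event] = []
    seen_images: Set[str] = set()
    for ev in sorted(events, key=_ts):
        if ev["type"] != "process" or ev["host"] != reg["host"]:
            continue
        if not t0 <= _ts(ev) <= t0 + WINDOW:
            continue
        is_root = ev["image"].lower() == "cmd.exe" and ev["parent"].lower() in SCHEDULER_PARENTS
        if is_root or ev["parent"].lower() in seen_images:
            chain.append(ev)
            seen_images.add(ev["image"].lower())
    return chain


def lateral_connections(events: List[Event], src: str, dst: str, t0: datetime) -> List[Event]:
    """Connections from the suspected source to the victim over lateral-movement ports just
    before the registration (SMB on 445 is what Atexec itself uses)."""
    return [ev for ev in events
            if ev["type"] == "netconn" and ev["src_host"] == src and ev["dst_host"] == dst
            and ev["dst_port"] in LATERAL_PORTS and t0 - WINDOW <= _ts(ev) <= t0]


def investigate(events: List[Event], task_name: str) -> Optional[Dict[str, Any]]:
    """Walk the investigation flow for one suspicious task name and return the findings."""
    reg = find_task_registration(events, task_name)
    if reg is None:
        return None
    t0, user, victim = _ts(reg), reg["user"], reg["host"]
    src = likely_source_host(events, reg)
    # Logon history of the account well before the incident: which hosts it touched and from
    # where. A source host never seen before hints at when the account was compromised.
    earlier = [ev for ev in events
               if ev["type"] == "logon" and ev["user"] == user and _ts(ev) < t0 - WINDOW]
    known_sources = {ev["src_host"] for ev in earlier}
    ports = sorted({ev["dst_port"] for ev in lateral_connections(events, src, victim, t0)}) if src else []
    return {
        "task": task_name, "victim": victim, "account": user,
        "source_host": src,
        "source_is_new_for_account": src is not None and src not in known_sources,
        "lateral_ports": ports,
        "payload": [ev["cmdline"] for ev in task_payload_chain(events, reg)],
        "account_prior_hosts": {ev["host"] for ev in earlier},
    }


# Constructed timeline; field names are this example's assumptions, not a vendor schema.
EVENTS: List[Event] = [
    {"ts": "2024-03-01T09:00:00", "type": "logon", "user": "corp\\jdoe", "host": "WS-017", "src_host": "WS-017"},
    {"ts": "2024-03-01T11:30:00", "type": "logon", "user": "corp\\jdoe", "host": "FS-01", "src_host": "WS-017"},
    {"ts": "2024-03-02T01:58:00", "type": "netconn", "src_host": "WS-099", "dst_host": "FS-01", "dst_port": 445},
    {"ts": "2024-03-02T01:58:10", "type": "logon", "user": "corp\\jdoe", "host": "FS-01", "src_host": "WS-099"},
    {"ts": "2024-03-02T01:58:12", "type": "task_registered", "user": "corp\\jdoe", "host": "FS-01", "task_name": "\\AjiPKonR"},
    {"ts": "2024-03-02T01:58:13", "type": "process", "host": "FS-01", "parent": "svchost.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /C net group /domain > C:\Windows\Temp\aWatKmSa.tmp 2>&1"},
    {"ts": "2024-03-02T01:58:13", "type": "process", "host": "WS-017", "parent": "svchost.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /C whoami"},
    {"ts": "2024-03-02T01:58:14", "type": "process", "host": "FS-01", "parent": "cmd.exe", "image": "net.exe",
     "cmdline": "net group /domain"},
]

if __name__ == "__main__":
    for key, value in (investigate(EVENTS, "\\AjiPKonR") or {}).items():
        print(f"{key}: {value}")
```

On the constructed timeline the routine attributes the task to corp\jdoe, names WS-099 as the source host, notes that the account had only ever logged on from WS-017 before (so WS-099 is new for it), finds the preceding SMB connection on 445, and lists the cmd.exe payload with its net.exe child. The unrelated cmd.exe on WS-017 is excluded because the chain is scoped to the victim host.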

Threat hunting queries

The following links include threat hunting queries for Atexec characteristics.
These are among the queries used by Team Axon as part of the threat-hunting campaign (with timeframe adjustments).

  • Hunting Query A - Identification of source hosts from which Atexec was executed.
  • Hunting Queries B1, B2, B3 - Identification of Atexec Scheduled Tasks that had been registered on victim hosts.
  • Hunting Query C - Identification of Atexec Command-line Characteristics combined with Relevant Process’ Parent-Child Relationship.