Detection rules › Splunk
Impacket atexec.py Execution (Sysmon)
Impacket's atexec.py is a tool designed for executing commands on a target system via the Windows Task Scheduler to run arbitrary commands with the privileges of the account under which the scheduler is running, often providing a method for remote command execution which can be used by attackers during post-exploitation activities. This use case process creation events matching characteristics of Impacket atexec.py executions.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1053.005 Scheduled Task/Job: Scheduled Task, T1059.003 Command and Scripting Interpreter: Windows Command Shell |
| Persistence | T1053.005 Scheduled Task/Job: Scheduled Task |
| Privilege Escalation | T1053.005 Scheduled Task/Job: Scheduled Task |
| Stealth | T1027 Obfuscated Files or Information |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
Rule body yaml
id: '29739.53745'
title: Impacket atexec.py Execution
description: Impacket's atexec.py is a tool designed for executing commands on a target
system via the Windows Task Scheduler to run arbitrary commands with the privileges
of the account under which the scheduler is running, often providing a method for
remote command execution which can be used by attackers during post-exploitation
activities. This use case process creation events matching characteristics of Impacket
atexec.py executions.
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=1) OR "<EventID>1<")
("cmd.exe" OR "powershell.exe" OR "pwsh.exe") " /c " "\\Windows\\Temp" ("2>&1"
OR "2&>1") | regex parent_process="(?i)Temp\x5c[A-Za-z]{8}\.tmp" | table _time,
host, user, process, parent_process_name, process_* | bin span=1s | stats values(*)
as * by _time, host '
techniques:
- execution:scheduled task/job
- execution:command and scripting interpreter
- execution:scheduled task/job:scheduled task
- persistence:scheduled task/job:scheduled task
- privilege-escalation:scheduled task/job:scheduled task
- execution:command and scripting interpreter:windows command shell
- defense-evasion:obfuscated files or information
technique_id:
- T1053
- T1059
- T1053.005
- T1059.003
- T1027
data_category:
- Windows Sysmon
- Process command-line parameters
references:
- https://u0041.co/blog/post/1
- https://github.com/fortra/impacket/blob/master/examples/atexec.py
- https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=1) OR "<EventID>1<") ("cmd.exe" OR "powershell.exe" OR "pwsh.exe") " /c " "\\Windows\\Temp" ("2>&1" OR "2&>1")
Stage 2: regex
| regex parent_process="(?i)Temp\x5c[A-Za-z]{8}\.tmp"
Stage 3: table
| table _time, host, user, process, parent_process_name, process_*
Stage 4: bucket
| bin span=1s
Stage 5: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
parent_process | regex_match |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>1<" |
| 1 | "cmd.exe" |
| 1 | "powershell.exe" |
| 1 | "pwsh.exe" |
| 1 | " /c " |
| 1 | "\\Windows\\Temp" |
| 1 | "2>&1" |
| 1 | "2&>1" |