aalfaifi Aug 15, 2020 19:39 0 0

Impacket Remote Execution Tools - smbexec.py

smbexec.py is a script that comes with Impacket. It allows remote code execution through a semi-interactive shell by creating services that execute commands sent by the attacker. This blog post is a post from a series of posts to analyze Impacket remote execution tools (the previous post was the analysis of the atexec.py). In this blog post we will take a look at how this tool work, analyze it's artifacts and write Rhaegal rules to automate detection. 

Lab Environment

This lab environment does not have any kind of additional monitoring or logging (the default config) to simulate worst case scenario. The following table lists the lab environment specifications:

HostnameIPOperating SystemRole
LAB-DC01 10.10.10.2Microsoft Windows Server 2012 R2 Standard

Domain Controller (lab.com)

PC10.10.10.138
KaliAttacking Machine
The user used for remote code execution is dcadmin which is a Domain Admin user.

Analysis

You can download Impacket along with smbexec.py from HERE. Let's start by executing the following command:

After executing this command a connection will be established with the remote server and three Windows Event Logs will be recorded, The first is successful login (Security Event ID 4624) with the login type 3. The second is a service creation on the System log with the Event ID 7045. Finally an event in the System log with the Event ID 7009. The following is the service creation event in the System log (Event ID 7045):


The service name is set to BTOBTO which is a hard coded service name. The Service File Name or the binPath for the service is the command to be executed. The above command will do the following:

  1. Write the command cd > \\127.0.0.1\C$\__output 2> &1 to the file %TEMP%\execute.bat which is C:\windows\temp\execute.bat because it is running as SYSTEM.
  2. Execute C:\windows\temp\execute.bat.
  3. Delete C:\windows\temp\execute.bat.
  4. Get command results from C:\__output ( same as \\127.0.0.1\C$\__output).
  5. Delete C:\__output.

When you first connect cd will be executed so it will show up as the current working directory on the semi-interactive shell (C:\windows\system32 in this case). Some time the command will fail before clean up which will result in the file execute.bat and __output not being deleted. In this example I ran the command ping -n 50 127.0.0.1 that crashed smbexec.py with the following error message:

If we go to the server we can see the file execute.bat and __output still on the system:

The file execute.bat will contain the full command executed:

And the file __output will contain the results for execute.bat:

Keep in mind all of these name BTOBTO, __output and executable.bat could be changed easily. The following is a snippet from the source code for smbexec.py:

  1. # TRUNCATED
  2. OUTPUT_FILENAME = '__output'
  3. BATCH_FILENAME = 'execute.bat'
  4. SMBSERVER_DIR = '__tmp'
  5. DUMMY_SHARE = 'TMP'
  6. SERVICE_NAME = 'BTOBTO'
  7. # TRUNCATED

The service name can also be changed using the switch -service-name.

Artifacts

The following is all artifacts generated by smbexec:

Windows Event Logs

Event IDChannelDetails
4624SecuritySuccessful login with the login type 3. You can find the source IP and username user.
4634SecuritySuccessful logoff with the same login id as the successful login above. This log along with the above log will show the semi-interactive shell session time.
4672SecuritySpecial privileges assigned to new logon. The logon ID is the same as the one in the event 4624.
7045System

A new service will be created that contains the attacker command in the binPath field. By default the service name is BTOBTO. This event contains the most important data:
1. Malicious Service name
2. The command executed.
3. The user that executed this command (You can find the user SID in the XML view in System > Security > UserID).
4. The time when the command executed (Event time).

7009SystemA timeout was reached with the same service name.

File System (MFT)

PathDetails
C:\windows\temp\execute.batThe command to be executed will be written here. The default file name is execute.bat.
C:\__outputThis file contains the command results. The default file name is __output.

Rhaegal Rules

  1. private SMBExecServiceCreated
  2. {
  3. metadata:
  4. author: "AbdulRhman Alfaifi"
  5. reference: "internal research"
  6. creationDate: "10/08/2020"
  7. score: 200
  8. description: "Detected remote execution tool smbexec.py"
  9. Channel: "System"
  10. include:
  11. EventID: "7045"
  12. returns:
  13. - "Data.ServiceName"
  14. - "Data.ImagePath"
  15. - "Security.UserID"
  16. - "Channel"
  17. }
  18. private SMBExecServiceTimeout
  19. {
  20. metadata:
  21. author: "AbdulRhman Alfaifi"
  22. reference: "internal research"
  23. creationDate: "10/08/2020"
  24. score: 200
  25. description: "Detected remote execution tool smbexec.py"
  26. Channel: "System"
  27. include:
  28. EventID: "7009"
  29. returns:
  30. - "Data.param2"
  31. - "Channel"
  32. }
  33. public SMBExecDetected
  34. {
  35. metadata:
  36. author: "AbdulRhman Alfaifi"
  37. reference: "internal research"
  38. creationDate: "10/08/2020"
  39. score: 200
  40. description: "Detected remote execution tool smbexec.py"
  41. include:
  42. rule:
  43. - "SMBExecServiceCreated"
  44. - "SMBExecServiceTimeout"
  45. if:
  46. within: 500
  47. }
  48. public SMBExecSessionStarted
  49. {
  50. metadata:
  51. author: "AbdulRhman Alfaifi"
  52. reference: "internal research"
  53. creationDate: "10/08/2020"
  54. score: 200
  55. description: "Detected remote execution tool smbexec.py"
  56. Channel: "System"
  57. include:
  58. EventID: "7045"
  59. Data.ImagePath: "*echo cd*"
  60. returns:
  61. - "Data.ServiceName"
  62. - "Data.ImagePath"
  63. - "Security.UserID"
  64. - "Channel"
  65. }

The above is two Rhaegal rules:

  1. SMBExecDetected: This is a public rule that contains two private rules (SMBEexecServiceCreated and SMBExecServiceTimeout) which will detect all command executed even if the default names changed.
  2. SMBExecSessionStart: This is a single public rule that detects echo cd in the service image path value which indicates the beginning of the session.

These rules has been added to Rhaegal Github repo, You can try this rule along with the other rules from HERE.



Comments

No Comments - Yet 😁

Write a comment

You need to login to write comments - you can login from HERE or register from HERE