smbexec.py is a script that ships with Impacket. It provides remote code execution through a semi-interactive shell by creating a Windows service whose binPath is the command sent by the attacker. This blog post is part of a series analyzing the Impacket remote execution tools (the previous post covered atexec.py). In this post we will look at how the tool works, analyze the artifacts it leaves behind, and write Rhaegal rules to automate detection.
The lab environment has no additional monitoring or logging beyond the default configuration, to simulate the worst-case scenario. The following table lists the lab environment specifications:
| Hostname | IP | Operating System | Role |
|---|---|---|---|
| LAB-DC01 | 10.10.10.2 | Microsoft Windows Server 2012 R2 Standard | Domain Controller (lab.com) |
| PC | 10.10.10.138 | Kali | Attacking Machine |
You can download Impacket along with smbexec.py from HERE. Let's start by executing the following command:
After executing this command a connection is established with the remote server and three Windows event log entries of interest are recorded. The first is a successful logon (Security Event ID 4624) with logon type 3 (network). The second is a service creation in the System log (Event ID 7045). The third is Event ID 7009 in the System log: the binPath is a cmd.exe one-liner rather than a real service binary, so it never reports back to the Service Control Manager and the service start times out. The following is the service creation event in the System log (Event ID 7045):
The service name is BTOBTO, which is a hard-coded default. The Service File Name (the binPath of the service) is the command to be executed. The above command does the following:
When you first connect, cd is executed so that the current working directory shows up as the prompt of the semi-interactive shell (C:\windows\system32 in this case). Sometimes the command fails before cleanup, which leaves the files execute.bat and __output on the system. In this example I ran the command ping -n 50 127.0.0.1, which crashed smbexec.py with the following error message:
If we go to the server we can see the files execute.bat and __output still on the system:
The file execute.bat contains the full command that was executed:
And the file __output contains the output of execute.bat:
Keep in mind that all of these names (BTOBTO, __output and execute.bat) can be changed easily. The following is a snippet from the source code of smbexec.py:
```python
# TRUNCATED
OUTPUT_FILENAME = '__output'    # command output, written to the share
BATCH_FILENAME = 'execute.bat'  # batch file holding the command, written under %TEMP%
SMBSERVER_DIR = '__tmp'
DUMMY_SHARE = 'TMP'
SERVICE_NAME = 'BTOBTO'         # default service name; -service-name overrides it
# TRUNCATED
```
The service name can also be changed using the switch -service-name.
| Event ID | Channel | Details |
|---|---|---|
| 4624 | Security | Successful logon with logon type 3 (network). The source IP address and the user name are recorded here. |
| 4634 | Security | Logoff with the same Logon ID as the 4624 above. Together, the two events bound the duration of the semi-interactive shell session. |
| 4672 | Security | Special privileges assigned to new logon. The Logon ID is the same as in the 4624 event. |
| 7045 | System | A new service is created whose binPath (ImagePath) field contains the attacker's command. By default the service name is BTOBTO. This event holds the most important data: the service name and the full command line. |
| 7009 | System | A timeout was reached while waiting for the service with the same name (param2) to respond. This is expected, since the binPath is a cmd.exe one-liner that never reports to the Service Control Manager. |
| Path | Details |
|---|---|
| C:\windows\temp\execute.bat | The command to be executed is written here. The default file name is execute.bat. |
| C:\__output | This file contains the command output. The default file name is __output. |
private SMBExecServiceCreated
{
metadata:
author: "AbdulRhman Alfaifi"
reference: "internal research"
creationDate: "10/08/2020"
score: 200
description: "Detected remote execution tool smbexec.py"
Channel: "System"
include:
EventID: "7045"
returns:
- "Data.ServiceName"
- "Data.ImagePath"
- "Security.UserID"
- "Channel"
}
private SMBExecServiceTimeout
{
metadata:
author: "AbdulRhman Alfaifi"
reference: "internal research"
creationDate: "10/08/2020"
score: 200
description: "Detected remote execution tool smbexec.py"
Channel: "System"
include:
EventID: "7009"
returns:
- "Data.param2"
- "Channel"
}
public SMBExecDetected
{
metadata:
author: "AbdulRhman Alfaifi"
reference: "internal research"
creationDate: "10/08/2020"
score: 200
description: "Detected remote execution tool smbexec.py"
include:
rule:
- "SMBExecServiceCreated"
- "SMBExecServiceTimeout"
if:
within: 500
}
public SMBExecSessionStarted
{
metadata:
author: "AbdulRhman Alfaifi"
reference: "internal research"
creationDate: "10/08/2020"
score: 200
description: "Detected remote execution tool smbexec.py"
Channel: "System"
include:
EventID: "7045"
Data.ImagePath: "*echo cd*"
returns:
- "Data.ServiceName"
- "Data.ImagePath"
- "Security.UserID"
- "Channel"
}
The above defines two public Rhaegal rules built on two private ones: SMBExecDetected fires when a 7045 service creation and a 7009 service timeout occur within 500 of each other, and SMBExecSessionStarted matches the first 7045 of a session, whose ImagePath contains echo cd.
These rules have been added to the Rhaegal GitHub repo; you can try them along with the other rules from HERE.
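To tie the artifacts section and the rules above together, here is an added example (not part of the original post, and not Impacket's or Rhaegal's own code). It reconstructs the service command that smbexec.py writes into the 7045 ImagePath, recovers the operator's command from such an ImagePath (useful once execute.bat and __output have been deleted), and replays the rule logic over constructed sample events. The command layout is my reading of the tool's behaviour and should be checked against your Impacket version; the event records, timestamps and the assumption that the 500 window is in seconds are mine.

```python
"""Added example (not part of the post or of Impacket): rebuild the service command
smbexec.py writes into the 7045 ImagePath, recover the operator's command from it,
and correlate the 7045/7009/4624 events the post lists. Every event below is
constructed sample data; the window unit is assumed to be seconds."""
import re
from datetime import datetime, timedelta

# Defaults from the smbexec.py snippet in the post; all of them can be changed.
OUTPUT_FILENAME = '__output'
BATCH_FILENAME = 'execute.bat'
SHELL = '%COMSPEC% /Q /c '


def build_binpath(data, share='C$', output=OUTPUT_FILENAME, batch=BATCH_FILENAME):
    """Reconstruction of the SHARE-mode command smbexec.py puts in the service
    binPath (assumption: verify against your Impacket version). The carets stop
    cmd.exe from interpreting '>' and '&' so they are echoed into the batch file."""
    out_path = '\\\\127.0.0.1\\' + share + '\\' + output
    batch_path = '%TEMP%\\' + batch
    return (SHELL + 'echo ' + data + ' ^> ' + out_path + ' 2^>^&1 > ' + batch_path
            + ' & ' + SHELL + batch_path + ' & del ' + batch_path)


def batch_contents(data, share='C$', output=OUTPUT_FILENAME):
    """What execute.bat holds once echo has stripped the carets."""
    return data + ' > \\\\127.0.0.1\\' + share + '\\' + output + ' 2>&1'


# Structural pattern: keys on the echo/redirect/del shape, not on the default
# names BTOBTO, __output or execute.bat, so renaming them does not evade it.
BINPATH_RE = re.compile(
    r'echo (?P<cmd>.+?) \^> (?P<out>\\\\127\.0\.0\.1\\\S+) 2\^>\^&1 > '
    r'(?P<batch>\S+) & .*? & del (?P=batch)$')


def parse_binpath(image_path):
    """Recover command, output path and batch path from a 7045 ImagePath,
    which survives even after execute.bat and __output were deleted.
    Returns None for ImagePaths that are not smbexec-shaped."""
    m = BINPATH_RE.search(image_path)
    return m.groupdict() if m else None


def detect(events, within=timedelta(seconds=500)):
    """Port of the post's rule logic: every smbexec-shaped 7045 is an alert,
    enriched with the 7009 timeout for the same service inside the window, the
    nearest preceding type-3 4624 (source IP), and whether the command is exactly
    the 'cd' that opens a session (what SMBExecSessionStarted keys on)."""
    by_time = sorted(events, key=lambda e: e['time'])
    alerts = []
    for i, e in enumerate(by_time):
        if e['EventID'] != '7045':
            continue
        parsed = parse_binpath(e['Data.ImagePath'])
        if parsed is None:
            continue
        t0 = datetime.fromisoformat(e['time'])
        timeout = next((x for x in by_time[i + 1:]
                        if x['EventID'] == '7009'
                        and x.get('Data.param2') == e['Data.ServiceName']
                        and datetime.fromisoformat(x['time']) - t0 <= within), None)
        logon = next((x for x in reversed(by_time[:i])
                      if x['EventID'] == '4624' and x.get('Data.LogonType') == '3'
                      and t0 - datetime.fromisoformat(x['time']) <= within), None)
        alerts.append({'service': e['Data.ServiceName'],
                       'command': parsed['cmd'],
                       'batch': parsed['batch'],
                       'session_start': parsed['cmd'] == 'cd',
                       'timeout_seen': timeout is not None,
                       'source_ip': logon['Data.IpAddress'] if logon else None})
    return alerts


# Constructed sample records in the field layout the post's Rhaegal rules use.
SAMPLE_EVENTS = [
    {'time': '2020-08-10T10:00:00', 'EventID': '4624', 'Channel': 'Security',
     'Data.LogonType': '3', 'Data.TargetUserName': 'Administrator',
     'Data.IpAddress': '10.10.10.138'},
    {'time': '2020-08-10T10:00:01', 'EventID': '7045', 'Channel': 'System',
     'Data.ServiceName': 'BTOBTO', 'Data.ImagePath': build_binpath('cd')},
    {'time': '2020-08-10T10:00:31', 'EventID': '7009', 'Channel': 'System',
     'Data.param1': '30000', 'Data.param2': 'BTOBTO'},
    {'time': '2020-08-10T10:05:00', 'EventID': '7045', 'Channel': 'System',
     'Data.ServiceName': 'Spooler',
     'Data.ImagePath': r'C:\Windows\System32\spoolsv.exe'},
]

if __name__ == '__main__':
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The structural regex is the point of the example: the post's rules key on the literal strings BTOBTO and echo cd, both of which an operator can change with -service-name or by editing the constants, whereas the echo ... ^> \\127.0.0.1\... 2^>^&1 > ... & del ... shape is what the tool needs to work and is much harder to drop.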
Sir, can you please elaborate on this command? I'm new to this. What is it doing, and what is the meaning of the 2>&1 in: cd > \\127.0.0.1\C$\__output 2>&1 to the file %TEMP%\execute.bat, which is C:\windows\temp\execute.bat?
And where can I find the file execute.bat?
Hello Gaura, the command that you want to execute will be written to C:\windows\temp\execute.bat. For example, if you want to execute the command whoami then the content of execute.bat will be whoami > \\127.0.0.1\C$\__output 2>&1, which means execute whoami and redirect stdout & stderr to C:\__output.
That file is written and deleted too, what else can be done to retrieve that file?
Please reply, sir.
smbexec.py performs cleanup after execution is completed by deleting __output and execute.bat. In some cases where smbexec.py fails before cleanup, the files will still be available on disk. In case the cleanup was successful you can check Windows Event ID 7045 in the System log. For more info refer to the artifacts section in this blog. Good luck!