Thanks to visit codestin.com
Credit goes to www.scribd.com

Scribd
Upload
224 views1 page

Impacket Exec Commands Cheat Sheet Poster

The document is a cheat sheet for various Impacket execution commands, including atexec.py, dcomexec.py, psexec.py, smbexec.py, and wmiexec.py. It outlines the command syntax, functionality, and the Windows Event Log residues generated by each command. Additionally, it highlights detection capabilities by Windows Defender for each method.

Uploaded by

tuxbambi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
224 views1 page

Impacket Exec Commands Cheat Sheet Poster

The document is a cheat sheet for various Impacket execution commands, including atexec.py, dcomexec.py, psexec.py, smbexec.py, and wmiexec.py. It outlines the command syntax, functionality, and the Windows Event Log residues generated by each command. Additionally, it highlights detection capabilities by Windows Defender for each method.

Uploaded by

tuxbambi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 1

IMPACKET EXEC COMMANDS

CHEAT SHEET

ATEXEC.PY DCOMEXEC.PY

atexec.py domain/username:password@[hostname | IP] command dcomexec.py -object [ShellWindows | ShellBrowserWindow | MMC20] domain/username:password@[hostname | IP] command

• Requires a command to execute; shell not available • Can specify a command to run, or leave blank for shell
• Creates and subsequently deletes a Scheduled Task with a random 8-character mixed-case alpha string • Executes a semi-interactive shell using DCOM objects
• Runs cmd.exe with arguments of "/C" followed by the command specified by the user, followed by • Must specify 'ShellWindows', 'ShellBrowserWindow', 'MMC20' via the -object parameter
"C:\Windows\Temp\xxxxxxxx.tmp 2>&1" • Uses first 5 digits of UNIX Epoch Time in commands
o Where "xxxxxxxx" is the SAME random 8-character mixed-case alpha string used for the Scheduled Task name • NOT detected and blocked by Windows Defender by default
• Subsequently deletes the .tmp file containing command output from C:\Windows\Temp
• NOT detected and blocked by Windows Defender by default

Windows Event Log Residue:


Windows Event Log Residue:
• Two rounds of:
• Two rounds of: o Event ID 4776 in Security on target (for user specified in command)
o Event ID 4776 in Security on target (for user specified in command) o Event ID 4672 in Security on target (for user specified in command)
o Event ID 4672 in Security on target (for user specified in command) o Event ID 4624 Type 3 in Security on target (for user specified in command)
o Event ID 4624 Type 3 in Security on target (for user specified in command) • [IF ENABLED] Event ID 4688 in Security on target:
• [IF ENABLED] Event ID 4698 in Security on target o svchost.exe → mmc.exe -Embedding
• Event ID 106, 325, 129, 100, 200, 110, 141, 111, 201, 102 in Microsoft-Windows-TaskScheduler/Operational on target • Event ID 4776 in Security on target (for user specified in command)
• [IF ENABLED] Event ID 4688 in Security on target: • Event ID 4672 in Security on target (for user specified in command)
o svchost.exe → cmd.exe /C command > C:\Windows\Temp\xxxxxxxx.tmp 2>&1 • Event ID 4624 Type 3 in Security on target (for user specified in command)
• [IF ENABLED] Event ID 4688 in Security on target: • Always present:
o cmd.exe → conhost.exe 0xffffffff -ForceV1 o [IF ENABLED] Event ID 4688 in Security on target:
• [IF ENABLED] Event ID 4699 in Security on target mmc.exe → cmd.exe /Q /c cd \ 1> \)127.0.0.1\ADMIN$\__sssss 2>&1
• [IF ENABLED AND EXTERNAL BINARY IS CALLED] Event ID 4688 in Security on target: (where "s" is the first 5 digits of the UNIX Epoch Time at which the command ran)
o cmd.exe → xxx.exe (the command specified via atexec.py) o [IF ENABLED] Event ID 4688 in Security on target:
• Two rounds of: cmd.exe → conhost.exe 0xffffffff -ForceV1
o Event ID 4634 Type 3 in Security on target (for user specified in command) o [IF ENABLED] Event ID 4688 in Security on target:
• [IF EXTERNAL BINARY IS CALLED, 201/102 MAY APPEAR LATER] Event ID 201, 102 in mmc.exe → cmd.exe /Q /c cd 1> \)127.0.0.1\ADMIN$\__sssss 2>&1
Microsoft-Windows-TaskScheduler/Operational on target o [IF ENABLED] Event ID 4688 in Security on target:
cmd.exe → conhost.exe 0xffffffff -ForceV1
• User specified commands:
o [IF ENABLED] Event ID 4688 in Security on target:
mmc.exe → cmd.exe /Q /c command 1> \)127.0.0.1\ADMIN$\__sssss 2>&1
o [IF ENABLED] Event ID 4688 in Security on target:
cmd.exe → conhost.exe 0xffffffff -ForceV1

PSEXEC.PY
• Two rounds of:
o Event ID 4634 Type 3 in Security on target (for user specified in command)

psexec.py domain/username:password@[hostname | IP] command

• Can specify a command to run, or leave blank for shell


SMBEXEC.PY
• PSEXEC like functionality example using RemComSvc
• Creates and subsequently deletes a Windows Service with a random 4-character mixed-case alpha
name referencing an 8-character mixed-case alpha .exe file in %systemroot%
• Detected and blocked by Windows Defender by default
smbexec.py domain/username:password@[hostname | IP]

• No option to specify a command to run; you only get shell


Windows Event Log Residue:
• Creates and subsequently deletes a Windows Service named "BTOBTO" referencing execute.bat
for EVERY command entered into the shell
• Event ID 4776 in Security on target (for user specified in command)
o In May of 2023, the default service name of "BTOBTO" for smbexec.py was replaced with a
• Event ID 4672 in Security on target (for user specified in command)
random 8-character mixed-case alpha string
• Event ID 4624 Type 3 in Security on target (for user specified in command)
• Detected and blocked by Windows Defender by default
• Event ID 7045 in System on target (service installation: 4-character mixed-case alpha name referencing an
8-character mixed-case alpha .exe file):
o %systemroot%\xxxxxxxx.exe
• Event ID 7036 in System on target Windows Event Log Residue:
• Event ID 7036 in System on target
• [IF ENABLED] Event ID 4688 in Security on target: • Event ID 4776 in Security on target (for user specified in command)
o services.exe → C:\Windows\xxxxxxxx.exe • Event ID 4672 in Security on target (for user specified in command)
• Event ID 4776 in Security on target (for user specified in command) • Event ID 4624 Type 3 in Security on target (for user specified in command)
• Event ID 4672 in Security on target (for user specified in command) • Event ID 7045 in System on target (service installation: "BTOBTO" or random 8-character mixed-case alpha
• Event ID 4624 Type 3 in Security on target (for user specified in command) string for the default service name, but can be changed to custom value):
• Event ID 4776 in Security on target (for user specified in command) o %COMSPEC% /Q /c echo cd ^> \)127.0.0.1\C�\__output 2^>^&1 >
• Event ID 4672 in Security on target (for user specified in command) %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del
• Event ID 4624 Type 3 in Security on target (for user specified in command) %TEMP%\execute.bat
• Event ID 4776 in Security on target (for user specified in command) • Always present:
• Event ID 4672 in Security on target (for user specified in command) o [IF ENABLED] Event ID 4688 in Security on target:
• Event ID 4624 Type 3 in Security on target (for user specified in command) services.exe → cmd.exe /Q /c echo cd ^> \)127.0.0.1\C�\__output
• [IF ENABLED] Event ID 4688 in Security on target: 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q
o C:\Windows\xxxxxxxx.exe → command /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat
• [IF ENABLED] Event ID 4688 in Security on target: o [IF ENABLED] Event ID 4688 in Security on target:
o cmd.exe → conhost.exe 0xffffffff -ForceV1 cmd.exe → cmd.exe /Q /c C:\Windows\TEMP\execute.bat
• �)) numerous other 4624,4634,4672 events o [IF ENABLED] Event ID 4688 in Security on target:
cmd.exe → conhost.exe 0xffffffff -ForceV1
• Present if commands are issued in lieu of an interactive shell:
o [IF ENABLED] Event ID 4688 in Security on target:
cmd.exe /Q /c echo command ^> \)127.0.0.1\C�\__output 2^>^&1 >
C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c
C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat

WMIEXEC.PY
o [IF ENABLED] Event ID 4688 in Security on target:
cmd.exe → cmd.exe /Q /c C:\Windows\TEMP\execute.bat
o [IF ENABLED] Event ID 4688 in Security on target:
cmd.exe → conhost.exe 0xffffffff -ForceV1)
• If interactive shell is used, when shell exits:
o Event ID 4634 Type 3 in Security on target (for user specified in command)

wmiexec.py domain/username:password@[hostname | IP] command

• Can specify a command to run, or leave blank for shell


• Executes a semi-interactive shell using Windows Management Instrumentation
• Uses UNIX Epoch Time in commands
• NOT detected and blocked by Windows Defender by default

Windows Event Log Residue:


• Multiple rounds of:
o Event ID 4776 in Security on target (for user specified in command)
o Event ID 4672 in Security on target (for user specified in command)
o Event ID 4624 Type 3 in Security on target (for user specified in command)
• Always present:
o [IF ENABLED] Event ID 4688 in Security on target:
wmiprvse.exe → cmd.exe /Q /c cd \ 1>
\)127.0.0.1\ADMIN�\__ssssssssss.sssssss 2>&1)
(where "s" is the UNIX Epoch Time at which the command ran)
o [IF ENABLED] Event ID 4688 in Security on target:
cmd.exe → conhost.exe 0xffffffff -ForceV1
• [IF ENABLED] Event ID 4688 in Security on target:
o wmiprvse.exe → cmd.exe /Q /c cd 1>
\)127.0.0.1\ADMIN�\__ssssssssss.sssssss 2>&1
• [IF ENABLED] Event ID 4688 in Security on target:
o cmd.exe → conhost.exe 0xffffffff -ForceV1
• [IF ENABLED] Event ID 4688 in Security on target:
o wmiprvse.exe → cmd.exe /Q /c command 1> \)127.0.0.1\ADMIN�\__
ssssssssss.sssssss 2>&1)
• [IF ENABLED] Event ID 4688 in Security on target:
o cmd.exe → conhost.exe 0xffffffff -ForceV1
• Event ID 4634 Type 3 in Security on target (for user specified in command)
• [MAY BE PRESENT] Event ID 5857/5858 in Microsoft-Windows-WMI-Activity\Operational on target

youtube.com/13cubed Version 1.1

You might also like