From e50d06b687b91b7b256f4ae12c638bbc1c5c9880 Mon Sep 17 00:00:00 2001
From: gs3cl <89155053+gs3cl@users.noreply.github.com>
Date: Mon, 20 Mar 2023 21:31:40 +0100
Subject: [PATCH 1/6] Update proc_creation_win_hktl_winpeas.yml
---
 .../proc_creation_win_hktl_winpeas.yml | 44 ++++++++++++-------
 1 file changed, 29 insertions(+), 15 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
index e3d1980c8..71dc92abc 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
@@ -1,13 +1,13 @@
 title: HackTool - winPEAS Execution
 id: 98b53e78-ebaf-46f8-be06-421aafd176d9
-status: experimental
+status: test
 description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
 references:
 - https://github.com/carlospolop/PEASS-ng
 - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
-author: Georg Lauenstein
+author: Georg Lauenstein -- sure[secure]
 date: 2022/09/19
-modified: 2023/02/14
+modified: 2023/03/20
 tags:
 - attack.privilege_escalation
 - attack.t1082
@@ -17,7 +17,7 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_basic:
+ selection_img:
 Image|endswith:
 - '\winPEASany.exe'
 - '\winPEASany_ofs.exe'
@@ -25,17 +25,31 @@ detection:
 - '\winPEASx64_ofs.exe'
 - '\winPEASx86.exe'
 - '\winPEASx86_ofs.exe'
- selection_pe:
 OriginalFileName: 'winPEAS.exe'
- selection_option:
- - CommandLine|endswith:
- - 'serviceinfo' # Search services information
- - 'applicationsinfo' # Search installed applications information
- - 'windowscreds' # Search windows credentials
- - 'browserinfo ' # Search browser information
- - 'fileanalysis' # Search specific files that can contains credentials and for regexes inside files
- - CommandLine|contains: '.exe browserinfo ' # Search browser information
- condition: 1 of selection*
+ selection_cmd:
+ CommandLine|contains:
+ - ' domain' # Enumerate domain information
+ - ' systeminfo' # Search system information
+ - ' userinfo' # Search user information
+ - ' processinfo' # Search processes information
+ - ' servicesinfo' # Search services information
+ - ' applicationsinfo' # Search installed applications information
+ - ' windowscreds' # Search windows credentials
+ - ' browserinfo' # Search browser information
+ - ' filesinfo' # Search generic files that can contains credentials
+ - ' fileanalysis' # Search specific files that can contains credentials and for regexes inside files
+ - ' eventsinfo' # Display interesting events information
+ selection_wsl:
+ Image|startswith: '\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux_'
+ Image|endswith: '\wsl.exe'
+ OriginalFileName: 'wsl.exe'
+ CommandLine|contains|all:
+ - '"bash"'
+ - '-c'
+ - 'curl'
+ - 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh' # use linpeas for WSL with default URL from linpeas.sh
+ - ' ---silent | sh'
+ condition: selection_img or (selection_img and selection_cmd) or selection_wsl
 falsepositives:
- - Other programs that use the same command line flags
+ - Unknown
 level: high
From 1dc81a54554b056871bca4139761a39cdc52ed88 Mon Sep 17 00:00:00 2001
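Review bot: In the new `condition` at the end of this hunk, `(selection_img and selection_cmd)` is subsumed by the preceding `selection_img`, so `selection_cmd` can never change the outcome and its eleven CommandLine values are dead. At the same time `selection_img` is now a single mapping, so `Image|endswith` and `OriginalFileName` must both match, which is narrower than the removed `1 of selection*` where `selection_pe` matched on `OriginalFileName` alone; a renamed binary that still carries `OriginalFileName: 'winPEAS.exe'` no longer triggers. If the intent is image-or-PE-name, make `selection_img` a list of two maps and drop the dead conjunct, e.g. `condition: selection_img or selection_wsl`. Separately, `Image|startswith: '\WindowsApps\...'` in `selection_wsl` is compared against the full image path, which starts with a drive letter, so it cannot match as written; `Image|contains` is the modifier that fits a path fragment. The same condition shape is carried into the patch 2 hunk below.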
From: gs3cl <89155053+gs3cl@users.noreply.github.com>
Date: Tue, 21 Mar 2023 07:52:35 +0100
Subject: [PATCH 2/6] Update proc_creation_win_hktl_winpeas.yml
- add selection_linpeas_option
- add selection_default_dl
- chg AND to OR for OriginalFileName
---
 .../proc_creation_win_hktl_winpeas.yml | 28 +++++++++----------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
index 71dc92abc..70396562f 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
@@ -1,6 +1,6 @@
 title: HackTool - winPEAS Execution
 id: 98b53e78-ebaf-46f8-be06-421aafd176d9
-status: test
+status: experimental
 description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
 references:
 - https://github.com/carlospolop/PEASS-ng
@@ -18,16 +18,18 @@ logsource:
 product: windows
 detection:
 selection_img:
- Image|endswith:
+ - Image|endswith:
 - '\winPEASany.exe'
 - '\winPEASany_ofs.exe'
 - '\winPEASx64.exe'
 - '\winPEASx64_ofs.exe'
 - '\winPEASx86.exe'
 - '\winPEASx86_ofs.exe'
- OriginalFileName: 'winPEAS.exe'
+ - OriginalFileName:
+ - 'winPEAS.exe'
 selection_cmd:
 CommandLine|contains:
+ # PS F:\Downloads> .\winPEASx64.exe domain...
 - ' domain' # Enumerate domain information
 - ' systeminfo' # Search system information
 - ' userinfo' # Search user information
@@ -39,17 +41,15 @@ detection:
 - ' filesinfo' # Search generic files that can contains credentials
 - ' fileanalysis' # Search specific files that can contains credentials and for regexes inside files
 - ' eventsinfo' # Display interesting events information
- selection_wsl:
- Image|startswith: '\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux_'
- Image|endswith: '\wsl.exe'
- OriginalFileName: 'wsl.exe'
- CommandLine|contains|all:
- - '"bash"'
- - '-c'
- - 'curl'
- - 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh' # use linpeas for WSL with default URL from linpeas.sh
- - ' ---silent | sh'
- condition: selection_img or (selection_img and selection_cmd) or selection_wsl
+ selection_linpeas_option:
+ # PS F:\Downloads> .\winPEASx64.exe -linpeas
+ OriginalFileName: 'Bash.exe'
+ # contains due to second option: -linpeas=[url]
+ # PS F:\Downloads> .\winPEASx64.exe -linpeas=https://otherurl.com/
+ ParentCommandLine|contains: ' -linpeas'
+ selection_default_dl:
+ CommandLine|contains: 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/'
+ condition: selection_img or (selection_img and selection_cmd) or selection_linpeas_option or selection_default_dl
 falsepositives:
 - Unknown
 level: high
From 302b42267ff5a9f6171129a3fe714d4c2e8ac9cb Mon Sep 17 00:00:00 2001
From: gs3cl <89155053+gs3cl@users.noreply.github.com>
Date: Tue, 21 Mar 2023 08:26:22 +0100
Subject: [PATCH 3/6] Update proc_creation_win_hktl_winpeas.yml
fix error
---
 .../process_creation/proc_creation_win_hktl_winpeas.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
index 70396562f..e8e95353d 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
@@ -25,8 +25,7 @@ detection:
 - '\winPEASx64_ofs.exe'
 - '\winPEASx86.exe'
 - '\winPEASx86_ofs.exe'
- - OriginalFileName:
- - 'winPEAS.exe'
+ - OriginalFileName: 'winPEAS.exe'
 selection_cmd:
 CommandLine|contains:
 # PS F:\Downloads> .\winPEASx64.exe domain...
From d48a08c44174bd6e05d85ba82f7a7e2579b3e448 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 23 Mar 2023 15:30:48 +0100
Subject: [PATCH 4/6] fix: update selection choices
---
 .../proc_creation_win_hktl_winpeas.yml | 36 ++++++++-----------
 1 file changed, 14 insertions(+), 22 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
index e8e95353d..07333990d 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
@@ -7,7 +7,7 @@ references:
 - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
 author: Georg Lauenstein -- sure[secure]
 date: 2022/09/19
-modified: 2023/03/20
+modified: 2023/03/23
 tags:
 - attack.privilege_escalation
 - attack.t1082
@@ -18,6 +18,7 @@ logsource:
 product: windows
 detection:
 selection_img:
+ - OriginalFileName: 'winPEAS.exe'
 - Image|endswith:
 - '\winPEASany.exe'
 - '\winPEASany_ofs.exe'
@@ -25,30 +26,21 @@ detection:
 - '\winPEASx64_ofs.exe'
 - '\winPEASx86.exe'
 - '\winPEASx86_ofs.exe'
- - OriginalFileName: 'winPEAS.exe'
- selection_cmd:
+ selection_cli_option:
 CommandLine|contains:
- # PS F:\Downloads> .\winPEASx64.exe domain...
- - ' domain' # Enumerate domain information
- - ' systeminfo' # Search system information
- - ' userinfo' # Search user information
+ - ' applicationsinfo' # Search installed applications information
+ - ' browserinfo' # Search browser information
+ - ' eventsinfo' # Display interesting events information
+ - ' fileanalysis' # Search specific files that can contains credentials and for regexes inside files
+ - ' filesinfo' # Search generic files that can contains credentials
 - ' processinfo' # Search processes information
 - ' servicesinfo' # Search services information
- - ' applicationsinfo' # Search installed applications information
 - ' windowscreds' # Search windows credentials
- - ' browserinfo' # Search browser information
- - ' filesinfo' # Search generic files that can contains credentials
- - ' fileanalysis' # Search specific files that can contains credentials and for regexes inside files
- - ' eventsinfo' # Display interesting events information
- selection_linpeas_option:
- # PS F:\Downloads> .\winPEASx64.exe -linpeas
- OriginalFileName: 'Bash.exe'
- # contains due to second option: -linpeas=[url]
- # PS F:\Downloads> .\winPEASx64.exe -linpeas=https://otherurl.com/
- ParentCommandLine|contains: ' -linpeas'
- selection_default_dl:
- CommandLine|contains: 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/'
- condition: selection_img or (selection_img and selection_cmd) or selection_linpeas_option or selection_default_dl
+ selection_cli_dl:
+ CommandLine|contains: 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/'
+ selection_cli_parent:
+ ParentCommandLine|endswith: ' -linpeas'
+ condition: 1 of selection_*
 falsepositives:
- - Unknown
+ - Unlikely
 level: high
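Review bot: The new `selection_cli_parent` replaces `ParentCommandLine|contains: ' -linpeas'` with `ParentCommandLine|endswith: ' -linpeas'`, which silently drops the `-linpeas=[url]` form that the comment removed in this same hunk (`# contains due to second option: -linpeas=[url]`) existed to cover. Restoring the wider match is a one-line change, `ParentCommandLine|contains: ' -linpeas'`; if the trailing anchor was deliberate, the reason belongs in a comment next to it. The patch 5 hunk below keeps `endswith` for both the `ParentCommandLine` entry and the new `CommandLine` entry, so it has the same gap. With `condition: 1 of selection_*` the `selection_cli_option` substrings now fire on their own at `level: high`, so `falsepositives: Unlikely` is a stronger claim than before; a short comment on why ` domain`, ` systeminfo` and ` userinfo` were dropped while the remaining tokens were kept would help the next maintainer judge that.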
From a504ab69270e48d214615e61cee010d106458d66 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 23 Mar 2023 15:36:13 +0100
Subject: [PATCH 5/6] fix: add cli option
---
 .../process_creation/proc_creation_win_hktl_winpeas.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
index 07333990d..397fbdc47 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
@@ -38,8 +38,9 @@ detection:
 - ' windowscreds' # Search windows credentials
 selection_cli_dl:
 CommandLine|contains: 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/'
- selection_cli_parent:
- ParentCommandLine|endswith: ' -linpeas'
+ selection_cli_specific:
+ - ParentCommandLine|endswith: ' -linpeas'
+ - CommandLine|endswith: ' -linpeas'
 condition: 1 of selection_*
 falsepositives:
 - Unlikely
From df54e30ec8d51fc04bab6dd646d1ec4c82dc4b8a Mon Sep 17 00:00:00 2001
From: gs3cl <89155053+gs3cl@users.noreply.github.com>
Date: Thu, 23 Mar 2023 20:07:09 +0100
Subject: [PATCH 6/6] chg author
---
 .../windows/process_creation/proc_creation_win_hktl_winpeas.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
index 397fbdc47..cd59fa71b 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
@@ -5,7 +5,7 @@ description: WinPEAS is a script that search for possible paths to escalate priv
 references:
 - https://github.com/carlospolop/PEASS-ng
 - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
-author: Georg Lauenstein -- sure[secure]
+author: Georg Lauenstein (sure[secure])
 date: 2022/09/19
 modified: 2023/03/23
 tags: