From 52eae2c92b29eb121e7e59ecf9158d8d956cbb04 Mon Sep 17 00:00:00 2001
From: gs3cl <89155053+gs3cl@users.noreply.github.com>
Date: Mon, 19 Sep 2022 20:25:18 +0200
Subject: [PATCH 1/9] new rule for winpeas tool
---
...c_creation_detect_execution_of_winPEAS.yml | 57 +++++++++++++++++++
1 file changed, 57 insertions(+)
create mode 100644 rules/windows/process_creation/proc_creation_detect_execution_of_winPEAS.yml
diff --git a/rules/windows/process_creation/proc_creation_detect_execution_of_winPEAS.yml b/rules/windows/process_creation/proc_creation_detect_execution_of_winPEAS.yml
new file mode 100644
index 000000000..5ef086252
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_detect_execution_of_winPEAS.yml
@@ -0,0 +1,57 @@
+title: Detect Execution of winPEAS
+id: 98b53e78-ebaf-46f8-be06-421aafd176d9
+status: experimental
+description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
+author: Georg Lauenstein
+date: 2022/09/19
+references:
+ - https://github.com/carlospolop/PEASS-ng
+ - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
+tags:
+ - attack.privilege_escalation
+ - attack.t1082
+ - attack.t1087
+ - attack.t1046
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith:
+ - '\winPEASany.exe'
+ - '\winPEASany_ofs.exe'
+ - '\winPEASx64.exe'
+ - '\winPEASx64_ofs.exe'
+ - '\winPEASx86.exe'
+ - '\winPEASx86_ofs.exe'
+ - OriginalFileName:
+ - 'winPEAS.exe' # always the same
+ selection_cmd_args:
+ - CommandLine|contains:
+ - 'domain' # Enumerate domain information
+ - 'systeminfo' # Search system information
+ - 'userinfo' # Search user information
+ - 'processinfo' # Search processes information
+ - 'serviceinfo' # Search services information
+ - 'applicationsinfo' # Search installed applications information
+ - 'networkinfo' # Search network information
+ - 'windowscreds' # Search windows credentials
+ - 'browserinfo ' # Search browser information
+ - 'filesinfo ' # Search generic files that can contains credentials
+ - 'fileanalysis' # Search specific files that can contains credentials and for regexes inside files
+ - 'eventsinfo' # Display interesting events information
+ filter_sysinfo:
+ - Image|endswith:
+ - '\systeminfo.exe' # due to option "systeminfo" via winPEAS
+ - OriginalFileName:
+ - 'sysinfo.exe'
+ condition: (selection_img or selection_cmd_args) and not filter_sysinfo
+fields:
+ - Image
+ - User
+ - CommandLine
+ - ParentCommandLine
+ - CurrentDirectory
+falsepositives:
+ - Pentesting
+level: high
From 44a49914190ed714da6685442af6c7b0baa92af6 Mon Sep 17 00:00:00 2001
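Review bot: `selection_cmd_args` is not tied to the winPEAS image, so `CommandLine|contains` on bare words such as `domain`, `systeminfo`, `userinfo` and `networkinfo` fires on any process whose command line contains those substrings, and because the condition ORs it with `selection_img` the rule alerts at `level: high` on a substring alone; `filter_sysinfo` only papers over one of those collisions (`systeminfo.exe`). Anchor the keywords to how winPEAS is actually invoked, e.g. `CommandLine|contains: '.exe systeminfo'` or `CommandLine|endswith: 'systeminfo'`, or require `selection_img and selection_cmd_args` for the keyword branch. The techniques tagged (`attack.t1082`, `attack.t1087`, `attack.t1046`) belong to the Discovery tactic, so the tag list should carry `attack.discovery` next to `attack.privilege_escalation`. The description also reads `a script that search for`; it should be `a script that searches for`.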
From: gs3cl <89155053+gs3cl@users.noreply.github.com>
Date: Mon, 19 Sep 2022 21:00:59 +0200
Subject: [PATCH 2/9] Update and rename proc_creation_detect_execution_of_winPEAS.yml to proc_creation_win_winpeas_tool.yml
---
...cution_of_winPEAS.yml => proc_creation_win_winpeas_tool.yml} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename rules/windows/process_creation/{proc_creation_detect_execution_of_winPEAS.yml => proc_creation_win_winpeas_tool.yml} (98%)
diff --git a/rules/windows/process_creation/proc_creation_detect_execution_of_winPEAS.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
similarity index 98%
rename from rules/windows/process_creation/proc_creation_detect_execution_of_winPEAS.yml
rename to rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
index 5ef086252..d093f55aa 100644
--- a/rules/windows/process_creation/proc_creation_detect_execution_of_winPEAS.yml
+++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
@@ -1,4 +1,4 @@
-title: Detect Execution of winPEAS
+title: Detect Execution of winPEAS
id: 98b53e78-ebaf-46f8-be06-421aafd176d9
status: experimental
description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
From d8e806cf93e82ce0dc5ea5e92e29089c68659d40 Mon Sep 17 00:00:00 2001
From: gs3cl <89155053+gs3cl@users.noreply.github.com>
Date: Mon, 19 Sep 2022 21:17:32 +0200
Subject: [PATCH 3/9] Update falsepositives and format
---
.../proc_creation_win_winpeas_tool.yml | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
index d093f55aa..92378f6ca 100644
--- a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
+++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
@@ -24,8 +24,7 @@ detection:
- '\winPEASx64_ofs.exe'
- '\winPEASx86.exe'
- '\winPEASx86_ofs.exe'
- - OriginalFileName:
- - 'winPEAS.exe' # always the same
+ - OriginalFileName: 'winPEAS.exe' # always the same
selection_cmd_args:
- CommandLine|contains:
- 'domain' # Enumerate domain information
@@ -41,10 +40,8 @@ detection:
- 'fileanalysis' # Search specific files that can contains credentials and for regexes inside files
- 'eventsinfo' # Display interesting events information
filter_sysinfo:
- - Image|endswith:
- - '\systeminfo.exe' # due to option "systeminfo" via winPEAS
- - OriginalFileName:
- - 'sysinfo.exe'
+ - Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS
+ - OriginalFileName: 'sysinfo.exe'
condition: (selection_img or selection_cmd_args) and not filter_sysinfo
fields:
- Image
@@ -53,5 +50,5 @@ fields:
- ParentCommandLine
- CurrentDirectory
falsepositives:
- - Pentesting
+ - Should not be any as administrators do not use this tool
level: high
From 86a4f24ce8b085105c768b8f24ca6257669bfce0 Mon Sep 17 00:00:00 2001
From: gs3cl <89155053+gs3cl@users.noreply.github.com>
Date: Mon, 19 Sep 2022 22:36:18 +0200
Subject: [PATCH 4/9] del "domain" under CommandLine
---
.../windows/process_creation/proc_creation_win_winpeas_tool.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
index 92378f6ca..cc52a318a 100644
--- a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
+++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
@@ -27,7 +27,6 @@ detection:
- OriginalFileName: 'winPEAS.exe' # always the same
selection_cmd_args:
- CommandLine|contains:
- - 'domain' # Enumerate domain information
- 'systeminfo' # Search system information
- 'userinfo' # Search user information
- 'processinfo' # Search processes information
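Review bot: The new `falsepositives` entry `Should not be any as administrators do not use this tool` only holds for the image-name branch; `selection_cmd_args` still matches any command line containing `userinfo`, `processinfo`, `serviceinfo` or similar regardless of the image, and the condition ORs the two selections. Either describe that source of noise honestly, e.g. `- Other tools or scripts whose command line contains the same module keywords`, or anchor the keyword branch to the winPEAS image before claiming there are no false positives.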
From 9bfd2c729fb9ba4c1261d8407a44266436ae2b1d Mon Sep 17 00:00:00 2001
From: gs3cl <89155053+gs3cl@users.noreply.github.com>
Date: Mon, 19 Sep 2022 23:00:02 +0200
Subject: [PATCH 5/9] change condition and format
---
.../process_creation/proc_creation_win_winpeas_tool.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
index cc52a318a..d591a8b10 100644
--- a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
+++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
@@ -16,7 +16,7 @@ logsource:
category: process_creation
product: windows
detection:
- selection_img:
+ winpeas_basic:
- Image|endswith:
- '\winPEASany.exe'
- '\winPEASany_ofs.exe'
@@ -25,7 +25,7 @@ detection:
- '\winPEASx86.exe'
- '\winPEASx86_ofs.exe'
- OriginalFileName: 'winPEAS.exe' # always the same
- selection_cmd_args:
+ winpeas_option:
- CommandLine|contains:
- 'systeminfo' # Search system information
- 'userinfo' # Search user information
@@ -41,7 +41,7 @@ detection:
filter_sysinfo:
- Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS
- OriginalFileName: 'sysinfo.exe'
- condition: (selection_img or selection_cmd_args) and not filter_sysinfo
+ condition: 1 of winpeas_* and not filter_sysinfo
fields:
- Image
- User
From 9e589736c2d2e7c106ca6cc7560f942a9e5d7170 Mon Sep 17 00:00:00 2001
From: gs3cl <89155053+gs3cl@users.noreply.github.com>
Date: Mon, 19 Sep 2022 23:23:28 +0200
Subject: [PATCH 6/9] Update proc_creation_win_winpeas_tool.yml
---
.../proc_creation_win_winpeas_tool.yml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
index d591a8b10..ee5604ae5 100644
--- a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
+++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
@@ -17,16 +17,16 @@ logsource:
product: windows
detection:
winpeas_basic:
- - Image|endswith:
+ Image|endswith:
- '\winPEASany.exe'
- '\winPEASany_ofs.exe'
- '\winPEASx64.exe'
- '\winPEASx64_ofs.exe'
- '\winPEASx86.exe'
- '\winPEASx86_ofs.exe'
- - OriginalFileName: 'winPEAS.exe' # always the same
+ OriginalFileName: 'winPEAS.exe' # always the same
winpeas_option:
- - CommandLine|contains:
+ CommandLine|contains:
- 'systeminfo' # Search system information
- 'userinfo' # Search user information
- 'processinfo' # Search processes information
@@ -39,8 +39,8 @@ detection:
- 'fileanalysis' # Search specific files that can contains credentials and for regexes inside files
- 'eventsinfo' # Display interesting events information
filter_sysinfo:
- - Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS
- - OriginalFileName: 'sysinfo.exe'
+ Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS
+ OriginalFileName: 'sysinfo.exe'
condition: 1 of winpeas_* and not filter_sysinfo
fields:
- Image
From 137653f08a89aa27893476562ccc585b2463703a Mon Sep 17 00:00:00 2001
From: gs3cl <89155053+gs3cl@users.noreply.github.com>
Date: Tue, 20 Sep 2022 11:04:12 +0200
Subject: [PATCH 7/9] fix format and delete 'OriginalFileName'
---
.../proc_creation_win_winpeas_tool.yml | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
index ee5604ae5..9696b83b3 100644
--- a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
+++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
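Review bot: Turning `- Image|endswith:` and `- OriginalFileName:` from list items into plain keys changes the OR inside `winpeas_basic` into an AND: an event now has to carry both a winPEAS file name and `OriginalFileName: 'winPEAS.exe'`, so a renamed copy of the binary — the case the PE metadata check exists for — no longer matches. The same happens to `filter_sysinfo`, which after this hunk only excludes `systeminfo.exe` events whose OriginalFileName is also `sysinfo.exe`. Keep the PE check as its own selection, e.g. `winpeas_pe:` holding `OriginalFileName: 'winPEAS.exe'`, which `1 of winpeas_*` already ORs in, and give the filter either a single field or two separately OR'd filters.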
@@ -5,8 +5,8 @@ description: WinPEAS is a script that search for possible paths to escalate priv
author: Georg Lauenstein
date: 2022/09/19
references:
- - https://github.com/carlospolop/PEASS-ng
- - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
+ - https://github.com/carlospolop/PEASS-ng
+ - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
tags:
- attack.privilege_escalation
- attack.t1082
@@ -17,16 +17,15 @@ logsource:
product: windows
detection:
winpeas_basic:
- Image|endswith:
+ Image|endswith:
- '\winPEASany.exe'
- '\winPEASany_ofs.exe'
- '\winPEASx64.exe'
- '\winPEASx64_ofs.exe'
- '\winPEASx86.exe'
- '\winPEASx86_ofs.exe'
- OriginalFileName: 'winPEAS.exe' # always the same
winpeas_option:
- CommandLine|contains:
+ CommandLine|contains:
- 'systeminfo' # Search system information
- 'userinfo' # Search user information
- 'processinfo' # Search processes information
@@ -39,8 +38,7 @@ detection:
- 'fileanalysis' # Search specific files that can contains credentials and for regexes inside files
- 'eventsinfo' # Display interesting events information
filter_sysinfo:
- Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS
- OriginalFileName: 'sysinfo.exe'
+ Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS
condition: 1 of winpeas_* and not filter_sysinfo
fields:
- Image
@@ -49,5 +47,5 @@ fields:
- ParentCommandLine
- CurrentDirectory
falsepositives:
- - Should not be any as administrators do not use this tool
+ - Unlikely
level: high
From cb09f9d522576dabfc2af60e4919bee331ce610b Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 20 Sep 2022 17:44:56 +0200
Subject: [PATCH 8/9] Update proc_creation_win_winpeas_tool.yml
---
.../proc_creation_win_winpeas_tool.yml | 27 ++++++-------------
1 file changed, 8 insertions(+), 19 deletions(-)
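Review bot: Deleting `OriginalFileName: 'winPEAS.exe' # always the same` removes the only match that survives renaming the binary; after this hunk the image branch recognises winPEAS solely by its on-disk file name, which an operator changes trivially. If the goal was to undo the AND that the previous formatting change introduced, move the field into its own selection (`winpeas_pe:` with `OriginalFileName: 'winPEAS.exe'`) instead of dropping it — `1 of winpeas_*` picks that up without touching the condition. `- Unlikely` for `falsepositives` is also hard to defend while `CommandLine|contains` still matches bare `systeminfo`/`userinfo` substrings from any process.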
diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
index 9696b83b3..0b34ea85c 100644
--- a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
+++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
@@ -16,7 +16,7 @@ logsource:
category: process_creation
product: windows
detection:
- winpeas_basic:
+ selection_basic:
Image|endswith:
- '\winPEASany.exe'
- '\winPEASany_ofs.exe'
@@ -24,28 +24,17 @@ detection:
- '\winPEASx64_ofs.exe'
- '\winPEASx86.exe'
- '\winPEASx86_ofs.exe'
- winpeas_option:
- CommandLine|contains:
- - 'systeminfo' # Search system information
- - 'userinfo' # Search user information
- - 'processinfo' # Search processes information
+ selection_pe:
+ OriginalFileName: 'winPEAS.exe'
+ selection_option:
+ - CommandLine|endswith:
- 'serviceinfo' # Search services information
- 'applicationsinfo' # Search installed applications information
- - 'networkinfo' # Search network information
- 'windowscreds' # Search windows credentials
- 'browserinfo ' # Search browser information
- - 'filesinfo ' # Search generic files that can contains credentials
- 'fileanalysis' # Search specific files that can contains credentials and for regexes inside files
- - 'eventsinfo' # Display interesting events information
- filter_sysinfo:
- Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS
- condition: 1 of winpeas_* and not filter_sysinfo
-fields:
- - Image
- - User
- - CommandLine
- - ParentCommandLine
- - CurrentDirectory
+ - CommandLine|contains: '.exe browserinfo ' # Search browser information
+ condition: 1 of selection*
falsepositives:
- - Unlikely
+ - Other programs that use the same command line flags
level: high
From 83fbd7f258a315417f4418f0f07700cd4abcfa7c Mon Sep 17 00:00:00 2001
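Review bot: The `CommandLine|endswith:` list keeps the entry `'browserinfo '` with a trailing space, so it can never match a command line that ends in `browserinfo`; the newly added `CommandLine|contains: '.exe browserinfo '` only covers the case where further arguments follow. Change the entry to `- 'browserinfo'`, after which the extra `contains` item is redundant. With `condition: 1 of selection*`, `selection_option` still alerts at `level: high` on any process whose command line merely ends in `serviceinfo`, `windowscreds` or `fileanalysis`, which the new falsepositives entry itself concedes — consider requiring `selection_basic` or `selection_pe` together with the option keywords, or lowering the level for the keyword-only match.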
From: Florian Roth
Date: Tue, 20 Sep 2022 17:45:13 +0200
Subject: [PATCH 9/9] Update proc_creation_win_winpeas_tool.yml
---
.../windows/process_creation/proc_creation_win_winpeas_tool.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
index 0b34ea85c..917e8fdba 100644
--- a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
+++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
@@ -25,7 +25,7 @@ detection:
- '\winPEASx86.exe'
- '\winPEASx86_ofs.exe'
selection_pe:
- OriginalFileName: 'winPEAS.exe'
+ OriginalFileName: 'winPEAS.exe'
selection_option:
- CommandLine|endswith:
- 'serviceinfo' # Search services information