github-actions[bot]
08c52c367c
chore: promote older rules status from experimental to test Co-authored-by: nasbench <nasbench@users.noreply.github.com>
46 lines
1.6 KiB
YAML
46 lines
1.6 KiB
YAML
title: HackTool - WinPwn Execution - ScriptBlock
|
|
id: 851fd622-b675-4d26-b803-14bc7baa517a
|
|
related:
|
|
- id: d557dc06-62e8-4468-a8e8-7984124908ce
|
|
type: similar
|
|
status: test
|
|
description: |
|
|
Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
|
|
author: Swachchhanda Shrawan Poudel
|
|
date: 2023-12-04
|
|
references:
|
|
- https://github.com/S3cur3Th1sSh1t/WinPwn
|
|
- https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
|
|
- https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
|
|
- https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
|
|
tags:
|
|
- attack.credential-access
|
|
- attack.defense-evasion
|
|
- attack.discovery
|
|
- attack.execution
|
|
- attack.privilege-escalation
|
|
- attack.t1046
|
|
- attack.t1082
|
|
- attack.t1106
|
|
- attack.t1518
|
|
- attack.t1548.002
|
|
- attack.t1552.001
|
|
- attack.t1555
|
|
- attack.t1555.003
|
|
logsource:
|
|
category: ps_script
|
|
product: windows
|
|
definition: 'Requirements: Script Block Logging must be enabled'
|
|
detection:
|
|
selection:
|
|
ScriptBlockText|contains:
|
|
- 'Offline_Winpwn'
|
|
- 'WinPwn '
|
|
- 'WinPwn.exe'
|
|
- 'WinPwn.ps1'
|
|
condition: selection
|
|
falsepositives:
|
|
- As the script block is a blob of text. False positive may occur with scripts that contain the keyword as a reference or simply use it for detection.
|
|
level: high
|