HackTool - WinPwn Execution - ScriptBlock
Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
Sigma rule (View on GitHub)
1title: HackTool - WinPwn Execution - ScriptBlock
2id: 851fd622-b675-4d26-b803-14bc7baa517a
3related:
4 - id: d557dc06-62e8-4468-a8e8-7984124908ce
5 type: similar
6status: test
7description: |
8 Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
9author: Swachchhanda Shrawan Poudel
10date: 2023-12-04
11references:
12 - https://github.com/S3cur3Th1sSh1t/WinPwn
13 - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
14 - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
15 - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
16 - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
17tags:
18 - attack.credential-access
19 - attack.defense-evasion
20 - attack.discovery
21 - attack.execution
22 - attack.privilege-escalation
23 - attack.t1046
24 - attack.t1082
25 - attack.t1106
26 - attack.t1518
27 - attack.t1548.002
28 - attack.t1552.001
29 - attack.t1555
30 - attack.t1555.003
31logsource:
32 category: ps_script
33 product: windows
34 definition: 'Requirements: Script Block Logging must be enabled'
35detection:
36 selection:
37 ScriptBlockText|contains:
38 - 'Offline_Winpwn'
39 - 'WinPwn '
40 - 'WinPwn.exe'
41 - 'WinPwn.ps1'
42 condition: selection
43falsepositives:
44 - As the script block is a blob of text. False positive may occur with scripts that contain the keyword as a reference or simply use it for detection.
45level: high
References
Related rules
- HackTool - WinPwn Execution
- Potential Suspicious Activity Using SeCEdit
- Audit CVE Event
- HackTool - CrackMapExec Execution
- UAC Bypass Using IDiagnostic Profile - File