HackTool - WinPwn Execution - ScriptBlock

 1title: HackTool - WinPwn Execution - ScriptBlock
 2id: 851fd622-b675-4d26-b803-14bc7baa517a
 3related:
 4    - id: d557dc06-62e8-4468-a8e8-7984124908ce
 5      type: similar
 6status: experimental
 7description: |
 8        Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
 9author: Swachchhanda Shrawan Poudel
10date: 2023/12/04
11references:
12    - https://github.com/S3cur3Th1sSh1t/WinPwn
13    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
14    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
15    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
16    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
17tags:
18    - attack.credential_access
19    - attack.defense_evasion
20    - attack.discovery
21    - attack.execution
22    - attack.privilege_escalation
23    - attack.t1046
24    - attack.t1082
25    - attack.t1106
26    - attack.t1518
27    - attack.t1548.002
28    - attack.t1552.001
29    - attack.t1555
30    - attack.t1555.003
31logsource:
32    category: ps_script
33    product: windows
34    definition: 'Requirements: Script Block Logging must be enabled'
35detection:
36    selection:
37        ScriptBlockText|contains:
38            - 'Offline_Winpwn'
39            - 'WinPwn '
40            - 'WinPwn.exe'
41            - 'WinPwn.ps1'
42    condition: selection
43falsepositives:
44    - As the script block is a blob of text. False positive may occur with scripts that contain the keyword as a reference or simply use it for detection.
45level: high

References

• GitHub - S3cur3Th1sSh1t/WinPwn: Automation for internal Windows Penetrationtest / AD-Security

  

  Automation for internal Windows Penetrationtest / AD-Security - S3cur3Th1sSh1t/WinPwn

  
  Read More

• Trustwave Corporation (via Public) / Malicious Macros Adapt to Use Microsoft Publisher to Push Ekipa RAT

  After Microsoft announced this year that macros from the Internet will be blocked by default in Office[1], many threat actors have switched to different file types such as Windows Shortcut (LNK), I...

  
  Read More

• WinPwn – Tool for internal Windows Pentesting and AD-Security

  

  If you are using ObfusWinPwn.ps1 - its now making use of the project https://amsi.fail/ by Flangvik, i am not responsible for the code hosted there - but the

  
  Read More

• atomic-red-team/atomics/T1082/T1082.md at 4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• grep.app | code search

  Search across a half million git repos. Search by regular expression.

  
  Read More

Related rules

• HackTool - WinPwn Execution
• Potential Suspicious Activity Using SeCEdit
• Audit CVE Event
• UAC Bypass Using IDiagnostic Profile
• UAC Bypass Using IDiagnostic Profile - File