HackTool - WinPwn Execution

Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Sigma rule (View on GitHub)

 1title: HackTool - WinPwn Execution
 2id: d557dc06-62e8-4468-a8e8-7984124908ce
 3related:
 4    - id: 851fd622-b675-4d26-b803-14bc7baa517a
 5      type: similar
 6status: test
 7description: |
 8        Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
 9author: Swachchhanda Shrawan Poudel
10date: 2023-12-04
11references:
12    - https://github.com/S3cur3Th1sSh1t/WinPwn
13    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
14    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
15    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
16    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
17tags:
18    - attack.credential-access
19    - attack.defense-evasion
20    - attack.discovery
21    - attack.execution
22    - attack.privilege-escalation
23    - attack.t1046
24    - attack.t1082
25    - attack.t1106
26    - attack.t1518
27    - attack.t1548.002
28    - attack.t1552.001
29    - attack.t1555
30    - attack.t1555.003
31logsource:
32    category: process_creation
33    product: windows
34detection:
35    selection:
36        CommandLine|contains:
37            - 'Offline_Winpwn'
38            - 'WinPwn '
39            - 'WinPwn.exe'
40            - 'WinPwn.ps1'
41    condition: selection
42falsepositives:
43    - Unknown
44level: high

References

Related rules

to-top