HackTool - WinPwn Execution

calendar Apr 28, 2026 · attack.credential-access attack.discovery attack.execution attack.privilege-escalation attack.t1046 attack.t1082 attack.t1106 attack.t1518 attack.t1548.002 attack.t1552.001 attack.t1555 attack.t1555.003  ·
Share on: linkedin copy

Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Sigma rule (View on GitHub)

 1title: HackTool - WinPwn Execution
 2id: d557dc06-62e8-4468-a8e8-7984124908ce
 3related:
 4    - id: 851fd622-b675-4d26-b803-14bc7baa517a
 5      type: similar
 6status: test
 7description: |
 8        Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
 9author: Swachchhanda Shrawan Poudel
10date: 2023-12-04
11references:
12    - https://github.com/S3cur3Th1sSh1t/WinPwn
13    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
14    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
15    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
16    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
17tags:
18    - attack.credential-access
19    - attack.discovery
20    - attack.execution
21    - attack.privilege-escalation
22    - attack.t1046
23    - attack.t1082
24    - attack.t1106
25    - attack.t1518
26    - attack.t1548.002
27    - attack.t1552.001
28    - attack.t1555
29    - attack.t1555.003
30logsource:
31    category: process_creation
32    product: windows
33detection:
34    selection:
35        CommandLine|contains:
36            - 'Offline_Winpwn'
37            - 'WinPwn '
38            - 'WinPwn.exe'
39            - 'WinPwn.ps1'
40    condition: selection
41falsepositives:
42    - Unknown
43level: high

References

Related rules

to-top