PUA - PingCastle Execution
Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.
Sigma rule

title: PUA - PingCastle Execution
id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c
related:
    - id: b37998de-a70b-4f33-b219-ec36bf433dc0
      type: derived
status: test
description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.
references:
    - https://github.com/vletoux/pingcastle
    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
    - https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450
    - https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680
    - https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699
    - https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8
    - https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024-01-11
tags:
    - attack.reconnaissance
    - attack.t1595
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Hashes|contains:
              # PingCastle.exe
              - 'MD5=f741f25ac909ee434e50812d436c73ff'
              - 'MD5=d40acbfc29ee24388262e3d8be16f622'
              - 'MD5=01bb2c16fadb992fa66228cd02d45c60'
              - 'MD5=9e1b18e62e42b5444fc55b51e640355b'
              - 'MD5=b7f8fe33ac471b074ca9e630ba0c7e79'
              - 'MD5=324579d717c9b9b8e71d0269d13f811f'
              - 'MD5=63257a1ddaf83cfa43fe24a3bc06c207'
              - 'MD5=049e85963826b059c9bac273bb9c82ab'
              - 'MD5=ecb98b7b4d4427eb8221381154ff4cb2'
              - 'MD5=faf87749ac790ec3a10dd069d10f9d63'
              - 'MD5=f296dba5d21ad18e6990b1992aea8f83'
              - 'MD5=93ba94355e794b6c6f98204cf39f7a11'
              - 'MD5=a258ef593ac63155523a461ecc73bdba'
              - 'MD5=97000eb5d1653f1140ee3f47186463c4'
              - 'MD5=95eb317fbbe14a82bd9fdf31c48b8d93'
              - 'MD5=32fe9f0d2630ac40ea29023920f20f49'
              - 'MD5=a05930dde939cfd02677fc18bb2b7df5'
              - 'MD5=124283924e86933ff9054a549d3a268b'
              - 'MD5=ceda6909b8573fdeb0351c6920225686'
              - 'MD5=60ce120040f2cd311c810ae6f6bbc182'
              - 'MD5=2f10cdc5b09100a260703a28eadd0ceb'
              - 'MD5=011d967028e797a4c16d547f7ba1463f'
              - 'MD5=2da9152c0970500c697c1c9b4a9e0360'
              - 'MD5=b5ba72034b8f44d431f55275bace9f8b'
              - 'MD5=d6ed9101df0f24e27ff92ddab42dacca'
              - 'MD5=3ed3cdb6d12aa1ac562ad185cdbf2d1d'
              - 'MD5=5e083cd0143ae95a6cb79b68c07ca573'
              - 'MD5=28caff93748cb84be70486e79f04c2df'
              - 'MD5=9d4f12c30f9b500f896efd1800e4dd11'
              - 'MD5=4586f7dd14271ad65a5fb696b393f4c0'
              - 'MD5=86ba9dddbdf49215145b5bcd081d4011'
              - 'MD5=9dce0a481343874ef9a36c9a825ef991'
              - 'MD5=85890f62e231ad964b1fda7a674747ec'
              - 'MD5=599be548da6441d7fe3e9a1bb8cb0833'
              - 'MD5=9b0c7fd5763f66e9b8c7b457fce53f96'
              - 'MD5=32d45718164205aec3e98e0223717d1d'
              - 'MD5=6ff5f373ee7f794cd17db50704d00ddb'
              - 'MD5=88efbdf41f0650f8f58a3053b0ca0459'
              - 'MD5=ef915f61f861d1fb7cbde9afd2e7bd93'
              - 'MD5=781fa16511a595757154b4304d2dd350'
              - 'MD5=5018ec39be0e296f4fc8c8575bfa8486'
              - 'MD5=f4a84d6f1caf0875b50135423d04139f'
              - 'SHA1=9c1431801fa6342ed68f047842b9a11778fc669b'
              - 'SHA1=c36c862f40dad78cb065197aad15fef690c262f2'
              - 'SHA1=bc8e23faea8b3c537f268b3e81d05b937012272d'
              - 'SHA1=12e0357658614ff60d480d1a6709be68a2e40c5f'
              - 'SHA1=18b33ab5719966393d424a3edbfa8dec225d98fa'
              - 'SHA1=f14c9633040897d375e3069fddc71e859f283778'
              - 'SHA1=08041b426c9f112ad2061bf3c8c718e34739d4fc'
              - 'SHA1=7be77c885d0c9a4af4cecc64d512987cf93ba937'
              - 'SHA1=72dbb719b05f89d9d2dbdf186714caf7639daa36'
              - 'SHA1=5b1498beb2cfb4d971e377801e7abce62c0e315b'
              - 'SHA1=292629c6ab33bddf123d26328025e2d157d9e8fc'
              - 'SHA1=be59e621e83a2d4c87b0e6c69a2d22f175408b11'
              - 'SHA1=0250ce9a716ab8cca1c70a9de4cbc49a51934995'
              - 'SHA1=607e1fa810c799735221a609af3bfc405728c02d'
              - 'SHA1=ab1c547f6d1c07a9e0a01e46adea3aae1cac12e3'
              - 'SHA1=044cf5698a8e6b0aeba5acb56567f06366a9a70a'
              - 'SHA1=ef2dea8c736d49607832986c6c2d6fdd68ba6491'
              - 'SHA1=efffc2bfb8af2e3242233db9a7109b903fc3f178'
              - 'SHA1=5a05d4320de9afbc84de8469dd02b3a109efb2d4'
              - 'SHA1=a785d88cf8b862a420b9be793ee6a9616aa94c84'
              - 'SHA1=5688d56cbaf0d934c4e37b112ba257e8fb63f4ea'
              - 'SHA1=5cd2ada1c26815fbfd6a0cd746d5d429c0d83a17'
              - 'SHA1=81d67b3d70c4e855cb11a453cc32997517708362'
              - 'SHA1=9cffce9de95e0109f4dfecce0ab2cb0a59cc58ad'
              - 'SHA1=09c6930d057f49c1c1e11cf9241fffc8c12df3a2'
              - 'SHA1=e27bf7db8d96db9d4c8a06ee5e9b8e9fcb86ac92'
              - 'SHA1=9e3c992415e390f9ada4d15c693b687f38a492d1'
              - 'SHA1=3f34a5ee303d37916584c888c4928e1c1164f92a'
              - 'SHA1=ea4c8c56a8f5c90a4c08366933e5fb2de611d0db'
              - 'SHA1=3150f14508ee4cae19cf09083499d1cda8426540'
              - 'SHA1=036ad9876fa552b1298c040e233d620ea44689c6'
              - 'SHA1=3a3c1dcb146bb4616904157344ce1a82cd173bf5'
              - 'SHA1=6230d6fca973fa26188dfbadede57afb4c15f75c'
              - 'SHA1=8f7b2a9b8842f339b1e33602b7f926ab65de1a4d'
              - 'SHA1=a586bb06b59a4736a47abff8423a54fe8e2c05c4'
              - 'SHA1=c82152cddf9e5df49094686531872ecd545976db'
              - 'SHA1=04c39ffc18533100aaa4f9c06baf2c719ac94a61'
              - 'SHA1=e082affa5cdb2d46452c6601a9e85acb8446b836'
              - 'SHA1=a075bfb6cf5c6451ce682197a87277c8bc188719'
              - 'SHA1=34c0c5839af1c92bce7562b91418443a2044c90d'
              - 'SHA1=74e10a9989e0ec8fe075537ac802bd3031ae7e08'
              - 'SHA1=3a515551814775df0ccbe09f219bc972eae45a10'
              - 'SHA256=90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b'
              - 'SHA256=5836c24f233f77342fee825f3cad73caab7ab4fb65ec2aec309fd12bc1317e85'
              - 'SHA256=e850e54b12331249c357a20604281b9abf8a91e6f3d957463fc625e6b126ef03'
              - 'SHA256=9e752f29edcd0db9931c20b173eee8d4d8196f87382c68a6e7eb4c8a44d58795'
              - 'SHA256=7a8c127d6c41f80d178d2315ed2f751ac91b1cd54d008af13680e04f068f426f'
              - 'SHA256=9f65e1c142c4f814e056a197a2241fd09e09acf245c62897109871137321a72a'
              - 'SHA256=c9b52d03c66d54d6391c643b3559184b1425c84a372081ec2bfed07ebf6af275'
              - 'SHA256=1b96f6218498aa6baf6f6c15b8f99e542077e33feb1ab5472bbbf7d4de43eb6b'
              - 'SHA256=768021fc242054decc280675750dec0a9e74e764b8646864c58756fa2386d2a2'
              - 'SHA256=1e1b32bef31be040f0f038fcb5a2d68fb192daaef23c6167f91793d21e06ebae'
              - 'SHA256=606bd75ed9d2d6107ea7ee67063d1761a99f2fb5e932c8344d11395d24587dd6'
              - 'SHA256=b489d3cdd158f040322ae5c8d0139ad28eff743c738a10f2d0255c7e149bd92a'
              - 'SHA256=ca7ecf04a8ad63aff330492c15270d56760cb223a607cdb1431fb00e1b9985d1'
              - 'SHA256=9dc4fca72463078b70f6516559a179c78400b06534e63ee12fb38adbe2632559'
              - 'SHA256=c00d2aee59bac087d769e09b5b7f832176f7714fefdc6af2502e6031e3eb37c2'
              - 'SHA256=a8e96d564687064190eaf865774f773def05fdbf651aa5bbf66216c077b863ef'
              - 'SHA256=84ed328cee2a0505e87662faf6fc57915e3a831c97ee88ad691f5c63522e139d'
              - 'SHA256=c143de99c57965d3a44c1fce6a97c2773b050609c1ea7f45688a4ca2422a5524'
              - 'SHA256=01d1efd5e552c59baa70c0778902233c05fde7de6e5cc156c62607df0804d36b'
              - 'SHA256=9a8dfeb7e3174f3510691e2b32d0f9088e0ed67d9ed1b2afbe450d70dec2016b'
              - 'SHA256=63b92a114075d855f706979d50ed3460fe39f8a2f5498b7657f0d14865117629'
              - 'SHA256=2eb014130ff837b6481c26f0d0152f84de22ca7370b15a4f51921e0054a2a358'
              - 'SHA256=7d5bb4271bf8ca2b63a59e731f3ec831dbda53adb8e28665e956afb4941f32ca'
              - 'SHA256=e57098a75bf32e127c214b61bfba492d6b209e211f065fcc84ff10637a2143ea'
              - 'SHA256=dd14dbcdbcfcf4bc108a926b9667af4944a3b6faf808cf1bb9a3a2554722e172'
              - 'SHA256=dca2b1b824cb28bd15577eace45bde7ff8f8f44705b17085524659de31761de4'
              - 'SHA256=8b95f339a07d59a8c8d8580283dffb9e8dfabdeb9171e42c948ab68c71afe7f2'
              - 'SHA256=5428a840fab6ac4a0ecb2fc20dbc5f928432b00b9297dd1cb6e69336f44eba66'
              - 'SHA256=e2517ae0fccaa4aefe039026a4fc855964f0c2a5f84177140200b0e58ddbfd27'
              - 'SHA256=75d05880de2593480254181215dd9a0075373876f2f4a2a4a9a654b2e0729a41'
              - 'SHA256=56490e14ce3817c3a1ddc0d97b96e90d6351bcd29914e7c9282f6a998cca84b1'
              - 'SHA256=f25d0a5e77e4ed9e7c4204a33cfc8e46281b43adbee550b15701dd00f41bdbe0'
              - 'SHA256=845a5fdcbb08e7efa7e0eabfcd881c9eebc0eec0a3a2f8689194e6b91b6eeaf8'
              - 'SHA256=9a89e6652e563d26a3f328ba23d91f464c9549da734557c5a02559df24b2700d'
              - 'SHA256=5614f2bc9b2ed414aab2c5c7997bdcbe8236e67ced8f91a63d1b6cfbe6e08726'
              - 'SHA256=37bf92dcedb47a90d8d38ebda8d8dd168ef5803dcb01161f8cf6d68b70d49d90'
              - 'SHA256=ec8590f91f5cc21e931c57345425f0625a6e37dfba026b222260450de40459f5'
              - 'SHA256=3994eb72b1c227c593e14b8cad7001de11d1c247d4fbf84d0714bb8a17853140'
              - 'SHA256=d654f870436d63c9d8e4390d9d4d898abdf0456736c7654d71cdf81a299c3f87'
              - 'SHA256=63fbfabd4d8afb497dee47d112eb9d683671b75a8bf6407c4bd5027fd211b892'
              - 'SHA256=47028053f05188e6a366fff19bedbcad2bc4daba8ff9e4df724b77d0181b7054'
              - 'SHA256=7c1b1e8c880a30c43b3a52ee245f963a977e1f40284f4b83f4b9afe3821753dd'
        - Image|endswith: '\PingCastle.exe'
        - OriginalFileName: PingCastle.exe
        - Product: 'Ping Castle'
        - CommandLine|contains:
              - '--scanner aclcheck'
              - '--scanner antivirus'
              - '--scanner computerversion'
              - '--scanner foreignusers'
              - '--scanner laps_bitlocker'
              - '--scanner localadmin'
              - '--scanner nullsession'
              - '--scanner nullsession-trust'
              - '--scanner oxidbindings'
              - '--scanner remote'
              - '--scanner share'
              - '--scanner smb'
              - '--scanner smb3querynetwork'
              - '--scanner spooler'
              - '--scanner startup'
              - '--scanner zerologon'
        - CommandLine|contains: '--no-enum-limit'
        - CommandLine|contains|all:
              - '--healthcheck'
              - '--level Full'
        - CommandLine|contains|all:
              - '--healthcheck'
              - '--server '
    condition: selection
falsepositives:
    - Unknown
# Note: As this is a PUA the level may vary depending on your environment. Reduce or increase the level as you see fit
level: medium
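To show how the selection above behaves on process-creation telemetry, here is an added Python example (not part of the Sigma rule or of SigmaHQ tooling) that re-implements the selection's OR/AND semantics and runs it over constructed Sysmon-style events; only two of the rule's hash indicators are carried over, and the event field names follow Sysmon (Image, OriginalFileName, Product, CommandLine, Hashes).

```python
# Added example: re-implements the 'selection' of the rule above (not SigmaHQ code)
# and evaluates it over constructed events. Two hash indicators only; the rule has many more.
KNOWN_HASHES = (
    "MD5=f741f25ac909ee434e50812d436c73ff",
    "SHA256=90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b",
)
SCANNER_FLAGS = (
    "--scanner aclcheck", "--scanner antivirus", "--scanner computerversion",
    "--scanner foreignusers", "--scanner laps_bitlocker", "--scanner localadmin",
    "--scanner nullsession", "--scanner nullsession-trust", "--scanner oxidbindings",
    "--scanner remote", "--scanner share", "--scanner smb", "--scanner smb3querynetwork",
    "--scanner spooler", "--scanner startup", "--scanner zerologon",
)

def _contains(value, needles):
    """Sigma '|contains' with a list value: any needle matches, case-insensitive."""
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)

def _contains_all(value, needles):
    """Sigma '|contains|all': every needle must be present in the field."""
    v = (value or "").lower()
    return all(n.lower() in v for n in needles)

def matches_pingcastle(event):
    """True when any list item of 'selection' matches (list items are OR-ed)."""
    cmd = event.get("CommandLine")
    return (
        _contains(event.get("Hashes"), KNOWN_HASHES)
        or (event.get("Image") or "").lower().endswith("\\pingcastle.exe")
        or (event.get("OriginalFileName") or "").lower() == "pingcastle.exe"
        or (event.get("Product") or "").lower() == "ping castle"
        or _contains(cmd, SCANNER_FLAGS)
        or _contains(cmd, ("--no-enum-limit",))
        or _contains_all(cmd, ("--healthcheck", "--level Full"))
        or _contains_all(cmd, ("--healthcheck", "--server "))  # trailing space is part of the rule
    )

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Temp\pc.exe", "CommandLine": "pc.exe --healthcheck --level Full"},
    {"Image": r"C:\Tools\PingCastle.exe", "CommandLine": "PingCastle.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c run.bat --healthcheck"},
]

def run_detection(events=SAMPLE_EVENTS):
    """Return one verdict per event; the renamed binary is still caught by its command line."""
    return [matches_pingcastle(e) for e in events]
```

The third event carries `--healthcheck` alone and does not match, because both `contains|all` items require a second term; a renamed binary with a changed command line would only be caught via the Hashes branch.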
Related rules
- PUA - PingCastle Execution From Potentially Suspicious Parent
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- Azure AD Account Credential Leaked
- Bitbucket User Details Export Attempt Detected