PUA - PingCastle Execution

Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.

Sigma rule (View on GitHub)

  1title: PUA - PingCastle Execution
  2id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c
  3related:
  4    - id: b37998de-a70b-4f33-b219-ec36bf433dc0
  5      type: derived
  6status: experimental
  7description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.
  8references:
  9    - https://github.com/vletoux/pingcastle
 10    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
 11    - https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450
 12    - https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680
 13    - https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699
 14    - https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8
 15    - https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
 16author: Nasreddine Bencherchali (Nextron Systems), frack113
 17date: 2024-01-11
 18tags:
 19    - attack.reconnaissance
 20    - attack.t1595
 21logsource:
 22    category: process_creation
 23    product: windows
 24detection:
 25    selection:
 26        - Hashes|contains:
 27              # PingCastle.exe
 28              - 'MD5=f741f25ac909ee434e50812d436c73ff'
 29              - 'MD5=d40acbfc29ee24388262e3d8be16f622'
 30              - 'MD5=01bb2c16fadb992fa66228cd02d45c60'
 31              - 'MD5=9e1b18e62e42b5444fc55b51e640355b'
 32              - 'MD5=b7f8fe33ac471b074ca9e630ba0c7e79'
 33              - 'MD5=324579d717c9b9b8e71d0269d13f811f'
 34              - 'MD5=63257a1ddaf83cfa43fe24a3bc06c207'
 35              - 'MD5=049e85963826b059c9bac273bb9c82ab'
 36              - 'MD5=ecb98b7b4d4427eb8221381154ff4cb2'
 37              - 'MD5=faf87749ac790ec3a10dd069d10f9d63'
 38              - 'MD5=f296dba5d21ad18e6990b1992aea8f83'
 39              - 'MD5=93ba94355e794b6c6f98204cf39f7a11'
 40              - 'MD5=a258ef593ac63155523a461ecc73bdba'
 41              - 'MD5=97000eb5d1653f1140ee3f47186463c4'
 42              - 'MD5=95eb317fbbe14a82bd9fdf31c48b8d93'
 43              - 'MD5=32fe9f0d2630ac40ea29023920f20f49'
 44              - 'MD5=a05930dde939cfd02677fc18bb2b7df5'
 45              - 'MD5=124283924e86933ff9054a549d3a268b'
 46              - 'MD5=ceda6909b8573fdeb0351c6920225686'
 47              - 'MD5=60ce120040f2cd311c810ae6f6bbc182'
 48              - 'MD5=2f10cdc5b09100a260703a28eadd0ceb'
 49              - 'MD5=011d967028e797a4c16d547f7ba1463f'
 50              - 'MD5=2da9152c0970500c697c1c9b4a9e0360'
 51              - 'MD5=b5ba72034b8f44d431f55275bace9f8b'
 52              - 'MD5=d6ed9101df0f24e27ff92ddab42dacca'
 53              - 'MD5=3ed3cdb6d12aa1ac562ad185cdbf2d1d'
 54              - 'MD5=5e083cd0143ae95a6cb79b68c07ca573'
 55              - 'MD5=28caff93748cb84be70486e79f04c2df'
 56              - 'MD5=9d4f12c30f9b500f896efd1800e4dd11'
 57              - 'MD5=4586f7dd14271ad65a5fb696b393f4c0'
 58              - 'MD5=86ba9dddbdf49215145b5bcd081d4011'
 59              - 'MD5=9dce0a481343874ef9a36c9a825ef991'
 60              - 'MD5=85890f62e231ad964b1fda7a674747ec'
 61              - 'MD5=599be548da6441d7fe3e9a1bb8cb0833'
 62              - 'MD5=9b0c7fd5763f66e9b8c7b457fce53f96'
 63              - 'MD5=32d45718164205aec3e98e0223717d1d'
 64              - 'MD5=6ff5f373ee7f794cd17db50704d00ddb'
 65              - 'MD5=88efbdf41f0650f8f58a3053b0ca0459'
 66              - 'MD5=ef915f61f861d1fb7cbde9afd2e7bd93'
 67              - 'MD5=781fa16511a595757154b4304d2dd350'
 68              - 'MD5=5018ec39be0e296f4fc8c8575bfa8486'
 69              - 'MD5=f4a84d6f1caf0875b50135423d04139f'
 70              - 'SHA1=9c1431801fa6342ed68f047842b9a11778fc669b'
 71              - 'SHA1=c36c862f40dad78cb065197aad15fef690c262f2'
 72              - 'SHA1=bc8e23faea8b3c537f268b3e81d05b937012272d'
 73              - 'SHA1=12e0357658614ff60d480d1a6709be68a2e40c5f'
 74              - 'SHA1=18b33ab5719966393d424a3edbfa8dec225d98fa'
 75              - 'SHA1=f14c9633040897d375e3069fddc71e859f283778'
 76              - 'SHA1=08041b426c9f112ad2061bf3c8c718e34739d4fc'
 77              - 'SHA1=7be77c885d0c9a4af4cecc64d512987cf93ba937'
 78              - 'SHA1=72dbb719b05f89d9d2dbdf186714caf7639daa36'
 79              - 'SHA1=5b1498beb2cfb4d971e377801e7abce62c0e315b'
 80              - 'SHA1=292629c6ab33bddf123d26328025e2d157d9e8fc'
 81              - 'SHA1=be59e621e83a2d4c87b0e6c69a2d22f175408b11'
 82              - 'SHA1=0250ce9a716ab8cca1c70a9de4cbc49a51934995'
 83              - 'SHA1=607e1fa810c799735221a609af3bfc405728c02d'
 84              - 'SHA1=ab1c547f6d1c07a9e0a01e46adea3aae1cac12e3'
 85              - 'SHA1=044cf5698a8e6b0aeba5acb56567f06366a9a70a'
 86              - 'SHA1=ef2dea8c736d49607832986c6c2d6fdd68ba6491'
 87              - 'SHA1=efffc2bfb8af2e3242233db9a7109b903fc3f178'
 88              - 'SHA1=5a05d4320de9afbc84de8469dd02b3a109efb2d4'
 89              - 'SHA1=a785d88cf8b862a420b9be793ee6a9616aa94c84'
 90              - 'SHA1=5688d56cbaf0d934c4e37b112ba257e8fb63f4ea'
 91              - 'SHA1=5cd2ada1c26815fbfd6a0cd746d5d429c0d83a17'
 92              - 'SHA1=81d67b3d70c4e855cb11a453cc32997517708362'
 93              - 'SHA1=9cffce9de95e0109f4dfecce0ab2cb0a59cc58ad'
 94              - 'SHA1=09c6930d057f49c1c1e11cf9241fffc8c12df3a2'
 95              - 'SHA1=e27bf7db8d96db9d4c8a06ee5e9b8e9fcb86ac92'
 96              - 'SHA1=9e3c992415e390f9ada4d15c693b687f38a492d1'
 97              - 'SHA1=3f34a5ee303d37916584c888c4928e1c1164f92a'
 98              - 'SHA1=ea4c8c56a8f5c90a4c08366933e5fb2de611d0db'
 99              - 'SHA1=3150f14508ee4cae19cf09083499d1cda8426540'
100              - 'SHA1=036ad9876fa552b1298c040e233d620ea44689c6'
101              - 'SHA1=3a3c1dcb146bb4616904157344ce1a82cd173bf5'
102              - 'SHA1=6230d6fca973fa26188dfbadede57afb4c15f75c'
103              - 'SHA1=8f7b2a9b8842f339b1e33602b7f926ab65de1a4d'
104              - 'SHA1=a586bb06b59a4736a47abff8423a54fe8e2c05c4'
105              - 'SHA1=c82152cddf9e5df49094686531872ecd545976db'
106              - 'SHA1=04c39ffc18533100aaa4f9c06baf2c719ac94a61'
107              - 'SHA1=e082affa5cdb2d46452c6601a9e85acb8446b836'
108              - 'SHA1=a075bfb6cf5c6451ce682197a87277c8bc188719'
109              - 'SHA1=34c0c5839af1c92bce7562b91418443a2044c90d'
110              - 'SHA1=74e10a9989e0ec8fe075537ac802bd3031ae7e08'
111              - 'SHA1=3a515551814775df0ccbe09f219bc972eae45a10'
112              - 'SHA256=90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b'
113              - 'SHA256=5836c24f233f77342fee825f3cad73caab7ab4fb65ec2aec309fd12bc1317e85'
114              - 'SHA256=e850e54b12331249c357a20604281b9abf8a91e6f3d957463fc625e6b126ef03'
115              - 'SHA256=9e752f29edcd0db9931c20b173eee8d4d8196f87382c68a6e7eb4c8a44d58795'
116              - 'SHA256=7a8c127d6c41f80d178d2315ed2f751ac91b1cd54d008af13680e04f068f426f'
117              - 'SHA256=9f65e1c142c4f814e056a197a2241fd09e09acf245c62897109871137321a72a'
118              - 'SHA256=c9b52d03c66d54d6391c643b3559184b1425c84a372081ec2bfed07ebf6af275'
119              - 'SHA256=1b96f6218498aa6baf6f6c15b8f99e542077e33feb1ab5472bbbf7d4de43eb6b'
120              - 'SHA256=768021fc242054decc280675750dec0a9e74e764b8646864c58756fa2386d2a2'
121              - 'SHA256=1e1b32bef31be040f0f038fcb5a2d68fb192daaef23c6167f91793d21e06ebae'
122              - 'SHA256=606bd75ed9d2d6107ea7ee67063d1761a99f2fb5e932c8344d11395d24587dd6'
123              - 'SHA256=b489d3cdd158f040322ae5c8d0139ad28eff743c738a10f2d0255c7e149bd92a'
124              - 'SHA256=ca7ecf04a8ad63aff330492c15270d56760cb223a607cdb1431fb00e1b9985d1'
125              - 'SHA256=9dc4fca72463078b70f6516559a179c78400b06534e63ee12fb38adbe2632559'
126              - 'SHA256=c00d2aee59bac087d769e09b5b7f832176f7714fefdc6af2502e6031e3eb37c2'
127              - 'SHA256=a8e96d564687064190eaf865774f773def05fdbf651aa5bbf66216c077b863ef'
128              - 'SHA256=84ed328cee2a0505e87662faf6fc57915e3a831c97ee88ad691f5c63522e139d'
129              - 'SHA256=c143de99c57965d3a44c1fce6a97c2773b050609c1ea7f45688a4ca2422a5524'
130              - 'SHA256=01d1efd5e552c59baa70c0778902233c05fde7de6e5cc156c62607df0804d36b'
131              - 'SHA256=9a8dfeb7e3174f3510691e2b32d0f9088e0ed67d9ed1b2afbe450d70dec2016b'
132              - 'SHA256=63b92a114075d855f706979d50ed3460fe39f8a2f5498b7657f0d14865117629'
133              - 'SHA256=2eb014130ff837b6481c26f0d0152f84de22ca7370b15a4f51921e0054a2a358'
134              - 'SHA256=7d5bb4271bf8ca2b63a59e731f3ec831dbda53adb8e28665e956afb4941f32ca'
135              - 'SHA256=e57098a75bf32e127c214b61bfba492d6b209e211f065fcc84ff10637a2143ea'
136              - 'SHA256=dd14dbcdbcfcf4bc108a926b9667af4944a3b6faf808cf1bb9a3a2554722e172'
137              - 'SHA256=dca2b1b824cb28bd15577eace45bde7ff8f8f44705b17085524659de31761de4'
138              - 'SHA256=8b95f339a07d59a8c8d8580283dffb9e8dfabdeb9171e42c948ab68c71afe7f2'
139              - 'SHA256=5428a840fab6ac4a0ecb2fc20dbc5f928432b00b9297dd1cb6e69336f44eba66'
140              - 'SHA256=e2517ae0fccaa4aefe039026a4fc855964f0c2a5f84177140200b0e58ddbfd27'
141              - 'SHA256=75d05880de2593480254181215dd9a0075373876f2f4a2a4a9a654b2e0729a41'
142              - 'SHA256=56490e14ce3817c3a1ddc0d97b96e90d6351bcd29914e7c9282f6a998cca84b1'
143              - 'SHA256=f25d0a5e77e4ed9e7c4204a33cfc8e46281b43adbee550b15701dd00f41bdbe0'
144              - 'SHA256=845a5fdcbb08e7efa7e0eabfcd881c9eebc0eec0a3a2f8689194e6b91b6eeaf8'
145              - 'SHA256=9a89e6652e563d26a3f328ba23d91f464c9549da734557c5a02559df24b2700d'
146              - 'SHA256=5614f2bc9b2ed414aab2c5c7997bdcbe8236e67ced8f91a63d1b6cfbe6e08726'
147              - 'SHA256=37bf92dcedb47a90d8d38ebda8d8dd168ef5803dcb01161f8cf6d68b70d49d90'
148              - 'SHA256=ec8590f91f5cc21e931c57345425f0625a6e37dfba026b222260450de40459f5'
149              - 'SHA256=3994eb72b1c227c593e14b8cad7001de11d1c247d4fbf84d0714bb8a17853140'
150              - 'SHA256=d654f870436d63c9d8e4390d9d4d898abdf0456736c7654d71cdf81a299c3f87'
151              - 'SHA256=63fbfabd4d8afb497dee47d112eb9d683671b75a8bf6407c4bd5027fd211b892'
152              - 'SHA256=47028053f05188e6a366fff19bedbcad2bc4daba8ff9e4df724b77d0181b7054'
153              - 'SHA256=7c1b1e8c880a30c43b3a52ee245f963a977e1f40284f4b83f4b9afe3821753dd'
154        - Image|endswith: '\PingCastle.exe'
155        - OriginalFileName: PingCastle.exe
156        - Product: 'Ping Castle'
157        - CommandLine|contains:
158              - '--scanner aclcheck'
159              - '--scanner antivirus'
160              - '--scanner computerversion'
161              - '--scanner foreignusers'
162              - '--scanner laps_bitlocker'
163              - '--scanner localadmin'
164              - '--scanner nullsession'
165              - '--scanner nullsession-trust'
166              - '--scanner oxidbindings'
167              - '--scanner remote'
168              - '--scanner share'
169              - '--scanner smb'
170              - '--scanner smb3querynetwork'
171              - '--scanner spooler'
172              - '--scanner startup'
173              - '--scanner zerologon'
174        - CommandLine|contains: '--no-enum-limit'
175        - CommandLine|contains|all:
176              - '--healthcheck'
177              - '--level Full'
178        - CommandLine|contains|all:
179              - '--healthcheck'
180              - '--server '
181    condition: selection
182falsepositives:
183    - Unknown
184# Note: As this is a PUA the level may vary depending on your environment. Reduce or increase the level as you see fit
185level: medium

References

Related rules

to-top