Permission Check Via Accesschk.EXE

 1title: Permission Check Via Accesschk.EXE
 2id: c625d754-6a3d-4f65-9c9a-536aea960d37
 3status: test
 4description: Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges
 5references:
 6    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43
 7    - https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW
 8    - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat
 9    - https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat
10author: Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)
11date: 2020/10/13
12modified: 2023/02/20
13tags:
14    - attack.discovery
15    - attack.t1069.001
16logsource:
17    product: windows
18    category: process_creation
19detection:
20    selection_img:
21        - Product|endswith: 'AccessChk'
22        - Description|contains: 'Reports effective permissions'
23        - Image|endswith:
24              - '\accesschk.exe'
25              - '\accesschk64.exe'
26        - OriginalFileName: 'accesschk.exe'
27    selection_cli:
28        CommandLine|contains: # These are the most common flags used with this tool. You could add other combinations if needed
29            - 'uwcqv '
30            - 'kwsu '
31            - 'qwsu '
32            - 'uwdqs '
33    condition: all of selection*
34fields:
35    - IntegrityLevel
36    - Product
37    - Description
38    - CommandLine
39falsepositives:
40    - System administrator Usage
41level: medium

References

• Hunting for Privilege Escalation in Windows Environment

  

  Slides from my talk at the OFFZONE 2018 conference (https://www.offzone.moscow/report/hunting-for-privilege-escalation-in-windows-environment/)

  
  Read More

• YouTube

  

  Share your videos with friends, family, and the world

  
  Read More

• PEASS-ng/winPEAS/winPEASbat/winPEAS.bat at fa0f2e17fbc1d86f1fd66338a40e665e7182501d · peass-ng/PEASS-ng

  

  PEASS - Privilege Escalation Awesome Scripts SUITE (with colors) - peass-ng/PEASS-ng

  
  Read More

• Powerless/Powerless.bat at 04f553bbc0c65baf4e57344deff84e3f016e6b51 · gladiatx0r/Powerless

  

  Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind - gladiatx0r/Powerless

  
  Read More

Related rules

• AD Groups Or Users Enumeration Using PowerShell - PoshModule
• HackTool - Bloodhound/Sharphound Execution
• Suspicious Get Local Groups Information
• Suspicious Get Information for SMB Share - PowerShell Module
• Suspicious Get Local Groups Information - PowerShell