attack.t1552.001

HackTool - WinPwn Execution

Dec 4, 2023 · attack.credential_access attack.defense_evasion attack.discovery attack.execution attack.privilege_escalation attack.t1046 attack.t1082 attack.t1106 attack.t1518 attack.t1548.002 attack.t1552.001 attack.t1555 attack.t1555.003 ·

Share on:

Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

HackTool - WinPwn Execution - ScriptBlock

Dec 4, 2023 · attack.credential_access attack.defense_evasion attack.discovery attack.execution attack.privilege_escalation attack.t1046 attack.t1082 attack.t1106 attack.t1518 attack.t1548.002 attack.t1552.001 attack.t1555 attack.t1555.003 ·

Share on:

Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Copy Passwd Or Shadow From TMP Path

Dec 1, 2023 · attack.credential_access attack.t1552.001 ·

Share on:

Detects when the file "passwd" or "shadow" is copied from tmp path

Insensitive Subfolder Search Via Findstr.EXE

Nov 15, 2023 · attack.defense_evasion attack.t1218 attack.t1564.004 attack.t1552.001 attack.t1105 ·

Share on:

Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.

Remote File Download Via Findstr.EXE

Nov 15, 2023 · attack.defense_evasion attack.t1218 attack.t1564.004 attack.t1552.001 attack.t1105 ·

Share on:

Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.

Typical HiveNightmare SAM File Export

Oct 18, 2023 · attack.credential_access attack.t1552.001 cve.2021.36934 ·

Share on:

Detects files written by the different tools that exploit HiveNightmare

Azure Key Vault Modified or Deleted

Oct 17, 2023 · attack.impact attack.credential_access attack.t1552 attack.t1552.001 ·

Share on:

Identifies when a key vault is modified or deleted.

Azure Keyvault Key Modified or Deleted

Oct 17, 2023 · attack.impact attack.credential_access attack.t1552 attack.t1552.001 ·

Share on:

Identifies when a Keyvault Key is modified or deleted in Azure.

Azure Keyvault Secrets Modified or Deleted

Oct 17, 2023 · attack.impact attack.credential_access attack.t1552 attack.t1552.001 ·

Share on:

Identifies when secrets are modified or deleted in Azure.

Linux Recon Indicators

Oct 17, 2023 · attack.reconnaissance attack.t1592.004 attack.credential_access attack.t1552.001 ·

Share on:

Detects events with patterns found in commands used for reconnaissance on linux systems

Extract Credentials From IIS Application Pool Configuration Files

Sep 13, 2023 · attack.CredentialAccess attack.T1552.001 ·

Share on:

Detects the execution of appcmd.exe that is used to extract credentials from configuration files. IIS application pools can run as different users for security and isolation purposes. When a user is specified for the application pool, their credentials are stored in plaintext in the configuration file.

Potential Russian APT Credential Theft Activity

Jun 20, 2023 · attack.credential_access attack.t1552.001 attack.t1003.003 detection.emerging_threats ·

Share on:

Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike

Credentials In Files - Linux

Apr 30, 2023 · attack.credential_access attack.t1552.001 ·

Share on:

Detecting attempts to extract passwords with grep

Suspicious Active Directory Database Snapshot Via ADExplorer

Mar 15, 2023 · attack.credential_access attack.t1552.001 attack.t1003.003 ·

Share on:

Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory.

Active Directory Database Snapshot Via ADExplorer

Mar 14, 2023 · attack.credential_access attack.t1552.001 attack.t1003.003 ·

Share on:

Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database.

Automated Collection Command Prompt

Feb 21, 2023 · attack.collection attack.t1119 attack.credential_access attack.t1552.001 ·

Share on:

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

iOS Implant URL Pattern

Feb 1, 2023 · attack.execution attack.t1203 attack.collection attack.t1005 attack.t1119 attack.credential_access attack.t1528 attack.t1552.001 ·

Share on:

Detects URL pattern used by iOS Implant

Cisco Collect Data

Jan 4, 2023 · attack.discovery attack.credential_access attack.collection attack.t1087.001 attack.t1552.001 attack.t1005 ·

Share on:

Collect pertinent data from the configuration files

Extracting Information with PowerShell

Jan 4, 2023 · attack.credential_access attack.t1552.001 ·

Share on:

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

Suspicious Unattend.xml File Access

Dec 27, 2022 · attack.credential_access attack.t1552.001 ·

Share on:

Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process