Description
This analytic story identifies the activity of popular Windows post-exploitation tools, for example winpeas.bat, winpeas.exe and WinPrivCheck.bat, by detecting the host, network, permission-group and credential discovery commands they run.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Risk
- Last Updated: 2022-11-30
- Author: Teoderick Contreras, Splunk
- ID: 992899b7-a5cf-4bcd-bb0d-cf81762188ba
Narrative
These tools let an operator enumerate possible exploits and paths to privilege escalation and persistence on a targeted host. Ransomware operators abuse them as well: the “Prestige ransomware” intrusions, for example, used winPEAS to scan a compromised Windows host for ways to gain privileges and establish persistence. Because most of the individual commands these tools run (net, netstat, arp, route, reg query, klist, quser) are also used by administrators, the story pairs the narrow hunting and anomaly detections below with correlation searches that fire only when several of them hit the same host.
Detections
Name | Technique | Type
Create or delete windows shares using net exe | Indicator Removal, Network Share Connection Removal | TTP
Domain Group Discovery With Net | Permission Groups Discovery, Domain Groups | Hunting
Excessive Usage Of Cacls App | File and Directory Permissions Modification | Anomaly
Excessive Usage Of Net App | Account Access Removal | Anomaly
Net Localgroup Discovery | Permission Groups Discovery, Local Groups | Hunting
Network Connection Discovery With Arp | System Network Connections Discovery | Hunting
Network Connection Discovery With Net | System Network Connections Discovery | Hunting
Network Connection Discovery With Netstat | System Network Connections Discovery | Hunting
Network Discovery Using Route Windows App | System Network Configuration Discovery, Internet Connection Discovery | Hunting
Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP
Windows Cached Domain Credentials Reg Query | Cached Domain Credentials, OS Credential Dumping | Anomaly
Windows ClipBoard Data via Get-ClipBoard | Clipboard Data | Anomaly
Windows Common Abused Cmd Shell Risk Behavior | File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter | Correlation
Windows Credentials from Password Stores Query | Credentials from Password Stores | Anomaly
Windows Credentials in Registry Reg Query | Credentials in Registry, Unsecured Credentials | Anomaly
Windows Indirect Command Execution Via Series Of Forfiles | Indirect Command Execution | Anomaly
Windows Indirect Command Execution Via forfiles | Indirect Command Execution | TTP
Windows Information Discovery Fsutil | System Information Discovery | Anomaly
Windows Modify Registry Reg Restore | Query Registry | Hunting
Windows Password Managers Discovery | Password Managers | Anomaly
Windows Post Exploitation Risk Behavior | Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Information Discovery, Clipboard Data, Unsecured Credentials | Correlation
Windows Private Keys Discovery | Private Keys, Unsecured Credentials | Anomaly
Windows Query Registry Reg Save | Query Registry | Hunting
Windows Security Support Provider Reg Query | Security Support Provider, Boot or Logon Autostart Execution | Anomaly
Windows Steal or Forge Kerberos Tickets Klist | Steal or Forge Kerberos Tickets | Hunting
Windows System Network Config Discovery Display DNS | System Network Configuration Discovery | Anomaly
Windows System Network Connections Discovery Netsh | System Network Connections Discovery | Anomaly
Windows System User Discovery Via Quser | System Owner/User Discovery | Hunting
Windows WMI Process And Service List | Windows Management Instrumentation | Anomaly
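The two-stage logic behind this story, as an added example that is not part of the Splunk content or its SPL searches: each hunting or anomaly detection is a narrow match on one command line, and the "Windows Post Exploitation Risk Behavior" correlation fires only when several distinct detections hit the same host in a short window, which is what a winPEAS-style sweep looks like on an endpoint. The script below reproduces that shape in plain Python over constructed process-creation events. The regexes, the five-minute window, the threshold of four distinct detections and the sample events are all assumptions made for the demonstration; the real searches run over the Endpoint datamodel and are more precise than these patterns.

```python
"""Added example: correlate narrow discovery-command matches into one host-level alert."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Stage one: one regex per story detection (a subset), keyed by the detection's name.
# These are illustrative approximations of the SPL searches, not the searches themselves.
DETECTIONS = {
    "Net Localgroup Discovery": r"\bnet1?(\.exe)?\s+localgroup\b",
    "Network Connection Discovery With Arp": r"\barp(\.exe)?\s+-a\b",
    "Network Connection Discovery With Netstat": r"\bnetstat(\.exe)?\s+-",
    "Network Discovery Using Route Windows App": r"\broute(\.exe)?\s+print\b",
    "Windows Cached Domain Credentials Reg Query": r"\breg(\.exe)?\s+query\b.*\\security\\cache\b",
    "Windows Steal or Forge Kerberos Tickets Klist": r"\bklist(\.exe)?\b",
    "Windows System User Discovery Via Quser": r"\bquser(\.exe)?\b",
    "Windows System Network Config Discovery Display DNS": r"\bipconfig(\.exe)?\s+/displaydns\b",
    "Windows ClipBoard Data via Get-ClipBoard": r"\bGet-Clipboard\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in DETECTIONS.items()}


def match_event(cmdline: str) -> list[str]:
    """Return the names of every detection whose pattern matches this command line."""
    return [name for name, rx in COMPILED.items() if rx.search(cmdline)]


def correlate(events, window_minutes: int = 5, threshold: int = 4) -> dict[str, list[str]]:
    """Stage two: flag hosts on which at least `threshold` distinct detections fired
    within any `window_minutes` span. `events` is an iterable of dicts with keys
    time (datetime), host and cmdline. Returns {host: sorted detection names} using
    the densest qualifying window seen for that host."""
    per_host: dict[str, list[tuple[datetime, list[str]]]] = defaultdict(list)
    for ev in events:
        names = match_event(ev["cmdline"])
        if names:
            per_host[ev["host"]].append((ev["time"], names))

    flagged: dict[str, list[str]] = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        best: set[str] = set()
        for i, (start, _) in enumerate(hits):  # slide the window over each hit as its start
            seen: set[str] = set()
            for t, names in hits[i:]:
                if (t - start).total_seconds() > window_minutes * 60:
                    break
                seen.update(names)
            if len(seen) > len(best):
                best = seen
        if len(best) >= threshold:
            flagged[host] = sorted(best)
    return flagged


def _t(hhmm: str) -> datetime:
    """Helper for the constructed sample: a time on the story's last-updated date."""
    return datetime(2022, 11, 30, int(hhmm[:2]), int(hhmm[3:]))


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    # WS01: a winPEAS-style sweep, eight discovery commands in three minutes
    {"time": _t("10:00"), "host": "WS01", "user": "CORP\\jdoe", "cmdline": "net localgroup administrators"},
    {"time": _t("10:00"), "host": "WS01", "user": "CORP\\jdoe", "cmdline": "arp -a"},
    {"time": _t("10:01"), "host": "WS01", "user": "CORP\\jdoe", "cmdline": "netstat -ano"},
    {"time": _t("10:01"), "host": "WS01", "user": "CORP\\jdoe", "cmdline": "route print"},
    {"time": _t("10:02"), "host": "WS01", "user": "CORP\\jdoe", "cmdline": r"reg query HKLM\SECURITY\Cache"},
    {"time": _t("10:02"), "host": "WS01", "user": "CORP\\jdoe", "cmdline": "klist"},
    {"time": _t("10:03"), "host": "WS01", "user": "CORP\\jdoe", "cmdline": "quser"},
    {"time": _t("10:03"), "host": "WS01", "user": "CORP\\jdoe", "cmdline": "ipconfig /displaydns"},
    # WS02: an administrator troubleshooting the network over the course of a day
    {"time": _t("09:15"), "host": "WS02", "user": "CORP\\admin", "cmdline": "netstat -ano"},
    {"time": _t("11:40"), "host": "WS02", "user": "CORP\\admin", "cmdline": "route print"},
    {"time": _t("16:05"), "host": "WS02", "user": "CORP\\admin", "cmdline": "arp -a"},
    # WS03: a lone clipboard read from a script, no other discovery
    {"time": _t("12:00"), "host": "WS03", "user": "CORP\\svc", "cmdline": "powershell.exe -c Get-Clipboard"},
]

if __name__ == "__main__":
    for host, names in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {len(names)} distinct post-exploitation detections")
        for n in names:
            print(f"  - {n}")
```

Run stand-alone, only WS01 is reported; WS02 triggers three of the same single-command detections but spread across a working day, and WS03 triggers one, so neither reaches the correlation threshold. Widening the window or lowering the threshold pulls WS02 in, which is the tuning trade-off the anomaly-plus-correlation design exists to manage.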
Reference
source | version: 1