Analytics Story: Windows Post-Exploitation

Description

This analytic story identifies popular Windows post-exploitation tools such as winpeas.bat, winpeas.exe, WinPrivCheck.bat and many more.

Why it matters

These tools allow operators to find possible exploits or paths to privilege escalation and persistence on a targeted host. Ransomware operators, such as those behind the "Prestige ransomware", have also abused post-exploitation tools like winPEAS to scan a targeted Windows system for possible avenues to gain privileges and persistence.

| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score,
    count(All_Risk.calculated_risk_score) as risk_event_count,
    values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id,
    dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count,
    values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id,
    dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count,
    values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count
    from datamodel=Risk.All_Risk
    where All_Risk.analyticstories IN ("*Windows Post-Exploitation*")
    by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 4
| `windows_post_exploitation_risk_behavior_filter`
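As an added illustration, not part of the Splunk analytic story or its search, the Python below reproduces the aggregation logic of the tstats search above over a constructed set of risk events: it groups by risk object, object type and ATT&CK tactic, rolls up scores and annotations, and keeps only objects on which at least four distinct detections (sources) fired. The sample events, their field names and the ATT&CK IDs attached to each detection are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample risk events (not real data), shaped like the Risk.All_Risk
# fields the tstats search reads: one event per detection ("source") that fired.
STORY = "Windows Post-Exploitation"

def risk_event(ts, obj, source, tactic, tactic_id, technique_id, score=25, stories=(STORY,)):
    return {"_time": ts, "risk_object": obj, "risk_object_type": "system",
            "source": source, "mitre_tactic": tactic, "mitre_tactic_id": tactic_id,
            "mitre_technique_id": technique_id, "calculated_risk_score": score,
            "analyticstories": list(stories)}

RISK_EVENTS = [
    risk_event(1700000000, "WS01$", "Network Connection Discovery With Netstat", "Discovery", "TA0007", "T1049"),
    risk_event(1700000300, "WS01$", "Net Localgroup Discovery", "Discovery", "TA0007", "T1069.001"),
    risk_event(1700000600, "WS01$", "Windows System User Discovery Via Quser", "Discovery", "TA0007", "T1033"),
    risk_event(1700000900, "WS01$", "Windows Information Discovery Fsutil", "Discovery", "TA0007", "T1082"),
    risk_event(1700001200, "WS01$", "Windows Information Discovery Fsutil", "Discovery", "TA0007", "T1082"),  # same source again
    risk_event(1700000100, "WS02$", "Net Localgroup Discovery", "Discovery", "TA0007", "T1069.001"),
    risk_event(1700000200, "WS02$", "Windows System User Discovery Via Quser", "Discovery", "TA0007", "T1033"),
    risk_event(1700000400, "WS02$", "Hypothetical Other Detection", "Discovery", "TA0007", "T1087", stories=("Other Story",)),
]

def aggregate_risk(events, story=STORY, min_sources=4):
    """Python equivalent of the story's tstats search: group risk events by
    (risk_object, risk_object_type, mitre_tactic), roll up scores and ATT&CK
    annotations, and keep only groups in which at least min_sources distinct
    detections fired (the `where source_count >= 4` clause)."""
    groups = defaultdict(list)
    for ev in events:
        if story not in ev["analyticstories"]:  # All_Risk.analyticstories IN ("*...*")
            continue
        groups[(ev["risk_object"], ev["risk_object_type"], ev["mitre_tactic"])].append(ev)
    hits = []
    for (obj, obj_type, tactic), evs in groups.items():
        sources = sorted({e["source"] for e in evs})  # values(source) / dc(source)
        if len(sources) < min_sources:
            continue
        scores = [e["calculated_risk_score"] for e in evs]
        hits.append({
            "risk_object": obj, "risk_object_type": obj_type, "mitre_tactic": tactic,
            "firstTime": min(e["_time"] for e in evs), "lastTime": max(e["_time"] for e in evs),
            "risk_score": sum(scores), "risk_event_count": len(scores),
            "mitre_tactic_id": sorted({e["mitre_tactic_id"] for e in evs}),
            "mitre_technique_id": sorted({e["mitre_technique_id"] for e in evs}),
            "source": sources, "source_count": len(sources),
        })
    return hits
```

Note that a single noisy detection firing repeatedly on one host does not raise source_count, which is why the search keys on distinct sources rather than on the raw event count.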

Detections

Name | Technique | Type
Create or delete windows shares using net exe | Indicator Removal, Network Share Connection Removal | TTP
Domain Group Discovery With Net | Permission Groups Discovery, Domain Groups | Hunting
Excessive Usage Of Cacls App | File and Directory Permissions Modification | Anomaly
Excessive Usage Of Net App | Account Access Removal | Anomaly
Net Localgroup Discovery | Permission Groups Discovery, Local Groups | Hunting
Network Connection Discovery With Arp | System Network Connections Discovery | Hunting
Network Connection Discovery With Net | System Network Connections Discovery | Hunting
Network Connection Discovery With Netstat | System Network Connections Discovery | Hunting
Network Discovery Using Route Windows App | System Network Configuration Discovery, Internet Connection Discovery | Hunting
Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP
Windows Cached Domain Credentials Reg Query | Cached Domain Credentials, OS Credential Dumping | Anomaly
Windows ClipBoard Data via Get-ClipBoard | Clipboard Data | Anomaly
Windows Credentials from Password Stores Query | Credentials from Password Stores | Anomaly
Windows Credentials in Registry Reg Query | Credentials in Registry, Unsecured Credentials | Anomaly
Windows Indirect Command Execution Via forfiles | Indirect Command Execution | TTP
Windows Indirect Command Execution Via Series Of Forfiles | Indirect Command Execution | Anomaly
Windows Information Discovery Fsutil | System Information Discovery | Anomaly
Windows Modify Registry Reg Restore | Query Registry | Hunting
Windows Password Managers Discovery | Password Managers | Anomaly
Windows Private Keys Discovery | Private Keys, Unsecured Credentials | Anomaly
Windows Query Registry Reg Save | Query Registry | Hunting
Windows Security Support Provider Reg Query | Security Support Provider, Boot or Logon Autostart Execution | Anomaly
Windows Steal or Forge Kerberos Tickets Klist | Steal or Forge Kerberos Tickets | Hunting
Windows System Network Config Discovery Display DNS | System Network Configuration Discovery | Anomaly
Windows System Network Connections Discovery Netsh | System Network Connections Discovery | Anomaly
Windows System User Discovery Via Quser | System Owner/User Discovery | Hunting
Windows WMI Process And Service List | Windows Management Instrumentation | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security

Source: GitHub | Version: 1