Analytics Story: Windows Post-Exploitation

Date: 2022-11-30 ID: 992899b7-a5cf-4bcd-bb0d-cf81762188ba Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

This analytic story identifies popular Windows post exploitation tools for example winpeas.bat, winpeas.exe, WinPrivCheck.bat and many more.

Why it matters

These tools allow operators to find possible exploits or paths for privilege escalation and persistence on a targeted host. Ransomware operator like the "Prestige ransomware" also used or abuses these post exploitation tools such as winPEAS to scan for possible avenue to gain privileges and persistence to a targeted Windows Operating System.

1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories IN ("*Windows Post-Exploitation*") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `windows_post_exploitation_risk_behavior_filter`

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Create or delete windows shares using net exe Network Share Connection Removal TTP
Excessive Usage Of Cacls App File and Directory Permissions Modification Anomaly
Network Connection Discovery With Arp System Network Connections Discovery Hunting
Network Connection Discovery With Netstat System Network Connections Discovery Hunting
Network Discovery Using Route Windows App Internet Connection Discovery Hunting
Recon AVProduct Through Pwh or WMI Gather Victim Host Information TTP
Windows Cached Domain Credentials Reg Query Cached Domain Credentials Anomaly
Windows ClipBoard Data via Get-ClipBoard Clipboard Data Anomaly
Windows Credentials from Password Stores Query Credentials from Password Stores Anomaly
Windows Credentials in Registry Reg Query Credentials in Registry Anomaly
Windows Excessive Usage Of Net App Account Access Removal Anomaly
Windows Group Discovery Via Net Local Groups, Domain Groups Hunting
Windows Indirect Command Execution Via forfiles Indirect Command Execution TTP
Windows Indirect Command Execution Via Series Of Forfiles Indirect Command Execution Anomaly
Windows Information Discovery Fsutil System Information Discovery Anomaly
Windows Network Connection Discovery Via Net System Network Connections Discovery Hunting
Windows Password Managers Discovery Password Managers Anomaly
Windows Private Keys Discovery Private Keys Anomaly
Windows Registry Entries Exported Via Reg Query Registry Hunting
Windows Registry Entries Restored Via Reg Query Registry Hunting
Windows Security Support Provider Reg Query Security Support Provider Anomaly
Windows Steal or Forge Kerberos Tickets Klist Steal or Forge Kerberos Tickets Hunting
Windows System Network Config Discovery Display DNS System Network Configuration Discovery Anomaly
Windows System Network Connections Discovery Netsh System Network Connections Discovery Anomaly
Windows System User Discovery Via Quser System Owner/User Discovery Hunting
Windows WMI Process And Service List Windows Management Instrumentation Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1