Windows Post-Exploitation

Description

This analytic story identifies popular Windows post exploitation tools for example winpeas.bat, winpeas.exe, WinPrivCheck.bat and many more.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel: Endpoint
Last Updated: 2022-11-30
Author: Teoderick Contreras, Splunk
ID: 992899b7-a5cf-4bcd-bb0d-cf81762188ba

Narrative

These tools allow operators to find possible exploits or paths for privilege escalation and persistence on a targeted host. Ransomware operator like the “Prestige ransomware” also used or abuses these post exploitation tools such as winPEAS to scan for possible avenue to gain privileges and persistence to a targeted Windows Operating System.

Detections

Name	Technique	Type
Create or delete windows shares using net exe	Indicator Removal, Network Share Connection Removal	TTP
Domain Group Discovery With Net	Permission Groups Discovery, Domain Groups	Hunting
Excessive Usage Of Cacls App	File and Directory Permissions Modification	Anomaly
Excessive Usage Of Net App	Account Access Removal	Anomaly
Net Localgroup Discovery	Permission Groups Discovery, Local Groups	Hunting
Network Connection Discovery With Arp	System Network Connections Discovery	Hunting
Network Connection Discovery With Net	System Network Connections Discovery	Hunting
Network Connection Discovery With Netstat	System Network Connections Discovery	Hunting
Network Discovery Using Route Windows App	System Network Configuration Discovery, Internet Connection Discovery	Hunting
Recon AVProduct Through Pwh or WMI	Gather Victim Host Information	TTP
Windows Cached Domain Credentials Reg Query	Cached Domain Credentials, OS Credential Dumping	Anomaly
Windows ClipBoard Data via Get-ClipBoard	Clipboard Data	Anomaly
Windows Credentials from Password Stores Query	Credentials from Password Stores	Anomaly
Windows Credentials in Registry Reg Query	Credentials in Registry, Unsecured Credentials	Anomaly
Windows Indirect Command Execution Via Series Of Forfiles	Indirect Command Execution	Anomaly
Windows Information Discovery Fsutil	System Information Discovery	Hunting
Windows Modify Registry Reg Restore	Query Registry	Hunting
Windows Password Managers Discovery	Password Managers	Hunting
Windows Private Keys Discovery	Private Keys, Unsecured Credentials	Anomaly
Windows Query Registry Reg Save	Query Registry	Hunting
Windows Security Support Provider Reg Query	Security Support Provider, Boot or Logon Autostart Execution	Anomaly
Windows Steal or Forge Kerberos Tickets Klist	Steal or Forge Kerberos Tickets	Hunting
Windows System Network Config Discovery Display DNS	System Network Configuration Discovery	Hunting
Windows System Network Connections Discovery Netsh	System Network Connections Discovery	Hunting
Windows System User Discovery Via Quser	System Owner/User Discovery	Hunting
Windows WMI Process And Service List	Windows Management Instrumentation	Anomaly

Reference

https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/

source | version: 1

Twitter Facebook LinkedIn