Description
This analytic story identifies popular Windows post-exploitation tools, for example winpeas.bat, winpeas.exe, WinPrivCheck.bat and many more.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Risk
- Last Updated: 2022-11-30
- Author: Teoderick Contreras, Splunk
- ID: 992899b7-a5cf-4bcd-bb0d-cf81762188ba
Narrative
These tools allow operators to find possible exploits or paths for privilege escalation and persistence on a targeted host. Ransomware operators, such as those behind the “Prestige ransomware”, have also used or abused these post-exploitation tools, winPEAS among them, to scan for possible avenues to gain privileges and persistence on a targeted Windows operating system.
Detections
| Name | Technique | Type |
| --- | --- | --- |
| Create or delete windows shares using net exe | Indicator Removal, Network Share Connection Removal | TTP |
| Domain Group Discovery With Net | Permission Groups Discovery, Domain Groups | Hunting |
| Excessive Usage Of Cacls App | File and Directory Permissions Modification | Anomaly |
| Excessive Usage Of Net App | Account Access Removal | Anomaly |
| Net Localgroup Discovery | Permission Groups Discovery, Local Groups | Hunting |
| Network Connection Discovery With Arp | System Network Connections Discovery | Hunting |
| Network Connection Discovery With Net | System Network Connections Discovery | Hunting |
| Network Connection Discovery With Netstat | System Network Connections Discovery | Hunting |
| Network Discovery Using Route Windows App | System Network Configuration Discovery, Internet Connection Discovery | Hunting |
| Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP |
| Windows Cached Domain Credentials Reg Query | Cached Domain Credentials, OS Credential Dumping | Anomaly |
| Windows ClipBoard Data via Get-ClipBoard | Clipboard Data | Anomaly |
| Windows Common Abused Cmd Shell Risk Behavior | File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter | Correlation |
| Windows Credentials from Password Stores Query | Credentials from Password Stores | Anomaly |
| Windows Credentials in Registry Reg Query | Credentials in Registry, Unsecured Credentials | Anomaly |
| Windows Indirect Command Execution Via Series Of Forfiles | Indirect Command Execution | Anomaly |
| Windows Indirect Command Execution Via forfiles | Indirect Command Execution | TTP |
| Windows Information Discovery Fsutil | System Information Discovery | Anomaly |
| Windows Modify Registry Reg Restore | Query Registry | Hunting |
| Windows Password Managers Discovery | Password Managers | Anomaly |
| Windows Post Exploitation Risk Behavior | Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Information Discovery, Clipboard Data, Unsecured Credentials | Correlation |
| Windows Private Keys Discovery | Private Keys, Unsecured Credentials | Anomaly |
| Windows Query Registry Reg Save | Query Registry | Hunting |
| Windows Security Support Provider Reg Query | Security Support Provider, Boot or Logon Autostart Execution | Anomaly |
| Windows Steal or Forge Kerberos Tickets Klist | Steal or Forge Kerberos Tickets | Hunting |
| Windows System Network Config Discovery Display DNS | System Network Configuration Discovery | Anomaly |
| Windows System Network Connections Discovery Netsh | System Network Connections Discovery | Anomaly |
| Windows System User Discovery Via Quser | System Owner/User Discovery | Hunting |
| Windows WMI Process And Service List | Windows Management Instrumentation | Anomaly |
Reference
- source | version: 1