Try in Splunk Security Cloud


This analytic story identifies popular Windows post exploitation tools for example winpeas.bat, winpeas.exe, WinPrivCheck.bat and many more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Risk
  • Last Updated: 2022-11-30
  • Author: Teoderick Contreras, Splunk
  • ID: 992899b7-a5cf-4bcd-bb0d-cf81762188ba


These tools allow operators to find possible exploits or paths for privilege escalation and persistence on a targeted host. Ransomware operator like the “Prestige ransomware” also used or abuses these post exploitation tools such as winPEAS to scan for possible avenue to gain privileges and persistence to a targeted Windows Operating System.


Name Technique Type
Create or delete windows shares using net exe Indicator Removal, Network Share Connection Removal TTP
Domain Group Discovery With Net Permission Groups Discovery, Domain Groups Hunting
Excessive Usage Of Cacls App File and Directory Permissions Modification Anomaly
Excessive Usage Of Net App Account Access Removal Anomaly
Net Localgroup Discovery Permission Groups Discovery, Local Groups Hunting
Network Connection Discovery With Arp System Network Connections Discovery Hunting
Network Connection Discovery With Net System Network Connections Discovery Hunting
Network Connection Discovery With Netstat System Network Connections Discovery Hunting
Network Discovery Using Route Windows App System Network Configuration Discovery, Internet Connection Discovery Hunting
Recon AVProduct Through Pwh or WMI Gather Victim Host Information TTP
Windows Cached Domain Credentials Reg Query Cached Domain Credentials, OS Credential Dumping Anomaly
Windows ClipBoard Data via Get-ClipBoard Clipboard Data Anomaly
Windows Common Abused Cmd Shell Risk Behavior File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter Correlation
Windows Credentials from Password Stores Query Credentials from Password Stores Anomaly
Windows Credentials in Registry Reg Query Credentials in Registry, Unsecured Credentials Anomaly
Windows Indirect Command Execution Via Series Of Forfiles Indirect Command Execution Anomaly
Windows Indirect Command Execution Via forfiles Indirect Command Execution TTP
Windows Information Discovery Fsutil System Information Discovery Anomaly
Windows Modify Registry Reg Restore Query Registry Hunting
Windows Password Managers Discovery Password Managers Anomaly
Windows Post Exploitation Risk Behavior Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Information Discovery, Clipboard Data, Unsecured Credentials Correlation
Windows Private Keys Discovery Private Keys, Unsecured Credentials Anomaly
Windows Query Registry Reg Save Query Registry Hunting
Windows Security Support Provider Reg Query Security Support Provider, Boot or Logon Autostart Execution Anomaly
Windows Steal or Forge Kerberos Tickets Klist Steal or Forge Kerberos Tickets Hunting
Windows System Network Config Discovery Display DNS System Network Configuration Discovery Anomaly
Windows System Network Connections Discovery Netsh System Network Connections Discovery Anomaly
Windows System User Discovery Via Quser System Owner/User Discovery Hunting
Windows WMI Process And Service List Windows Management Instrumentation Anomaly


source | version: 1