feat: quick logic update

swachchhanda000 · Dec 4, 2023 · 61a49ee · 61a49ee
1 parent 3e94515
commit 61a49ee
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 32 deletions.
diff --git a/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml b/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml
@@ -4,42 +4,42 @@ related:
     - id: d557dc06-62e8-4468-a8e8-7984124908ce
       type: similar
 status: experimental
-description: Detects the execution of the hacktool WinPwn using specific command line flags
+description: |
+    Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
 author: Swachchhanda Shrawan Poudel
-date: 2023/10/30
+date: 2023/12/04
 references:
     - https://github.com/S3cur3Th1sSh1t/WinPwn
     - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
     - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md
+    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
     - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
 tags:
+    - attack.credential_access
+    - attack.defense_evasion
     - attack.discovery
+    - attack.execution
+    - attack.privilege_escalation
     - attack.t1046
     - attack.t1082
+    - attack.t1106
     - attack.t1518
-    - attack.credential_access
+    - attack.t1548.002
     - attack.t1552.001
     - attack.t1555
     - attack.t1555.003
-    - attack.privilege_escalation
-    - attack.defense_evasion
-    - attack.t1548.002
-    - attack.execution
-    - attack.t1106
 logsource:
     category: ps_script
     product: windows
     definition: 'Requirements: Script Block Logging must be enabled'
 detection:
-    selection_commandlet:
-        ScriptBlockText|contains: 'WinPwn.ps1' # Also covers 'Offline_Winpwn.ps1'
-    selection_flags:
+    selection:
         ScriptBlockText|contains:
-            - '-noninteractive'
-            - '-consoleoutput'
-            - '-command'
-    condition: all of selection_*
+            - 'Offline_Winpwn'
+            - 'WinPwn '
+            - 'WinPwn.exe'
+            - 'WinPwn.ps1'
+    condition: selection
 falsepositives:
-    - Unknown
+    - As the script block is a blob of text. False positive may occur with scripts that contain the keyword as a reference or simply use it for detection.
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml b/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml
@@ -4,40 +4,40 @@ related:
     - id: 851fd622-b675-4d26-b803-14bc7baa517a
       type: similar
 status: experimental
-description: Detects command line parameters used by WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
+description: |
+    Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
 author: Swachchhanda Shrawan Poudel
-date: 2023/10/30
+date: 2023/12/04
 references:
     - https://github.com/S3cur3Th1sSh1t/WinPwn
     - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
     - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md
+    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
     - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
 tags:
+    - attack.credential_access
+    - attack.defense_evasion
     - attack.discovery
+    - attack.execution
+    - attack.privilege_escalation
     - attack.t1046
     - attack.t1082
+    - attack.t1106
     - attack.t1518
-    - attack.credential_access
+    - attack.t1548.002
     - attack.t1552.001
     - attack.t1555
     - attack.t1555.003
-    - attack.privilege_escalation
-    - attack.defense_evasion
-    - attack.t1548.002
-    - attack.execution
-    - attack.t1106
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection_powershell_commandlets:
-        CommandLine|contains: 'WinPwn.ps1' # also covers 'Offline_Winpwn.ps1'
-    selection_flags:
+    selection:
         CommandLine|contains:
-            - '-noninteractive'
-            - '-consoleoutput'
-            - '-command'
+            - 'Offline_Winpwn'
+            - 'WinPwn '
+            - 'WinPwn.exe'
+            - 'WinPwn.ps1'
     condition: all of selection_*
 falsepositives:
     - Unknown