From f07e2b37c0919e0fb7b00eb1123d9a862e6466b4 Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Mon, 4 Dec 2023 19:09:19 +0545
Subject: [PATCH] Merge PR #4529 from @swachchhanda000 - Add New Rules Related To WinPwn Execution
new: HackTool - WinPwn Execution - ScriptBlock
new: HackTool - WinPwn Execution
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 .../powershell_script/posh_ps_hktl_winpwn.yml | 45 +++++++++++++++++++
 .../proc_creation_win_hktl_winpwn.yml | 44 ++++++++++++++++++
 2 files changed, 89 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml b/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml
new file mode 100644
index 00000000000..22994a2e658
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml
@@ -0,0 +1,45 @@
+title: HackTool - WinPwn Execution - ScriptBlock
+id: 851fd622-b675-4d26-b803-14bc7baa517a
+related:
+ - id: d557dc06-62e8-4468-a8e8-7984124908ce
+ type: similar
+status: experimental
+description: |
+ Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
+author: Swachchhanda Shrawan Poudel
+date: 2023/12/04
+references:
+ - https://github.com/S3cur3Th1sSh1t/WinPwn
+ - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
+ - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
+ - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
+ - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
+tags:
+ - attack.credential_access
+ - attack.defense_evasion
+ - attack.discovery
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.t1046
+ - attack.t1082
+ - attack.t1106
+ - attack.t1518
+ - attack.t1548.002
+ - attack.t1552.001
+ - attack.t1555
+ - attack.t1555.003
+logsource:
+ category: ps_script
+ product: windows
+ definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+ selection:
+ ScriptBlockText|contains:
+ - 'Offline_Winpwn'
+ - 'WinPwn '
+ - 'WinPwn.exe'
+ - 'WinPwn.ps1'
+ condition: selection
+falsepositives:
+ - As the script block is a blob of text. False positive may occur with scripts that contain the keyword as a reference or simply use it for detection.
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml b/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml
new file mode 100644
index 00000000000..b71d35ca7dd
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml
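Review bot: The `description` block scalar in this hunk misspells "usage" as "usge" and breaks one thought into a sentence fragment; suggest `Detects scriptblock text keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.` The `falsepositives` entry has the same shape, and reads better as `As the script block is a blob of text, false positives may occur with scripts that contain the keyword as a reference or simply use it for detection.` The same "usge" typo appears in the `description` of the process_creation rule in the next hunk.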
@@ -0,0 +1,44 @@
+title: HackTool - WinPwn Execution
+id: d557dc06-62e8-4468-a8e8-7984124908ce
+related:
+ - id: 851fd622-b675-4d26-b803-14bc7baa517a
+ type: similar
+status: experimental
+description: |
+ Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
+author: Swachchhanda Shrawan Poudel
+date: 2023/12/04
+references:
+ - https://github.com/S3cur3Th1sSh1t/WinPwn
+ - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
+ - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
+ - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
+ - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
+tags:
+ - attack.credential_access
+ - attack.defense_evasion
+ - attack.discovery
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.t1046
+ - attack.t1082
+ - attack.t1106
+ - attack.t1518
+ - attack.t1548.002
+ - attack.t1552.001
+ - attack.t1555
+ - attack.t1555.003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ - 'Offline_Winpwn'
+ - 'WinPwn '
+ - 'WinPwn.exe'
+ - 'WinPwn.ps1'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
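Review bot: `falsepositives: - Unknown` understates what the sibling ScriptBlock rule already documents: a `contains` match on a free-text field fires on anything that merely references the tool name, and the `CommandLine|contains` selection here has the same property since the rule adds no `Image` or parent-process constraint. Consider aligning the entry with the other rule, e.g. `- Command lines that reference the tool name, such as documentation, testing or other detection tooling`, so triage is not misled into treating the keyword hit as confirmed execution. The `'WinPwn '` value with a trailing space looks intentional to avoid matching longer tokens; a short comment above it stating that would stop a future formatter or reviewer from "fixing" it.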