Analytics Story: Windows Post-Exploitation

Updated Date: 2026-05-13 ID: 992899b7-a5cf-4bcd-bb0d-cf81762188ba Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

This analytic story identifies popular Windows post exploitation tools for example winpeas.bat, winpeas.exe, WinPrivCheck.bat and many more.

Why it matters

These tools allow operators to find possible exploits or paths for privilege escalation and persistence on a targeted host. Ransomware operator like the "Prestige ransomware" also used or abuses these post exploitation tools such as winPEAS to scan for possible avenue to gain privileges and persistence to a targeted Windows Operating System.

Correlation Search

Windows Common Abused Cmd Shell Risk Behavior

1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count FROM datamodel=Risk.All_Risk
2  WHERE source IN ("*Windows Cmdline Tool Execution From Non-Shell Process*", "*Windows System Network Config Discovery Display DNS*", "*Local Account Discovery With Wmic*", "*Windows Group Discovery Via Net*", "*Windows Create Local Administrator Account Via Net*", "*Windows User Discovery Via Net*", "*Icacls Deny Command*", "*ICACLS Grant Command*", "*Windows Proxy Via Netsh*", "*Processes launching netsh*", "*Disabling Firewall with Netsh*", "*Windows System Network Connections Discovery Netsh*", "*Network Connection Discovery With Arp*", "*Windows System Discovery Using ldap Nslookup*", "*Windows System Shutdown CommandLine*")
3  BY All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
4| `drop_dm_object_name(All_Risk)`
5| `security_content_ctime(firstTime)`
6| `security_content_ctime(lastTime)`
7| where source_count >= 4
8| `windows_common_abused_cmd_shell_risk_behavior_filter`

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Windows Credentials in Registry Reg Query	Credentials in Registry	Anomaly
Network Connection Discovery With Netstat	System Network Connections Discovery	Hunting
Windows Steal or Forge Kerberos Tickets Klist	Steal or Forge Kerberos Tickets	Hunting
Windows Group Discovery Via Net	Local Groups, Domain Groups	Hunting
Recon AVProduct Through Pwh or WMI	Gather Victim Host Information	TTP
Network Connection Discovery With Arp	System Network Connections Discovery	Hunting
Windows ClipBoard Data via Get-ClipBoard	Clipboard Data	Anomaly
Windows Indirect Command Execution Via Series Of Forfiles	Indirect Command Execution	Anomaly
Windows Excessive Usage Of Net App	Account Access Removal	Anomaly
Windows System Network Connections Discovery Netsh	System Network Connections Discovery	Anomaly
Windows Password Managers Discovery	Password Managers	Anomaly
Excessive Usage Of Cacls App	File and Directory Permissions Modification	Anomaly
Create or delete windows shares using net exe	Network Share Connection Removal	TTP
Windows WMI Process And Service List	Windows Management Instrumentation	Anomaly
Windows Indirect Command Execution Via forfiles	Indirect Command Execution	TTP
Windows WinPEAS PowerShell Script Execution	System Service Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Information Discovery, Gather Victim Network Information, Software, Client Configurations, Group Policy Discovery	TTP
Windows Credentials from Password Stores Query	Credentials from Password Stores	Anomaly
Windows System Network Config Discovery Display DNS	System Network Configuration Discovery	Anomaly
Windows Symlink Evaluation Change via Fsutil	Windows Permissions	Anomaly
Network Discovery Using Route Windows App	Internet Connection Discovery	Hunting
Windows System User Discovery Via Quser	System Owner/User Discovery	Hunting
Windows Information Discovery Fsutil	System Information Discovery	Anomaly
Windows Registry Entries Exported Via Reg	Query Registry	Hunting
Windows TOR Client Execution	Multi-hop Proxy	Anomaly
Windows SymbolicLink-Testing-Tools Utility Execution	File and Directory Permissions Modification, NTFS File Attributes	TTP
Windows Registry Entries Restored Via Reg	Query Registry	Hunting
Windows Process Accessing Windows Recall Directory	Command and Scripting Interpreter, Automated Collection	Anomaly
Windows Cached Domain Credentials Reg Query	Cached Domain Credentials	Anomaly
Windows Security Support Provider Reg Query	Security Support Provider	Anomaly
Windows Private Keys Discovery	Private Keys	Anomaly
Windows Network Connection Discovery Via Net	System Network Connections Discovery	Hunting

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
Windows Event Log Security 4688	Windows	`XmlWinEventLog`	`XmlWinEventLog:Security`
CrowdStrike ProcessRollup2	Other	`crowdstrike:events:sensor`	`crowdstrike`
Sysmon EventID 1	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Powershell Script Block Logging 4104	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-PowerShell/Operational`
Windows Event Log Security 4663	Windows	`XmlWinEventLog`	`XmlWinEventLog:Security`

References

https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/

Source: GitHub | Version: 2