as the script block is a blob of text. false positive may occur with scripts that contain the keyword as a reference or simply use it for detection.

t1046
t1082
t1106
t1518
t1548
t1548.002
t1552
t1552.001
t1555
t1555.003
windows
sigma

Techniques

t1046
t1082
t1106
t1518
t1548
t1548.002
t1552
t1552.001
t1555
t1555.003

Sample rules

HackTool - WinPwn Execution - ScriptBlock

source: sigma
technicques:
- t1046
- t1082
- t1106
- t1518
- t1548
- t1548.002
- t1552
- t1552.001
- t1555
- t1555.003

Description

Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Detection logic

condition: selection
selection:
  ScriptBlockText|contains:
  - Offline_Winpwn
  - 'WinPwn '
  - WinPwn.exe
  - WinPwn.ps1