Posts

Showing posts from May 1, 2022

Finding inner (win)PEAS in difficult times, Windows privilege escalation reconnaissance detection

Last post we looked at winPEAS traces left in logs using Splunk and Windows Security event logging, and guess what we are doing this time? More of the same. These are potential security alerts, or a jumping-off point for some threat hunting. What prompted me to look at PEAS-ng, Watson and dazzleUP is that all three feature in one of the rounds of Conti ransomware gang leaks. I'll be trying to cover all three red team tools in some depth, with some SPL. If you are using a different SIEM you can use what I have here to inspire your own detections; just go with your heart. winPEAS performs extensive reconnaissance on Windows endpoints to provide guidance on potential privilege escalation paths for adversaries. As before, we are looking at the batch file implementation of winPEAS, though it also comes as pre-compiled binaries and there is a PowerShell version floating around as well. Part of this discovery/recon process involves using the Windows native tool findstr.exe t

Dodge pod people armed with winPEAS.bat

Been a while since I've updated this, so I figured I might as well post some of my findings from looking at the logs generated by Windows privilege escalation discovery frameworks, in this case winPEAS (Windows Privilege Escalation Awesome Script). So far I've only looked at the logs generated by running the .bat file implementation; I'll chuck up another couple of blogs as I work my way through the pre-compiled executable version, then dazzleUP and Watson. winPEAS is really comprehensive: it provides a lot of information about the host it is run on, including patching and security updates, potential avenues for exploitation, existing services, and file and directory permissions. As a result, though, it is very noisy in logs. To retrieve service information winPEAS makes use of the Windows executable sc.exe with the "qc" (query config) command. A full run of winPEAS.bat resulted in around 250 sc qc queries on my test VM, and we can hunt for this: Obviously replace the index
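As an added example (not code from the original post, and not the SPL the post goes on to show), here is the same sc qc burst hunt written in Python over process-creation events, so it can be tried without a SIEM. It assumes Windows Security event 4688 records with "Include command line in process creation events" enabled (without that audit setting the CommandLine field is empty and the match will never fire; Sysmon event 1 carries the same fields under different names). The grouping key (host, user, parent process), the threshold of 20 sc qc launches inside a 5-minute window, and the sample events are all my own choices; the events are constructed to mimic a winPEAS.bat run, not captured logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches "sc qc ...", "sc.exe qc ..." and a quoted full path such as
# "C:\Windows\System32\sc.exe" qc Spooler. Case-insensitive like cmd.exe.
SC_QC = re.compile(r'(?:^|\\)sc(?:\.exe)?"?\s+qc\b', re.IGNORECASE)


def make_event(ts, host, user, parent, proc, cmdline):
    """Minimal stand-in for a Security 4688 record (field names follow the event XML)."""
    return {
        "TimeCreated": ts,
        "EventID": 4688,
        "Computer": host,
        "SubjectUserName": user,
        "ParentProcessName": parent,
        "NewProcessName": proc,
        "CommandLine": cmdline,
    }


def build_sample_events():
    """Constructed sample data: one benign admin query, then a simulated winPEAS.bat run."""
    base = datetime(2022, 5, 1, 10, 0, 0)
    cmd = r"C:\Windows\System32\cmd.exe"
    sc = r"C:\Windows\System32\sc.exe"
    events = [
        # An admin checking a single service an hour earlier: should not alert.
        make_event(base - timedelta(hours=1), "WS01", "alice", cmd, sc, "sc qc Spooler"),
    ]
    # winPEAS.bat walks the service list with one sc qc per service; the post
    # observed ~250 of these per run. Space them 40 ms apart under one cmd.exe parent.
    for i in range(250):
        events.append(
            make_event(base + timedelta(milliseconds=40 * i), "WS01", "bob", cmd, sc,
                       f'sc qc "Svc{i:03d}"')
        )
    # Unrelated noise from the same user and parent; not sc.exe, so ignored by the hunt.
    events.append(
        make_event(base + timedelta(seconds=3), "WS01", "bob", cmd,
                   r"C:\Windows\System32\whoami.exe", "whoami /priv")
    )
    return events


def hunt_sc_qc_bursts(events, threshold=20, window=timedelta(minutes=5)):
    """Return one alert per (host, user, parent) whose densest window holds >= threshold sc qc launches.

    Each alert is (host, user, parent, window_start, count). Threshold and window are
    tuning assumptions: a tidy admin runs a handful of sc qc; winPEAS runs hundreds.
    """
    by_key = defaultdict(list)
    for e in events:
        if e["EventID"] != 4688:
            continue
        if not e["NewProcessName"].lower().endswith("\\sc.exe"):
            continue
        if not SC_QC.search(e["CommandLine"]):
            continue
        by_key[(e["Computer"], e["SubjectUserName"], e["ParentProcessName"])].append(e["TimeCreated"])

    alerts = []
    for key, times in by_key.items():
        times.sort()
        best_count, best_start, start = 0, None, 0
        # Sliding window: advance `start` until the window fits, track the densest span.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count, best_start = count, times[start]
        if best_count >= threshold:
            alerts.append((*key, best_start, best_count))
    return alerts


if __name__ == "__main__":
    for host, user, parent, start, count in hunt_sc_qc_bursts(build_sample_events()):
        print(f"{host} {user} {parent}: {count} sc qc launches from {start:%H:%M:%S}")
```

Grouping on the parent process matters in practice: winPEAS.bat launches every sc.exe from the same cmd.exe, so a burst tied to a single parent is far more suspicious than the same count spread across unrelated interactive sessions. Raise the threshold if your environment has monitoring agents that legitimately enumerate services on a schedule.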