Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1555-credentials-from-password-stores

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detects execution of WinPwn, a PowerShell-based penetration testing and offensive security framework used for Windows system enumeration and exploitation.

Strategy

This rule monitors Windows event logs for PowerShell script block text containing specific WinPwn execution patterns. The detection looks for script blocks that include references to Offline_WinPwn, WinPwn , WinPwn.exe, or WinPwn.ps1. WinPwn is a PowerShell-based security toolkit primarily used for offensive security testing that combines various functions for reconnaissance, local privilege escalation, credential extraction, and network lateral movement. The presence of WinPwn execution is highly suspicious in most environments as it is typically used by attackers or red teams during post-exploitation phases rather than for regular system administration.

Triage & Response

• Analyze the full PowerShell script block content to understand which specific WinPwn functions or modules were executed on {{host}}.
• Identify the user account that ran the WinPwn commands and determine if they are authorized to perform security testing.
• Examine the process tree to understand how WinPwn was initiated and what other processes it may have spawned.
• Review system logs for evidence of successful credential extraction, privilege escalation, or lateral movement following WinPwn execution.
• Check for data exfiltration attempts by reviewing network logs for unusual outbound connections.