/
proc_creation_win_sysinternals_accesschk_check_permissions.yml
41 lines (41 loc) · 1.61 KB
/
proc_creation_win_sysinternals_accesschk_check_permissions.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
title: Permission Check Via Accesschk.EXE
id: c625d754-6a3d-4f65-9c9a-536aea960d37
status: test
description: Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43
- https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW
- https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat
- https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat
author: Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2020/10/13
modified: 2023/02/20
tags:
- attack.discovery
- attack.t1069.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Product|endswith: 'AccessChk'
- Description|contains: 'Reports effective permissions'
- Image|endswith:
- '\accesschk.exe'
- '\accesschk64.exe'
- OriginalFileName: 'accesschk.exe'
selection_cli:
CommandLine|contains: # These are the most common flags used with this tool. You could add other combinations if needed
- 'uwcqv '
- 'kwsu '
- 'qwsu '
- 'uwdqs '
condition: all of selection*
fields:
- IntegrityLevel
- Product
- Description
- CommandLine
falsepositives:
- System administrator Usage
level: medium