This artifact analyzes Kerberos tickets and attempts to determine if they are forged, using WonkaVision by @4ndr3w6s and @exploitph.
After analysis, notable events are documented in the native Windows Application log, and are easily reviewable using the Exhange.Windows.EventLogs.WonkaVision artifact.
https://github.com/0xe7/WonkaVision
name: Windows.Detection.WonkaVision
description: |
This artifact analyzes Kerberos tickets and attempts to determine if they are forged, using WonkaVision by @4ndr3w6s and @exploitph.
After analysis, notable events are documented in the native Windows Application log, and are easily reviewable using the `Exhange.Windows.EventLogs.WonkaVision` artifact.
https://github.com/0xe7/WonkaVision
author: Wes Lambert -- @therealwlambert
reference:
- https://github.com/0xe7/WonkaVision
tools:
- name: WonkaVision
url: https://github.com/weslambert/WonkaVision/releases/download/testing/WonkaVision.exe
sources:
- name: RunWonkaVison
query: |
LET WV <= SELECT FullPath FROM Artifact.Generic.Utils.FetchBinary(ToolName="WonkaVision", IsExecutable=FALSE)
LET KeyDir <= tempdir(remove_last=true)
LET DumpDir <= tempdir(remove_last=true)
LET CreateKeys = SELECT * FROM execve(argv=[WV.FullPath[0], '/createkeys', '/outdir:' + KeyDir])
LET DumpIt = SELECT * FROM execve(argv=[WV.FullPath[0], '/dump', '/publickey:' + KeyDir + '/public.key', '/dumpdir:' + DumpDir])
LET AnalyzeIt = SELECT * FROM execve(argv=[WV.FullPath[0], '/analyze', '/privatekey:' + KeyDir + '/private.key', '/dumpdir:' + DumpDir])
SELECT * FROM chain(
a=CreateKeys,
b=DumpIt,
c=AnalyzeIt
)