
[New WTFBin]: OpenVAS runs WMIExec

Open mttaggart opened this issue 1 year ago • 0 comments

  • Contributor Name: Taggart
  • Application/Executable: Greenbone OpenVAS Vulnerability scanner
  • WTF Behavior Description:

When connecting to Windows hosts, OpenVAS will run impacket-wmiexec against the host. The resulting events look identical to a secretsdump run that you'd hunt for.

  • Link to Documentation of Behavior: https://github.com/greenbone/openvas-scanner/blob/308cefe338df888814b735d11302f4b7e258bdc3/nasl/nasl_smb.c#L367
  • Please provide any images for additional evidence. image

mttaggart, May 20 '24 17:05
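
One way to triage the overlap described in this issue, added here as an example and not taken from the issue, OpenVAS or Impacket: it flags process-creation events with the wmiexec command-line shape and uses the matching network logon to separate the authorized scanner from any other source. The event field names, hosts and addresses are constructed assumptions; map them to your own process-creation and logon telemetry.

```python
import re

# Command-line shape produced by Impacket's wmiexec: output is redirected to a
# file named __<timestamp> on the target's ADMIN$ share.
WMIEXEC_CMD = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+.*\s1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(\.\d+)?\s+2>&1",
    re.IGNORECASE)

def is_wmiexec_like(ev):
    """True for a process spawned by the WMI provider host with that shape."""
    return (ev["parent_image"].lower().endswith("\\wmiprvse.exe")
            and WMIEXEC_CMD.search(ev["command_line"]) is not None)

def triage(process_events, logon_events, scanner_ips):
    """Return (host, source_ip, verdict) for every wmiexec-like event."""
    # Network logons (type 3) indexed by (host, logon id) give the source address.
    source = {(l["host"], l["logon_id"]): l["source_ip"]
              for l in logon_events if l["logon_type"] == 3}
    findings = []
    for ev in process_events:
        if not is_wmiexec_like(ev):
            continue
        ip = source.get((ev["host"], ev["logon_id"]))  # None if no logon was seen
        verdict = "authorized-scanner" if ip in scanner_ips else "investigate"
        findings.append((ev["host"], ip, verdict))
    return findings

# Constructed sample data (assumed field names, hosts and addresses).
SCANNER_IPS = {"10.0.5.20"}  # hypothetical OpenVAS scanner address
WMI = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
CMD = r"cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1716224700.12 2>&1"
PROCESS_EVENTS = [
    {"host": "WS01", "logon_id": "0x3e1a", "parent_image": WMI, "command_line": CMD},
    {"host": "WS02", "logon_id": "0x77b0", "parent_image": WMI, "command_line": CMD},
    {"host": "WS03", "logon_id": "0x1c22", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "cmd.exe /c dir"},
    {"host": "WS04", "logon_id": "0x9f00", "parent_image": WMI, "command_line": CMD},
]
LOGON_EVENTS = [
    {"host": "WS01", "logon_id": "0x3e1a", "logon_type": 3, "source_ip": "10.0.5.20"},
    {"host": "WS02", "logon_id": "0x77b0", "logon_type": 3, "source_ip": "10.0.9.77"},
    {"host": "WS03", "logon_id": "0x1c22", "logon_type": 2, "source_ip": "-"},
]

if __name__ == "__main__":
    for finding in triage(PROCESS_EVENTS, LOGON_EVENTS, SCANNER_IPS):
        print(finding)
```

Keep the authorized-scanner verdict as a logged, lower-priority finding instead of discarding it, so activity from the scanner's address stays reviewable.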