Adversaries may use PwnDrp web servers to exfiltrate data or deploy malicious payloads by leveraging compromised credentials or misconfigured access controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential red team activity or malicious operations that could lead to data breaches or system compromise.
Detection Rule
title: PwnDrp Access
id: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e
status: test
description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
references:
    - https://breakdev.org/pwndrop/
author: Florian Roth (Nextron Systems)
date: 2020-04-15
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1102.001
    - attack.t1102.003
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains: '/pwndrop/'
    condition: selection
falsepositives:
    - Unknown
level: critical
imWebSession
| where Url contains "/pwndrop/"
Scenario: Red team members using PwnDrp for authorized penetration testing
Filter/Exclusion: Check for the presence of red team tools (e.g., Cobalt Strike, Metasploit) in the process tree or user context. Exclude downloads initiated by red team user accounts or during scheduled red team exercises.
Scenario: System administrators downloading PwnDrp for internal security training or lab setup
Filter/Exclusion: Filter by user account (e.g., admin, security-team) or check for indicators of a training environment (e.g., "training" or "lab" in the host name or directory path).
Scenario: Scheduled job to fetch PwnDrp payloads for automated security testing
Filter/Exclusion: Exclude downloads initiated by scheduled tasks (e.g., Task Scheduler, cron jobs) or check for the presence of known security testing frameworks (e.g., OWASP ZAP, Burp Suite) in the process or command line.
Scenario: Developers using PwnDrp for internal research or vulnerability analysis
Filter/Exclusion: Filter by user group (e.g., dev, research) or check for the presence of development tools (e.g., Ghidra, IDA Pro) in the process or command line.
Scenario: Legacy systems or virtual machines using PwnDrp for outdated testing tools
Filter/Exclusion: Exclude traffic from virtual machines (check for VMware, Hyper-V, or VirtualBox in the host name or process) or filter by older system versions (e.g., Windows Server 2008 R2).
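The following is an added example, not code from the Sigma project or the rule author, that runs the selection above (c-uri contains '/pwndrop/', matched case-insensitively as Sigma and KQL `contains` both do) over a handful of constructed proxy log lines and then applies the kind of tuning described in the first two false positive scenarios (an authorized red team account, a known internal lab host). The log layout, field names, user names, host names and allowlist contents are all assumptions made for illustration.

```python
"""Hunt for '/pwndrop/' in proxy URLs and apply documented tuning.

Added example, not the Sigma project's or the rule author's code. The
log layout (timestamp client_ip user method url status), the user and
host names, and the allowlists are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed proxy log lines, not real traffic. They exercise mixed
# case ("/PwnDrop/"), a near-miss path ("/pwndrops/") and two tuning cases.
SAMPLE_LOGS = """\
2024-03-01T09:12:01Z 10.0.4.17 jsmith GET http://files.example.net/pwndrop/report.zip 200
2024-03-01T09:14:45Z 10.0.4.22 redteam-ops GET https://drop.example.org/PwnDrop/loader.bin 200
2024-03-01T09:15:10Z 10.0.4.30 mlee GET https://www.example.com/index.html 200
2024-03-01T09:16:33Z 10.0.9.5 svc-backup GET http://cdn.example.com/downloads/pwndrops/tool.exe 200
2024-03-01T09:17:00Z 10.0.4.40 amartin POST https://lab-win10.example.com/pwndrop/upload 201
"""

# Tuning lists mirroring the scenarios above (assumed values). Exact
# matches are used deliberately: substring allowlists on host names are
# trivially satisfied by an attacker-chosen server name.
AUTHORIZED_RED_TEAM_USERS = frozenset({"redteam-ops"})
KNOWN_LAB_HOSTS = frozenset({"lab-win10.example.com"})


@dataclass(frozen=True)
class ProxyRecord:
    timestamp: str
    client_ip: str
    user: str
    method: str
    url: str
    status: int


def parse_proxy_line(line: str) -> ProxyRecord:
    """Split one constructed proxy log line into a record."""
    ts, ip, user, method, url, status = line.split()
    return ProxyRecord(ts, ip, user, method, url, int(status))


def matches_rule(record: ProxyRecord) -> bool:
    """Sigma selection 'c-uri|contains: /pwndrop/'.

    Sigma string modifiers compare case-insensitively, so the URL is
    lower-cased first. The surrounding slashes keep '/pwndrops/' out.
    """
    return "/pwndrop/" in record.url.lower()


def tuning_reason(record: ProxyRecord) -> Optional[str]:
    """Return why a hit is suppressed, or None if it should alert."""
    if record.user in AUTHORIZED_RED_TEAM_USERS:
        return "authorized red team account"
    host = (urlsplit(record.url).hostname or "").lower()
    if host in KNOWN_LAB_HOSTS:
        return "known lab host"
    return None


def hunt(lines: Iterable[str]) -> Tuple[List[ProxyRecord], List[Tuple[ProxyRecord, str]]]:
    """Return (alerts, suppressed) for the given proxy log lines.

    Suppressed hits are returned rather than dropped so the tuning stays
    reviewable; silently discarded matches are how exclusions rot.
    """
    alerts: List[ProxyRecord] = []
    suppressed: List[Tuple[ProxyRecord, str]] = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        if not matches_rule(rec):
            continue
        reason = tuning_reason(rec)
        if reason is None:
            alerts.append(rec)
        else:
            suppressed.append((rec, reason))
    return alerts, suppressed


if __name__ == "__main__":
    found, tuned = hunt(SAMPLE_LOGS.splitlines())
    for rec in found:
        print(f"ALERT  {rec.timestamp} {rec.user}@{rec.client_ip} {rec.method} {rec.url}")
    for rec, why in tuned:
        print(f"TUNED  {rec.timestamp} {rec.user} ({why}) {rec.url}")
```

On the constructed input only the jsmith download alerts; the red team and lab hits are reported as suppressed with their reason, and the "/pwndrops/" and index.html lines never match. Keeping suppressed hits visible matters because every exclusion from the scenarios above narrows a rule rated critical: an account or host allowlist should be exact, reviewed periodically, and preferably bounded to the time window of the authorized exercise rather than left open.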