EXPLORE
Sign In
← Back to Explore
sigmahighHunting

HackTool - winPEAS Execution

WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz

MITRE ATT&CK

T1082T1087T1046
privilege-escalationdiscovery

Detection Query

selection_img:
  - OriginalFileName: winPEAS.exe
  - Image|endswith:
      - \winPEASany_ofs.exe
      - \winPEASany.exe
      - \winPEASx64_ofs.exe
      - \winPEASx64.exe
      - \winPEASx86_ofs.exe
      - \winPEASx86.exe
selection_cli_option:
  CommandLine|contains:
    - " applicationsinfo"
    - " browserinfo"
    - " eventsinfo"
    - " fileanalysis"
    - " filesinfo"
    - " processinfo"
    - " servicesinfo"
    - " windowscreds"
selection_cli_dl:
  CommandLine|contains: https://github.com/carlospolop/PEASS-ng/releases/latest/download/
selection_cli_specific:
  - ParentCommandLine|endswith: " -linpeas"
  - CommandLine|endswith: " -linpeas"
condition: 1 of selection_*

Author

Georg Lauenstein (sure[secure])

Created

2022-09-19

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.privilege-escalationattack.discoveryattack.t1082attack.t1087attack.t1046
Raw Content
title: HackTool - winPEAS Execution
id: 98b53e78-ebaf-46f8-be06-421aafd176d9
status: test
description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
references:
    - https://github.com/carlospolop/PEASS-ng
    - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
author: Georg Lauenstein (sure[secure])
date: 2022-09-19
modified: 2023-03-23
tags:
    - attack.privilege-escalation
    - attack.discovery
    - attack.t1082
    - attack.t1087
    - attack.t1046
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'winPEAS.exe'
        - Image|endswith:
              - '\winPEASany_ofs.exe'
              - '\winPEASany.exe'
              - '\winPEASx64_ofs.exe'
              - '\winPEASx64.exe'
              - '\winPEASx86_ofs.exe'
              - '\winPEASx86.exe'
    selection_cli_option:
        CommandLine|contains:
            - ' applicationsinfo' # Search installed applications information
            - ' browserinfo' # Search browser information
            - ' eventsinfo' # Display interesting events information
            - ' fileanalysis' # Search specific files that can contains credentials and for regexes inside files
            - ' filesinfo' # Search generic files that can contains credentials
            - ' processinfo' # Search processes information
            - ' servicesinfo' # Search services information
            - ' windowscreds' # Search windows credentials
    selection_cli_dl:
        CommandLine|contains: 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/'
    selection_cli_specific:
        - ParentCommandLine|endswith: ' -linpeas'
        - CommandLine|endswith: ' -linpeas'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high