HackTool - winPEAS Execution
WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
Sigma rule (View on GitHub)
1title: HackTool - winPEAS Execution
2id: 98b53e78-ebaf-46f8-be06-421aafd176d9
3status: test
4description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
5references:
6 - https://github.com/carlospolop/PEASS-ng
7 - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
8author: Georg Lauenstein (sure[secure])
9date: 2022-09-19
10modified: 2023-03-23
11tags:
12 - attack.privilege-escalation
13 - attack.t1082
14 - attack.t1087
15 - attack.t1046
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_img:
21 - OriginalFileName: 'winPEAS.exe'
22 - Image|endswith:
23 - '\winPEASany_ofs.exe'
24 - '\winPEASany.exe'
25 - '\winPEASx64_ofs.exe'
26 - '\winPEASx64.exe'
27 - '\winPEASx86_ofs.exe'
28 - '\winPEASx86.exe'
29 selection_cli_option:
30 CommandLine|contains:
31 - ' applicationsinfo' # Search installed applications information
32 - ' browserinfo' # Search browser information
33 - ' eventsinfo' # Display interesting events information
34 - ' fileanalysis' # Search specific files that can contains credentials and for regexes inside files
35 - ' filesinfo' # Search generic files that can contains credentials
36 - ' processinfo' # Search processes information
37 - ' servicesinfo' # Search services information
38 - ' windowscreds' # Search windows credentials
39 selection_cli_dl:
40 CommandLine|contains: 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/'
41 selection_cli_specific:
42 - ParentCommandLine|endswith: ' -linpeas'
43 - CommandLine|endswith: ' -linpeas'
44 condition: 1 of selection_*
45falsepositives:
46 - Unlikely
47level: high
References
Related rules
- Network Reconnaissance Activity
- Potential Suspicious Activity Using SeCEdit
- Reconnaissance Activity Using BuiltIn Commands
- ADCS Certificate Template Configuration Vulnerability
- ADCS Certificate Template Configuration Vulnerability with Risky EKU