HackTool - winPEAS Execution

 1title: HackTool - winPEAS Execution
 2id: 98b53e78-ebaf-46f8-be06-421aafd176d9
 3status: test
 4description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
 5references:
 6    - https://github.com/carlospolop/PEASS-ng
 7    - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
 8author: Georg Lauenstein (sure[secure])
 9date: 2022-09-19
10modified: 2023-03-23
11tags:
12    - attack.privilege-escalation
13    - attack.t1082
14    - attack.t1087
15    - attack.t1046
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - OriginalFileName: 'winPEAS.exe'
22        - Image|endswith:
23              - '\winPEASany_ofs.exe'
24              - '\winPEASany.exe'
25              - '\winPEASx64_ofs.exe'
26              - '\winPEASx64.exe'
27              - '\winPEASx86_ofs.exe'
28              - '\winPEASx86.exe'
29    selection_cli_option:
30        CommandLine|contains:
31            - ' applicationsinfo' # Search installed applications information
32            - ' browserinfo' # Search browser information
33            - ' eventsinfo' # Display interesting events information
34            - ' fileanalysis' # Search specific files that can contains credentials and for regexes inside files
35            - ' filesinfo' # Search generic files that can contains credentials
36            - ' processinfo' # Search processes information
37            - ' servicesinfo' # Search services information
38            - ' windowscreds' # Search windows credentials
39    selection_cli_dl:
40        CommandLine|contains: 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/'
41    selection_cli_specific:
42        - ParentCommandLine|endswith: ' -linpeas'
43        - CommandLine|endswith: ' -linpeas'
44    condition: 1 of selection_*
45falsepositives:
46    - Unlikely
47level: high