HackTool - winPEAS Execution

WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz.

Sigma rule

title: HackTool - winPEAS Execution
id: 98b53e78-ebaf-46f8-be06-421aafd176d9
status: test
description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
references:
    - https://github.com/carlospolop/PEASS-ng
    - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
author: Georg Lauenstein (sure[secure])
date: 2022-09-19
modified: 2023-03-23
tags:
    - attack.privilege-escalation
    - attack.discovery
    - attack.t1082
    - attack.t1087
    - attack.t1046
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'winPEAS.exe'
        - Image|endswith:
              - '\winPEASany_ofs.exe'
              - '\winPEASany.exe'
              - '\winPEASx64_ofs.exe'
              - '\winPEASx64.exe'
              - '\winPEASx86_ofs.exe'
              - '\winPEASx86.exe'
    selection_cli_option:
        CommandLine|contains:
            - ' applicationsinfo' # Search installed applications information
            - ' browserinfo' # Search browser information
            - ' eventsinfo' # Display interesting events information
            - ' fileanalysis' # Search specific files that can contains credentials and for regexes inside files
            - ' filesinfo' # Search generic files that can contains credentials
            - ' processinfo' # Search processes information
            - ' servicesinfo' # Search services information
            - ' windowscreds' # Search windows credentials
    selection_cli_dl:
        CommandLine|contains: 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/'
    selection_cli_specific:
        - ParentCommandLine|endswith: ' -linpeas'
        - CommandLine|endswith: ' -linpeas'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
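
The rule's matching logic, as an added Python example that is not part of the Sigma project or the original page: it evaluates the four selections and the `1 of selection_*` condition against constructed process-creation events, reporting which selection fired. The event values, including the hypothetical `svc.exe` and `inventory.exe` paths, are assumptions made for illustration.

```python
# Added example: evaluates the rule's selections against constructed events.
# Sigma string matching is case-insensitive, so values are lowercased first.

IMG_SUFFIXES = [r'\winPEASany_ofs.exe', r'\winPEASany.exe', r'\winPEASx64_ofs.exe',
                r'\winPEASx64.exe', r'\winPEASx86_ofs.exe', r'\winPEASx86.exe']
CLI_OPTIONS = [' applicationsinfo', ' browserinfo', ' eventsinfo', ' fileanalysis',
               ' filesinfo', ' processinfo', ' servicesinfo', ' windowscreds']
DL_URL = 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/'


def _field(event, name):
    """Return a field as a lowercase string; a missing field never matches."""
    return str(event.get(name, '')).lower()


def matched_selections(event):
    """Return the names of the rule's selections that match one event."""
    image, cli = _field(event, 'Image'), _field(event, 'CommandLine')
    parent_cli = _field(event, 'ParentCommandLine')
    checks = {
        # Items of a YAML list inside a selection are OR-ed together.
        'selection_img': _field(event, 'OriginalFileName') == 'winpeas.exe'
                         or any(image.endswith(s.lower()) for s in IMG_SUFFIXES),
        'selection_cli_option': any(opt in cli for opt in CLI_OPTIONS),
        'selection_cli_dl': DL_URL.lower() in cli,
        'selection_cli_specific': parent_cli.endswith(' -linpeas')
                                  or cli.endswith(' -linpeas'),
    }
    return [name for name, hit in checks.items() if hit]


def rule_fires(event):
    """condition: 1 of selection_*"""
    return bool(matched_selections(event))


# Constructed sample events (not real telemetry).
EVENTS = [
    {'Image': r'C:\Users\Public\winPEASx64.exe', 'CommandLine': 'winPEASx64.exe'},
    {'Image': r'C:\Users\Public\svc.exe', 'OriginalFileName': 'winPEAS.exe',
     'CommandLine': 'svc.exe servicesinfo'},  # renamed binary, PE metadata intact
    {'Image': r'C:\Tools\inventory.exe',      # hypothetical unrelated tool
     'CommandLine': r'C:\Tools\inventory.exe processinfo'},
    {'Image': r'C:\Windows\System32\notepad.exe', 'CommandLine': 'notepad.exe notes.txt'},
]

if __name__ == '__main__':
    for ev in EVENTS:
        print(ev['CommandLine'], '->', matched_selections(ev) or 'no match')
```

The third event shows that `selection_cli_option` keys on the argument string alone, so any process started with one of those words as an argument matches; reporting the selection name alongside the alert helps triage such hits.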
