HackTool - winPEAS Execution
WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
Sigma rule
title: HackTool - winPEAS Execution
id: 98b53e78-ebaf-46f8-be06-421aafd176d9
status: test
description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
references:
    - https://github.com/carlospolop/PEASS-ng
    - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
author: Georg Lauenstein (sure[secure])
date: 2022-09-19
modified: 2023-03-23
tags:
    - attack.privilege-escalation
    - attack.discovery
    - attack.t1082
    - attack.t1087
    - attack.t1046
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'winPEAS.exe'
        - Image|endswith:
              - '\winPEASany_ofs.exe'
              - '\winPEASany.exe'
              - '\winPEASx64_ofs.exe'
              - '\winPEASx64.exe'
              - '\winPEASx86_ofs.exe'
              - '\winPEASx86.exe'
    selection_cli_option:
        CommandLine|contains:
            - ' applicationsinfo' # Search installed applications information
            - ' browserinfo' # Search browser information
            - ' eventsinfo' # Display interesting events information
            - ' fileanalysis' # Search specific files that can contains credentials and for regexes inside files
            - ' filesinfo' # Search generic files that can contains credentials
            - ' processinfo' # Search processes information
            - ' servicesinfo' # Search services information
            - ' windowscreds' # Search windows credentials
    selection_cli_dl:
        CommandLine|contains: 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/'
    selection_cli_specific:
        - ParentCommandLine|endswith: ' -linpeas'
        - CommandLine|endswith: ' -linpeas'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
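The rule's logic evaluated over sample process-creation events, as an added example that is not part of the original page or of the rule's repository. The function names and the sample events are constructed for illustration; the field names follow Sysmon Event ID 1, and the matching is case-insensitive as Sigma string comparisons are by default.

```python
# Added example: evaluates the rule's four selections over constructed events.
RELEASE_URL = "https://github.com/carlospolop/PEASS-ng/releases/latest/download/"
IMAGE_SUFFIXES = ("\\winpeasany_ofs.exe", "\\winpeasany.exe", "\\winpeasx64_ofs.exe",
                  "\\winpeasx64.exe", "\\winpeasx86_ofs.exe", "\\winpeasx86.exe")
CLI_OPTIONS = (" applicationsinfo", " browserinfo", " eventsinfo", " fileanalysis",
               " filesinfo", " processinfo", " servicesinfo", " windowscreds")


def matched_selections(event):
    """Return the names of the rule's selections that this event satisfies."""
    # Lower-case every field once so all comparisons are case-insensitive.
    f = {k: str(event.get(k, "")).lower() for k in
         ("OriginalFileName", "Image", "CommandLine", "ParentCommandLine")}
    hits = []
    if f["OriginalFileName"] == "winpeas.exe" or f["Image"].endswith(IMAGE_SUFFIXES):
        hits.append("selection_img")
    if any(opt in f["CommandLine"] for opt in CLI_OPTIONS):
        hits.append("selection_cli_option")
    if RELEASE_URL.lower() in f["CommandLine"]:
        hits.append("selection_cli_dl")
    if f["ParentCommandLine"].endswith(" -linpeas") or f["CommandLine"].endswith(" -linpeas"):
        hits.append("selection_cli_specific")
    return hits


def rule_fires(event):
    # condition: 1 of selection_*
    return bool(matched_selections(event))


# Constructed sample events, not taken from real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\bob\\Downloads\\winPEASx64.exe", "CommandLine": "winPEASx64.exe"},
    # Renamed binary: the path no longer matches, the PE version-info name still does.
    {"Image": "C:\\Temp\\updater.exe", "OriginalFileName": "winPEAS.exe",
     "CommandLine": "updater.exe servicesinfo"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c \"iwr " + RELEASE_URL + "winPEASany.exe -o w.exe\""},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(rule_fires(ev), matched_selections(ev), ev["Image"])
```

The second event shows why the rule pairs Image with OriginalFileName: renaming the file on disk defeats the path check but not the version-info check, provided the log source records that field.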
Related rules
- HackTool - WinPwn Execution
- HackTool - WinPwn Execution - ScriptBlock
- PUA - System Informer Execution
- Network Reconnaissance Activity
- Potential Suspicious Activity Using SeCEdit