Merge pull request #3513 from gs3cl/gsec-mod

new rule for the winpeas tool

rules/windows/process_creation/proc_creation_win_winpeas_tool.yml

@@ -0,0 +1,40 @@
+title: Detect Execution of winPEAS
+id: 98b53e78-ebaf-46f8-be06-421aafd176d9
+status: experimental
+description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
+author: Georg Lauenstein
+date: 2022/09/19
+references:
+    - https://github.com/carlospolop/PEASS-ng
+    - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
+tags:
+    - attack.privilege_escalation
+    - attack.t1082
+    - attack.t1087
+    - attack.t1046
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_basic:
+        Image|endswith:
+            - '\winPEASany.exe'
+            - '\winPEASany_ofs.exe'
+            - '\winPEASx64.exe'
+            - '\winPEASx64_ofs.exe'
+            - '\winPEASx86.exe'
+            - '\winPEASx86_ofs.exe'
+    selection_pe:
+        OriginalFileName: 'winPEAS.exe'
+    selection_option:
+        - CommandLine|endswith:
+            - 'serviceinfo'    # Search services information
+            - 'applicationsinfo' # Search installed applications information
+            - 'windowscreds'  # Search windows credentials
+            - 'browserinfo '  # Search browser information
+            - 'fileanalysis'  # Search specific files that can contains credentials and for regexes inside files
+        - CommandLine|contains: '.exe browserinfo '  # Search browser information
+    condition: 1 of selection*
+falsepositives:
+    - Other programs that use the same command line flags
+level: high