frack113
41 lines
1.5 KiB
YAML
41 lines
1.5 KiB
YAML
title: Detect Execution of winPEAS
|
|
id: 98b53e78-ebaf-46f8-be06-421aafd176d9
|
|
status: experimental
|
|
description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
|
|
references:
|
|
- https://github.com/carlospolop/PEASS-ng
|
|
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
|
|
author: Georg Lauenstein
|
|
date: 2022/09/19
|
|
tags:
|
|
- attack.privilege_escalation
|
|
- attack.t1082
|
|
- attack.t1087
|
|
- attack.t1046
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_basic:
|
|
Image|endswith:
|
|
- '\winPEASany.exe'
|
|
- '\winPEASany_ofs.exe'
|
|
- '\winPEASx64.exe'
|
|
- '\winPEASx64_ofs.exe'
|
|
- '\winPEASx86.exe'
|
|
- '\winPEASx86_ofs.exe'
|
|
selection_pe:
|
|
OriginalFileName: 'winPEAS.exe'
|
|
selection_option:
|
|
- CommandLine|endswith:
|
|
- 'serviceinfo' # Search services information
|
|
- 'applicationsinfo' # Search installed applications information
|
|
- 'windowscreds' # Search windows credentials
|
|
- 'browserinfo ' # Search browser information
|
|
- 'fileanalysis' # Search specific files that can contains credentials and for regexes inside files
|
|
- CommandLine|contains: '.exe browserinfo ' # Search browser information
|
|
condition: 1 of selection*
|
|
falsepositives:
|
|
- Other programs that use the same command line flags
|
|
level: high
|