Detectionhightest

HackTool - winPEAS Execution

WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Georg Lauenstein (sure[secure])Created Mon Sep 19Updated Thu Mar 2398b53e78-ebaf-46f8-be06-421aafd176d9windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_img:
        - OriginalFileName: 'winPEAS.exe'
        - Image|endswith:
              - '\winPEASany_ofs.exe'
              - '\winPEASany.exe'
              - '\winPEASx64_ofs.exe'
              - '\winPEASx64.exe'
              - '\winPEASx86_ofs.exe'
              - '\winPEASx86.exe'
    selection_cli_option:
        CommandLine|contains:
            - ' applicationsinfo' # Search installed applications information
            - ' browserinfo' # Search browser information
            - ' eventsinfo' # Display interesting events information
            - ' fileanalysis' # Search specific files that can contains credentials and for regexes inside files
            - ' filesinfo' # Search generic files that can contains credentials
            - ' processinfo' # Search processes information
            - ' servicesinfo' # Search services information
            - ' windowscreds' # Search windows credentials
    selection_cli_dl:
        CommandLine|contains: 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/'
    selection_cli_specific:
        - ParentCommandLine|endswith: ' -linpeas'
        - CommandLine|endswith: ' -linpeas'
    condition: 1 of selection_*