LoFP / Legitimate security assessments or administrative audits may run winPEAS for privilege escalation checks. Exclude trusted security tools to reduce false alerts; in the rule below, the `windows_winpeas_powershell_script_execution_filter` macro at the end of the search is the intended place to exclude known assessment hosts, accounts or tool paths.

Techniques

Sample rules

Windows WinPEAS PowerShell Script Execution

Description

Detects execution of the WinPEAS PowerShell script by matching default function names used within the script in PowerShell script block logging (Event ID 4104). winPEAS (Windows Privilege Escalation Awesome Script) is a Windows tool that, like its Linux counterpart linpeas.sh, automates the search for potential privilege escalation paths on a host. Because the match is on the script's default function names, the rule depends on script block logging being enabled and will not fire on a copy of the script in which those functions have been renamed or obfuscated.

Detection logic

`powershell` EventID="4104"
ScriptBlockText IN (
    "*returnHotFixID*",
    "*Start-ACLCheck*",
    "*UnquotedServicePathCheck*",
    "*Get-ClipBoardText*"
)
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
    by Computer EventID ScriptBlockText signature signature_id user_id vendor_product Guid
       Opcode Name Path ProcessID ScriptBlockId
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_winpeas_powershell_script_execution_filter`
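The following is an added example, not code from the rule or from the LoFP page: it replays the detection logic above in Python over a handful of constructed Event ID 4104 records, so the wildcard matching and the false-positive exclusion can be exercised offline. The hosts, users, paths and script block text are hypothetical, and the `TRUSTED_TOOL_RUNS` allowlist is one assumed implementation of what the `windows_winpeas_powershell_script_execution_filter` macro might do; the real macro is site-specific. Aggregation is keyed on host, user and script path rather than the full field list of the SPL `stats` clause.

```python
"""Replay of the WinPEAS Event 4104 detection over constructed sample events.

Added example, not the rule's own code: mirrors the SPL search in Python so the
wildcard match and the trusted-tool filter can be tested offline.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Wildcard patterns copied from the rule's ScriptBlockText IN (...) clause.
WINPEAS_FUNCTION_PATTERNS = [
    "*returnHotFixID*",
    "*Start-ACLCheck*",
    "*UnquotedServicePathCheck*",
    "*Get-ClipBoardText*",
]

# Assumed implementation of the rule's filter macro: an allowlist of
# (user_id, directory prefix) pairs for sanctioned assessment tooling.
TRUSTED_TOOL_RUNS: List[Tuple[str, str]] = [
    ("CORP\\svc-assess", "C:\\Tools\\PEASS\\"),
]

# Constructed sample Event 4104 records (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:00", "EventID": 4104, "Computer": "WS01.corp.example",
     "user_id": "CORP\\alice", "Path": "C:\\Users\\alice\\Downloads\\winPEAS.ps1",
     "ScriptBlockText": "function UnquotedServicePathCheck {\n  Get-WmiObject Win32_Service\n}"},
    {"_time": "2024-05-01T10:05:00", "EventID": 4104, "Computer": "WS01.corp.example",
     "user_id": "CORP\\alice", "Path": "C:\\Users\\alice\\Downloads\\winPEAS.ps1",
     "ScriptBlockText": "Start-ACLCheck -Target 'C:\\Program Files'"},
    {"_time": "2024-05-01T11:00:00", "EventID": 4104, "Computer": "SRV02.corp.example",
     "user_id": "CORP\\svc-assess", "Path": "C:\\Tools\\PEASS\\winPEAS.ps1",
     "ScriptBlockText": "$hotfixes = returnHotFixID"},
    {"_time": "2024-05-01T11:30:00", "EventID": 4104, "Computer": "WS03.corp.example",
     "user_id": "CORP\\bob", "Path": "C:\\Scripts\\inventory.ps1",
     "ScriptBlockText": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"_time": "2024-05-01T12:00:00", "EventID": 4104, "Computer": "WS04.corp.example",
     "user_id": "CORP\\carol", "Path": "C:\\Temp\\p.ps1",
     "ScriptBlockText": "$clip = get-clipboardtext"},  # lower case still matches
]


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Splunk-style wildcard (only '*') into an anchored regex.
    Case-insensitive like a Splunk field match; DOTALL because script blocks
    span multiple lines."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE | re.DOTALL)


COMPILED_PATTERNS = [wildcard_to_regex(p) for p in WINPEAS_FUNCTION_PATTERNS]


def matches_winpeas(script_block: str) -> bool:
    """True if the script block contains any default winPEAS function name."""
    return any(rx.fullmatch(script_block) for rx in COMPILED_PATTERNS)


def is_trusted_run(record: Dict, trusted: List[Tuple[str, str]]) -> bool:
    """Allowlist check standing in for the rule's filter macro (assumption)."""
    return any(
        record["user_id"].lower() == user.lower()
        and record["Path"].lower().startswith(prefix.lower())
        for user, prefix in trusted
    )


def run_detection(events: Iterable[Dict],
                  trusted: List[Tuple[str, str]] = TRUSTED_TOOL_RUNS) -> List[Dict]:
    """Filter 4104 events on the patterns, aggregate like the SPL stats clause
    (count, firstTime, lastTime), rename Computer to dest, then apply the
    exclusion filter last, as the SPL pipeline does."""
    rows: Dict[Tuple[str, str, str], Dict] = {}
    for ev in events:
        if ev["EventID"] != 4104 or not matches_winpeas(ev["ScriptBlockText"]):
            continue
        key = (ev["Computer"], ev["user_id"], ev["Path"])
        ts = datetime.fromisoformat(ev["_time"])
        row = rows.setdefault(key, {
            "dest": ev["Computer"], "user_id": ev["user_id"], "Path": ev["Path"],
            "count": 0, "firstTime": ts, "lastTime": ts,
        })
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ts)
        row["lastTime"] = max(row["lastTime"], ts)
    return [r for r in rows.values() if not is_trusted_run(r, trusted)]


if __name__ == "__main__":
    for r in run_detection(SAMPLE_EVENTS):
        print(f"{r['dest']} {r['user_id']} {r['Path']} count={r['count']} "
              f"first={r['firstTime'].isoformat()} last={r['lastTime'].isoformat()}")
```

Running the block lists alice's two hits on WS01 as one aggregated row and carol's lower-case `get-clipboardtext` on WS04 as another; the svc-assess run from the trusted tools directory is suppressed by the allowlist, which is the false-positive handling the LoFP note describes. Keying the allowlist on both account and path, rather than account alone, limits how far a compromised assessment account can ride the exclusion.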