Threat Feed
medium advisory

WinPEAS PowerShell Script Execution Detection

This brief documents the detection of WinPEAS PowerShell script execution on Windows systems. WinPEAS is a tool commonly used to identify privilege escalation paths; the detection works by identifying specific default function names used within the script.

WinPEAS (Windows Privilege Escalation Awesome Script) is a post-exploitation tool used to automate the identification of potential privilege escalation paths on Windows systems, similar to its Linux counterpart, linpeas.sh. This detection focuses on identifying the execution of WinPEAS through PowerShell script block logging, specifically by detecting the use of default function names commonly found within the script, such as returnHotFixID, Start-ACLCheck, UnquotedServicePathCheck, and Get-ClipBoardText. Detecting WinPEAS usage can alert defenders to potential reconnaissance and privilege escalation attempts by attackers who have already gained initial access to a system.

Attack Chain

  1. Initial Access: An attacker gains initial access to a Windows system, potentially through exploitation of a vulnerability or compromised credentials.
  2. Execution: The attacker executes a PowerShell script, which may be directly run or downloaded and executed.
  3. Reconnaissance: The attacker executes the WinPEAS PowerShell script on the compromised system.
  4. Privilege Escalation Checks: WinPEAS automatically enumerates the system for potential privilege escalation paths. This includes checking for unquoted service paths, accessible ACLs, and potentially sensitive information like clipboard contents. The script utilizes functions such as UnquotedServicePathCheck, Start-ACLCheck, and Get-ClipBoardText.
  5. Data Collection: WinPEAS collects system information to identify potential privilege escalation vulnerabilities. It uses functions like returnHotFixID to identify installed hotfixes.
  6. Analysis: The attacker analyzes the output from WinPEAS to identify misconfigurations or vulnerabilities that can be exploited to elevate privileges.
  7. Exploitation: The attacker exploits identified vulnerabilities or misconfigurations to escalate privileges on the system.

Impact

Successful execution of WinPEAS indicates that an attacker has already gained a foothold on a system and is actively engaged in reconnaissance for privilege escalation opportunities. This can lead to the attacker gaining higher-level access, potentially compromising sensitive data, deploying ransomware, or establishing persistent access to the network. Organizations that fail to detect and respond to WinPEAS activity may experience significant data breaches and system compromise.

Recommendation

  • Enable PowerShell Script Block Logging (Event ID 4104) to ensure the necessary data is available for detecting WinPEAS execution.
  • Deploy the Sigma rule Detect WinPEAS PowerShell Script Execution to your SIEM and tune for your environment.
  • Review and investigate any alerts generated by the detection rule, prioritizing systems with sensitive data or critical functions.
  • Implement access controls and patch management procedures to mitigate the privilege escalation paths that WinPEAS may identify.

Detection coverage (2 rules)

Detect WinPEAS PowerShell Script Execution

medium

Detects the execution of the WinPEAS PowerShell script via default function names used within the script.

Rule type: sigma
Tactics: discovery, privilege_escalation
Techniques: T1007, T1068
Sources: process_creation, windows

Detect WinPEAS PowerShell Script Block Logging

medium

Detects the execution of the WinPEAS PowerShell script through script block logging via default function names used within the script.

Rule type: sigma
Tactics: discovery, privilege_escalation
Techniques: T1007, T1068
Sources: powershell_script, windows
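The two rules above share one detection idea: look for the default WinPEAS function names the advisory lists, either in a PowerShell script block (Event ID 4104, the powershell_script source) or in a process creation command line (the process_creation source). The Python below is an added illustration of that logic, written for this page; it is not the platform's Sigma rule and not code from the WinPEAS project. It assumes events are already parsed into dictionaries whose field names (EventID, Computer, ScriptBlockText, CommandLine) mirror the Windows event fields, and all sample events are constructed. Two practical details it handles: PowerShell identifiers are case-insensitive, so a lower-cased `start-aclcheck` still matches, and a long script is logged as several 4104 fragments, so any single fragment carrying one of the names is enough to fire.

```python
"""Match the default WinPEAS function names named in the advisory against
PowerShell script block (4104) and process creation events.
Added example for this page; sample events are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Optional

# Default function names from the WinPEAS PowerShell script, as listed in the advisory.
WINPEAS_FUNCTIONS = (
    "returnHotFixID",
    "Start-ACLCheck",
    "UnquotedServicePathCheck",
    "Get-ClipBoardText",
)

# PowerShell is case-insensitive, so match case-insensitively; \b keeps the
# pattern from firing inside a longer, unrelated identifier.
_PATTERN = re.compile(
    r"\b(?:" + "|".join(re.escape(n) for n in WINPEAS_FUNCTIONS) + r")\b",
    re.IGNORECASE,
)


def matched_functions(text: str) -> list:
    """Return the WinPEAS function names present in text, in canonical spelling."""
    found = {m.group(0).lower() for m in _PATTERN.finditer(text or "")}
    return [n for n in WINPEAS_FUNCTIONS if n.lower() in found]


@dataclass
class Finding:
    rule: str        # which of the two advisory rules matched
    host: str
    functions: list  # names that triggered the match


# Event ID -> (rule / log source, field holding the text to inspect).
# 4104: PowerShell script block text; 4688 (Security) and 1 (Sysmon): command line.
# A production rule would also filter on the log channel or provider, not only the ID.
_SOURCES = {
    4104: ("powershell_script", "ScriptBlockText"),
    4688: ("process_creation", "CommandLine"),
    1: ("process_creation", "CommandLine"),
}


def evaluate_event(event: dict) -> Optional[Finding]:
    """Apply the detection to one event; None when it is out of scope or clean."""
    source = _SOURCES.get(event.get("EventID"))
    if source is None:
        return None
    rule, field = source
    hits = matched_functions(event.get(field, ""))
    if not hits:
        return None
    return Finding(rule=rule, host=event.get("Computer", "?"), functions=hits)


def scan_events(events) -> list:
    """Run evaluate_event over a batch and keep only the findings."""
    return [f for f in (evaluate_event(e) for e in events) if f is not None]


# Constructed sample events (not real logs). The first 4104 entry is one
# fragment of a larger script, as script block logging splits long scripts.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "ws01.corp.example",
     "ScriptBlockText": "function UnquotedServicePathCheck {\n  Get-WmiObject Win32_Service\n}\n"
                        "function Get-ClipBoardText {\n  Add-Type -AssemblyName System.Windows.Forms\n}"},
    {"EventID": 4104, "Computer": "ws02.corp.example",
     "ScriptBlockText": "Get-ChildItem -Path C:\\Users -Recurse | Measure-Object"},
    {"EventID": 4688, "Computer": "ws03.corp.example",
     "CommandLine": "powershell.exe -NoProfile -c \". .\\winPEAS.ps1; start-aclcheck\""},
    {"EventID": 4688, "Computer": "ws03.corp.example",
     "CommandLine": "notepad.exe C:\\notes.txt"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {', '.join(f.functions)}")
```

Run as a script it reports two findings, one per rule, and ignores the two benign events. When tuning, the list of names is the knob: the four here are the ones the advisory names, and a renamed copy of the script will evade a name-only match, which is why the advisory pairs this detection with access controls and patching rather than relying on it alone.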
