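---
# CrowdSec scenario: HackTool - winPEAS Execution
# Install with: cscli scenarios install sigmahq/proc_creation_win_hktl_winpeas
#
# Detection-only scenario (no remediation decision is produced) that raises an
# alert on Sysmon process-creation events (EventID 1) whose image name or
# command line matches known winPEAS binaries, module names or download URL.

# trigger: the scenario fires on the first matching event, no counting/leaky bucket
type: trigger
name: sigmahq/proc_creation_win_hktl_winpeas
description: |
  WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz

# The expression is kept on a single line so the compiled filter is byte-identical
# to the published scenario. Matches, in order: Sysmon EventID 1, then any of the
# winPEAS OriginalFileName/Image variants, winPEAS module keywords on the command
# line, the PEASS-ng release download URL, or a ' -linpeas' suffix.
# NOTE(review): the bare CommandLine keywords (' filesinfo', ' processinfo', ...)
# are short generic tokens; confirm the false-positive rate in your environment.
# NOTE(review): the ' -linpeas' clauses look inherited from the LinPEAS sibling
# rule; confirm they are intended in a Windows-only scenario.
filter: |
  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && (evt.Parsed.OriginalFileName == 'winPEAS.exe' || evt.Parsed.Image endsWith '\\winPEASany_ofs.exe' || evt.Parsed.Image endsWith '\\winPEASany.exe' || evt.Parsed.Image endsWith '\\winPEASx64_ofs.exe' || evt.Parsed.Image endsWith '\\winPEASx64.exe' || evt.Parsed.Image endsWith '\\winPEASx86_ofs.exe' || evt.Parsed.Image endsWith '\\winPEASx86.exe' || evt.Parsed.CommandLine contains ' applicationsinfo' || evt.Parsed.CommandLine contains ' browserinfo' || evt.Parsed.CommandLine contains ' eventsinfo' || evt.Parsed.CommandLine contains ' fileanalysis' || evt.Parsed.CommandLine contains ' filesinfo' || evt.Parsed.CommandLine contains ' processinfo' || evt.Parsed.CommandLine contains ' servicesinfo' || evt.Parsed.CommandLine contains ' windowscreds' || evt.Parsed.CommandLine contains 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/' || evt.Parsed.ParentCommandLine endsWith ' -linpeas' || evt.Parsed.CommandLine endsWith ' -linpeas')

# After an alert, suppress further alerts for the same scope for 2 minutes
# (limits alert floods from a chatty parent process).
blackhole: 2m
# presumably the upstream Sigma rule's status, kept inactive on purpose
# status: test

labels:
  service: windows
  confidence: 1
  # 0: the scope value (a PID from the host's own Sysmon log) cannot be spoofed by a remote party
  spoofable: 0
  # MITRE ATT&CK techniques
  classification:
    - attack.t1082  # System Information Discovery
    - attack.t1087  # Account Discovery
    - attack.t1046  # Network Service Discovery
  label: "HackTool - winPEAS Execution"
  behavior: "windows:audit"
  # false: alert only, no decision (ban) is created for the scope
  remediation: false

# Alerts are keyed on the parent process id rather than an IP address.
scope:
  type: ParentProcessId
  expression: evt.Parsed.ParentProcessId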