Winpeas
winPEAS (Windows Privilege Escalation Awesome Script) enumerates Windows systems for privilege escalation vulnerabilities and misconfigurations.
Installation
# Download binary (C# compiled)
https://github.com/carlospolop/PEASS-ng/releases/download/20250330/winPEASx64.exe
https://github.com/carlospolop/PEASS-ng/releases/download/20250330/winPEASx86.exe
# Download source and compile
git clone https://github.com/carlospolop/PEASS-ng.git
cd PEASS-ng/winPEAS/winPEASexe
# Open in Visual Studio and build
# Run via PowerShell: IEX evaluates script text and cannot execute the compiled .exe, so download the binary to disk and run it
powershell -ExecutionPolicy Bypass -Command "(New-Object Net.WebClient).DownloadFile('https://github.com/carlospolop/PEASS-ng/releases/download/20250330/winPEASx64.exe', '.\winPEASx64.exe'); .\winPEASx64.exe"
Basic Usage
| Command | Description |
|---|---|
| `winPEASx64.exe` | Run full enumeration |
| `winPEASx64.exe -h` | Display help |
| `winPEASx64.exe quiet` | Minimal output |
| `winPEASx64.exe cmd` | Show commands to run |
| `winPEASx64.exe log=winpeas.txt` | Save output to file (`log` alone writes out.txt) |
Enumeration Groups
# All groups at once
winPEASx64.exe all
# Specific checks (pass one or more check names; winPEAS has no -group switch)
winPEASx64.exe systeminfo
winPEASx64.exe userinfo
winPEASx64.exe networkinfo
winPEASx64.exe applicationsinfo servicesinfo
Key Areas
System Information
# OS details
systeminfo
[System.Environment]::OSVersion
Get-CimInstance Win32_OperatingSystem
# Installed updates (check for missing patches)
Get-HotFix
wmic qfe list
Users and Groups
# Current user
whoami
[System.Security.Principal.WindowsIdentity]::GetCurrent()
# All users
net user
Get-LocalUser
# User privileges
whoami /priv
# Group membership
net user %username%
Get-LocalGroupMember -Group Administrators
File Permissions
# Program Files permissions
icacls "C:\Program Files"
Get-Acl "C:\Program Files" | Format-List
# Service binaries (then check the ACL of each binary and its directory with icacls)
Get-CimInstance Win32_Service | Select Name,PathName
Services
# List services and binaries
Get-Service | Select Name,StartType,Status
wmic service list brief
# Service binary paths (check for unquoted paths)
wmic service get name,pathname
# Service DACL: who may start, stop or reconfigure the service (SDDL output)
sc.exe sdshow "ServiceName"
# Current service status
Get-Service -Name "ServiceName" | % {$_.Status}
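The SDDL string that `sc.exe sdshow` prints is hard to read by eye. The following added example (my own code, not part of winPEAS or the PEASS-ng project) decodes a service's DACL with the .NET `RawSecurityDescriptor` class and reports which principals hold the rights that matter for service abuse: SERVICE_CHANGE_CONFIG, SERVICE_START, SERVICE_STOP, WRITE_DAC, WRITE_OWNER and GENERIC_ALL. The access-bit values are the documented SERVICE_* constants; the list of "low-privileged" SIDs and the function name are this example's own choices.

```powershell
# Added example (not winPEAS code): decode a service DACL and flag rights
# granted to low-privileged groups. Run in an elevated or a normal shell;
# sc.exe sdshow only needs READ_CONTROL on the service.

$ServiceRightBits = [ordered]@{
    SERVICE_CHANGE_CONFIG = 0x00000002   # may change ImagePath / run-as account
    SERVICE_START         = 0x00000010
    SERVICE_STOP          = 0x00000020
    WRITE_DAC             = 0x00040000   # may rewrite the DACL itself
    WRITE_OWNER           = 0x00080000
    GENERIC_ALL           = 0x10000000
}
# Everyone, Authenticated Users, BUILTIN\Users, Interactive (assumption: treat these as low-privileged)
$LowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

function Get-ServiceDaclRights {
    param([Parameter(Mandatory)][string]$Name)
    # sc.exe sdshow prints a blank line followed by the SDDL string (starts with D: or O:)
    $sddl = sc.exe sdshow $Name | Where-Object { $_ -match '^[DOGS]:' } | Select-Object -First 1
    if (-not $sddl) { throw "could not read the security descriptor of service '$Name'" }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }   # Deny ACEs are not reported
        $granted = foreach ($kv in $ServiceRightBits.GetEnumerator()) {
            if ($ace.AccessMask -band $kv.Value) { $kv.Key }
        }
        if (-not $granted) { continue }
        $sid = $ace.SecurityIdentifier.Value
        [pscustomobject]@{
            Service   = $Name
            Principal = $(try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid })
            Sid       = $sid
            LowPriv   = $LowPrivSids -contains $sid
            Rights    = $granted -join ','
        }
    }
}

# Audit every service and keep only rights held by low-privileged groups
Get-CimInstance Win32_Service | ForEach-Object { Get-ServiceDaclRights -Name $_.Name } |
    Where-Object LowPriv | Format-Table -AutoSize
```

A row with SERVICE_CHANGE_CONFIG or WRITE_DAC for a low-privileged SID is the finding to remediate (tighten the DACL with `sc.exe sdset` or Group Policy); SERVICE_START/SERVICE_STOP alone is less severe but still lets a standard user restart a service after its binary has been altered.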
Scheduled Tasks
# List all tasks (Get-ScheduledTask already walks every task folder; it has no -Recurse parameter)
Get-ScheduledTask
# Principal, state and action of each task
Get-ScheduledTask | Select-Object TaskName,State,@{n='RunAs';e={$_.Principal.UserId}},@{n='Execute';e={$_.Actions.Execute -join ';'}}
# Last and next run times
Get-ScheduledTask | Get-ScheduledTaskInfo
# Task binaries from the XML definitions (privilege escalation vector when a binary sits in a writable path)
Get-ChildItem "C:\Windows\System32\Tasks" -Recurse -File | Select-String "<Command>"
Registry
# Credentials in registry
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyPassword
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
# AutoRun programs
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
Network
# Network information
ipconfig /all
Get-NetIPConfiguration
# Open ports
netstat -ano
Get-NetTCPConnection -State Listen
# Firewall rules
netsh advfirewall show allprofiles
Get-NetFirewallRule
Environment Variables
# Display all env vars
Get-ChildItem env:
# Sensitive data search (findstr treats space-separated strings as alternatives; \| is not an OR operator)
dir env: | findstr /i "API TOKEN KEY"
Privilege Escalation Vectors
UAC Bypass
# Check UAC status
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System
# ConsentPromptBehaviorAdmin (0-5): 0 = elevate without prompting, 5 = default prompt for non-Windows binaries; lower values require less user interaction at elevation
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin
Token Impersonation
# Check if impersonation privileges are available (full privilege names; findstr has no \| alternation)
whoami /priv | findstr /i "SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege"
# Use tools like Rotten Potato, GodPotato for token impersonation
Unquoted Service Paths
# Find unquoted paths that contain a space before the .exe (outside C:\Windows, which is not user-writable)
Get-CimInstance Win32_Service | Where-Object { $_.PathName -notmatch '^"' -and $_.PathName -match '^\S+\s[^"]*\.exe' -and $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' } | Select Name,PathName
# Check for spaces in path (exploitation vector)
C:\Program Files\Vulnerable Program\service.exe
# Exploitable as: C:\Program.exe, C:\Program Files\Vulnerable.exe
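To turn the one-liner above into an audit that can also close the finding, here is an added example (my own code, not winPEAS's): it lists every unquoted service path, shows the truncated executables Windows would try before the real one (the `C:\Program.exe` pattern just described), and offers a `-WhatIf`-capable repair that quotes the `ImagePath` registry value. Function names are this example's own; the repair needs an administrative shell.

```powershell
# Added example (not winPEAS code): enumerate unquoted service paths and
# optionally quote them in place. Win32_Service.PathName mirrors the
# ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\<name>.

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^\s*"' -and              # not already quoted
            $_.PathName -match '^\S+\s[^"]*\.exe' -and        # a space before the .exe
            $_.PathName -notmatch '^[A-Za-z]:\\Windows\\'     # system dir: not user-writable, skip
        } |
        ForEach-Object {
            # executable = everything up to and including the first ".exe"
            $exe   = $_.PathName -replace '^(.*?\.exe).*$', '$1'
            $parts = $exe -split ' '
            # each prefix ending at a space is a candidate Windows tries first
            $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
                ($parts[0..($i - 1)] -join ' ') + '.exe'
            }
            [pscustomobject]@{
                Name       = $_.Name
                StartMode  = $_.StartMode
                RunAs      = $_.StartName
                PathName   = $_.PathName
                Candidates = $candidates
            }
        }
}

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $old = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    if ($old -match '^\s*"') { Write-Verbose "$Name is already quoted"; return }
    $exe  = $old -replace '^(.*?\.exe).*$', '$1'
    $rest = $old.Substring($exe.Length)          # service arguments, if any, stay outside the quotes
    $new  = '"' + $exe + '"' + $rest
    if ($PSCmdlet.ShouldProcess($Name, "set ImagePath to $new")) {
        Set-ItemProperty -Path $key -Name ImagePath -Value $new
    }
}

# Report first; review the candidates, then fix (drop -WhatIf to apply)
Get-UnquotedServicePath | Format-List
Get-UnquotedServicePath | ForEach-Object { Repair-UnquotedServicePath -Name $_.Name -WhatIf }
```

The `Candidates` column is what makes the finding actionable for a defender: each listed directory should be checked with `icacls` for write access by Users or Authenticated Users, and the quoting fix removes the ambiguity regardless of the ACLs. The service picks up the new path on its next start.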
DLL Hijacking
# Check DLL search order: SafeDllSearchMode 0 means the current directory is searched before the system directories (1 or absent = safe); PATH directories are searched last
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode
$env:Path -split ';' | ForEach-Object { icacls $_ }
# Vulnerable paths to check
C:\Windows\System32
C:\Program Files\*
Vulnerable Applications
# List installed software
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select DisplayName,DisplayVersion
# Check for known vulnerable versions
# Java, Adobe Reader, QuickTime, etc.
Output Interpretation
Critical Findings (Red)
- Unquoted service paths with spaces
- UAC disabled or misconfigured
- SYSTEM-owned files in writable directories
- Weak file permissions on sensitive files
- Kernel exploits available
Important Findings (Yellow)
- Services running as NetworkService/LocalService
- Interesting scheduled tasks
- Credentials in registry/files
- Disabled firewall rules
Exploitation Examples
Service Binary Hijacking
# If service binary path is writable:
# 1. Backup original binary
Copy-Item "C:\path\to\service.exe" "service.exe.bak"
# 2. Replace with payload (must maintain service interface)
# 3. Restart service (or wait for scheduled restart)
Restart-Service "ServiceName" -Force
Registry Manipulation
# Add Run registry entry for persistence
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Malware /t REG_SZ /d "C:\path\to\payload.exe"
# Trigger on next logon
Task Scheduler Exploitation
# Create scheduled task running as SYSTEM
$TaskAction = New-ScheduledTaskAction -Execute "C:\Windows\System32\cmd.exe" -Argument "/c calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
Register-ScheduledTask -TaskName "MyTask" -Action $TaskAction -Trigger $Trigger -User "SYSTEM"
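The Run-key and scheduled-task techniques above share one detection: a program that is launched with someone else's rights (SYSTEM for a task principal, every logging-on user for an HKLM Run value) from a file or directory that a standard user can modify. This added example (my own code, not part of winPEAS) walks both sources and reports such entries. The file-ACL helper, the command-line parser, and the list of SIDs treated as low-privileged are this example's own assumptions.

```powershell
# Added example (not winPEAS code): flag scheduled tasks and Run/RunOnce
# autoruns whose executable lives where low-privileged groups can write.

# Everyone, Authenticated Users, BUILTIN\Users, Interactive (assumed low-privileged)
$LowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'
$FsRights  = [System.Security.AccessControl.FileSystemRights]
# only write-type bits, so a ReadAndExecute ACE does not trigger a hit
$WriteMask = [int]($FsRights::WriteData -bor $FsRights::CreateDirectories -bor $FsRights::Delete -bor
                   $FsRights::ChangePermissions -bor $FsRights::TakeOwnership)

function Get-ExecutableFromCommand {
    # Program part of '"C:\x y\a.exe" /q', 'C:\a.exe /q' or '%windir%\a.exe'
    param([string]$Command)
    if (-not $Command) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(.*?\.(exe|cmd|bat|ps1|vbs|js|dll))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

function Test-LowPrivWritable {
    # True when an Allow ACE grants write-type rights to a low-privileged SID on the
    # file, or on its parent directory if the file does not exist yet (Deny ACEs ignored).
    param([string]$Path)
    if (-not $Path) { return $false }
    $target = if (Test-Path -LiteralPath $Path) { $Path } else { Split-Path -Path $Path -Parent }
    if (-not $target -or -not (Test-Path -LiteralPath $target)) { return $false }
    foreach ($rule in (Get-Acl -LiteralPath $target).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($LowPrivSids -contains $sid -and ([int]$rule.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-WritableTaskBinary {
    foreach ($task in (Get-ScheduledTask | Where-Object State -ne 'Disabled')) {
        foreach ($action in $task.Actions) {
            $exe = Get-ExecutableFromCommand $action.Execute   # COM-handler actions have no Execute
            if (Test-LowPrivWritable $exe) {
                [pscustomobject]@{ Source = 'Task'; Name = $task.TaskPath + $task.TaskName
                                   RunAs = $task.Principal.UserId; Executable = $exe }
            }
        }
    }
}

function Get-WritableAutorun {
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider noise
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path $key)) { continue }
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($meta -contains $p.Name) { continue }
                $exe = Get-ExecutableFromCommand ([string]$p.Value)
                if (Test-LowPrivWritable $exe) {
                    [pscustomobject]@{ Source = 'Autorun'; Name = "$key\$($p.Name)"
                                       RunAs = $(if ($hive -eq 'HKLM') { 'every logging-on user' } else { 'current user' })
                                       Executable = $exe }
                }
            }
        }
    }
}

Get-WritableTaskBinary
Get-WritableAutorun
```

Run it from an elevated shell so HKLM and every task folder are readable. A hit where `RunAs` is SYSTEM or another user is the one to fix: move the binary under `C:\Program Files` or `C:\Windows`, or remove the write ACE for the group reported. Entries whose executable is merely missing (a dangling autorun) are not reported, since the helper only inspects paths that resolve.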
Remediation Checklist
- Apply all Windows updates and security patches
- Disable unnecessary services
- Fix unquoted service paths
- Enable UAC
- Remove unnecessary admin rights and over-permissive file ACLs (the Windows counterpart of SUID cleanup)
- Regular credential audits
- Monitor scheduled tasks and services
- Implement least privilege principle
Related Tools
- Seatbelt: .NET security enumeration tool
- PowerUp: PowerShell privilege escalation checks
- PrivEsc: Privilege escalation vector enumeration
- Rubeus: Kerberos exploitation
- Mimikatz: Credential dumping and manipulation
Last updated: March 2025