Invoke-winPEAS - Empire Module
This page contains detailed information about how to use the powershell/privesc/winPEAS Empire module. For a list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-winPEAS
Module: powershell/privesc/winPEAS
Source code [1]: empire/server/modules/powershell/privesc/winPEAS.yaml
Source code [2]: empire/server/data/module_source/privesc/Invoke-winPEAS.ps1
MITRE ATT&CK:
T1046
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: No
WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts.
This module runs in the foreground and is OPSEC unsafe, as it writes to disk and could therefore be detected by AV/EDR running on the target system.
Note that the winPEAS module does not need administrative privileges to work properly, which means that a normal user can run this module.
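Because the module is delivered as a PowerShell script (Invoke-winPEAS.ps1) and, as noted above, leaves traces a host sensor can see, the check a defender most often wants is whether PowerShell Script Block Logging on a host has recorded that script. The following is an added example written for this page; it is not part of Empire or of the winPEAS project. It assumes Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) is enabled on the host being reviewed, and the search strings are simply the module and function names that appear on this page.

```powershell
# Added example (not Empire or winPEAS code): review PowerShell Script Block
# Logging for script text that references the Invoke-winPEAS module.
# Assumption: Script Block Logging is enabled, so 4104 events exist.

$patterns = @('Invoke-winPEAS', 'winPEAS')   # names taken from this page
$since    = (Get-Date).AddDays(-7)           # review the last seven days

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # In a 4104 event the properties are MessageNumber, MessageTotal,
    # ScriptBlockText, ScriptBlockId and Path; index 2 is the script text.
    $text = if ($e.Properties.Count -ge 3) { $e.Properties[2].Value } else { $e.Message }
    if (-not $text) { continue }

    foreach ($p in $patterns) {
        # Case-insensitive literal match; -match treats the pattern as regex,
        # so escape it to match the name as written.
        if ($text -match [regex]::Escape($p)) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                RecordId    = $e.RecordId
                Match       = $p
                Snippet     = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
            break   # one hit per event is enough
        }
    }
}
```

Run it in an elevated PowerShell session on the host under review; each emitted object identifies the event record so the full script block can be pulled with Get-WinEvent for closer inspection. Long scripts are split across several 4104 events (MessageNumber of MessageTotal), so a match in one fragment is sufficient to flag the whole block.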
Required Module Options
This is a list of options that are required by the winPEAS module:
Agent
Agent to run on.
notansi
Disable colored output.
Default value: False
Additional Module Options
This is a list of additional options that are supported by the winPEAS module:
+
Full scan. By default, all checks (except CMD checks) are executed.
Default value: True
applicationsinfo
Search installed applications information.
browserinfo
Search browser information.
cmd
Obtain wifi, cred manager and clipboard information executing CMD commands.
filesinfo
Search files that can contain credentials.
networkinfo
Search network information.
procesinfo
Search process information.
searchall
Search all known filenames with possible credentials.
searchfast
Avoid sleeping while searching files (uses a notable amount of resources).
servicesinfo
Search services information.
systeminfo
Search system information.
userinfo
Search user information.
windowscreds
Search Windows information.
WinPEAS Example Usage
Here's an example of how to use the winPEAS module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/privesc/winPEAS
Author @carlospolop
@S3cur3Th1sSh1t
Background False
Comments https://github.com/carlospolop/privilege-escalation-awesome-scripts-
suite/tree/master/winPEAS
Description WinPEAS is a script that search for possible paths to escalate
privileges on Windows hosts.
Language powershell
Name powershell/privesc/winPEAS
NeedsAdmin False
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1046
,Record Options----,-------,----------,-------------------------------------,
| Name | Value | Required | Description |
|------------------|-------|----------|-------------------------------------|
| + | True | False | Full Scan. Default all checks |
| | | | (except CMD checks) are executed |
|------------------|-------|----------|-------------------------------------|
| Agent | | True | Agent to run on. |
|------------------|-------|----------|-------------------------------------|
| applicationsinfo | | False | Search installed applications |
| | | | information. |
|------------------|-------|----------|-------------------------------------|
| browserinfo | | False | Search browser information. |
|------------------|-------|----------|-------------------------------------|
| cmd | | False | Obtain wifi, cred manager and |
| | | | clipboard information executing CMD |
| | | | commands. |
|------------------|-------|----------|-------------------------------------|
| filesinfo | | False | Search files that can contains |
| | | | credentials. |
|------------------|-------|----------|-------------------------------------|
| networkinfo | | False | Search network information. |
|------------------|-------|----------|-------------------------------------|
| notansi | False | True | Disable colored output. |
|------------------|-------|----------|-------------------------------------|
| procesinfo | | False | Search processes information. |
|------------------|-------|----------|-------------------------------------|
| searchall | | False | Search all known filenames whith |
| | | | possible credentials. |
|------------------|-------|----------|-------------------------------------|
| searchfast | | False | Avoid sleeping while searching |
| | | | files (notable amount of |
| | | | resources). |
|------------------|-------|----------|-------------------------------------|
| servicesinfo | | False | Search services information. |
|------------------|-------|----------|-------------------------------------|
| systeminfo | | False | Search system information. |
|------------------|-------|----------|-------------------------------------|
| userinfo | | False | Search user information. |
|------------------|-------|----------|-------------------------------------|
| windowscreds | | False | Search windows information. |
'------------------'-------'----------'-------------------------------------'
(Empire: usemodule/powershell/privesc/winPEAS) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/privesc/winPEAS) > set notansi False
[*] Set notansi to False
(Empire: usemodule/powershell/privesc/winPEAS) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come back.
Authors
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/privesc/winPEAS.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/privesc/Invoke-winPEAS.ps1
- https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
- http://attack.mitre.org/techniques/T1046
See Also
Check also the following modules related to this module:
- powershell/privesc/bypassuac
- powershell/privesc/bypassuac_env
- powershell/privesc/bypassuac_tokenmanipulation
- powershell/privesc/sweetpotato
- powershell/privesc/tater
- powershell/privesc/ms16-135
- powershell/privesc/ask
- powershell/privesc/bypassuac_wscript
- powershell/privesc/mcafee_sitelist
- powershell/privesc/privesccheck
- powershell/privesc/sherlock
- powershell/privesc/ms16-032
- powershell/privesc/bypassuac_eventvwr
- powershell/privesc/zerologon
- powershell/privesc/printdemon
- powershell/privesc/getsystem
- powershell/privesc/gpp
- powershell/privesc/bypassuac_sdctlbypass
- powershell/privesc/watson
- powershell/privesc/bypassuac_fodhelper
- powershell/privesc/printnightmare
- powershell/privesc/powerup/service_exe_useradd
- powershell/privesc/powerup/write_dllhijacker
- powershell/privesc/powerup/service_stager
- powershell/privesc/powerup/service_exe_restore
- powershell/privesc/powerup/service_exe_stager
- powershell/privesc/powerup/find_dllhijack
- powershell/privesc/powerup/service_useradd
- powershell/privesc/powerup/allchecks
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).