Detecting the presence of the WinPEAS tool

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation rule

Rule description:

This correlation rule aims to identify the use of WinPeas, a freely available tool designed to enumerate vulnerabilities and misconfigurations that could be exploited for privilege escalation on Windows systems.

Data source:

Windows: Command, File, Process

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0004 - Privilege Escalation, TA0006 - Credential Access

Techniques: T1068 - Exploitation for Privilege Escalation, T1003 - OS Credential Dumping

Sub-techniques: T1003.001 - LSASS Memory, T1003.002 - Security Account Manager

Criteria:

Original file name contains winpeas.exe:

Threat actors often rename the WinPEAS executable to make it less conspicuous. This criterion checks the OriginalFileName field, which Sysmon takes from the binary's version resource when it logs process creation, so the value survives renaming the file on disk. The criterion therefore directly targets attempts to mask WinPEAS usage.

Command line contains winpeas.bat:

Batch (.bat) scripts are used to automate tasks on Windows. Attackers might launch WinPEAS from a batch script with custom parameters, which makes the launch harder to spot. This criterion catches attempts to execute WinPEAS via a batch file.

Command line contains winpeas.ps1:

PowerShell (.ps1) scripts are powerful on Windows systems, and attackers frequently use PowerShell for sophisticated attacks because of its flexibility. This criterion looks for PowerShell-based attempts to execute WinPEAS.
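The three criteria above, applied to a handful of constructed Sysmon Event ID 1 records, as an added example that is not part of the original rule page. It assumes the events arrive as JSON lines with Sysmon's own field names (Image, OriginalFileName, CommandLine) and that the rule's "contains" is a case-insensitive substring match; the first record shows why OriginalFileName matters, since the file on disk has been renamed.

```python
import json

# Constructed Sysmon Event ID 1 (process creation) records as JSON lines, the shape a
# log forwarder typically ships them in. Field names follow Sysmon's schema; every value
# is made up for this example. The first record is the renaming case: the binary on disk
# is called svch0st.exe, but the PE version resource still says winPEAS.exe.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svch0st.exe", "OriginalFileName": "winPEAS.exe", "CommandLine": "svch0st.exe quiet"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd /c \"C:\\tools\\winpeas.bat\""}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell -ep bypass -File .\\WinPEAS.ps1"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe report.txt"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "OriginalFileName": "svchost.exe", "CommandLine": ""}
"""

# The rule's criteria: (field to inspect, substring to look for, label reported on a hit).
CRITERIA = [
    ("OriginalFileName", "winpeas.exe", "original_file_name_winpeas_exe"),
    ("CommandLine", "winpeas.bat", "command_line_winpeas_bat"),
    ("CommandLine", "winpeas.ps1", "command_line_winpeas_ps1"),
]

def parse_sysmon_log(text):
    """Turn JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def match_criteria(event):
    """Return the first criterion the event satisfies, or None.

    Only Event ID 1 carries OriginalFileName and CommandLine, so other Sysmon
    events are skipped. Matching is a case-insensitive substring test, which is
    how a SIEM "contains" operator usually behaves (assumption for this example).
    """
    if event.get("EventID") != 1:
        return None
    for field, needle, label in CRITERIA:
        if needle in str(event.get(field, "")).lower():
            return label
    return None

def scan(events):
    """Return (Image, criterion) for every event that fires the rule."""
    hits = []
    for event in events:
        label = match_criteria(event)
        if label:
            hits.append((event["Image"], label))
    return hits

if __name__ == "__main__":
    for image, label in scan(parse_sysmon_log(SAMPLE_LOG)):
        print(f"{label:32} {image}")
```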

When to implement:

Enable this rule when you want to detect:

  • Exploitation of vulnerabilities and misconfigurations.
  • Privilege escalations on Windows systems.

Compliance mapping:

Enabling this rule will help you meet the below requirements of regulatory standards and compliance mandates pertaining to the detection of malicious software installations.

NIST Cybersecurity Framework (CSF):

  • Anomalies in System Process Execution (DE.AE-1): Detection of abnormal execution patterns or command-line arguments indicative of WinPEAS usage, such as rapid execution of system enumeration commands.
  • Irregular Access to Credential Stores (DE.CM-1): Identification of unauthorized attempts to access or manipulate credential stores or memory dumps.
  • Unusual Network Traffic Patterns (DE.AE-1): Monitoring for unexpected network activity, potentially signaling WinPEAS use in post-exploitation stages.
  • Security Log Anomalies (DE.CM-7): Alerting on suspicious activities related to credential theft or system compromise.

CIS:

  • Control 8: Malware Defense: Implement mechanisms to detect and prevent the execution of WinPEAS and similar tools known for system reconnaissance and enumeration.
  • Control 6: Maintenance, Monitoring, and Analysis of Audit Logs: Continuously analyze audit logs for anomalies indicating WinPEAS usage or unauthorized system exploration.

Next steps:

When this alert triggers, it can be followed by the actions below:

  • Mark this alert as a part of an existing incident or a new incident. Assign this incident to an analyst for further investigation.
  • Impact investigation and analysis of the degree of compromise using Incident Workbench.
  • Automated workflow execution to kill the malicious process using Workflows.