Peas In Our Time: Detecting Pre-Compiled winPEAS Recon on Windows Endpoints
After the last two blog entries about winPEAS.bat-related detections, I figured we'd take a look at the pre-compiled binary version. Oh, and we get one last pea-related punny blog title, for now.
First of all, we have winPEAS retrieving local Wi-Fi profile details, potentially a precursor to retrieving the network security keys.
We can hunt for this behaviour:
index=winlogs EventCode=4688 (Process_Command_Line=*powershell.exe* OR Process_Command_Line="*wlan show profiles*")
| stats min(_time) AS earliest max(_time) AS latest count(Process_Command_Line) AS Count values(Process_Command_Line) AS Process_Command_Line BY Creator_Process_Name
| convert ctime(earliest) ctime(latest)
| where Count > 1
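To show what that search is actually doing, here is an added Python example (not from the original post, and not Splunk code) that applies the same logic to a handful of constructed 4688 process-creation events: keep command lines matching either wildcard clause, group them by Creator_Process_Name, and report only creators with more than one hit. The file paths and timestamps are made up for the example.

```python
from collections import defaultdict
from datetime import datetime
import fnmatch

# Constructed sample Security 4688 events (not real telemetry).
SAMPLE_4688 = [
    {"time": "2023-03-01T10:00:01Z", "EventCode": 4688,
     "Creator_Process_Name": r"C:\Users\alice\Downloads\winPEASany.exe",
     "Process_Command_Line": "cmd.exe /c netsh wlan show profiles"},
    {"time": "2023-03-01T10:00:03Z", "EventCode": 4688,
     "Creator_Process_Name": r"C:\Users\alice\Downloads\winPEASany.exe",
     "Process_Command_Line": 'powershell.exe -c "netsh wlan show profiles"'},
    {"time": "2023-03-01T09:15:00Z", "EventCode": 4688,
     "Creator_Process_Name": r"C:\Windows\explorer.exe",
     "Process_Command_Line": "powershell.exe -NoProfile"},   # single hit: benign noise
    {"time": "2023-03-01T09:20:00Z", "EventCode": 4688,
     "Creator_Process_Name": r"C:\Windows\System32\svchost.exe",
     "Process_Command_Line": "conhost.exe 0xffffffff"},      # no match at all
]

# Same two wildcard clauses as the search; matched case-insensitively like SPL.
SUSPICIOUS = ("*powershell.exe*", "*wlan show profiles*")

def matches(cmdline):
    """True if the command line matches either wildcard clause."""
    low = cmdline.lower()
    return any(fnmatch.fnmatchcase(low, p) for p in SUSPICIOUS)

def hunt(events, threshold=1):
    """Mirror 'stats ... BY Creator_Process_Name | where Count > threshold'."""
    groups = defaultdict(list)
    for e in events:
        if e.get("EventCode") == 4688 and matches(e["Process_Command_Line"]):
            groups[e["Creator_Process_Name"]].append(e)
    results = {}
    for creator, evs in groups.items():
        if len(evs) > threshold:
            times = sorted(datetime.fromisoformat(x["time"].replace("Z", "+00:00"))
                           for x in evs)
            results[creator] = {
                "earliest": times[0], "latest": times[-1], "count": len(evs),
                "command_lines": sorted({x["Process_Command_Line"] for x in evs}),
            }
    return results

if __name__ == "__main__":
    for creator, row in hunt(SAMPLE_4688).items():
        print(creator, row)
```

With the threshold at 1, the lone powershell.exe launch from explorer.exe drops out and only the winPEAS parent that spawned two matching children is reported.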
index=winlogs NOT Process_Name IN (*services.exe, *svchost.exe, *SearchIndexer.exe, *msedge.exe, *powershell.exe, *System32*) EventCode=4670 Object_Type=Token Object_Server=Security
| stats min(_time) as earliest max(_time) as latest values(Original_Security_
| convert ctime(earliest) ctime(latest)