Peas In Our Time: Detecting Pre-Compiled winPEAS Recon on Windows Endpoints

 

After the last two blog entries about winPEAS.bat-related detections, I figured we'd take a look at the pre-compiled binary version. Oh, and this is the last pea-related punny blog title, for now.

First of all, winPEAS retrieves the local Wi-Fi profile details, potentially a precursor to retrieving the network security keys.

We can hunt for this behaviour:


index=winlogs EventCode=4688 (Process_Command_Line=*powershell.exe* OR Process_Command_Line="*wlan show profiles*")
| stats min(_time) AS earliest max(_time) AS latest count(Process_Command_Line) AS Count values(Process_Command_Line) AS Process_Command_Line BY Creator_Process_Name
| convert ctime(earliest) ctime(latest)
| where Count > 1
| table earliest latest Count Creator_Process_Name Process_Command_Line

This is what it looks like in Splunk:

Other reconnaissance tools and legitimate user behaviour may introduce false positives here, though checking for Wi-Fi profiles on, say, a Windows server or a desktop PC should probably be a red flag that something odd is happening.

Secondly, I noticed that an Event ID 4670 (Permissions on an object were changed) is generated: winPEAS checks a value and appends the local hostname and username to the string. You'll want to check what is and isn't normal in your environment over a long time period and allowlist false positives accordingly; my list of exclusions in the brackets below is a good potential starting point:

index=winlogs NOT Process_Name IN (*services.exe, *svchost.exe, *SearchIndexer.exe, *msedge.exe, *powershell.exe, *System32*) EventCode=4670 Object_Type=Token Object_Server=Security
| stats min(_time) AS earliest max(_time) AS latest values(Original_Security_Descriptor) AS Original_Security_Descriptor values(New_Security_Descriptor) AS New_Security_Descriptor BY Process_Name ComputerName
| convert ctime(earliest) ctime(latest)
| table earliest latest ComputerName Process_Name Original_Security_Descriptor New_Security_Descriptor

This is what it looks like in Splunk:
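As an added example (not the post's own code), here is the logic of both searches above re-expressed in Python and run over a handful of constructed 4688/4670 events, so you can see which rows each search would surface and why the allowlist and the Count > 1 filter drop the noise. Field names follow the searches; the winPEAS path, host name and SDDL strings are made-up placeholders.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

def like(value, pattern):  # Splunk wildcard matches are case-insensitive
    return fnmatchcase(value.lower(), pattern.lower())
def new_group():  # one stats row: min(_time), max(_time), count, values()
    return {"earliest": float("inf"), "latest": float("-inf"), "Count": 0, "values": set()}
def update(g, t, value):
    g["earliest"], g["latest"] = min(g["earliest"], t), max(g["latest"], t)
    g["Count"] += 1
    g["values"].add(value)

def wlan_profile_recon(events):
    # First search: 4688 command lines matching either wildcard, grouped by parent; where Count > 1
    groups = defaultdict(new_group)
    for e in events:
        cmd = e.get("Process_Command_Line", "")
        if e["EventCode"] == "4688" and (like(cmd, "*powershell.exe*") or like(cmd, "*wlan show profiles*")):
            update(groups[e["Creator_Process_Name"]], e["_time"], cmd)
    return {parent: g for parent, g in groups.items() if g["Count"] > 1}
# Allowlist from the second search's NOT Process_Name IN (...) clause
EXCLUDED_PROCS = ("*services.exe", "*svchost.exe", "*SearchIndexer.exe",
                  "*msedge.exe", "*powershell.exe", "*System32*")

def token_permission_changes(events):
    # Second search: 4670 on Token/Security objects minus the allowlist, grouped by process and host
    groups = defaultdict(new_group)
    for e in events:
        if (e["EventCode"] == "4670" and e["Object_Type"] == "Token" and e["Object_Server"] == "Security"
                and not any(like(e["Process_Name"], p) for p in EXCLUDED_PROCS)):
            update(groups[(e["Process_Name"], e["ComputerName"])], e["_time"],
                   (e["Original_Security_Descriptor"], e["New_Security_Descriptor"]))
    return dict(groups)

# Constructed sample events with the searches' field names (not real telemetry; SDDL strings are made up)
WINPEAS = r"C:\Users\alice\Downloads\winPEASx64.exe"  # hypothetical path
SD_OLD, SD_NEW = "D:(A;;GA;;;SY)", "D:(A;;GA;;;SY)(A;;GR;;;BA)"
def e4688(t, parent, cmd):
    return {"EventCode": "4688", "_time": t, "Creator_Process_Name": parent, "Process_Command_Line": cmd}
def e4670(t, proc):
    return {"EventCode": "4670", "_time": t, "ComputerName": "WS01", "Object_Type": "Token",
            "Object_Server": "Security", "Process_Name": proc,
            "Original_Security_Descriptor": SD_OLD, "New_Security_Descriptor": SD_NEW}
EVENTS = [
    e4688(100, WINPEAS, "netsh wlan show profiles"),
    e4688(104, WINPEAS, "powershell.exe -NoProfile -Command Get-Process"),
    e4688(200, r"C:\Windows\explorer.exe", "netsh wlan show profiles"),  # one hit: dropped by Count > 1
    e4670(110, r"C:\Windows\System32\svchost.exe"),  # allowlisted, not reported
    e4670(111, WINPEAS),                              # reported
]
```

Running `wlan_profile_recon(EVENTS)` returns only the winPEAS parent (two matching children), and `token_permission_changes(EVENTS)` returns only the (winPEAS, WS01) row, since svchost.exe is caught by both the `*svchost.exe` and `*System32*` exclusions.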
 

 
That wraps up our somewhat deep look at winPEAS, for now.
