Peas In Our Time: Detecting Pre-Compiled winPEAS Recon on Windows Endpoints
After the last two blog entries about winPEAS.bat related detections I figured we'd take a look at the pre-compiled binary version. Oh and we get this last pea related punny blog title, for now. First of all we have winPEAS retrieving local Wi-Fi profile details, potentially a pre-cursor to retrieving network security keys. We can hunt for this behaviour: index=winlogs EventCode=4688 (Process_Command_Line=*powershell.exe* OR Process_Command_Line="*wlan show profiles*") | stats min(_time) AS earliest max(_time) AS latest count(Process_Command_Line) AS Count values(Process_Command_Line) AS Process_Command_Line BY Creator_Process_Name | convert ctime(earliest) ctime(latest) | where Count > 1 | table earliest latest Count Creator_Process_Name Process_Command_Line This is what it looks like in Splunk: Other reconnaissance tools and legitimate user behaviour may introduce false positives here, though checking for Wi-Fi profiles on say a Windows server or des