From 74d4b2dfe9d6c055bccabafb4d88d4b0d483f396 Mon Sep 17 00:00:00 2001 From: makikvues Date: Sun, 14 Feb 2021 10:39:58 +0100 Subject: [PATCH] - updated README.md --- winPEAS/winPEASexe/README.md | 71 ++++++++++++++++++++++++++---------- 1 file changed, 51 insertions(+), 20 deletions(-) diff --git a/winPEAS/winPEASexe/README.md b/winPEAS/winPEASexe/README.md index e3f0e23..45c52f2 100755 --- a/winPEAS/winPEASexe/README.md +++ b/winPEAS/winPEASexe/README.md @@ -14,12 +14,13 @@ Check also the **Local Windows Privilege Escalation checklist** from **[book.hac Download the **[latest obfuscated version from here](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe/winPEAS/bin/Obfuscated%20Releases)** or **compile it yourself** (read instructions for compilation). ```bash -winpeas.exe cmd searchall #cmd commands, search all filenames and avoid sleepig (noisy - CTFs) -winpeas.exe #Will execute all checks except the ones that use external Windows binaries -winpeas.exe cmd #All checks +winpeas.exe #run all checks (except for additional slower checks - LOLBAS and linpeas.sh in WSL) (noisy - CTFs) winpeas.exe systeminfo userinfo #Only systeminfo and userinfo checks executed winpeas.exe notcolor #Do not color the output -winpeas.exe cmd wait #cmd commands and wait between tests +winpeas.exe wait #wait for user input between tests +winpeas.exe debug #display additional debug information +winpeas.exe log #log output to out.txt instead of standard output +winpeas.exe -lolbas -linpeas=http://127.0.0.1/linpeas.sh #execute also additional LOLBAS search check and linpeas check (runs linpeas.sh in default WSL distribution) with custom linpeas.sh URL (if not provided, the default URL is: https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh) ``` ## Basic information 
@@ -28,10 +29,7 @@ The goal of this project is to search for possible **Privilege Escalation Paths* It should take only a **few seconds** to execute almost all the checks and **some seconds/minutes during the lasts checks searching for known filenames** that could contain passwords (the time depened on the number of files in your home folder). By default only **some** filenames that could contain credentials are searched, you can use the **searchall** parameter to search all the list (this could will add some minutes). -By default, the progam **sleeps 100ms** before start searching files in each directory. This is made to consume less resources (**stealthier**). You can **avoid this sleep using `searchfast` parameter**. - - -The tool is based in **[SeatBelt](https://github.com/GhostPack/Seatbelt)**. +The tool is based on **[SeatBelt](https://github.com/GhostPack/Seatbelt)**. ## Where are my COLORS?!?!?! @@ -78,17 +76,27 @@ Once you have installed and activated it you need to: - **System Information** - [x] Basic System info information - [x] Use Watson to search for vulnerabilities + - [x] Enumerate Microsoft updates - [x] PS, Audit, WEF and LAPS Settings - - [x] LSA protection? - - [x] Credential Guard? - - [x] WDigest? + - [x] LSA protection + - [x] Credential Guard + - [x] WDigest - [x] Number of cached cred - [x] Environment Variables - [x] Internet Settings - [x] Current drives information - - [x] AV? whitelisted defender paths? + - [x] AV + - [x] Windows Defender - [x] UAC configuration - + - [x] NTLM Settings + - [x] Local Group Policy + - [x] Applocker Configuration & bypass suggestions + - [x] Printers + - [x] Named Pipes + - [x] AMSI Providers + - [x] SysMon + - [x] .NET Versions + - **Users Information** - [x] Users information - [x] Current token privileges 
@@ -99,12 +107,15 @@ Once you have installed and activated it you need to: - [x] Autologin credentials - [x] Home folders - [x] Password policies + - [x] Local User details + - [x] Logon Sessions - **Processes Information** - [x] Interesting processes (non Microsoft) - **Services Information** - [x] Interesting services (non Microsoft) information + - [x] Modifiable services - [x] Writable service registry binpath - [x] PATH Dll Hijacking @@ -113,19 +124,22 @@ Once you have installed and activated it you need to: - [x] Installed software - [x] AutoRuns - [x] Scheduled tasks + - [x] Device drivers - **Network Information** - [x] Current net shares + - [x] Mapped drives (WMI) - [x] hosts file - [x] Network Interfaces - [x] Listening ports - [x] Firewall rules - [x] DNS Cache (limit 70) + - [x] Internet Settings - **Windows Credentials** - [x] Windows Vault - [x] Credential Manager - - [x] Saved RDP connections + - [x] Saved RDP settings - [x] Recently run commands - [x] Default PS transcripts files - [x] DPAPI Masterkeys @@ -135,6 +149,8 @@ Once you have installed and activated it you need to: - [x] Wifi - [x] AppCmd.exe - [x] SSClient.exe + - [x] SCCM + - [x] Security Package Credentials - [x] AlwaysInstallElevated - [x] WSUS 
@@ -146,22 +162,40 @@ Once you have installed and activated it you need to: - [x] Current IE tabs - [x] Credentials in IE history - [x] IE Favorites + - [x] Extracting saved passwords for: Firefox, Chrome, Opera, Brave - **Interesting Files and registry** - [x] Putty sessions - [x] Putty SSH host keys + - [x] SuperPutty info + - [x] Office365 endpoints synced by OneDrive - [x] SSH Keys inside registry - [x] Cloud credentials - [x] Check for unattended files - [x] Check for SAM & SYSTEM backups - [x] Check for cached GPP Passwords - - [x] Check for McAffe SiteList.xml files + - [x] Check for and extract creds from McAffe SiteList.xml files - [x] Possible registries with credentials - [x] Possible credentials files in users homes - [x] Possible password files inside the Recycle bin - [x] Possible files containing credentials (this take some minutes) - [x] User documents (limit 100) + - [x] Oracle SQL Developer config files check + - [x] Slack files search + - [x] LOLBAS search + - [x] Outlook downloads + - [x] Machine and user certificate files + - [x] Office most recent documents + - [x] Hidden files and folders + - [x] Executable files in non-default folders with write permissions + - [x] WSL check + run linpeas.sh in WSL default distribution +- **Events Information** + - [x] Logon + Explicit Logon Events + - [x] Process Creation Events + - [x] PowerShell Events + - [x] Power On/Off Events + ## Let's improve PEASS together @@ -170,11 +204,8 @@ If you want to **add something** and have **any cool idea** related to this proj ## TODO - - Add more checks -- Mantain updated Watson (last JAN 2020) -- List wifi networks without using CMD -- List credentials inside the Credential Manager without using CMD +- Mantain updated Watson (last JAN 2021) If you want to help with any of this, you can do it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues)** or you can submit a pull request. 
@@ -190,4 +221,4 @@ All the scripts/binaries of the PEAS Suite should be used for authorized penetra MIT License -By Polop(TM) +By Polop(TM), makikvues (makikvues2[at]gmail[dot].com)
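Review bot: In hunk `@@ -14,12 +14,13 @@`, the `searchall` usage example is dropped from the command block, but the "Basic information" section (visible as unchanged context in the next hunk) still tells the reader to "use the **searchall** parameter to search all the list"; either keep a `winpeas.exe searchall` line in the usage block or update that sentence so the two stay consistent. The new `-lolbas -linpeas=...` line also mixes dash-prefixed flags with the bare-word options (`systeminfo`, `notcolor`, `wait`, `debug`, `log`) on the surrounding lines without saying that both forms are accepted, and its trailing comment is long enough that it would read better split over two lines.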
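Review bot: In hunk `@@ -28,10 +29,7 @@`, the paragraph about the 100 ms per-directory sleep and the `searchfast` parameter is removed outright; if that delay is still present in the code the README now leaves it undocumented, and if the option was removed it would help to say so in the commit message. Since this paragraph is being edited anyway, the typos in the unchanged context lines could be fixed in the same change: "depened" to "depends", "the lasts checks" to "the last checks", and "this could will add" to "this could add".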
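Review bot: In hunk `@@ -113,19 +124,22 @@`, the added `- [x] Internet Settings` entry under **Network Information** duplicates the `- [x] Internet Settings` item that already appears under **System Information** in hunk `@@ -78,17 +76,27 @@`; keep it in one place, or rename one of the two so the reader can tell what each check covers.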
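Review bot: In hunk `@@ -146,22 +162,40 @@`, the rewritten line `- [x] Check for and extract creds from McAffe SiteList.xml files` keeps the misspelling "McAffe"; since the line is already being changed, correct it to "McAfee". The added `- [x] Extracting saved passwords for: Firefox, Chrome, Opera, Brave` also breaks the noun/imperative style of the surrounding entries (`Putty sessions`, `Check for unattended files`); `Saved browser passwords (Firefox, Chrome, Opera, Brave)` would match the list.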
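Review bot: In hunk `@@ -170,11 +204,8 @@`, the replaced line `- Mantain updated Watson (last JAN 2021)` carries over the typo "Mantain" (should be "Maintain"); fix it while the date is being updated. Dropping the "List wifi networks without using CMD" and "List credentials inside the Credential Manager without using CMD" TODO items implies those are done, but nothing in the checklist hunks records that change, so a short note in the commit message would make the removal traceable.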
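Review bot: In hunk `@@ -190,4 +221,4 @@`, the new author line `makikvues2[at]gmail[dot].com` has a literal period after the `[dot]` placeholder, so the address de-obfuscates to `gmail..com`; it should read `makikvues2[at]gmail[dot]com`.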