* feat: MITRE ATT&CK integration for LinPEAS and WinPEAS
- Add -T T1234,T5678 flag to LinPEAS to filter checks by technique
- Add mitre=T1234,T5678 argument to WinPEAS for technique-based filtering
- Annotate every check title with MITRE technique ID(s) displayed in grey
- Add $_mitre_tag to Generated Global Variables in 0_variables_base.sh
- Add check_mitre_filter() shell function with prefix-match support
- Add MitreAttackIds property to ISystemCheck interface (C#)
- Update MainPrint/GreatPrint in Beaprint.cs to accept optional mitreIds
- Tag all 158 LinPEAS check modules with # Mitre: metadata
- Tag all 16 WinPEAS check classes with MitreAttackIds property
- Update linpeasModule.py to parse # Mitre: metadata field
- Update linpeasBaseBuilder.py to emit check_mitre_filter wrappers
- Add 3 MITRE argument parsing tests to ArgumentParsingTests.cs
* test: add MITRE filter coverage for LinPEAS builder and WinPEAS
LinPEAS (test_builder.py):
- test_mitre_flag_present_in_getopts: -T: must appear in getopts string
- test_mitre_flag_present_in_help_text: -T must appear in built help text
- test_mitre_filter_function_present: check_mitre_filter() must be in built script
WinPEAS (ArgumentParsingTests.cs):
- PassesMitreFilter_EmptyFilter_AllChecksPass: no filter -> all checks run
- PassesMitreFilter_ExactMatch_Passes: T1082 filter matches T1082 check
- PassesMitreFilter_NoMatch_Fails: T1082 filter rejects T1057 check
- PassesMitreFilter_PrefixMatch_Passes: T1552 filter matches T1552.001/T1552.005
- PassesMitreFilter_SubtechniqueDoesNotMatchDifferentBase_Fails: T1548 != T1552.001
* chore: ignore .github/instructions/ and untrack todos.instructions.md
* fix: complete and accurate MITRE ATT&CK mappings for LinPEAS and WinPEAS
gitignore:
- Add .github/instructions/ to .gitignore and untrack todos.instructions.md
LinPEAS — corrected mappings:
- 29_Interesting_environment_variables.sh: add missing T1552.007,T1082
- 3_USBCreator.sh: T1548 → T1548.003,T1068 (polkit bypass + CVE-class exploit)
- 9_Doas.sh: T1548 → T1548.003 (doas is a sudo/sudo-caching equivalent)
- 10_Pkexec.sh: T1548 → T1548.003,T1548.004,T1068 per-section specificity
- 2_Process_cred_in_memory.sh: T1003,T1055 → T1003.007 (Proc Filesystem, drop wrong T1055)
- 11_Superusers.sh: T1087.001,T1548 → T1087.001 (discovery only, no elevation abuse)
- 14/15/16 writable files: T1574 → T1574.009,T1574.010 (specific sub-techniques)
WinPEAS — corrected mappings:
- SystemInfo: class expanded to full technique union; WSUS T1195→T1072,T1068;
KrbRelayUp T1558→T1187,T1558; Object Manager T1548→T1068;
Named Pipes T1559.001→T1559; Low-priv pipes T1559.001→T1134.001,T1559
- EventsInfo: class expanded with T1078.003,T1552.001,T1059.001,T1082
- UserInfo: class expanded; Token privileges T1134→T1134.001
- ProcessInfo: Leaked Handlers T1134.003→T1134.001 (token impersonation, not make-token)
- ServicesInfo: class adds T1574.011,T1068
- ApplicationsInfo: class adds T1010,T1014
- NetworkInfo: class adds T1018,T1090
- ActiveDirectoryInfo: T1484→T1484.001; class adds T1003
- WindowsCreds: class sub-techniques T1552→T1552.001,T1552.002, T1555→T1555.003,T1555.004;
SSClient T1059→T1552.001 (wrong technique entirely)
- FilesInfo: class expanded with T1552.002,T1552.004,T1552.006,T1564.001,T1574.001,
T1059.004,T1114.001,T1218,T1649; Cloud Credentials T1552.005→T1552.001
- SoapClientInfo: T1059,T1071→T1559,T1071.001 (IPC/Web protocol, not scripting)
* fix: add missing T1613 and T1562.001 to SystemInfo class-level MitreAttackIds; label AD object enumeration with T1087.002 and T1018
* fix: correct linpeas mitre filter matching logic
* fix: MITRE code bugs — pass-through for untagged checks, remove dead OR in section gate
- PassesMitreFilter (Checks.cs): when MitreAttackIds is null or empty and a filter
is active, return true (pass-through) instead of false. Previously any future
ISystemCheck added without MITRE IDs would be silently excluded by an active filter.
- linpeasBaseBuilder.py: remove redundant '|| [ -z "$MITRE_FILTER" ]' from the
generated section-level gate. check_mitre_filter already returns 0 immediately
when MITRE_FILTER is empty, so the OR branch was unreachable and inconsistent with
the check-level gate which uses the same function without the extra guard.
- ArgumentParsingTests.cs: add PassesMitreFilter_NullMitreAttackIds_PassesThrough
and PassesMitreFilter_EmptyMitreAttackIds_PassesThrough regression tests.
* fix(mitre): 4 bugs — dead arg parser, wait logic, subprocess forks, cleanup race
Checks.cs: max-regex-file-size used string.Equals which requires exact match,
so 'max-regex-file-size=500000' could never match and MaxRegexFileSize was stuck
at 1000000 forever. Fixed to arg.StartsWith.
Checks.cs RunChecks: wait compared loop index i against
_systemCheckSelectedKeysHashSet.Count, which is 0 when all checks run (so
i < -1 is always false) and semantically wrong when a key subset is selected.
Replaced with a pre-count of checks that pass both filters and a running counter.
0_variables_base.sh check_mitre_filter: replaced two $(echo ... | tr ...)
subprocess forks per call with pure parameter-expansion while-loops. Zero
process forks, POSIX-compliant, ~632 fork()s saved per full filtered run.
Declares _mitre_tags_left and _mitre_filters_left in Generated Global Variables.
linpeas_builder.py: os.remove of the shared temp file raised FileNotFoundError
when multiple sequential builder invocations ran (the second saw the file
already deleted by the first). Wrapped in try/except FileNotFoundError.
Tests: Added PassesMitreFilter_SubtechniqueFilter_DoesNotMatchParentOnlyTag
and MaxRegexFileSize_ArgParsed_Correctly regression tests (16 total).
* ci: add manual build-artifacts workflow (winPEAS.exe + linpeas.sh)
* fix(linpeas): getopts silent mode — clear error when -T given without argument
Switch getopts to silent mode (leading ':') so the shell does not emit its
own terse 'No arg for -T option' message. Add explicit :) case that prints
ERROR: -T requires an argument (e.g. -T T1082,T1552)
and then dumps the help text before exiting 1. Add *) case for unrecognised
flags with the same pattern. Behaviour for all valid flags is unchanged.
* chore: untrack build-artifacts workflow, add to .gitignore
* Fix thread count override and add -z flag to set thread count
* Enforce THREADS >= 1 after detection; validate -z range; clarify help text
* Strip colours from -z warning; add regression tests for -z getopts/help
* Tighten getopts regression test: match 'while getopts' line with regex
* Fix WinPEAS network host discovery and port scanner bugs
- Fix auto-mode NullReferenceException: change plain 'if' to 'else if'
for IPAddressNetmask/IPAddressList branches in NetworkScanner.Scan(),
so the auto path no longer falls through and calls AddRange(null)
- Fix HostsAlive race condition in NetPinger: replace List<string> with
ConcurrentBag<string> so concurrent async ping callbacks don't corrupt
the collection
- Fix unbound parallelism: cap outer host loop at MaxDegreeOfParallelism=5
and inner port loop at 50; create a PortScanner per host to remove
shared-state concerns
- Fix port scan output bypassing Beaprint: replace raw Console.WriteLine
with Beaprint.GoodPrint so open-port results are colour-highlighted and
respect -nocolor
- Move network scan into NetworkInfo.PrintInfo(): add PrintNetworkScan()
method, wire it into the check list when IsNetworkScan is true, remove
the detached scan block from RunChecks(), expose NetworkScanOptions and
PortScannerPorts as public, and remove the now-unused using directive
* Add compiled binaries (x86/x64/Release), Directory.Build.targets Linux shim, fix Vault enum/struct casing
* Fix -network/-ports arg parsing to accept space-separated values
* Remove Directory.Build.targets from tracking; add to .gitignore
* Dispose Ping per-attempt in NetPinger to prevent handle leaks on large sweeps
* Fix TcpClient/WaitHandle leaks in PortScanner: use using block, close wait handle, remove stale AsyncCallback+TcpPortState
* Force-select networkinfo check when -network is set with a subset of checks
* Remove unused System.Threading.Tasks import from PortScanner
* Add tests for space-separated -network/-ports arg normalisation
* Remove Thread.Sleep(1) and unused System.Threading import from PortScanner
* Replace BeginConnect/WaitOne APM with ConnectAsync+Wait(timeout) in PortScanner
* Cap concurrent pings at 50 with SemaphoreSlim in NetPinger to prevent resource exhaustion on large ranges
* Isolate per-IP ping exceptions so a single bad target can't abort the sweep; surface errors in debug mode
* Observe timed-out ConnectAsync task via ContinueWith to prevent UnobservedTaskException
* Broaden ParseOnly reset to cover all arg-parsing-mutable Checks fields to prevent test cross-talk
* Add MainPrint/LinkPrint header to PrintNetworkScan; remove misplaced GreatPrint from NetworkScanner.Scan()
* Add dedicated 'networkscan' system check to avoid running all NetworkInfo sub-checks when -network is passed with a subset
* Delete linpeas_test.sh
* Delete winPEAS/winPEASexe/binaries/Release/winPEAS.exe
* Delete winPEAS/winPEASexe/binaries/x64/Release/winPEAS.exe
* Delete winPEAS/winPEASexe/binaries/x86/Release/winPEAS.exe
---------
Co-authored-by: SirBroccoli <carlospolop@gmail.com>
