Fix CI failures for PR #551

* f

* new actions

* Doc tweak for Codex merge test

.github/codex/pr-merge-schema.json

@@ -0,0 +1,18 @@
+{
+  "type": "object",
+  "additionalProperties": false,
+  "properties": {
+    "decision": {
+      "type": "string",
+      "enum": ["merge", "comment"]
+    },
+    "message": {
+      "type": "string"
+    },
+    "confidence": {
+      "type": "string",
+      "enum": ["low", "medium", "high"]
+    }
+  },
+  "required": ["decision", "message", "confidence"]
+}

.github/workflows/CI-PR_from_dev.yml

@@ -1,26 +0,0 @@
-name: CI-PR_from_dev
-
-on:
-  push:
-    branches:
-      - winpeas_dev
-      - linpeas_dev
-
-  workflow_dispatch:
-
-jobs:     
-  create_pull_request:
-    runs-on: ubuntu-latest
-    
-    steps:
-      # checkout
-      - name: Checkout
-        uses: actions/checkout@v2
-    
-      # PR     
-      - name: Pull Request
-        uses: repo-sync/pull-request@v2
-        with:
-          destination_branch: "master"
-          github_token: ${{ secrets.PULL_REQUEST_TOKEN }}
-      

.github/workflows/codex-pr-triage.yml

@@ -0,0 +1,113 @@
+name: Codex PR Triage
+
+on:
+  pull_request:
+    types: [opened]
+
+jobs:
+  codex_triage:
+    if: ${{ github.event.pull_request.user.login == 'carlospolop' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    outputs:
+      decision: ${{ steps.parse.outputs.decision }}
+      message: ${{ steps.parse.outputs.message }}
+
+    steps:
+      - name: Checkout PR merge ref
+        uses: actions/checkout@v5
+        with:
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+
+      - name: Pre-fetch base and head refs
+        run: |
+          git fetch --no-tags origin \
+            ${{ github.event.pull_request.base.ref }} \
+            +refs/pull/${{ github.event.pull_request.number }}/head
+
+      - name: Run Codex
+        id: run_codex
+        uses: openai/codex-action@v1
+        with:
+          openai-api-key: ${{ secrets.OPENAI_API_KEY }}
+          output-schema-file: .github/codex/pr-merge-schema.json
+          model: gpt-5.2-codex
+          prompt: |
+            You are reviewing PR #${{ github.event.pull_request.number }} for ${{ github.repository }}.
+
+            Decide whether to merge or comment. Merge only if all of the following are true:
+            - Changes are simple and safe (no DoS, no long operations, no backdoors).
+            - Changes follow common PEASS syntax and style without breaking anything and add useful checks or value.
+            - Changes simplify code or add new useful checks without breaking anything.
+
+            If you don't have any doubts, and all the previous conditions are met, decide to merge.
+            If you have serious doubts, choose "comment" and include your doubts or questions.
+            If you decide to merge, include a short rationale.
+
+            Pull request title and body:
+            ----
+            ${{ github.event.pull_request.title }}
+            ${{ github.event.pull_request.body }}
+
+            Review ONLY the changes introduced by the PR:
+              git log --oneline ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }}
+
+            Output JSON only, following the provided schema.
+
+      - name: Parse Codex decision
+        id: parse
+        env:
+          CODEX_MESSAGE: ${{ steps.run_codex.outputs.final-message }}
+        run: |
+          python3 - <<'PY'
+          import json
+          import os
+
+          data = json.loads(os.environ.get('CODEX_MESSAGE', '') or '{}')
+          decision = data.get('decision', 'comment')
+          message = data.get('message', '').strip() or 'Codex did not provide details.'
+          with open(os.environ['GITHUB_OUTPUT'], 'a') as handle:
+            handle.write(f"decision={decision}\n")
+            handle.write("message<<EOF\n")
+            handle.write(message + "\n")
+            handle.write("EOF\n")
+          PY
+
+  merge_or_comment:
+    runs-on: ubuntu-latest
+    needs: codex_triage
+    if: ${{ needs.codex_triage.outputs.decision != '' }}
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Merge PR when approved
+        if: ${{ needs.codex_triage.outputs.decision == 'merge' }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          gh api \
+            -X PUT \
+            -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/pulls/${PR_NUMBER}/merge \
+            -f merge_method=squash \
+            -f commit_title="Auto-merge PR #${PR_NUMBER} (Codex)"
+
+      - name: Comment with doubts
+        if: ${{ needs.codex_triage.outputs.decision == 'comment' }}
+        uses: actions/github-script@v7
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          CODEX_MESSAGE: ${{ needs.codex_triage.outputs.message }}
+        with:
+          github-token: ${{ github.token }}
+          script: |
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: Number(process.env.PR_NUMBER),
+              body: process.env.CODEX_MESSAGE,
+            });

.github/workflows/pr-failure-codex-dispatch.yml

@@ -0,0 +1,136 @@
+name: PR Failure Codex Dispatch
+
+on:
+  workflow_run:
+    workflows: ["PR-tests"]
+    types: [completed]
+
+jobs:
+  codex_on_failure:
+    if: >
+      ${{ github.event.workflow_run.conclusion == 'failure' &&
+          github.event.workflow_run.pull_requests &&
+          github.event.workflow_run.pull_requests[0].user.login == 'carlospolop' &&
+          !startsWith(github.event.workflow_run.head_commit.message, 'Fix CI failures for PR #') }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+      actions: read
+
+    steps:
+      - name: Comment on PR with failure info
+        uses: actions/github-script@v7
+        env:
+          PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
+          RUN_URL: ${{ github.event.workflow_run.html_url }}
+          WORKFLOW_NAME: ${{ github.event.workflow_run.name }}
+        with:
+          github-token: ${{ github.token }}
+          script: |
+            const prNumber = Number(process.env.PR_NUMBER);
+            const body = `PR #${prNumber} had a failing workflow "${process.env.WORKFLOW_NAME}".\n\nRun: ${process.env.RUN_URL}\n\nLaunching Codex to attempt a fix.`;
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber,
+              body,
+            });
+
+      - name: Checkout PR head
+        uses: actions/checkout@v5
+        with:
+          repository: ${{ github.event.workflow_run.head_repository.full_name }}
+          ref: ${{ github.event.workflow_run.head_sha }}
+          fetch-depth: 0
+          persist-credentials: true
+
+      - name: Configure git author
+        run: |
+          git config user.name "codex-action"
+          git config user.email "codex-action@users.noreply.github.com"
+
+      - name: Fetch failure summary
+        env:
+          GH_TOKEN: ${{ github.token }}
+          RUN_ID: ${{ github.event.workflow_run.id }}
+        run: |
+          gh api -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/actions/runs/$RUN_ID/jobs \
+            --paginate > /tmp/jobs.json
+          python3 - <<'PY'
+          import json
+
+          data = json.load(open('/tmp/jobs.json'))
+          lines = []
+          for job in data.get('jobs', []):
+            if job.get('conclusion') == 'failure':
+              lines.append(f"Job: {job.get('name')} (id {job.get('id')})")
+              lines.append(f"URL: {job.get('html_url')}")
+              for step in job.get('steps', []):
+                if step.get('conclusion') == 'failure':
+                  lines.append(f"  Step: {step.get('name')}")
+              lines.append("")
+
+          summary = "\n".join(lines).strip() or "No failing job details found."
+          with open('codex_failure_summary.txt', 'w') as handle:
+            handle.write(summary)
+          PY
+
+      - name: Create Codex prompt
+        env:
+          PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
+          RUN_URL: ${{ github.event.workflow_run.html_url }}
+          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
+        run: |
+          {
+            echo "You are fixing CI failures for PR #${PR_NUMBER} in ${{ github.repository }}."
+            echo "The failing workflow run is: ${RUN_URL}"
+            echo "The PR branch is: ${HEAD_BRANCH}"
+            echo ""
+            echo "Failure summary:"
+            cat codex_failure_summary.txt
+            echo ""
+            echo "Please identify the cause, apply a easy, simple and minimal fix, and update files accordingly."
+            echo "Run any fast checks you can locally (no network)."
+            echo "Leave the repo in a state ready to commit as when you finish, it'll be automatically committed and pushed."
+          } > codex_prompt.txt
+
+      - name: Run Codex
+        id: run_codex
+        uses: openai/codex-action@v1
+        with:
+          openai-api-key: ${{ secrets.OPENAI_API_KEY }}
+          prompt-file: codex_prompt.txt
+          sandbox: workspace-write
+          model: gpt-5.2-codex
+
+      - name: Commit and push if changed
+        env:
+          TARGET_BRANCH: ${{ github.event.workflow_run.head_branch }}
+          PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
+        run: |
+          if git diff --quiet; then
+            echo "No changes to commit."
+            exit 0
+          fi
+          git add -A
+          git commit -m "Fix CI failures for PR #${PR_NUMBER}"
+          git push origin HEAD:${TARGET_BRANCH}
+
+      - name: Comment with Codex result
+        if: steps.run_codex.outputs.final-message != ''
+        uses: actions/github-script@v7
+        env:
+          PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
+          CODEX_MESSAGE: ${{ steps.run_codex.outputs.final-message }}
+        with:
+          github-token: ${{ github.token }}
+          script: |
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: Number(process.env.PR_NUMBER),
+              body: process.env.CODEX_MESSAGE,
+            });

README.md

@@ -28,7 +28,7 @@ Check the **[parsers](./parsers/)** directory to **transform PEASS outputs to JS
 
 If you are a **PEASS & Hacktricks enthusiast**, you can get your hands now on **our [custom swag](https://peass.creator-spring.com/) and show how much you like our projects!**
 
-You can also, join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) to learn about latest news in cybersecurity and meet other cybersecurity enthusiasts, or follow me on Twitter 🐦 [@hacktricks_live](https://twitter.com/hacktricks_live).
+You can also, join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) to learn about the latest news in cybersecurity and meet other cybersecurity enthusiasts, or follow me on Twitter 🐦 [@hacktricks_live](https://twitter.com/hacktricks_live).
 
 ## Let's improve PEASS together
 
@@ -37,4 +37,3 @@ If you want to **add something** and have **any cool idea** related to this proj
 ## Advisory
 
 All the scripts/binaries of the PEAS suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own machines and/or with the owner's permission.
-

build_lists/sensitive_files.yaml

@@ -3352,7 +3352,7 @@ search:
 
           - name: "credentials.xml"
             value: 
-                bad_regex: "secret.*|password.*"
+                bad_regex: "secret.*|password.*|token.*|SecretKey.*|credentialId.*"
                 remove_empty_lines: True
                 type: f
                 search_in: 
@@ -3360,7 +3360,7 @@ search:
           
           - name: "config.xml"
             value: 
-                bad_regex: "secret.*|password.*"
+                bad_regex: "secret.*|password.*|token.*|SecretKey.*|credentialId.*"
                 only_bad_lines: True
                 type: f
                 search_in: 

codex_failure_summary.txt

@@ -0,0 +1,7 @@
+Job: Build_and_test_linpeas_pr (id 60731895947)
+URL: https://github.com/peass-ng/PEASS-ng/actions/runs/21120092167/job/60731895947
+  Step: Build linpeas
+
+Job: Build_and_test_macpeas_pr (id 60731895952)
+URL: https://github.com/peass-ng/PEASS-ng/actions/runs/21120092167/job/60731895952
+  Step: Build macpeas

codex_prompt.txt

@@ -0,0 +1,15 @@
+You are fixing CI failures for PR #551 in peass-ng/PEASS-ng.
+The failing workflow run is: https://github.com/peass-ng/PEASS-ng/actions/runs/21120092167
+The PR branch is: codex-pr-failure-test-1
+
+Failure summary:
+Job: Build_and_test_linpeas_pr (id 60731895947)
+URL: https://github.com/peass-ng/PEASS-ng/actions/runs/21120092167/job/60731895947
+  Step: Build linpeas
+
+Job: Build_and_test_macpeas_pr (id 60731895952)
+URL: https://github.com/peass-ng/PEASS-ng/actions/runs/21120092167/job/60731895952
+  Step: Build macpeas
+Please identify the cause, apply a easy, simple and minimal fix, and update files accordingly.
+Run any fast checks you can locally (no network).
+Leave the repo in a state ready to commit as when you finish, it'll be automatically committed and pushed.

linPEAS/builder/linpeas_parts/3_cloud/3_AWS_ECS.sh

@@ -1,14 +1,14 @@
 # Title: Cloud - AWS ECS
 # ID: CL_AWS_ECS
 # Author: Carlos Polop
-# Last Update: 22-08-2023
+# Last Update: 17-01-2026
 # Description: AWS ECS Enumeration
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: check_aws_ecs, exec_with_jq, print_2title, print_3title
 # Global Variables: $aws_ecs_metadata_uri, $aws_ecs_service_account_uri, $is_aws_ecs
 # Initial Functions: check_aws_ecs
-# Generated Global Variables: $aws_ecs_req
+# Generated Global Variables: $aws_ecs_req, $aws_exec_env, $ecs_task_metadata, $launch_type, $network_modes, $imds_tool, $imds_token, $imds_roles, $imds_http_code, $ecs_block_line, $ecs_host_line, $iptables_cmd, $docker_rules, $first_role
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -44,5 +44,146 @@ if [ "$is_aws_ecs" = "Yes" ]; then
     else
         echo "I couldn't find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env var to get IAM role info (the task is running without a task role probably)"
     fi
+
+    print_3title "ECS task metadata hints"
+    aws_exec_env=$(printenv AWS_EXECUTION_ENV 2>/dev/null)
+    if [ "$aws_exec_env" ]; then
+        printf "AWS_EXECUTION_ENV=%s\n" "$aws_exec_env"
+    fi
+
+    ecs_task_metadata=""
+    if [ "$aws_ecs_metadata_uri" ]; then
+        ecs_task_metadata=$(eval $aws_ecs_req "$aws_ecs_metadata_uri/task" 2>/dev/null)
+    fi
+
+    if [ "$ecs_task_metadata" ]; then
+        launch_type=$(printf "%s" "$ecs_task_metadata" | grep -oE '"LaunchType":"[^"]+"' | head -n 1 | cut -d '"' -f4)
+        if [ "$launch_type" ]; then
+            printf "ECS LaunchType reported: %s\n" "$launch_type"
+        fi
+        network_modes=$(printf "%s" "$ecs_task_metadata" | grep -oE '"NetworkMode":"[^"]+"' | cut -d '"' -f4 | sort -u | tr '\n' ' ')
+        if [ "$network_modes" ]; then
+            printf "Reported NetworkMode(s): %s\n" "$network_modes"
+        fi
+    else
+        echo "Unable to fetch task metadata (check ECS_CONTAINER_METADATA_URI)."
+    fi
     echo ""
-fi
+
+    print_3title "IMDS reachability from this task"
+    imds_token=""
+    imds_roles=""
+    imds_http_code=""
+    imds_tool=""
+
+    if command -v curl >/dev/null 2>&1; then
+        imds_tool="curl"
+    elif command -v wget >/dev/null 2>&1; then
+        imds_tool="wget"
+    fi
+
+    if [ "$imds_tool" = "curl" ]; then
+        imds_token=$(curl -s --connect-timeout 2 --max-time 2 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null)
+        if [ "$imds_token" ]; then
+            printf "[!] IMDSv2 token request succeeded (metadata reachable from this task).\n"
+            imds_roles=$(curl -s --connect-timeout 2 --max-time 2 -H "X-aws-ec2-metadata-token: $imds_token" "http://169.254.169.254/latest/meta-data/iam/security-credentials/" 2>/dev/null | tr '\n' ' ')
+            if [ "$imds_roles" ]; then
+                printf "    Instance profile role(s) exposed via IMDS: %s\n" "$imds_roles"
+                first_role=$(printf "%s" "$imds_roles" | awk '{print $1}')
+                if [ "$first_role" ]; then
+                    printf "    Example: curl -H 'X-aws-ec2-metadata-token: <TOKEN>' http://169.254.169.254/latest/meta-data/iam/security-credentials/%s\n" "$first_role"
+                fi
+            else
+                printf "    No IAM role names returned (instance profile might be missing).\n"
+            fi
+        else
+            imds_http_code=$(curl -s -o /dev/null -w "%{http_code}" --connect-timeout 2 --max-time 2 "http://169.254.169.254/latest/meta-data/" 2>/dev/null)
+            case "$imds_http_code" in
+                000|"")
+                    printf "[i] IMDS endpoint did not respond (likely blocked via hop-limit or host firewalling).\n"
+                    ;;
+                401)
+                    printf "[i] IMDS requires v2 tokens but token requests are being blocked (bridge-mode tasks rely on this when hop limit = 1).\n"
+                    ;;
+                *)
+                    printf "[i] IMDS GET returned HTTP %s (investigate host configuration).\n" "$imds_http_code"
+                    ;;
+            esac
+        fi
+    elif [ "$imds_tool" = "wget" ]; then
+        imds_token=$(wget -q -O - --timeout=2 --tries=1 --method=PUT --header="X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token" 2>/dev/null)
+        if [ "$imds_token" ]; then
+            printf "[!] IMDSv2 token request succeeded (metadata reachable from this task).\n"
+            imds_roles=$(wget -q -O - --timeout=2 --tries=1 --header="X-aws-ec2-metadata-token: $imds_token" "http://169.254.169.254/latest/meta-data/iam/security-credentials/" 2>/dev/null | tr '\n' ' ')
+            if [ "$imds_roles" ]; then
+                printf "    Instance profile role(s) exposed via IMDS: %s\n" "$imds_roles"
+            else
+                printf "    No IAM role names returned (instance profile might be missing).\n"
+            fi
+        else
+            wget --server-response -O /dev/null --timeout=2 --tries=1 "http://169.254.169.254/latest/meta-data/" 2>&1 | awk 'BEGIN{code=""} /^  HTTP/{code=$2} END{ if(code!="") { printf("[i] IMDS GET returned HTTP %s (token could not be retrieved).\n", code); } else { print "[i] IMDS endpoint did not respond (likely blocked)."; } }'
+        fi
+    else
+        echo "Neither curl nor wget were found, I can't test IMDS reachability."
+    fi
+    echo ""
+
+    print_3title "ECS agent IMDS settings"
+    if [ -r "/etc/ecs/ecs.config" ]; then
+        ecs_block_line=$(grep -E "^ECS_AWSVPC_BLOCK_IMDS=" /etc/ecs/ecs.config 2>/dev/null | tail -n 1)
+        ecs_host_line=$(grep -E "^ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST=" /etc/ecs/ecs.config 2>/dev/null | tail -n 1)
+        if [ "$ecs_block_line" ]; then
+            printf "%s\n" "$ecs_block_line"
+            if echo "$ecs_block_line" | grep -qi "=true"; then
+                echo "    -> awsvpc-mode tasks should be blocked from IMDS by the ECS agent."
+            else
+                echo "    -> awsvpc-mode tasks can still reach IMDS (set this to true to block)."
+            fi
+        else
+            echo "ECS_AWSVPC_BLOCK_IMDS not set (awsvpc tasks inherit host IMDS reachability)."
+        fi
+
+        if [ "$ecs_host_line" ]; then
+            printf "%s\n" "$ecs_host_line"
+            if echo "$ecs_host_line" | grep -qi "=false"; then
+                echo "    -> Host-network tasks lose IAM task roles but IMDS is blocked."
+            else
+                echo "    -> Host-network tasks keep IAM task roles and retain IMDS access."
+            fi
+        else
+            echo "ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST not set (defaults keep IMDS reachable for host-mode tasks)."
+        fi
+    else
+        echo "Cannot read /etc/ecs/ecs.config (file missing or permissions denied)."
+    fi
+    echo ""
+
+    print_3title "DOCKER-USER IMDS filtering"
+    iptables_cmd=""
+    if command -v iptables >/dev/null 2>&1; then
+        iptables_cmd=$(command -v iptables)
+    elif command -v iptables-nft >/dev/null 2>&1; then
+        iptables_cmd=$(command -v iptables-nft)
+    fi
+
+    if [ "$iptables_cmd" ]; then
+        docker_rules=$($iptables_cmd -S DOCKER-USER 2>/dev/null)
+        if [ $? -eq 0 ]; then
+            if [ "$docker_rules" ]; then
+                echo "$docker_rules"
+            else
+                echo "(DOCKER-USER chain exists but no rules were found)"
+            fi
+            if echo "$docker_rules" | grep -q "169\\.254\\.169\\.254"; then
+                echo "    -> IMDS traffic is explicitly filtered before Docker NAT."
+            else
+                echo "    -> No DOCKER-USER rule drops 169.254.169.254 traffic (bridge tasks rely on hop limit or host firewalling)."
+            fi
+        else
+            echo "Unable to read DOCKER-USER chain (missing chain or insufficient permissions)."
+        fi
+    else
+        echo "iptables binary not found; cannot inspect DOCKER-USER chain."
+    fi
+    echo ""
+fi

winPEAS/winPEASexe/README.md

@@ -74,6 +74,11 @@ winpeas.exe -lolbas  #Execute also additional LOLBAS search check
 
 The goal of this project is to search for possible **Privilege Escalation Paths** in Windows environments.
 
+New in this version:
+- Detect potential GPO abuse by flagging writable SYSVOL paths for GPOs applied to the current host and by highlighting membership in the "Group Policy Creator Owners" group.
+
+- Flag installed OEM utilities such as ASUS DriverHub, MSI Center, Acer Control Centre and Razer Synapse 4, highlighting writable updater folders and world-accessible pipes tied to recent CVEs.
+
 It should take only a **few seconds** to execute almost all the checks and **some seconds/minutes during the lasts checks searching for known filenames** that could contain passwords (the time depened on the number of files in your home folder). By default only **some** filenames that could contain credentials are searched, you can use the **searchall** parameter to search all the list (this could will add some minutes).
 
 The tool is based on **[SeatBelt](https://github.com/GhostPack/Seatbelt)**.

winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs

@@ -36,6 +36,7 @@ namespace winPEAS.Checks
                 PrintModifiableServices,
                 PrintWritableRegServices,
                 PrintPathDllHijacking,
+                PrintOemPrivilegedUtilities,
                 PrintLegacySignedKernelDrivers,
                 PrintKernelQuickIndicators,
             }.ForEach(action => CheckRunner.Run(action, isDebug));
@@ -210,6 +211,51 @@ namespace winPEAS.Checks
             }
         }
 
+        void PrintOemPrivilegedUtilities()
+        {
+            try
+            {
+                Beaprint.MainPrint("OEM privileged utilities & risky components");
+                var findings = OemSoftwareHelper.GetPotentiallyVulnerableComponents(Checks.CurrentUserSiDs);
+
+                if (findings.Count == 0)
+                {
+                    Beaprint.GoodPrint("    None of the supported OEM utilities were detected.");
+                    return;
+                }
+
+                foreach (var finding in findings)
+                {
+                    bool hasCves = finding.Cves != null && finding.Cves.Length > 0;
+                    string cveSuffix = hasCves ? $" ({string.Join(", ", finding.Cves)})" : string.Empty;
+                    Beaprint.BadPrint($"  {finding.Name}{cveSuffix}");
+
+                    if (!string.IsNullOrWhiteSpace(finding.Description))
+                    {
+                        Beaprint.GrayPrint($"      {finding.Description}");
+                    }
+
+                    foreach (var evidence in finding.Evidence)
+                    {
+                        string message = $"      - {evidence.Message}";
+                        if (evidence.Highlight)
+                        {
+                            Beaprint.BadPrint(message);
+                        }
+                        else
+                        {
+                            Beaprint.GrayPrint(message);
+                        }
+                    }
+
+                    Beaprint.PrintLineSeparator();
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
 
         void PrintLegacySignedKernelDrivers()
         {
@@ -352,4 +398,3 @@ namespace winPEAS.Checks
         }
     }
 }
-

winPEAS/winPEASexe/winPEAS/Info/ServicesInfo/OemSoftwareHelper.cs

@@ -0,0 +1,458 @@
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.IO;
+using System.Security.AccessControl;
+using System.Security.Principal;
+using System.ServiceProcess;
+using winPEAS.Helpers;
+
+namespace winPEAS.Info.ServicesInfo
+{
+    internal static class OemSoftwareHelper
+    {
+        internal static List<OemSoftwareFinding> GetPotentiallyVulnerableComponents(Dictionary<string, string> currentUserSids)
+        {
+            var findings = new List<OemSoftwareFinding>();
+            var services = GetServiceSnapshot();
+            var processes = GetProcessSnapshot();
+
+            foreach (var definition in GetDefinitions())
+            {
+                var finding = new OemSoftwareFinding
+                {
+                    Name = definition.Name,
+                    Description = definition.Description,
+                    Cves = definition.Cves,
+                };
+
+                AppendServiceEvidence(definition, services, finding);
+                AppendProcessEvidence(definition, processes, finding);
+                AppendPathEvidence(definition, currentUserSids, finding);
+                AppendPipeEvidence(definition, finding);
+
+                if (finding.Evidence.Count > 0)
+                {
+                    findings.Add(finding);
+                }
+            }
+
+            return findings;
+        }
+
+        private static void AppendServiceEvidence(OemComponentDefinition definition, List<ServiceSnapshot> services, OemSoftwareFinding finding)
+        {
+            if (definition.ServiceHints == null || definition.ServiceHints.Length == 0)
+            {
+                return;
+            }
+
+            foreach (var serviceHint in definition.ServiceHints)
+            {
+                foreach (var service in services)
+                {
+                    if (ContainsIgnoreCase(service.Name, serviceHint) ||
+                        ContainsIgnoreCase(service.DisplayName, serviceHint))
+                    {
+                        finding.Evidence.Add(new OemEvidence
+                        {
+                            EvidenceType = "service",
+                            Highlight = true,
+                            Message = $"Service '{service.Name}' (Display: {service.DisplayName}) matches indicator '{serviceHint}'"
+                        });
+                    }
+                }
+            }
+        }
+
+        private static void AppendProcessEvidence(OemComponentDefinition definition, List<ProcessSnapshot> processes, OemSoftwareFinding finding)
+        {
+            if (definition.ProcessHints == null || definition.ProcessHints.Length == 0)
+            {
+                return;
+            }
+
+            foreach (var processHint in definition.ProcessHints)
+            {
+                foreach (var process in processes)
+                {
+                    bool matchesName = ContainsIgnoreCase(process.Name, processHint);
+                    bool matchesPath = ContainsIgnoreCase(process.FullPath, processHint);
+
+                    if (matchesName || matchesPath)
+                    {
+                        var location = string.IsNullOrWhiteSpace(process.FullPath) ? "Unknown" : process.FullPath;
+                        finding.Evidence.Add(new OemEvidence
+                        {
+                            EvidenceType = "process",
+                            Highlight = true,
+                            Message = $"Process '{process.Name}' (Path: {location}) matches indicator '{processHint}'"
+                        });
+                    }
+                }
+            }
+        }
+
+        private static void AppendPathEvidence(OemComponentDefinition definition, Dictionary<string, string> currentUserSids, OemSoftwareFinding finding)
+        {
+            if ((definition.DirectoryHints == null || definition.DirectoryHints.Length == 0) &&
+                (definition.FileHints == null || definition.FileHints.Length == 0))
+            {
+                return;
+            }
+
+            if (definition.DirectoryHints != null)
+            {
+                foreach (var dirHint in definition.DirectoryHints)
+                {
+                    var expandedPath = ExpandPath(dirHint.Path);
+                    if (!Directory.Exists(expandedPath))
+                    {
+                        continue;
+                    }
+
+                    var permissions = PermissionsHelper.GetPermissionsFolder(expandedPath, currentUserSids, PermissionType.WRITEABLE_OR_EQUIVALENT);
+                    bool isWritable = permissions.Count > 0;
+
+                    finding.Evidence.Add(new OemEvidence
+                    {
+                        EvidenceType = "path",
+                        Highlight = isWritable,
+                        Message = BuildPathMessage(expandedPath, dirHint.Description, isWritable, permissions)
+                    });
+                }
+            }
+
+            if (definition.FileHints != null)
+            {
+                foreach (var fileHint in definition.FileHints)
+                {
+                    var expandedPath = ExpandPath(fileHint);
+                    if (!File.Exists(expandedPath))
+                    {
+                        continue;
+                    }
+
+                    var permissions = PermissionsHelper.GetPermissionsFile(expandedPath, currentUserSids, PermissionType.WRITEABLE_OR_EQUIVALENT);
+                    bool isWritable = permissions.Count > 0;
+
+                    finding.Evidence.Add(new OemEvidence
+                    {
+                        EvidenceType = "file",
+                        Highlight = isWritable,
+                        Message = BuildPathMessage(expandedPath, "file", isWritable, permissions)
+                    });
+                }
+            }
+        }
+
+        private static void AppendPipeEvidence(OemComponentDefinition definition, OemSoftwareFinding finding)
+        {
+            if (definition.PipeHints == null)
+            {
+                return;
+            }
+
+            foreach (var pipeHint in definition.PipeHints)
+            {
+                try
+                {
+                    var path = $"\\\\.\\pipe\\{pipeHint.Name}";
+                    var security = File.GetAccessControl(path);
+                    string sddl = security.GetSecurityDescriptorSddlForm(AccessControlSections.All);
+                    string identity = string.Empty;
+                    string rights = string.Empty;
+                    bool worldWritable = false;
+
+                    if (pipeHint.CheckWorldWritable)
+                    {
+                        worldWritable = HasWorldWritableAce(security, out identity, out rights);
+                    }
+
+                    string details = worldWritable
+                        ? $"Named pipe '{pipeHint.Name}' ({pipeHint.Description}) is writable by {identity} ({rights})."
+                        : $"Named pipe '{pipeHint.Name}' ({pipeHint.Description}) present. SDDL: {sddl}";
+
+                    finding.Evidence.Add(new OemEvidence
+                    {
+                        EvidenceType = "pipe",
+                        Highlight = worldWritable,
+                        Message = details
+                    });
+                }
+                catch (FileNotFoundException)
+                {
+                    // Pipe not present.
+                }
+                catch (DirectoryNotFoundException)
+                {
+                    // Pipe namespace not accessible.
+                }
+                catch (Exception)
+                {
+                    // Best effort: pipes might disappear during enumeration or deny access.
+                }
+            }
+        }
+
+        private static List<ServiceSnapshot> GetServiceSnapshot()
+        {
+            var services = new List<ServiceSnapshot>();
+
+            try
+            {
+                foreach (var service in ServiceController.GetServices())
+                {
+                    services.Add(new ServiceSnapshot
+                    {
+                        Name = service.ServiceName ?? string.Empty,
+                        DisplayName = service.DisplayName ?? string.Empty
+                    });
+                }
+            }
+            catch (Exception)
+            {
+                // Ignore - this is best effort.
+            }
+
+            return services;
+        }
+
+        private static List<ProcessSnapshot> GetProcessSnapshot()
+        {
+            var processes = new List<ProcessSnapshot>();
+
+            try
+            {
+                foreach (var process in Process.GetProcesses())
+                {
+                    string fullPath = string.Empty;
+                    try
+                    {
+                        fullPath = process.MainModule?.FileName ?? string.Empty;
+                    }
+                    catch
+                    {
+                        // Access denied or 64-bit vs 32-bit mismatch.
+                    }
+
+                    processes.Add(new ProcessSnapshot
+                    {
+                        Name = process.ProcessName ?? string.Empty,
+                        FullPath = fullPath ?? string.Empty
+                    });
+                }
+            }
+            catch (Exception)
+            {
+                // Ignore - enumeration is best effort.
+            }
+
+            return processes;
+        }
+
+        private static string ExpandPath(string rawPath)
+        {
+            if (string.IsNullOrWhiteSpace(rawPath))
+            {
+                return string.Empty;
+            }
+
+            var expanded = Environment.ExpandEnvironmentVariables(rawPath);
+            return expanded.Trim().Trim('"');
+        }
+
+        private static string BuildPathMessage(string path, string description, bool isWritable, List<string> permissions)
+        {
+            string descriptor = string.IsNullOrWhiteSpace(description) ? "" : $" ({description})";
+            if (isWritable)
+            {
+                return $"Path '{path}'{descriptor} is writable by current user: {string.Join(", ", permissions)}";
+            }
+
+            return $"Path '{path}'{descriptor} detected.";
+        }
+
+        private static bool ContainsIgnoreCase(string value, string toFind)
+        {
+            if (string.IsNullOrWhiteSpace(value) || string.IsNullOrWhiteSpace(toFind))
+            {
+                return false;
+            }
+
+            return value.IndexOf(toFind, StringComparison.OrdinalIgnoreCase) >= 0;
+        }
+
+        private static bool HasWorldWritableAce(FileSecurity security, out string identity, out string rights)
+        {
+            identity = string.Empty;
+            rights = string.Empty;
+
+            try
+            {
+                var rules = security.GetAccessRules(true, true, typeof(SecurityIdentifier));
+                foreach (FileSystemAccessRule rule in rules)
+                {
+                    if (rule.AccessControlType != AccessControlType.Allow)
+                    {
+                        continue;
+                    }
+
+                    if (rule.IdentityReference is SecurityIdentifier sid)
+                    {
+                        bool isWorld = sid.IsWellKnown(WellKnownSidType.WorldSid);
+                        bool isAuthenticated = sid.IsWellKnown(WellKnownSidType.AuthenticatedUserSid);
+
+                        if (!isWorld && !isAuthenticated)
+                        {
+                            continue;
+                        }
+
+                        const FileSystemRights interestingRights =
+                            FileSystemRights.FullControl |
+                            FileSystemRights.Modify |
+                            FileSystemRights.Write |
+                            FileSystemRights.WriteData |
+                            FileSystemRights.CreateFiles |
+                            FileSystemRights.ChangePermissions;
+
+                        if ((rule.FileSystemRights & interestingRights) != 0)
+                        {
+                            identity = isWorld ? "Everyone" : "Authenticated Users";
+                            rights = rule.FileSystemRights.ToString();
+                            return true;
+                        }
+                    }
+                }
+            }
+            catch
+            {
+                // Ignore parsing issues.
+            }
+
+            return false;
+        }
+
+        private static IEnumerable<OemComponentDefinition> GetDefinitions()
+        {
+            return new List<OemComponentDefinition>
+            {
+                new OemComponentDefinition
+                {
+                    Name = "ASUS DriverHub",
+                    Description = "Local web API exposed by ADU.exe allowed bypassing origin/url validation and signature checks.",
+                    Cves = new[] { "CVE-2025-3462", "CVE-2025-3463" },
+                    ServiceHints = new[] { "asusdriverhub", "asus driverhub" },
+                    ProcessHints = new[] { "adu", "asusdriverhub" },
+                    DirectoryHints = new[]
+                    {
+                        new PathHint { Path = "%ProgramFiles%\\ASUS\\AsusDriverHub", Description = "Program Files" },
+                        new PathHint { Path = "%ProgramFiles(x86)%\\ASUS\\AsusDriverHub", Description = "Program Files (x86)" },
+                        new PathHint { Path = "%ProgramData%\\ASUS\\AsusDriverHub\\SupportTemp", Description = "SupportTemp updater staging" }
+                    },
+                    FileHints = new[]
+                    {
+                        "%ProgramData%\\ASUS\\AsusDriverHub\\SupportTemp\\Installer.json"
+                    }
+                },
+                new OemComponentDefinition
+                {
+                    Name = "MSI Center",
+                    Description = "MSI.CentralServer.exe exposed TCP commands with TOCTOU and signature bypass issues.",
+                    Cves = new[] { "CVE-2025-27812", "CVE-2025-27813" },
+                    ServiceHints = new[] { "msi.center", "msi centralserver" },
+                    ProcessHints = new[] { "msi.centralserver", "msi center" },
+                    DirectoryHints = new[]
+                    {
+                        new PathHint { Path = "%ProgramFiles%\\MSI\\MSI Center", Description = "Main installation" },
+                        new PathHint { Path = "%ProgramFiles(x86)%\\MSI\\MSI Center", Description = "Main installation (x86)" },
+                        new PathHint { Path = "%ProgramData%\\MSI\\MSI Center", Description = "Shared data" },
+                        new PathHint { Path = "%ProgramData%\\MSI Center SDK", Description = "SDK temp copy location" }
+                    }
+                },
+                new OemComponentDefinition
+                {
+                    Name = "Acer Control Centre",
+                    Description = "ACCSvc.exe exposes treadstone_service_LightMode named pipe with weak impersonation controls.",
+                    Cves = new[] { "CVE-2025-5491" },
+                    ServiceHints = new[] { "accsvc", "acer control" },
+                    ProcessHints = new[] { "accsvc", "accstd" },
+                    DirectoryHints = new[]
+                    {
+                        new PathHint { Path = "%ProgramFiles%\\Acer\\Care Center", Description = "Install directory" },
+                        new PathHint { Path = "%ProgramFiles(x86)%\\Acer\\Care Center", Description = "Install directory (x86)" }
+                    },
+                    PipeHints = new[]
+                    {
+                        new PipeHint { Name = "treadstone_service_LightMode", Description = "Command dispatcher", CheckWorldWritable = true }
+                    }
+                },
+                new OemComponentDefinition
+                {
+                    Name = "Razer Synapse 4 Elevation Service",
+                    Description = "razer_elevation_service.exe exposes COM elevation helpers that allowed arbitrary process launch.",
+                    Cves = new[] { "CVE-2025-27811" },
+                    ServiceHints = new[] { "razer_elevation_service" },
+                    ProcessHints = new[] { "razer_elevation_service" },
+                    DirectoryHints = new[]
+                    {
+                        new PathHint { Path = "%ProgramFiles%\\Razer\\RazerAppEngine", Description = "Razer App Engine" },
+                        new PathHint { Path = "%ProgramFiles(x86)%\\Razer\\RazerAppEngine", Description = "Razer App Engine (x86)" }
+                    }
+                }
+            };
+        }
+
+        private class ServiceSnapshot
+        {
+            public string Name { get; set; }
+            public string DisplayName { get; set; }
+        }
+
+        private class ProcessSnapshot
+        {
+            public string Name { get; set; }
+            public string FullPath { get; set; }
+        }
+
+        private class OemComponentDefinition
+        {
+            public string Name { get; set; }
+            public string Description { get; set; }
+            public string[] Cves { get; set; } = Array.Empty<string>();
+            public string[] ServiceHints { get; set; } = Array.Empty<string>();
+            public string[] ProcessHints { get; set; } = Array.Empty<string>();
+            public PathHint[] DirectoryHints { get; set; } = Array.Empty<PathHint>();
+            public string[] FileHints { get; set; } = Array.Empty<string>();
+            public PipeHint[] PipeHints { get; set; } = Array.Empty<PipeHint>();
+        }
+
+        private class PathHint
+        {
+            public string Path { get; set; }
+            public string Description { get; set; }
+        }
+
+        private class PipeHint
+        {
+            public string Name { get; set; }
+            public string Description { get; set; }
+            public bool CheckWorldWritable { get; set; }
+        }
+    }
+
+    internal class OemSoftwareFinding
+    {
+        public string Name { get; set; }
+        public string Description { get; set; }
+        public string[] Cves { get; set; } = Array.Empty<string>();
+        public List<OemEvidence> Evidence { get; } = new List<OemEvidence>();
+    }
+
+    internal class OemEvidence
+    {
+        public string EvidenceType { get; set; }
+        public string Message { get; set; }
+        public bool Highlight { get; set; }
+    }
+}

winPEAS/winPEASexe/winPEAS/winPEAS.csproj

@@ -1463,6 +1463,7 @@
       <DependentUpon>Resources.resx</DependentUpon>
     </Compile>
     <Compile Include="Info\ServicesInfo\ServicesInfoHelper.cs" />
+    <Compile Include="Info\ServicesInfo\OemSoftwareHelper.cs" />
     <Compile Include="Info\SystemInfo\SystemInfo.cs" />
     <Compile Include="Info\UserInfo\UserInfoHelper.cs" />
     <Compile Include="Helpers\DomainHelper.cs" />