peass-ng · carlospolop · Dec 17, 2025
diff --git a/winPEAS/winPEASexe/README.md b/winPEAS/winPEASexe/README.md
@@ -77,6 +77,8 @@ The goal of this project is to search for possible **Privilege Escalation Paths*
 New in this version:
 - Detect potential GPO abuse by flagging writable SYSVOL paths for GPOs applied to the current host and by highlighting membership in the "Group Policy Creator Owners" group.
 
+- Added Object Manager race-window amplification guidance (Project Zero 2025): winPEAS now checks if the current user can create named objects under \\BaseNamedObjects and reminds you how to build extremely long names/deep directory chains to stretch kernel race windows.
+
 
 It should take only a **few seconds** to execute almost all the checks and **some seconds/minutes during the lasts checks searching for known filenames** that could contain passwords (the time depened on the number of files in your home folder). By default only **some** filenames that could contain credentials are searched, you can use the **searchall** parameter to search all the list (this could will add some minutes).
 

diff --git a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
@@ -81,6 +81,7 @@ public void PrintInfo(bool isDebug)
                 PrintKrbRelayUp,
                 PrintInsideContainer,
                 PrintAlwaysInstallElevated,
+                PrintObjectManagerRaceAmplification,
                 PrintLSAInfo,
                 PrintNtlmSettings,
                 PrintLocalGroupPolicy,
@@ -667,6 +668,31 @@ static void PrintAlwaysInstallElevated()
             }
         }
 
+        static void PrintObjectManagerRaceAmplification()
+        {
+            try
+            {
+                Beaprint.MainPrint("Object Manager race-window amplification primitives");
+                Beaprint.LinkPrint("https://projectzero.google/2025/12/windows-exploitation-techniques.html", "Project Zero write-up:");
+
+                if (ObjectManagerHelper.TryCreateSessionEvent(out var objectName, out var error))
+                {
+                    Beaprint.BadPrint($"    Created a test named event ({objectName}) under \\BaseNamedObjects.");
+                    Beaprint.InfoPrint("    -> Low-privileged users can slow NtOpen*/NtCreate* lookups using ~32k-character names or ~16k-level directory chains.");
+                    Beaprint.InfoPrint("    -> Point attacker-controlled symbolic links to the slow path to stretch kernel race windows.");
+                    Beaprint.InfoPrint("    -> Use this whenever a bug follows check -> NtOpenX -> privileged action patterns.");
+                }
+                else
+                {
+                    Beaprint.InfoPrint($"    Could not create a test event under \\BaseNamedObjects ({error}). The namespace might be locked down.");
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+
         private static void PrintNtlmSettings()
         {
             Beaprint.MainPrint($"Enumerating NTLM Settings");

diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/ObjectManagerHelper.cs b/winPEAS/winPEASexe/winPEAS/Helpers/ObjectManagerHelper.cs
@@ -0,0 +1,34 @@
+using System;
+using System.Diagnostics;
+using System.Threading;
+
+namespace winPEAS.Helpers
+{
+    internal static class ObjectManagerHelper
+    {
+        public static bool TryCreateSessionEvent(out string objectName, out string error)
+        {
+            objectName = $"PEAS_OMNS_{Process.GetCurrentProcess().Id}_{Guid.NewGuid():N}";
+            error = string.Empty;
+
+            try
+            {
+                using (var handle = new EventWaitHandle(initialState: false, EventResetMode.ManualReset, objectName, out var createdNew))
+                {
+                    if (!createdNew)
+                    {
+                        error = "A test event with the generated name already existed.";
+                        return false;
+                    }
+                }
+
+                return true;
+            }
+            catch (Exception ex)
+            {
+                error = ex.Message;
+                return false;
+            }
+        }
+    }
+}
diff --git a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj
@@ -1359,6 +1359,7 @@
     <Compile Include="KnownFileCreds\Vault\Structs\VAULT_ITEM_WIN8.cs" />
     <Compile Include="KnownFileCreds\Vault\VaultCli.cs" />
     <Compile Include="Helpers\MyUtils.cs" />
+    <Compile Include="Helpers\ObjectManagerHelper.cs" />
     <Compile Include="Info\UserInfo\SAM\Enums.cs" />
     <Compile Include="Info\UserInfo\SAM\SamServer.cs" />
     <Compile Include="Info\UserInfo\SAM\Structs.cs" />