TLDR: If you have been hunting for privescs before you will know it’s normally not a fast task, you will have a shed ton of data to look at. Sure WINPEAS is good but it’s not a silver bullet.

Here is a really small script which focuses on system administration files/scripts, scheduled tasks and scheduled task history to help you hunt for weaknesses:

write-host "Looking for files modified recently" -ForegroundColor Cyan
$lastmod = Get-childitem -Path c:\ -Include("*.bat","*.cmd","*.ps1","*.vbs","*.wsh","*.reg","*.log","*.bak","*.txt","*.exe","*.py") -recurse -File -ErrorAction SilentlyContinue | Sort-Object -Property LastAccessTime | Where-Object {$_.lastwritetime -gt (get-date).addDays(-1) -and -not $_.PSIsContainer}  

$lastmod | Select-Object -First 100


write-host "Hunt scheduled tasks" -ForegroundColor Cyan

$tasks = Get-ScheduledTask -TaskName * | Get-ScheduledTaskInfo
$tasks  | Sort-Object -Property LastRunTime -Descending | Select-Object -First 50 -Property LastRunTime,TaskName,TaskPath,Author,Actions,Date,Description | FT


write-host "Hunt scheduled task history" -ForegroundColor Cyan


write-host "Hunt scheduled task history: Log-on/off events" -ForegroundColor Cyan
Get-WinEvent -LogName Microsoft-Windows-TaskScheduler/Operational |  findstr -i log- | findstr /v Microsoft


write-host "Hunt scheduled task history: not Microsoft" -ForegroundColor Cyan
Get-WinEvent -LogName Microsoft-Windows-TaskScheduler/Operational | findstr /v Microsoft

Happy hunting!