diff --git a/build_lists/sensitive_files.yaml b/build_lists/sensitive_files.yaml
index d4d8c9c..a280fea 100644
--- a/build_lists/sensitive_files.yaml
+++ b/build_lists/sensitive_files.yaml
@@ -3941,3 +3941,27 @@ search:
 type: f
 search_in:
 - common
+
+ - name: WAPT
+ value:
+ config:
+ auto_check: True
+
+ files:
+ - name: "waptserver.ini"
+ value:
+ type: f
+ search_in:
+ - common
+
+ - name: "wapt-get.ini"
+ value:
+ type: f
+ search_in:
+ - common
+
+ - name: "*wapt*.7z"
+ value:
+ type: f
+ search_in:
+ - common
diff --git a/winPEAS/winPEASexe/README.md b/winPEAS/winPEASexe/README.md
index 5421493..1d4087a 100755
--- a/winPEAS/winPEASexe/README.md
+++ b/winPEAS/winPEASexe/README.md
@@ -266,3 +266,8 @@ If you find any issue, please report it using **[github issues](https://github.c
 ## Advisory
 All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
+
+### New in this update
+- AD GPO abuse indicators: winPEAS now highlights membership in "Group Policy Creator Owners" and inspects applied GPO folders in SYSVOL for write permissions that can enable SYSTEM via GPO abuse.
+- WAPT artifacts: added detection of common WAPT files (waptserver.ini, wapt-get.ini) and backup archives (*wapt*.7z) in user homes and Recycle Bin searches.
+
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs
index 9fe48f0..36a2cbf 100644
--- a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs
@@ -20,7 +20,7 @@ namespace winPEAS.Checks { internal class FilesInfo : ISystemCheck { - static readonly string _patternsFileCredsColor = @"RDCMan.settings|.rdg|_history|httpd.conf|.htpasswd|.gitconfig|.git-credentials|Dockerfile|docker-compose.ymlaccess_tokens.db|accessTokens.json|azureProfile.json|appcmd.exe|scclient.exe|unattend.txt|access.log|error.log|credential|password|.gpg|.pgp|config.php|elasticsearch|kibana.|.p12|\.der|.csr|.crt|.cer|.pem|known_hosts|id_rsa|id_dsa|.ovpn|tomcat-users.xml|web.config|.kdbx|.key|KeePass.config|ntds.dir|Ntds.dit|sam|system|SAM|SYSTEM|security|software|SECURITY|SOFTWARE|FreeSSHDservice.ini|sysprep.inf|sysprep.xml|unattend.xml|unattended.xml|vnc|groups.xml|services.xml|scheduledtasks.xml|printers.xml|drives.xml|datasources.xml|php.ini|https.conf|https-xampp.conf|my.ini|my.cnf|access.log|error.log|server.xml|setupinfo|pagefile.sys|NetSetup.log|iis6.log|AppEvent.Evt|SecEvent.Evt|default.sav|security.sav|software.sav|system.sav|ntuser.dat|index.dat|bash.exe|wsl.exe"; + static readonly string _patternsFileCredsColor = @"RDCMan.settings|.rdg|_history|httpd.conf|.htpasswd|.gitconfig|.git-credentials|Dockerfile|docker-compose.ymlaccess_tokens.db|accessTokens.json|azureProfile.json|appcmd.exe|scclient.exe|unattend.txt|access.log|error.log|credential|password|.gpg|.pgp|config.php|elasticsearch|kibana.|.p12|\.der|.csr|.crt|.cer|.pem|known_hosts|id_rsa|id_dsa|.ovpn|tomcat-users.xml|web.config|.kdbx|.key|KeePass.config|ntds.dir|Ntds.dit|sam|system|SAM|SYSTEM|security|software|SECURITY|SOFTWARE|FreeSSHDservice.ini|sysprep.inf|sysprep.xml|unattend.xml|unattended.xml|vnc|groups.xml|services.xml|scheduledtasks.xml|printers.xml|drives.xml|datasources.xml|php.ini|https.conf|https-xampp.conf|my.ini|my.cnf|access.log|error.log|server.xml|setupinfo|pagefile.sys|NetSetup.log|iis6.log|AppEvent.Evt|SecEvent.Evt|default.sav|security.sav|software.sav|system.sav|ntuser.dat|index.dat|bash.exe|wsl.exe|waptserver.ini|wapt-get.ini|wapt.*\.7z|wapt"; // static 
readonly string _patternsFileCreds = @"RDCMan.settings;*.rdg;*_history*;httpd.conf;.htpasswd;.gitconfig;.git-credentials;Dockerfile;docker-compose.yml;access_tokens.db;accessTokens.json;azureProfile.json;appcmd.exe;scclient.exe;*.gpg$;*.pgp$;*config*.php;elasticsearch.y*ml;kibana.y*ml;*.p12$;*.cer$;known_hosts;*id_rsa*;*id_dsa*;*.ovpn;tomcat-users.xml;web.config;*.kdbx;KeePass.config;Ntds.dit;SAM;SYSTEM;security;software;FreeSSHDservice.ini;sysprep.inf;sysprep.xml;*vnc*.ini;*vnc*.c*nf*;*vnc*.txt;*vnc*.xml;php.ini;https.conf;https-xampp.conf;my.ini;my.cnf;access.log;error.log;server.xml;ConsoleHost_history.txt;pagefile.sys;NetSetup.log;iis6.log;AppEvent.Evt;SecEvent.Evt;default.sav;security.sav;software.sav;system.sav;ntuser.dat;index.dat;bash.exe;wsl.exe;unattend.txt;*.der$;*.csr$;unattend.xml;unattended.xml;groups.xml;services.xml;scheduledtasks.xml;printers.xml;drives.xml;datasources.xml;setupinfo;setupinfo.bak"; private static readonly IList patternsFileCreds = new List() @@ -110,6 +110,11 @@ namespace winPEAS.Checks "winscp.ini", "ws_ftp.ini", "wsl.exe", + // WAPT software artifacts (from HTB TheFrizz case): + "waptserver.ini", + "wapt-get.ini", + "wapt*.ini", + "*wapt*.7z", }; diff --git a/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.GpoAbuse.cs b/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.GpoAbuse.cs new file mode 100644 index 0000000..90fde67 --- /dev/null +++ b/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.GpoAbuse.cs 
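Review bot: The new alternation appended to `_patternsFileCredsColor` ends with a bare `|wapt`, which already matches any name containing "wapt", so the three preceding alternatives (`waptserver.ini|wapt-get.ini|wapt.*\.7z`) are redundant and the bare term will also highlight any unrelated path that happens to contain that substring. Either drop the trailing `|wapt` so only the specific artifacts are highlighted — `...|bash.exe|wsl.exe|waptserver.ini|wapt-get.ini|wapt.*\.7z";` — or keep only `|wapt` if broad highlighting is the intent; the current combination does both and is harder to reason about. The unescaped dots in the new entries match the pre-existing style of this pattern, so they are not a regression. The class body continues outside the hunk.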
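Review bot: In the `patternsFileCreds` list the added glob `"wapt*.ini"` already covers `"waptserver.ini"` and `"wapt-get.ini"`, so those two entries are duplicates if the list is consumed as file-name wildcards like the neighbouring entries; keep either the two explicit names or the glob, not both. The build list in `build_lists/sensitive_files.yaml` in this same commit adds `waptserver.ini`, `wapt-get.ini` and `*wapt*.7z` but not `wapt*.ini`, so the two sources now disagree on what is searched. The added comment would serve the next reader better by describing the artifact rather than where it was first seen, e.g. `// WAPT software-deployment config files and backup archives`. The list declaration starts outside the hunk.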
@@ -0,0 +1,37 @@ +using System; using winPEAS.Helpers; namespace winPEAS.Checks { internal partial class UserInfo { +void PrintPotentialGpoAbuseIndicators() { + try { + Beaprint.MainPrint("Potential GPO abuse (Active Directory)"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/gpo-abuse.html", "Check if you can abuse GPO permissions to run code as SYSTEM"); + if (!Checks.IsPartOfDomain || Checks.IsCurrentUserLocal) { Beaprint.NotFoundPrint(); return; } + bool isGpcOwner = false; + foreach (var kv in Checks.CurrentUserSiDs) { + if (!string.IsNullOrEmpty(kv.Value) && kv.Value.Equals("Group Policy Creator Owners", StringComparison.OrdinalIgnoreCase)) { isGpcOwner = true; break; } + } + if (isGpcOwner) { Beaprint.BadPrint(" [!] Current user token contains 'Group Policy Creator Owners' – you may be able to create/modify GPOs."); } + else { Beaprint.NoColorPrint(" [-] Not a member of 'Group Policy Creator Owners' (based on current token)."); } + try { + var applied = winPEAS.Info.SystemInfo.GroupPolicy.GroupPolicy.GetLocalGroupPolicyInfos(); + var anyPrinted = false; + foreach (var info in applied) { + if ($"{info.GPOType}".Equals("machine", StringComparison.OrdinalIgnoreCase)) { + var fileSysPath = $"{info.FileSysPath}"; + if (string.IsNullOrEmpty(fileSysPath)) continue; + if (fileSysPath.StartsWith("\\\\")) { + var rights = PermissionsHelper.GetPermissionsFolder(fileSysPath, Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT); + if (rights.Count > 0) { + if (!anyPrinted) { Beaprint.BadPrint(" [!] 
Writable applied GPO folders in SYSVOL (abusable):"); anyPrinted = true; } + Beaprint.BadPrint($" -> {fileSysPath} | Rights: {string.Join(", ", rights)}"); + } + } + } + } + if (!isGpcOwner && !anyPrinted) { Beaprint.NotFoundPrint(); } + } catch (Exception ex2) { + Beaprint.GrayPrint(" [i] Error while checking applied GPO folders: " + ex2.Message); + if (!isGpcOwner) { Beaprint.NotFoundPrint(); } + } + Beaprint.GrayPrint(" Tip: If you can edit a GPO linked to this computer, tools like SharpGPOAbuse can add an immediate scheduled task to execute a command as SYSTEM."); + } catch (Exception ex) { Beaprint.PrintException(ex.Message); } +} +} } diff --git a/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs index 350e525..357ca84 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs @@ -14,7 +14,7 @@ using winPEAS.Native.Structs; namespace winPEAS.Checks { - internal class UserInfo : ISystemCheck + internal partial class UserInfo : ISystemCheck { /* Colors Code * RED: @@ -30,7 +30,8 @@ namespace winPEAS.Checks */ - static string badgroups = "docker|Remote |DNSAdmins|AD Recycle Bin|Azure Admins|Admins|Server Operators";//The space in Remote is important to not mix with SeShutdownRemotePrivilege + static string badgroups = "docker|Remote |DNSAdmins|AD Recycle Bin|Azure Admins|Admins|Server Operators|Group Policy Creator Owners";// The space in "Remote " is important to not mix with SeShutdownRemotePrivilege + // Added "Group Policy Creator Owners" as a high-value group since members can create/modify GPOs that can be abused to get SYSTEM on linked computers. static readonly string _badPasswd = "NotChange|NotExpi"; static readonly string _badPrivileges = "SeImpersonatePrivilege|SeAssignPrimaryPrivilege|SeTcbPrivilege|SeBackupPrivilege|SeRestorePrivilege|SeCreateTokenPrivilege|SeLoadDriverPrivilege|SeTakeOwnershipPrivilege|SeDebugPrivilege"; 
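Review bot: The membership test `kv.Value.Equals("Group Policy Creator Owners", StringComparison.OrdinalIgnoreCase)` only matches a bare group name; if the values in `Checks.CurrentUserSiDs` are domain-qualified (`DOMAIN\Group Policy Creator Owners`), as the substring-style `badgroups` regex in UserInfo.cs suggests, `isGpcOwner` can never become true and the check silently reports non-membership. A comparison tolerant of both forms avoids that: `var name = kv.Value ?? string.Empty; if (name.Equals("Group Policy Creator Owners", StringComparison.OrdinalIgnoreCase) || name.EndsWith("\\Group Policy Creator Owners", StringComparison.OrdinalIgnoreCase)) { isGpcOwner = true; break; }`. Two smaller points in the same hunk: `fileSysPath.StartsWith("\\\\")` should pass `StringComparison.Ordinal`, and `$"{info.GPOType}".Equals("machine", …)` formats what looks like an enum into a string to compare it — if `GPOType` is an enum, compare the member directly. The method also lacks a summary; `/// <summary>Reports "Group Policy Creator Owners" membership and machine GPO folders in SYSVOL that the current user can write to.</summary>` would document what it prints.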
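Review bot: The explanatory comment added after `badgroups` sits on its own line below a declaration that already carries a trailing `//` comment, so it reads as belonging to `_badPasswd` on the following line; move it above `static string badgroups = ...` as `// "Group Policy Creator Owners" is high-value: members can create/modify GPOs linked to this computer.` The why-note itself is worth keeping, since the pattern otherwise gives no hint of why this group is flagged. The class body continues outside the hunk.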
@@ -44,6 +45,7 @@ namespace winPEAS.Checks
 PrintCurrentUserIdleTime,
 PrintCurrentTenantInfo,
 PrintTokenP,
+ PrintPotentialGpoAbuseIndicators,
 PrintClipboardText,
 PrintLoggedUsers,
 PrintLocalUsers,