PrivescCheck aims to discover Windows misconfigurations that can be used to escalate privileges. It also collects various pieces of information that may be useful for exploitation and post-exploitation.
The purpose of this tool is to help security researchers identify potential vulnerabilities on Windows machines during penetration tests and workstation / VDI audits. It is not primarily intended for Red Team engagements, although it may still provide you with a lot of useful information about the security of your systems.
Features
Current User
- Invoke-UserCheck - Gets the username and SID of the current user
- Invoke-UserGroupsCheck - Enumerates groups the current user belongs to except default and low-privileged ones
- Invoke-UserPrivilegesCheck - Enumerates the high potential privileges of the current user's token
Services
- Invoke-InstalledServicesCheck - Enumerates non-default services
- Invoke-ServicesPermissionsCheck - Enumerates the services the current user can modify through the service control manager
- Invoke-ServicesPermissionsRegistryCheck - Enumerates services that can be modified in the registry
- Invoke-ServicesImagePermissionsCheck - Enumerates all the services that have a modifiable binary (or argument)
- Invoke-ServicesUnquotedPathCheck - Enumerates services with an unquoted path that can be exploited
Dll Hijacking
- Invoke-DllHijackingCheck - Checks whether any of the system path folders is modifiable
Programs
- Invoke-InstalledProgramsCheck - Enumerates the applications that are not installed by default
- Invoke-ModifiableProgramsCheck - Enumerates applications which have a modifiable EXE or DLL file
- Invoke-RunningProcessCheck - Enumerates the running processes
Credentials
- Invoke-SamBackupFilesCheck - Checks common locations for the SAM / SYSTEM backup files
- Invoke-UnattendFilesCheck - Enumerates Unattend files and extracts credentials
- Invoke-WinlogonCheck - Checks credentials stored in the Winlogon registry key
- Invoke-CredentialFilesCheck - Lists the Credential files that are stored in the current user AppData folders
- Invoke-CredentialManagerCheck - Enumerates credentials saved in the Credential Manager
- Invoke-GPPPasswordCheck - Lists Group Policy Preferences (GPP) containing a non-empty "cpassword" field
Registry
- Invoke-UacCheck - Checks whether UAC (User Account Control) is enabled
- Invoke-LapsCheck - Checks whether LAPS (Local Administrator Password Solution) is enabled
- Invoke-PowershellTranscriptionCheck - Checks whether PowerShell Transcription is configured / enabled
- Invoke-RegistryAlwaysInstallElevatedCheck - Checks whether the AlwaysInstallElevated key is set in the registry
- Invoke-LsaProtectionsCheck - Checks whether LSASS is running as a Protected Process (+ additional checks)
Network
- Invoke-TcpEndpointsCheck - Enumerates unusual TCP endpoints on the local machine (IPv4 and IPv6)
- Invoke-UdpEndpointsCheck - Enumerates unusual UDP endpoints on the local machine (IPv4 and IPv6)
Misc
- Invoke-WindowsUpdateCheck - Checks the last update time of the machine
- Invoke-SystemInfoCheck - Gets the name of the operating system and the full version string
- Invoke-LocalAdminGroupCheck - Enumerates the members of the default local admin group
- Invoke-MachineRoleCheck - Gets the role of the machine (workstation, server, domain controller)
- Invoke-SystemStartupHistoryCheck - Gets a list of system startup events
- Invoke-SystemStartupCheck - Gets the last system startup time
- Invoke-SystemDrivesCheck - Gets a list of local drives and network shares that are currently mapped
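As an added illustration of what a check such as Invoke-ServicesUnquotedPathCheck looks for (this is example code written for this page, not PrivescCheck's own implementation), the following audits every service whose binary path is unquoted and contains spaces, and proposes the quoted value an administrator would set to remediate it. Like PrivescCheck, it skips binaries under %SystemRoot%, which are not user-writable by default; the function and parameter names are this example's own.

```powershell
# Added example, not part of PrivescCheck: audit services for unquoted
# image paths containing spaces and propose a quoted replacement.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    $services = Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue
    foreach ($svc in $services) {
        $path = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        # Already quoted: CreateProcess has no ambiguity to resolve.
        if ($path.TrimStart().StartsWith('"')) { continue }

        # Split the executable from its arguments: the binary is everything
        # up to and including the first ".exe" token (case-insensitive).
        $m = [regex]::Match($path, '^(?<exe>.*?\.exe)(?<args>\s.*)?$', 'IgnoreCase')
        if (-not $m.Success) { continue }
        $exe       = $m.Groups['exe'].Value
        $arguments = $m.Groups['args'].Value

        # Only an executable path containing spaces is ambiguous; paths under
        # %SystemRoot% are excluded because they are not writable by default.
        if ($exe -notmatch '\s') { continue }
        if ($exe -like "$env:SystemRoot\*") { continue }

        [PSCustomObject]@{
            Name      = $svc.Name
            StartMode = $svc.StartMode
            ImagePath = $path
            Proposed  = ('"{0}"{1}' -f $exe, $arguments)
        }
    }
}

# Remediation: write the quoted value back to the service's ImagePath
# (requires administrative rights). Run with -WhatIf first to preview.
function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Proposed
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if ($PSCmdlet.ShouldProcess($key, "Set ImagePath to $Proposed")) {
        # ImagePath is normally REG_EXPAND_SZ, so keep that type.
        Set-ItemProperty -Path $key -Name ImagePath -Value $Proposed -Type ExpandString
    }
}

Get-UnquotedServicePath | Format-Table -AutoSize
```

Pipe a selected finding into Repair-UnquotedServicePath (for example `Repair-UnquotedServicePath -Name $f.Name -Proposed $f.Proposed -WhatIf`) to preview the change before applying it.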
Usage
1. Basic use
From the command line:
C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
From PowerShell:
PS C:\Temp\> Set-ExecutionPolicy Bypass -Scope process -Force
PS C:\Temp\> . .\PrivescCheck.ps1; Invoke-PrivescCheck
From PowerShell without modifying the policy:
PS C:\Temp\> Get-Content .\PrivescCheck.ps1 | Out-String | IEX
PS C:\Temp\> Invoke-PrivescCheck
2. Extended mode
By default, the scope is limited to vulnerability detection, but you can get a lot more information with the -Extended option:
Invoke-PrivescCheck -Extended
3. Generate report files
You can use the -Report and -Format options to save the script's results to files in various formats. Accepted formats are TXT, CSV, HTML and XML. If -Format is omitted, the default format is TXT, which is a plain copy of what is printed to the terminal.
The value of -Report is used as the base name of the report files; the extension is appended automatically depending on the selected format(s).
Invoke-PrivescCheck -Report PrivescCheck_%COMPUTERNAME%
Invoke-PrivescCheck -Report PrivescCheck_%COMPUTERNAME% -Format TXT,CSV,HTML,XML
You can download the program from here.