PrivescCheck: Privilege Escalation Enumeration Script for Windows

PrivescCheck aims to discover Windows misconfigurations that can be used to escalate privileges. It also collects various pieces of information that may be useful for exploitation and post-exploitation.

The purpose of this script is to help security researchers identify potential weaknesses on Windows machines during penetration tests and Workstation/VDI audits. It is not intended for use during Red Team engagements, although it may provide a lot of useful information about the security of your systems.


Features

Current User

  • Invoke-UserCheck - Gets the username and SID of the current user
  • Invoke-UserGroupsCheck - Enumerates groups the current user belongs to except default and low-privileged ones
  • Invoke-UserPrivilegesCheck - Enumerates the high-potential privileges of the current user's token

Services

  • Invoke-InstalledServicesCheck - Enumerates non-default services
  • Invoke-ServicesPermissionsCheck - Enumerates the services the current user can modify through the Service Control Manager
  • Invoke-ServicesPermissionsRegistryCheck - Enumerates services that can be modified in the registry
  • Invoke-ServicesImagePermissionsCheck - Enumerates all the services that have a modifiable binary (or argument)
  • Invoke-ServicesUnquotedPathCheck - Enumerates services with an unquoted path that can be exploited
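The last three service checks all come down to one question: can the current user place or replace a binary that the service will execute? The following PowerShell is an added example, not PrivescCheck's own code, showing how the unquoted-path case is assessed. It lists services whose executable path is unquoted and contains spaces, derives every intermediate path that CreateProcess would try first (`C:\Program.exe`, then `C:\Program Files\My.exe`, and so on), and reports whether the current user's token has write rights on the directory where such a file would have to be planted. It only reads ACLs and creates nothing; the function names and the decision to skip paths under %SystemRoot% are choices of this example.

```powershell
# Added example (not PrivescCheck's own code): find services whose binary path is
# unquoted and contains spaces, then test whether the current user can create a
# file in any directory where a planted binary would be picked up at service start.
# Assumptions: run as the account being assessed; reads ACLs only, plants nothing.

function Get-CurrentUserSidSet {
    # The user's own SID plus every group SID in the token (Everyone, Authenticated Users, ...).
    $id  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $set = New-Object 'System.Collections.Generic.HashSet[string]'
    [void]$set.Add($id.User.Value)
    foreach ($g in $id.Groups) { [void]$set.Add($g.Value) }
    return $set
}

function Test-DirectoryWritable {
    param([string]$Path, $SidSet)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    # Any of these rights lets the user drop a new file into the directory.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    $allow = $false
    # Ask for SID-typed rules so orphaned SIDs do not break name translation.
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if (-not $SidSet.Contains($ace.IdentityReference.Value)) { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }   # a matching deny wins
        $allow = $true
    }
    return $allow
}

function Get-UnquotedServicePath {
    param($SidSet = (Get-CurrentUserSidSet))
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $cmd = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($cmd) -or $cmd.StartsWith('"')) { continue }
        # The binary is everything up to the first ".exe"; the remainder is arguments.
        $m   = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { $cmd }
        if ($exe -notmatch '\s') { continue }
        # Example choice: skip %SystemRoot%, whose parents are not writable by non-admins by default.
        if ($exe -like "$env:SystemRoot\*") { continue }
        $parts = $exe -split '\s+'
        # CreateProcess tries each space-delimited prefix + ".exe" before the real file.
        for ($i = 0; $i -lt $parts.Count - 1; $i++) {
            $plant = ($parts[0..$i] -join ' ') + '.exe'
            $dir   = Split-Path -Parent $plant
            if ([string]::IsNullOrEmpty($dir)) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                StartMode = $svc.StartMode
                ImagePath = $cmd
                PlantPath = $plant
                Writable  = Test-DirectoryWritable -Path $dir -SidSet $SidSet
            }
        }
    }
}

# Usage: show only the candidates the current user could actually exploit.
Get-UnquotedServicePath | Where-Object Writable | Format-Table -AutoSize
```

A writable directory is necessary but not sufficient: the service must also be restartable by the user (or start automatically at boot, which is what the StartMode column is for) and run under a more privileged account than the current one.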

Dll

  • Invoke-DllHijackingCheck - Checks whether any of the system path folders is modifiable

Programs

  • Invoke-InstalledProgramsCheck - Enumerates the applications that are not installed by default
  • Invoke-ModifiableProgramsCheck - Enumerates applications which have a modifiable EXE or DLL file
  • Invoke-RunningProcessCheck - Enumerates the running processes

Credentials

  • Invoke-SamBackupFilesCheck - Checks common locations for the SAM / SYSTEM backup files
  • Invoke-UnattendFilesCheck - Enumerates Unattend files and extracts credentials
  • Invoke-WinlogonCheck - Checks credentials stored in the Winlogon registry key
  • Invoke-CredentialFilesCheck - Lists the Credential files that are stored in the current user AppData folders
  • Invoke-CredentialManagerCheck - Enumerates credentials saved in the Credential Manager
  • Invoke-GPPPasswordCheck - Lists Group Policy Preferences (GPP) containing a non-empty "cpassword" field

Registry

  • Invoke-UacCheck - Checks whether UAC (User Account Control) is enabled
  • Invoke-LapsCheck - Checks whether LAPS (Local Administrator Password Solution) is enabled
  • Invoke-PowershellTranscriptionCheck - Checks whether PowerShell Transcription is configured / enabled
  • Invoke-RegistryAlwaysInstallElevatedCheck - Checks whether the AlwaysInstallElevated key is set in the registry
  • Invoke-LsaProtectionsCheck - Checks whether LSASS is running as a Protected Process (plus additional checks)
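Each of these registry checks reads one or two DWORD values and interprets them; the interpretation is where mistakes happen, so here is an added PowerShell example (not PrivescCheck's own code) that reads the values behind the UAC, AlwaysInstallElevated and LSA-protection checks from their documented locations. It assumes the standard Windows key paths shown in the code and treats a missing value as "not configured". The AlwaysInstallElevated case illustrates the point: the setting is only exploitable when both the machine (HKLM) and the user (HKCU) policy values are 1, so checking a single hive gives a false positive.

```powershell
# Added example (not PrivescCheck's own code): read and interpret the registry
# settings behind the UAC, AlwaysInstallElevated and LSA-protection checks.
# Assumption: standard Windows key/value locations; absent value => not configured.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null   # key or value does not exist
    }
}

function Test-AlwaysInstallElevated {
    # msiexec only installs as SYSTEM when BOTH policies are set; one hive alone is harmless.
    $sub  = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hklm = Get-RegistryDword -Path "HKLM:\$sub" -Name 'AlwaysInstallElevated'
    $hkcu = Get-RegistryDword -Path "HKCU:\$sub" -Name 'AlwaysInstallElevated'
    [pscustomobject]@{
        Check      = 'AlwaysInstallElevated'
        HKLM       = $hklm
        HKCU       = $hkcu
        Vulnerable = ($hklm -eq 1 -and $hkcu -eq 1)
    }
}

function Test-UacConfiguration {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enableLua = Get-RegistryDword -Path $path -Name 'EnableLUA'
    $prompt    = Get-RegistryDword -Path $path -Name 'ConsentPromptBehaviorAdmin'
    [pscustomobject]@{
        Check                      = 'UAC'
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $prompt
        # EnableLUA = 0 disables UAC entirely; ConsentPromptBehaviorAdmin = 0 elevates
        # administrators without any prompt. Either one removes the UAC boundary.
        Vulnerable                 = ($enableLua -eq 0 -or $prompt -eq 0)
    }
}

function Test-LsaProtection {
    # RunAsPPL = 1 makes LSASS a Protected Process Light, blocking ordinary (even
    # admin) handle access to its memory; absent or 0 means no protection.
    $runAsPpl = Get-RegistryDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL'
    [pscustomobject]@{
        Check      = 'LSA protection (RunAsPPL)'
        RunAsPPL   = $runAsPpl
        Vulnerable = ($runAsPpl -ne 1)
    }
}

function Invoke-RegistryChecks {
    # Returns one result object per check so the caller can filter or export them.
    Test-AlwaysInstallElevated
    Test-UacConfiguration
    Test-LsaProtection
}

# Usage: print all three results; pipe through Where-Object Vulnerable to keep only findings.
Invoke-RegistryChecks | Format-List
```

All three functions read HKLM values that any authenticated user can query, so the example works from a low-privileged session; only the configuration is reported, nothing is changed.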

Network

  • Invoke-TcpEndpointsCheck - Enumerates unusual TCP endpoints on the local machine (IPv4 and IPv6)
  • Invoke-UdpEndpointsCheck - Enumerates unusual UDP endpoints on the local machine (IPv4 and IPv6)

Misc

  • Invoke-WindowsUpdateCheck - Checks the last update time of the machine
  • Invoke-SystemInfoCheck - Gets the name of the operating system and the full version string
  • Invoke-LocalAdminGroupCheck - Enumerates the members of the default local admin group
  • Invoke-MachineRoleCheck - Gets the role of the machine (workstation, server, domain controller)
  • Invoke-SystemStartupHistoryCheck - Gets a list of system startup events
  • Invoke-SystemStartupCheck - Gets the last system startup time
  • Invoke-SystemDrivesCheck - Gets a list of local drives and network shares that are currently mapped

Usage

1. Basic usage

From the command line:

C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

From PowerShell:

PS C:\Temp\> Set-ExecutionPolicy Bypass -Scope process -Force
PS C:\Temp\> . .\PrivescCheck.ps1; Invoke-PrivescCheck

From PowerShell without modifying the policy:

PS C:\Temp\> Get-Content .\PrivescCheck.ps1 | Out-String | IEX
PS C:\Temp\> Invoke-PrivescCheck

2. Extended mode

By default, the script only runs the checks that detect vulnerabilities. You can get a lot more information (the informational checks as well) with the -Extended option:

Invoke-PrivescCheck -Extended

3. Generate report files

You can use the -Report and -Format options to save the script's results to files in various formats. The accepted formats are TXT, CSV, HTML and XML. If -Format is omitted, the default format is TXT, which is a plain copy of what is printed to the terminal.

The value of -Report is used as the base name of the report file(s); the extension is appended automatically according to the selected format(s). Note that %COMPUTERNAME% in the examples below is expanded by cmd.exe; when calling Invoke-PrivescCheck from a PowerShell prompt, use $env:COMPUTERNAME instead.

Invoke-PrivescCheck -Report PrivescCheck_%COMPUTERNAME%
Invoke-PrivescCheck -Report PrivescCheck_%COMPUTERNAME% -Format TXT,CSV,HTML,XML

You can download the program from here.

iGuRu.gr

Written by Anastasis Vasileiadis