Need help with PrivescCheck?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

itm4n
1.0K Stars 178 Forks BSD 3-Clause "New" or "Revised" License 106 Commits 0 Opened issues

Description

Privilege Escalation Enumeration Script for Windows

Services available

!
?

Need anything else?

Contributors list

# 47,363
C++
windows...
dll-hij...
Windows
105 commits

PrivescCheck

This script aims to enumerate common Windows configuration issues that can be leveraged for local privilege escalation. It also gathers various information that might be useful for exploitation and/or post-exploitation.

The purpose of this tool is to help security consultants identify potential weaknesses on Windows machines during penetration tests and Workstation/VDI audits. It is not intended to be used during Red Team engagements although it may still provide you with a lot of useful information.

This tool is heavily inspired from the amazing work that @harmj0y and @mattifestation put in PowerUp. The two original authors decided to switch to DotNet and are now working on the great SeatBelt project, which explains why PowerUp is no longer maintained. Although SeatBelt brings some undeniable benefits, I think that a standalone PowerShell script is still a good way to go for most pentesters, hence the motivation behind the creation of this tool.

You can find more information about PrivescCheck here.

Usage

1. Basic usage

From a command prompt:

C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

From a PowerShell prompt:

PS C:\Temp\> Set-ExecutionPolicy Bypass -Scope process -Force
PS C:\Temp\> . .\PrivescCheck.ps1; Invoke-PrivescCheck

2. Extended mode

By default, the scope is limited to vulnerability discovery but, you can get a lot more information with the

-Extended
option:

From a command prompt:

C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended"

From a PowerShell prompt:

PS C:\Temp\> Set-ExecutionPolicy Bypass -Scope process -Force
PS C:\Temp\> . .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended

3. Generate report files

You can use the

-Report
and
-Format
options to save the results of the script to files in various formats. Accepted formats are
TXT
,
CSV
and
HTML
for now. If
-Format
is empty, the default format is
TXT
, which is a simple copy of what is printed on the terminal.

The value of

-Report
will be used as the base name for the final report, the extension will be automatically appended depending on the chosen format(s).

From a command prompt:

C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Report PrivescCheck_%COMPUTERNAME%"
C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Report PrivescCheck_%COMPUTERNAME% -Format TXT,CSV,HTML"

From a PowerShell prompt:

PS C:\Temp\> Set-ExecutionPolicy Bypass -Scope process -Force
PS C:\Temp\> . .\PrivescCheck.ps1; Invoke-PrivescCheck -Report "PrivescCheck_$env:COMPUTERNAME"
PS C:\Temp\> . .\PrivescCheck.ps1; Invoke-PrivescCheck -Report "PrivescCheck_$env:COMPUTERNAME" -Format TXT,CSV,HTML

Bug reporting. Feature Request. Overall enhancement.

  • You think you identified a bug or a false positive/negative?
  • You think a particular check is missing?
  • You think something could be improved?

That's awesome! :slightlysmilingface: Please let me know by opening an issue and include as much detail as possible.

Especially if it's a bug, I will need: - The Windows version and the PowerShell version. - The script output (do not forget to remove sensitive information).

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.