Privilege Escalation Enumeration Script for Windows
This script aims to enumerate common Windows configuration issues that can be leveraged for local privilege escalation. It also gathers various information that might be useful for exploitation and/or post-exploitation.
The purpose of this tool is to help security consultants identify potential weaknesses on Windows machines during penetration tests and Workstation/VDI audits. It is not intended to be used during Red Team engagements although it may still provide you with a lot of useful information.
This tool is heavily inspired from the amazing work that @harmj0y and @mattifestation put in PowerUp. The two original authors decided to switch to DotNet and are now working on the great SeatBelt project, which explains why PowerUp is no longer maintained. Although SeatBelt brings some undeniable benefits, I think that a standalone PowerShell script is still a good way to go for most pentesters, hence the motivation behind the creation of this tool.
You can find more information about PrivescCheck here.
From a command prompt:
C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
From a PowerShell prompt:
PS C:\Temp\> Set-ExecutionPolicy Bypass -Scope process -Force PS C:\Temp\> . .\PrivescCheck.ps1; Invoke-PrivescCheck
By default, the scope is limited to vulnerability discovery but, you can get a lot more information with the
-Extendedoption:
From a command prompt:
C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended"
From a PowerShell prompt:
PS C:\Temp\> Set-ExecutionPolicy Bypass -Scope process -Force PS C:\Temp\> . .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended
You can use the
-Reportand
-Formatoptions to save the results of the script to files in various formats. Accepted formats are
TXT,
CSVand
HTMLfor now. If
-Formatis empty, the default format is
TXT, which is a simple copy of what is printed on the terminal.
The value of
-Reportwill be used as the base name for the final report, the extension will be automatically appended depending on the chosen format(s).
From a command prompt:
C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Report PrivescCheck_%COMPUTERNAME%" C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Report PrivescCheck_%COMPUTERNAME% -Format TXT,CSV,HTML"
From a PowerShell prompt:
PS C:\Temp\> Set-ExecutionPolicy Bypass -Scope process -Force PS C:\Temp\> . .\PrivescCheck.ps1; Invoke-PrivescCheck -Report "PrivescCheck_$env:COMPUTERNAME" PS C:\Temp\> . .\PrivescCheck.ps1; Invoke-PrivescCheck -Report "PrivescCheck_$env:COMPUTERNAME" -Format TXT,CSV,HTML
That's awesome! :slightlysmilingface: Please let me know by opening an issue and include as much detail as possible.
Especially if it's a bug, I will need: - The Windows version and the PowerShell version. - The script output (do not forget to remove sensitive information).