PrivescCheck

This script aims to enumerate common Windows configuration issues that can be leveraged for local privilege escalation. It also gathers various information that might be useful for exploitation and/or post-exploitation.

The purpose of this tool is to help security consultants identify potential weaknesses on Windows machines during penetration tests and Workstation/VDI audits. It is not intended to be used during Red Team engagements although it may still provide you with a lot of useful information.

This tool is heavily inspired from the amazing work that @harmj0y and @mattifestation put in PowerUp. The two original authors decided to switch to DotNet and are now working on the great SeatBelt project, which explains why PowerUp is no longer maintained. Although SeatBelt brings some undeniable benefits, I think that a standalone PowerShell script is still a good way to go for most pentesters, hence the motivation behind the creation of this tool.

You can find more information about PrivescCheck here.

Usage

1. Basic usage

From a command prompt:

C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

From a PowerShell prompt:

PS C:\Temp\> Set-ExecutionPolicy Bypass -Scope process -Force
PS C:\Temp\> . .\PrivescCheck.ps1; Invoke-PrivescCheck

2. Extended mode

By default, the scope is limited to vulnerability discovery but, you can get a lot more information with the -Extended option:

From a command prompt:

C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended"

From a PowerShell prompt:

PS C:\Temp\> Set-ExecutionPolicy Bypass -Scope process -Force
PS C:\Temp\> . .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended

3. Generate report files

You can use the -Report and -Format options to save the results of the script to files in various formats. Accepted formats are TXT, CSV and HTML for now. If -Format is empty, the default format is TXT, which is a simple copy of what is printed on the terminal.

The value of -Report will be used as the base name for the final report, the extension will be automatically appended depending on the chosen format(s).

From a command prompt:

C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Report PrivescCheck_%COMPUTERNAME%"
C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Report PrivescCheck_%COMPUTERNAME% -Format TXT,CSV,HTML"

From a PowerShell prompt:

PS C:\Temp\> Set-ExecutionPolicy Bypass -Scope process -Force
PS C:\Temp\> . .\PrivescCheck.ps1; Invoke-PrivescCheck -Report "PrivescCheck_$env:COMPUTERNAME"
PS C:\Temp\> . .\PrivescCheck.ps1; Invoke-PrivescCheck -Report "PrivescCheck_$env:COMPUTERNAME" -Format TXT,CSV,HTML

Bug reporting. Feature Request. Overall enhancement.

• You think you identified a bug or a false positive/negative?
• You think a particular check is missing?
• You think something could be improved?

That's awesome! 🙂 Please let me know by opening an issue and include as much detail as possible.

Especially if it's a bug, I will need:

• The Windows version and the PowerShell version.
• The script output (do not forget to remove sensitive information).