PrivescCheck
PrivescCheck copied to clipboard
itm4n
Privilege Escalation Enumeration Script for Windows
Great tool! But I suppose I figure out some buggy testcase: if thread's token has deny only SID and file's ACE has deny only rule for that SID, _Get-ModifiablePath()_ still...
When building the script, the file `src\02_Helpers.ps1` is blocked by AMSI. ``` C:\PATH\TO\PrivescCheck>powershell -ep bypass -c ".\Build.ps1" [OK] Loaded module file 00_Main.ps1 [OK] Loaded module file 01_Win32.ps1 [KO] Failed to...
A common pattern I recognized is admins placing applications in directories created in drive roots, e.g.: ``` C:\Install C:\ORACLE C:\SuperAccounting ``` Some installers also do this by default. Since these...
I ran the script on a Server 2022 system with KB5033118 installed. Since this update apparently doesn't create a registry key in the [expected format](https://github.com/itm4n/PrivescCheck/blob/2b0903952dc9cf1a9278734fd8e957951ba20a19/src/check/Updates.ps1#L68) Get-HotFixList misses this update. As...
PrivescCheck covers the majority of the host checks I'd perform except SMB signing, which is often useful to know, especially as there are a bunch of different and whacky (like...
Hi, It would interesting if PrivescCheck was able to detect whether ASR is configured or not, and if there is a misconfiguration among the ASR rules (cf. [win10-asr-get.ps1](https://github.com/directorcia/Office365/blob/master/win10-asr-get.ps1)). Below an...
Under specific conditions, the function `Invoke-ServicesImagePermissionsCheck` incorrectly reports some service binary permissions as vulnerable. Below is an example when the script is executed while the current directory is `C:\Users\USERNAME`. It...