- The "PrintNightmare" check was fully renamed as "Point and Print configuration", which is more accurate. The code was also completely refactored. The tests that are implemented for the different variants of the exploit should also be more reliable.
- Two of the registry keys in the Point & Print configuration check were incorrect.
- Updated the BitLocker check to report the startup authentication mode (TPM only, TPM+PIN, etc.).
- A helper function was added to extract the BitLocker status and configuration.
- The DLL "SprintCSP.dll" was added to the list of phantom DLLs that can be hijacked (service "StorSvc").
- For each phantom DLL, a link to the (original?) source describing its discovery and exploitation is now provided.
- A check's compliance result is no longer a Boolean. It is now represented as a String ("True", "False", "N/A").
- In HTML reports, the "Compliance" result is handled similarly to "Severity" levels, using a label.
- Services > Invoke-ThirdPartyDriversCheck, for enumerating third-party drivers.
- Modified the process access rights enumeration to bypass Cortex AMSI detection (an AMSI rule flags the string "CreateThread" as malicious).
- Changed the configuration of the Vault "cred" and "list" checks to enable them only in "Extended" mode to bypass Cortex behavioral detection.
- Updated the help text of the main Invoke-PrivescCheck cmdlet as suggested in PR #45.
- The WinLogon credential check now ensures that the password values are not empty.
- The info check now shows the correct product name when running on Windows 11.
- Getting the name of a process (based on its PID) could fail when enumerating network endpoints. These errors are now silently ignored.
- Misc > Invoke-ExploitableLeakedHandlesCheck
- Added a cache for user group SIDs and deny SIDs. Deny SIDs in particular caused a significant overhead in Get-ModifiablePath. The performance gain is substantial.
- The dates in the hotfix list are now displayed in ISO format to avoid confusion.
- Get-HotFixList missed some update packages because the regular expression used to browse the registry was incorrect.
- The builder now removes all the comments, thus lowering the chance of detection by AMSI.
- Incorrect handling of deny-only groups in file ACL checks.
- Issue with Metasploit caused by the presence of a null byte in the output.
- Second attempt at supporting deny-only SIDs when checking DACLs (Get-AclModificationRights).
- DACL checking is now done in a dedicated cmdlet (Get-AclModificationRights) which can currently handle objects of types "File", "Directory" and "Registry Key".
- The Get-ModifiablePath and Get-ModifiableRegistryPath cmdlets now use the generic Get-AclModificationRights cmdlet.
- Deny ACEs are now taken into account when checking DACLs.
- The value of the 'DisableWindowsUpdateAccess' setting is now reported in the WSUS check.
- System PATH parsing improved to ensure we do not check empty paths
- Explicit output types where possible
- Rewrite the Builder and the Loader
- Rename "Write-PrivescCheckAsciiReport" to "Show-PrivescCheckAsciiReport"
- Removed trailing spaces throughout the code (code cleanup)
- Empty catch blocks
- Network > Get-WlanProfileList, a helper function that retrieves the list of saved Wi-Fi profiles through the Windows API
- Network > Convert-WlanXmlProfile, a helper function that converts a WLAN XML profile to a custom PS object
- Network > Invoke-AirstrikeAttackCheck, check whether a workstation would be vulnerable to the Airstrike attack
- Network > Invoke-WlanProfilesCheck, this check now detects potential issues in 802.1x Wi-Fi profiles
- A typo in the Print Nightmare check following the previous code refactoring
- Refactored and improved Config > Invoke-PrintNightmareCheck
- Refactored registry key checks
- Misc > Invoke-UserSessionListCheck
- Config > Invoke-HardenedUNCPathCheck (@mr_mitm, @itm4n)
- Misc > Invoke-DefenderExclusionsCheck
- Config > Invoke-DriverCoInstallersCheck (@SAERXCIT)
- Creds > Invoke-SensitiveHiveShadowCopyCheck (@SAERXCIT)
- Config > Invoke-PrintNightmareCheck
- XML output report format
- Misc > Invoke-NamedPipePermissionsCheck (experimental)
- Network > Invoke-NetworkAdaptersCheck
- Invoke-UserCheck now retrieves more information about the current Token
- User > Invoke-UserRestrictedSidsCheck, for WRITE RESTRICTED tokens
- Group enumeration is now generic
- All privileges are now listed and the check is now rated "INFO"
- Group enumeration is now done using the Windows API
- A "Build" tool to slightly obfuscate the script
- Complete code refactor
- PrivescCheck no longer relies on compiled C# code (back to original PowerUp method)
- Code is now structured and split in "category" files
- LSA Protection and Credential Guard are now separate checks
- Fixed minor bugs
- Services > Invoke-SCMPermissionsCheck
- Scheduled Tasks > Invoke-ScheduledTasksUnquotedPathCheck
- Refactored the report generation feature
- Refactored scheduled tasks check
- A 'RunIfAdmin' mode. Some checks are now run even if the script is executed as an administrator.
- A severity level for each check
- Config > Invoke-SccmCacheFolderVulnCheck
- Additional custom checks can now be added as plugins
- A "silent" mode (only the final vulnerability report is displayed)
- Config > Invoke-SccmCacheFolderCheck
- Some report generation functions (HTML, CSV)
- Apps > Invoke-ApplicationsOnStartupVulnCheck
- Credentials > PowerShell History
- Basic vulnerability report
- Misc > Invoke-EndpointProtectionCheck
- Fixed a false positive: 'C:' resolves to the current directory
- Fixed a false positive: scheduled tasks running as the current user
- Hardening > Invoke-BitlockerCheck
- Refactored Main function
- Helper > Convert-SidToName
- Misc > Invoke-HotfixCheck
- Applications > Invoke-ProgramDataCheck
- DLL Hijacking > Invoke-HijackableDllsCheck
- Applications > Invoke-ScheduledTasksCheck
- Misc > Invoke-UsersHomeFolderCheck
- Programs > Invoke-ApplicationsOnStartupCheck
- Registry > Invoke-WsusConfigCheck
- User > Invoke-UserEnvCheck
- Updated Credentials > Invoke-CredentialFilesCheck
- Handled exception in "Network > Invoke-WlanProfilesCheck" when dealing with servers
- Network > Invoke-WlanProfilesCheck
- Credentials > Invoke-VaultListCheck
- Renamed Credentials > Invoke-CredentialManagerCheck -> Invoke-VaultCredCheck
- Credentials > Invoke-GPPPasswordCheck
- Credentials > Invoke-CredentialManagerCheck
- Fixed a bug in Helper > Get-ModifiablePath (error handling in Split-Path)
- Fixed a bug in User > Invoke-UserGroupsCheck (SIDs matching "S-1-5.*" are no longer translated)
- Helper > Get-UEFIStatus
- Helper > Get-SecureBootStatus
- Helper > Get-CredentialGuardStatus
- Helper > Get-LsaRunAsPPLStatus
- Registry > Invoke-LsaProtectionsCheck
- Helper > Get-UnattendSensitiveData
- Credentials > Invoke-UnattendFilesCheck
- Merged Sensitive Files with Credentials
- Moved "Invoke-PrivescCheck.ps1" from "Pentest-Tools" to a dedicated repo.
- User > Invoke-UserCheck
- User > Invoke-UserGroupsCheck
- User > Invoke-UserPrivilegesCheck
- Services > Invoke-InstalledServicesCheck
- Services > Invoke-ServicesPermissionsCheck
- Services > Invoke-ServicesPermissionsRegistryCheck
- Services > Invoke-ServicesImagePermissionsCheck
- Services > Invoke-ServicesUnquotedPathCheck
- Dll Hijacking > Invoke-DllHijackingCheck
- Sensitive Files > Invoke-SamBackupFilesCheck
- Programs > Invoke-InstalledProgramsCheck
- Programs > Invoke-ModifiableProgramsCheck
- Programs > Invoke-RunningProcessCheck
- Credentials > Invoke-WinlogonCheck
- Credentials > Invoke-CredentialFilesCheck
- Registry > Invoke-UacCheck
- Registry > Invoke-LapsCheck
- Registry > Invoke-PowershellTranscriptionCheck
- Registry > Invoke-RegistryAlwaysInstallElevatedCheck
- Network > Invoke-TcpEndpointsCheck
- Network > Invoke-UdpEndpointsCheck
- Misc > Invoke-WindowsUpdateCheck
- Misc > Invoke-SystemInfoCheck
- Misc > Invoke-LocalAdminGroupCheck
- Misc > Invoke-MachineRoleCheck
- Misc > Invoke-SystemStartupHistoryCheck
- Misc > Invoke-SystemStartupCheck
- Misc > Invoke-SystemDrivesCheck
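The entries above about Get-AclModificationRights, Deny ACEs and deny-only SIDs describe one subtle point of DACL checking: a group carried in the token with the SE_GROUP_USE_FOR_DENY_ONLY attribute (for example BUILTIN\Administrators in a UAC-filtered token) never matches an Allow ACE but still matches a Deny ACE, and ACEs are evaluated in DACL order, so a bit decided by an earlier ACE is not revisited. The following is an added example, not PrivescCheck's own code, showing that evaluation for a file or directory. It reads the token's group SIDs from `whoami.exe` output (whoami marks such groups with "Group used for deny only"), which is an assumption standing in for the Windows API call the project uses; the "modification rights" mask and the function names are this example's choices, and the path in the usage line is just a sample.

```powershell
# Added example (not from the PrivescCheck project): evaluate whether the current
# token can modify a file-system object, honoring Deny ACEs and deny-only SIDs.

function Get-TokenSidSets {
    # Assumption: whoami.exe is available and its CSV output has the columns
    # "User Name","SID" (whoami /user) and "Group Name","Type","SID","Attributes"
    # (whoami /groups). Deny-only groups carry "Group used for deny only".
    $allow    = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $denyOnly = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)

    $userSid = (whoami /user /fo csv | ConvertFrom-Csv).SID
    [void]$allow.Add($userSid)

    foreach ($group in (whoami /groups /fo csv | ConvertFrom-Csv)) {
        if ($group.Attributes -match 'deny only') {
            # Matches Deny ACEs only; must never satisfy an Allow ACE.
            [void]$denyOnly.Add($group.SID)
        }
        elseif ($group.Attributes -match 'Enabled group') {
            [void]$allow.Add($group.SID)
        }
        # Disabled groups take part in neither Allow nor Deny matching.
    }
    [pscustomobject]@{ Allow = $allow; DenyOnly = $denyOnly }
}

function Test-ModifiableByToken {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)]$TokenSids   # output of Get-TokenSidSets
    )
    # Rights that let the caller alter the object or its DACL. The exact set is
    # this example's choice, in the spirit of "modification rights".
    $modifyMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

    $acl = Get-Acl -LiteralPath $Path
    $granted = 0   # bits an Allow ACE granted before any Deny decided them
    $decided = 0   # bits already settled by an earlier ACE (allow or deny)

    # GetAccessRules returns ACEs in DACL order (explicit before inherited in a
    # canonical DACL), which is the order AccessCheck walks them.
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid       = $ace.IdentityReference.Value
        $mask      = [int]$ace.FileSystemRights
        $undecided = $mask -band (-bnot $decided)
        if ($undecided -eq 0) { continue }

        if ($ace.AccessControlType -eq 'Deny') {
            # Deny ACEs match normal groups AND deny-only groups.
            if ($TokenSids.Allow.Contains($sid) -or $TokenSids.DenyOnly.Contains($sid)) {
                $decided = $decided -bor $undecided
            }
        }
        elseif ($TokenSids.Allow.Contains($sid)) {
            # Allow ACEs match normal groups only; a deny-only SID is skipped here.
            $granted = $granted -bor $undecided
            $decided = $decided -bor $undecided
        }
    }

    $effective = $granted -band $modifyMask
    [pscustomobject]@{
        Path       = $Path
        Modifiable = ($effective -ne 0)
        Rights     = [System.Security.AccessControl.FileSystemRights]$effective
    }
}

# Sample usage (the path is only an illustration).
$sids = Get-TokenSidSets
Test-ModifiableByToken -Path 'C:\Windows\Temp' -TokenSids $sids
```

Two caveats a practitioner should keep in mind: the owner's implicit READ_CONTROL and WRITE_DAC rights, restricted SIDs of WRITE RESTRICTED tokens, and mandatory integrity labels are not modeled here, and `whoami /user` reports the primary user SID, so a token with additional restricting SIDs needs the Windows API (GetTokenInformation) rather than this stand-in.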