- Helper function for enumerating all processes and threads.
- Check for process and thread permissions.
- Merge and refactor hive file permission checks (CVE-2021-36934).
- Rename helper function 'Get-ModificationRight' to 'Get-ObjectAccessRight', and make it even more generic so that it can be used to check any access right, not just modification rights (which is still the default).
- The helper function 'Get-ObjectAccessRight' now handles access right checks for the Service Control Manager.
- The cmdlet 'Get-ModifiableService' was replaced by the more generic helper function 'Get-ModificationRight'.
- The helper function 'Convert-NameToSid' embedded within 'Get-ModificationRight' was removed as it is no longer needed.
- The helper function 'Get-ModifiableRegistryPath' was replaced by 'Get-ObjectAccessRight'.
- The helper function 'Test-ServiceDiscretionaryAccessControlList' was replaced by 'Get-ObjectAccessRight'.
- The helper function 'Get-ServiceDiscretionaryAccessControlList' was replaced by 'Get-ObjectAccessRight'.
- The helper function 'Convert-SidStringToSid' is not used and was therefore removed.
- Wrapper function for querying an object's security information in a generic way.
- Implement a generic way of analyzing an object's DACL.
- Refactor file, directory, registry key ACL check.
- Add multithreading to root folder permissions check.
- Update check result output (and include execution time).
- Add check type information to check banner (console output).
- Add a Windows API wrapper ('Get-ServiceStatus') for querying a service's status.
- Replaced use of 'Get-Service' for obtaining a service's current status with the new wrapper cmdlet 'Get-ServiceStatus'.
- Refactor service access and DACL check, and merge Service Control Manager check.
- Improve standard Windows error handling (using a dedicated 'Format-Error' helper function).
- Add a helper function for opening services.
- Add multithreading to application file permissions check.
- Refactor application folder enumeration.
- Support for multithreading.
- Add multithreading to COM class registry path permission check.
- Add multithreading to COM class image file permission check.
- Add multithreading to MSI enumeration.
- Benchmark option to measure the time taken by each check.
- Check for the configuration of the default local administrator account.
- Helper function to obtain information about local user accounts.
- Check "Invoke-StartupApplicationPermissionCheck" refactored to remove duplicate code.
- Helper functions "Get-UnquotedPath" and "Get-ExploitableUnquotedPath" merged and refactored.
- Helper function "Test-IsKnownService" (replaced by "Resolve-CommandLine" + "Test-IsMicrosoftFile").
- Check for name resolution protocol configuration.
- Helper function for collecting information about firewall profiles.
- Check for disabled firewall on each network profile.
- Check for registered AMSI providers.
- The web proxy auto-configuration check was refactored to include WPAD settings.
- New wrapper cmdlets for obtaining (Azure) domain information.
- The "Test-IsDomainJoined" cmdlet was modified so that it now relies on (Azure) domain information, which is more reliable than "NetWkstaGetInfo".
- The wrapper cmdlet for "NetWkstaGetInfo" was removed since it's no longer used.
- The "Server SPN target name validation level" is now reported in the SMB configuration check.
- New wrapper cmdlet for the GetFirmwareType API.
- New helper cmdlet "Get-SystemInformation" for collecting system information.
- The system information check is now enriched with the data returned by the new "Get-SystemInformation" helper function.
- The cmdlet "Get-UEFIStatus" now uses the new "Get-FirmwareType" helper function.
- Check for TPM device information. The aim is to provide the same information as the output of the command 'TpmTool.exe GetDeviceInformation' in the form of a PowerShell object.
- Update BitLocker check to adapt severity and description based on the presence of a TPM (and its type).
- Update Point and Print configuration check to be more accurate.
- Check for 'DisableLUAInRepair' registry value which disables the UAC prompt for Windows Installer repair actions.
- Check for permissions of folders located at the root of a 'fixed' drive.
- Complete refactoring of the helper function Get-ModifiablePath.
- Check for COM servers with a missing module.
- Reintroduce the leaked handle check.
- Handle service image path as a command line to prevent false positives when checking file permissions.
- Check for COM registry permissions.
- Helper function for resolving module paths.
- Check for COM module file permissions.
- Check for COM ghost DLLs.
- Check for user privileges granted through GPOs.
- LAPS check performed only if machine is domain-joined.
- Domain membership tested using the Windows API NetWkstaGetInfo rather than the registry.
- Asset files used when "building" the script can now be cached.
- Check list saved in separate file and embedded in script at build time.
- Improper sorting of NAA credential occurrences resulting in data loss.
- SMB server and client configuration check (SMBv1, signing)
- List Windows Defender Exploit Guard ASR rules.
- Defender exclusions can now be obtained through event logs as well.
- Last startup time using tick count.
- Redundant startup application info check
- Redundant hotfix info check
- Redundant service unquoted path info check
- Check have an addition attribute named "Risky", that allows them to be disabled when there is a high risk of triggering EDR.
- Registry key paths and values are now returned in the output of the Point and Print check.
- Checks now have a "Type" (Base, Extended, Audit, Experimental), rather than multiple boolean flags.
- Rework the README, and provide additional information regarding check types.
- Rework the output of the MSI Custom Actions check to make it more readable.
- Prevent system folders from being returned when obtaining a list of installed applications.
- Check for PowerShell execution policy enforced with GPO.
- Check for SCCM cache folders.
- Check for hard coded credentials in the SCCM cache folders.
- Check for proxy auto config URL (proxy.pac)
- The previous version of the SCCM cache folder check was pretty much useless, so it was removed.
- Check to report whether an AppLocker policy is enforced.
- False negative in WSUS check when Windows Update features are turned off.
- Check for dangerous default file extension associations (e.g. '.bat').
- Windows update history is no longer obtained through the registry. This method was not reliable enough.
- Errors were not properly handled during third-party kernel enumeration.
- Add test ID to output CSV file.
- In the LAPS check, the configuration of both LAPS legacy and LAPSv2 is now enumerated.
- Check for cached MSI files that run potentially unsafe Custom Actions.
- Check for AppLocker rules that can be exploited to execute arbitrary code.
- Removed code analyzer decorators because they are not compatible with PSv2.
- Complete refactor of the Credential Guard check to remove the dependency on the Get-ComputerInfo cmdlet, which is only available in PS > v5.1. Instead, the WMI database is directly queried, in addition to the registry settings.
- Added decorators to suppress warnings on unused variables that define Windows structures.
- The Point and Print check now also reports the "InForest" setting, that can be used as an alternative to "ServerList".
- Another attempt at figuring out the vulnerable (Package) Point and Print configurations...
- Improved readability of application permissions check by expanding the array of file system rights.
- In the HTML report, all cells containing raw output results are now scrollable.
- Fixed result discrepancies caused by NTFS filesystem redirection when running from a 32-bit PowerShell.
- Check for SCCM Network Access Account credentials.
- Updated build script to create a copy of 'PrivescCheck.ps1' at the root of the project.
- Restored PSv2 compatibility regarding severity level enumeration.
- Improved result header.
- Improved BIOS mode + Secure Boot check.
- The modifiable application check now displays a warning when a system folder is detected, rather than searching it recursively.
- All the check descriptions were update to follow a more generic phrasing.
- Updated the style of the ASCII and HTML reports.
- The BitLocker check now returns something only if the configuration is vulnerable.
- Move AD domain helpers to the global Helper file.
- The LAPS check now returns something only if the configuration is vulnerable.
- The UAC check now returns something only if the configuration is vulnerable.
- Results are now sorted by severity in the short report.
- The Credential Guard check now returns something only if the configuration is vulnerable.
- The AlwaysInstallElevated check was refactored.
- The Point and Print config check was refactored.
- The WLAN profile check was refactored.
- The Airstrike attack check was refactored.
- The Driver Co-installer check now returns something only if the configuration is vulnerable.
- The LSA protection check now returns something only if the configuration is vulnerable.
- The BIOS mode check now returns something only if the configuration is vulnerable.
- The user privilege check now returns only exploitable privileges.
- The "compliance" aspect was completely removed.
- Reworked the script output using unicode characters.
- Replaced the categories with main techniques from the Mitre Att&ck framework.
- Removed the check "types" ("info"/"vuln") as this information was redundant with the severity.
- Fixed a false negative that caused Credential Guard to be reported as not being running. This could occur when Windows enabled it by default because the machine meets all the hardware and software requirements.
- Only one hash type is stored for each driver in the LOL drivers database to reduce the size of the final script.
- Fixed an latent issue that could cause module names to overlap in the final script.
- Fixed a regression causing false negatives in
Invoke-ServiceUnquotedPathCheck(see issue #48).
- Add a check for vulnerable drivers based on the list provided by loldrivers.io.
- Restructure the source code.
- Improved enumeration of leaked handles for better compatibility with PSv2.
- Check random module names with a regex to ensure they contain only a-z letters.
- The "build" script now generates random variable names for the modules. To do so, it downloads the word list from the "PyFuscation" project. If it cannot download the list, it falls back to using the filename instead.
- The "PrintNightmare" check was fully renamed as "Point and Print configuration", which is more accurate. The code was also completely refactored. The tests that are implemented for the different variants of the exploit should also be more reliable.
- Two of the registry keys in the Point & Print configuration check were incorrect.
- Updated the BitLocker check to report the startup authentication mode (TPM only, TPM+PIN, etc.).
- A helper function was added to extract the BitLocker status and configuration.
- The DLL "SprintCSP.dll" was added to the list of phantom DLLs that can be hijacked (service "StorSvc").
- For each phantom DLL, a link to the (original?) source describing its discovery and exploitation is now provided.
- A check's compliance result is no longer a Boolean. It is now represented as a String ("True", "False", "N/A").
- In HTML reports, the "Compliance" result is handled similarly to "Severity" levels, using a label.
- Services > Invoke-ThirdPartyDriverCheck, for enumerating third-party drivers.
- Modified the Process access rights enumeration to bypass Cortex AMSI detection (AMSI rule flagging the string "CreateThread" as malicious).
- Changed the configuration of the Vault "cred" and "list" checks to enable them only in "Extended" mode to bypass Cortex behavioral detection.
- Updated the help text of the main Invoke-PrivescCheck cmdlet as suggested in PR #45.
- The WinLogon credential check now ensures that the password values are not empty.
- The info check now shows the correct product name when running on Windows 11.
- Getting the name of a process (based on its PID) could fail when enumerating network endpoints. These errors are now silently ignored.
- Misc > Invoke-ExploitableLeakedHandlesCheck
- Added a cache for user group SIDs and deny SIDs. Deny SIDs in particular caused a significant overhead in Get-ModifiablePath. The performance gain is substantial.
- The dates in the hotfix list are now displayed in ISO format to avoid confusion.
- Get-HotFixList missed some update packages because the regular expression used to browse the registry was incorrect.
- The builder now removes all the comments, thus lowering the chance of detection by AMSI.
- Incorrect handling of deny-only groups in file ACL checks.
- Issue with Metasploit caused by the presence of a null byte in the output.
- Second try to supporting deny-only SIDs when checking DACLs (Get-ModificationRight).
- DACL checking is now done in a dedicated cmdlet (Get-ModificationRight) which can currently handle objects of types "File", "Directory" and "Registry Key".
- The Get-ModifiablePath and Get-ModifiableRegistryPath cmdlets now use the generic Get-ModificationRight cmdlet.
- Deny ACEs are now taken into account when checking DACLs.
- The value of the 'DisableWindowsUpdateAccess' setting is now reported in the WSUS check.
- System PATH parsing improved to ensure we do not check empty paths
- Explicit output types where possible
- Rewrite the Builder and the Loader
- Rename "Write-PrivescCheckAsciiReport" to "Show-PrivescCheckAsciiReport"
- Trailing spaces in the entire code (code cleanup)
- Empty catch blocks
- Network > Get-WlanProfileList, a helper function that retrieves the list of saved Wi-Fi profiles through the Windows API
- Network > Convert-WlanXmlProfile, a helper function that converts a WLAN XML profile to a custom PS object
- Network > Invoke-AirstrikeAttackCheck, check whether a workstation would be vulnerable to the Airstrike attack
- Network > Invoke-WlanProfileCheck, this check now detects potential issues in 802.1x Wi-Fi profiles
- A typo in the Print Nightmare check following the previous code refactoring
- Refactored and improved Config > Invoke-PrintNightmareCheck
- Refactored registry key checks
- Misc > Invoke-UserSessionCheck
- Config > Invoke-HardenedUNCPathCheck (@mr_mitm, @itm4n)
- Misc > Invoke-DefenderExclusionCheck
- Config > Invoke-DriverCoInstallerCheck (@SAERXCIT)
- Creds > Invoke-HiveFileShadowCopyPermissionCheck (@SAERXCIT)
- Config > Invoke-PrintNightmareCheck
- XML output report format
- Misc > Invoke-NamedPipePermissionCheck (experimental)
- Network > Invoke-NetworkAdapterCheck
- Invoke-UserCheck now retrieves more information about the current Token
- User > Invoke-UserRestrictedSidCheck in case of WRITE RESTRICTED Tokens
- Group enumeration is now generic
- All privileges are now listed and the check is now considered "INFO"
- Group enumeration is now done using the Windows API
- A "Build" tool to slightly obfuscate the script
- Complete code refactor
- PrivescCheck no longer relies on compiled C# code (back to original PowerUp method)
- Code is now structured and split in "category" files
- LSA Protection and Credential Guard are now separate checks
- Fixed minor bugs
- Services > Invoke-ServiceControlManagerPermissionCheck
- Scheduled Tasks > Invoke-ScheduledTaskUnquotedPathCheck
- Refactored the report generation feature
- Refactored scheduled tasks check
- A 'RunIfAdmin' mode. Some checks are now run even if the script is executed as an administrator.
- A severity level for each check
- Config > Invoke-SccmCacheFolderVulnCheck
- Additional custom checks can now be added as plugins
- A "silent" mode (only the final vulnerability report is displayed)
- Config > Invoke-SccmCacheFolderCheck
- Some report generation functions (HTML, CSV)
- Apps > Invoke-ApplicationsOnStartupVulnCheck
- Credentials > PowerShell History
- basic vulnerability report
- Misc > Invoke-EndpointProtectionCheck
- Fixed a false positive: 'C:' resolves to the current directory
- Fixed a false positive: scheduled tasks running as the current user
- Hardening > Invoke-BitLockerCheck
- Refactored Main function
- Helper > Convert-SidToName
- Misc > Invoke-HotfixCheck
- Applications > Invoke-ProgramDataPermissionCheck
- DLL Hijacking > Invoke-HijackableDllCheck
- Applications > Invoke-ScheduledTasksCheck
- Misc > Invoke-UserHomeFolderCheck
- Programs > Invoke-StartupApplicationPermissionCheck
- Registry > Invoke-WsusConfigurationCheck
- User > Invoke-UserEnvironmentCheck
- Updated Credentials > Invoke-CredentialFileCheck
- Handled exception in "Network > Invoke-WlanProfileCheck" when dealing with servers
- Network > Invoke-WlanProfileCheck
- Credentials > Invoke-VaultListCredentialCheck
- Renamed Credentials > Invoke-CredentialManagerCheck -> Invoke-VaultCredentialCheck
- Credentials > Invoke-GPPCredentialCheck
- Credentials > Invoke-CredentialManagerCheck
- Fixed bug Helper > Get-ModifiablePath (error handling in Split-Path)
- Fixed bug User > Invoke-UserGroupCheck (don't translate SIDs like "S-1-5.*")
- Helper > Get-UEFIStatus
- Helper > Get-SecureBootStatus
- Helper > Get-CredentialGuardStatus
- Helper > Get-LsaRunAsPPLStatus
- Registry > Invoke-LsaProtectionsCheck
- Helper > Get-UnattendSensitiveData
- Credentials > Invoke-UnattendFileCredentialCheck
- Merged Sensitive Files with Credentials
- Moved "Invoke-PrivescCheck.ps1" from "Pentest-Tools" to a dedicated repo.
- User > Invoke-UserCheck
- User > Invoke-UserGroupCheck
- User > Invoke-UserPrivilegeCheck
- Services > Invoke-InstalledServiceCheck
- Services > Invoke-ServicePermissionCheck
- Services > Invoke-ServiceRegistryPermissionCheck
- Services > Invoke-ServiceImagePermissionCheck
- Services > Invoke-ServiceUnquotedPathCheck
- Dll Hijacking > Invoke-DllHijackingCheck
- Sensitive Files > Invoke-SamBackupFilesCheck
- Programs > Invoke-InstalledApplicationCheck
- Programs > Invoke-InstalledApplicationPermissionCheck
- Programs > Invoke-RunningProcessCheck
- Credentials > Invoke-WinLogonCredentialCheck
- Credentials > Invoke-CredentialFileCheck
- Registry > Invoke-UserAccountControlCheck
- Registry > Invoke-LapsCheck
- Registry > Invoke-PowershellTranscriptionCheck
- Registry > Invoke-RegistryAlwaysInstallElevatedCheck
- Network > Invoke-TcpEndpointCheck
- Network > Invoke-UdpEndpointCheck
- Misc > Invoke-WindowsUpdateCheck
- Misc > Invoke-SystemInformationCheck
- Misc > Invoke-LocalAdminGroupCheck
- Misc > Invoke-MachineRoleCheck
- Misc > Invoke-SystemStartupHistoryCheck
- Misc > Invoke-SystemStartupCheck
- Misc > Invoke-SystemDriveCheck