Reintroduce check for leaked handles
itm4n committed Jun 25, 2024
1 parent 3ebfebd commit 6dba618
Showing 4 changed files with 151 additions and 132 deletions.
4 changes: 2 additions & 2 deletions build/Checks.csv
@@ -66,6 +66,7 @@
"NET_AIRSTRIKE", "Invoke-AirstrikeAttackCheck", "TA0001 - Initial Access", "Network selection from lock screen", "Low", "List", "Extended", "True", "False", "Check whether the 'Do not display network selection UI' policy is enabled on workstations (CVE-2021-28316 - Airstrike attack)."
"UPDATE_HISTORY", "Invoke-WindowsUpdateCheck", "TA0004 - Privilege Escalation", "Last Windows Update date", "None", "Table", "Extended", "True", "False", "Get information about the latest Windows update. Note that this check might be unreliable."
"UPDATE_HOTFIX", "Invoke-HotFixCheck", "TA0004 - Privilege Escalation", "Latest updates installed", "Medium", "Table", "Base", "True", "False", "Check whether a Windows security update was installed within the last 31 days."
"MISC_LEAKED_HANDLES", "Invoke-ExploitableLeakedHandleCheck", "TA0004 - Privilege Escalation", "Exploitable leaked handles", "Medium", "List", "Extended", "False", "False", "Check whether the current user has access to a process that contains a leaked handle to a privileged process, thread, or file object."
"MISC_MSI_CUSTOM_ACTIONS", "Invoke-MsiCustomActionsCheck", "TA0004 - Privilege Escalation", "MSI unsafe Custom Actions", "None", "List", "Extended", "True", "False", "Get information about cached MSI files that execute potentially unsafe Custom Actions. Note that a manual analysis is required to determine if the returned MSI files are actually vulnerable."
"MISC_AVEDR", "Invoke-EndpointProtectionCheck", "TA0005 - Defense Evasion", "Endpoint protection software", "None", "Table", "Extended", "True", "False", "Get information about the installed security products (AV, EDR). Note that this check follows a keyword-based approach and thus might not be completely reliable."
"MISC_SYSINFO", "Invoke-SystemInfoCheck", "TA0043 - Reconnaissance", "Windows version", "None", "Table", "Extended", "True", "False", "Get information about the Windows version. Note that this information might be useful if the update history cannot be obtained."
@@ -75,5 +76,4 @@
"MISC_MACHINE_ROLE", "Invoke-MachineRoleCheck", "TA0043 - Reconnaissance", "Machine role", "None", "Table", "Extended", "True", "False", "Get information about the machine's role. Is it a Workstation, a Server, or a Domain Controller."
"MISC_STARTUP_EVENTS", "Invoke-SystemStartupHistoryCheck", "TA0004 - Privilege Escalation", "System startup history", "None", "Table", "Extended", "True", "False", "Get information about the startup history. Note that this information might be useful if the exploitation of a service requires a reboot but the current user does not have the privileges to shut down the system."
"MISC_DRIVES", "Invoke-SystemDrivesCheck", "TA0043 - Reconnaissance", "Filesystem drives", "None", "Table", "Extended", "True", "False", "Get information about the partitions, removable storages, and mapped network shares."
"MISC_NAMED_PIPES", "Invoke-NamedPipePermissionsCheck", "TA0004 - Privilege Escalation", "Named pipe permissions", "None", "List", "Experimental", "False", "False", "Check whether the current user has any write permissions on other users' named pipes."
"MISC_LEAKED_HANDLES", "Invoke-ExploitableLeakedHandlesCheck", "TA0004 - Privilege Escalation", "Exploitable leaked handles", "None", "List", "Experimental", "False", "False", "Check whether the current user has access to a process that contains a leaked handle to a privileged object such as a process, thread or file."
"MISC_NAMED_PIPES", "Invoke-NamedPipePermissionsCheck", "TA0004 - Privilege Escalation", "Named pipe permissions", "None", "List", "Experimental", "False", "False", "Check whether the current user has any write permissions on other users' named pipes."
4 changes: 4 additions & 0 deletions info/CHANGELOG.md
@@ -6,6 +6,10 @@

- Check for COM servers with a missing module.

### Changed

- Reintroduce the leaked handle check.

## 2024-06-24

### Added
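Review bot: the "Changed" entry reads only "Reintroduce the leaked handle check", but the Checks.csv hunks show more than a reintroduction: the check moves from the Experimental set to Extended, its severity goes from None to Medium, and the command is renamed from Invoke-ExploitableLeakedHandlesCheck to Invoke-ExploitableLeakedHandleCheck. Users who run the Extended set or filter on severity will see new findings after this commit, so spell those three changes out in the changelog line rather than leaving them implicit.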