AI Summary: PrivescCheck is a PowerShell script designed for identifying common Windows vulnerabilities and configuration issues outside the scope of public security standards, facilitating exploitation and post-exploitation tasks. It allows users to run various checks—including basic, extended, and audit checks—generate human-readable reports in multiple formats (TXT, HTML, CSV, XML), and includes options for silent execution and risky checks, making it suitable for penetration testing, research, and auditing purposes. Notably, the tool performs context-aware access control checks to provide accurate findings based on the current user’s privileges.

README

PrivescCheck

Quickly identify common Windows vulnerabilities and configuration issues that are not necessarily covered by public security standards, and collect useful information for exploitation and post-exploitation tasks.

[!IMPORTANT] A major aspect to be aware of when using this tool is that all access control checks are done in the context of the current user. Therefore, if it is run with administrator privileges, a lot of vulnerability checks are actually skipped to avoid generating incorrect findings.

:rocket: Quick Start

Download the script here: PrivescCheck.ps1

[!TIP] The link above can also be used directly in a PowerShell terminal with (New-Object Net.WebClient).DownloadString(...).

Use Case 1 (Pentest): Run Basic Checks Only

Is there an obvious way to escalate privileges locally?

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

Use Case 2 (Research): Run Extended Checks + Write Human-Readable Reports

Is there additional information that can be leveraged for post-exploitation or for finding vulnerabilities in third-party software?

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML"

Use Case 3 (Audit): Run All Checks + Write All Reports

Are there configuration issues that are not covered by common security standards?

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Audit -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML,CSV,XML"

:open_book: Detailed Usage

Invoke-PrivescCheck [-Extended] [-Audit] [-Experimental] [-Report <PREFIX>]
    [-Format <FORMAT>[,...]] [-Risky] [-Silent] [-Force]

    -Extended
        Include all "extended" checks in the scan (see README).

    -Audit
        Include all "audit" checks in the scan.

    -Experimental
        Include all "experimental" checks in the scan. Use only if you know
        what you are doing.

    -Report <PREFIX>
        Generate at least one report file. The output filename will be
        "PREFIX.txt" by default. The extension is automatically appended
        based on the report format (see "-Format <FORMAT>[,...]").

    -Format <FORMAT>[,...]
        Specify the format of the output report file(s). If not set, the
        default value is "TXT". Supported formats are: "TXT", "HTML", "CSV",
        and "XML".

    -Risky
        Include checks marked as "risky", i.e. checks that are likely to
        trigger a blocking action by an endpoint protection solution. Use with
        caution.

    -Silent
        Suppress terminal output. This can be useful if you want to run the
        script as part of a batch file, in a scheduled task for instance.

    -Force
        Force execution and ignore warnings. Typically, the script stops if
        it is executed with administrator privileges. Use this option to
        execute it anyway.

Report Format > TXT (-Format TXT)

Use the option -Report <PREFIX> (with -Format TXT) to specify that you want to generate a raw text report. The output is similar to what you would see in the terminal, except that it contains only ASCII characters for better (retro-)compatibility will all text editors.

Report Format > HTML (-Format HTML)

Use the option -Report <PREFIX> with -Format HTML to specify that you want to generate an HTML report. The output file can be opened in a web browser. It is more convenient for visualizing the data than the raw text report. Additionally, it offers sorting and filtering capabilities!

Report Format > CSV (-Format CSV) & XML (-Format XML)

Use the option -Report <PREFIX> with -Format CSV or -Format XML to specify that you want to generate a CSV or XML report. The output file is intended to facilitate the parsing of the results by automated reporting tools.

[!NOTE] Although the output format is not documented (yet), you can easily figure it out by analyzing the structure of an already generated file. You can use the Id value of each check to uniquely identify them.

Check Type > Base

Checks of type Base will always be executed, unless the script is run as an administrator. They are mainly intended for identifying privilege escalation vulnerabilities, or other important issues.

Check Type > Extended (-Extended)

Checks of type Extended can only be executed if the option -Extended is specified on the command line. They are mainly intended for providing additional information that could be useful for exploit development, or post-exploitation.

Check Type > Audit (-Audit)

Checks of type Audit can only be executed if the option -Audit is specified on the command line. They are mainly intended for providing information that is relevant in the context of a configuration audit.

:bulb: Tips & Tricks

PowerShell Execution Policy

By default, the PowerShell execution policy is set to Restricted on clients, and RemoteSigned on servers, when a new powershell.exe process is started. These policies block the execution of (unsigned) scripts, but they can be overridden within the current scope as follows.

Set-ExecutionPolicy Bypass -Scope Process -Force
. .\PrivescCheck.ps1

However, this trick does not work when the execution policy is enforced through a GPO. In this case, after starting a new PowerShell session, you can load the script as follows.

Get-Content .\PrivescCheck.ps1 | Out-String | Invoke-Expression

PowerShell Version 2

A common way to bypass Constrained Language Mode consists in using PSv2 as it does not implement this protection. Therefore, a significant part of the development effort goes into maintaining this retro-compatibility.

[!NOTE] Although PowerShell version 2 is still enabled by default on recent versions of Windows (PowerShell 2.0 removal from Windows), it cannot run without the .Net framework version 2.0, which requires a manual install.

Metasploit timeout

If you run this script within a Meterpreter session, you will likely get a “timeout” error. This is because Metasploit uses a default timeout value of 15 seconds, which is not enough for a typical execution of the script to complete.

meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_import /local/path/to/PrivescCheck.ps1
[+] File successfully imported. No result was returned.
meterpreter > powershell_execute "Invoke-PrivescCheck"
[-] Error running command powershell_execute: Rex::TimeoutError Operation timed out.

It is possible to set a different timeout thanks to the -t option of the sessions command (documentation). In the following example, a timeout of 2 minutes is set for the session with ID 1, but you might want to set an even higher value.

msf6 exploit(multi/handler) > sessions -t 120 -i 1
[*] Starting interaction with 1...
meterpreter > powershell_execute "Invoke-PrivescCheck"

:bookmark_tabs: Credits

• Word list - CBHue/PyFuscation
• Vulnerable driver list - https://www.loldrivers.io/api/drivers.csv