/PrivescCheck

Privilege Escalation Enumeration Script for Windows

Primary LanguagePowerShellBSD 3-Clause "New" or "Revised" LicenseBSD-3-Clause

PrivescCheck

This script aims to enumerate common Windows configuration issues that can be leveraged for local privilege escalation. It also gathers various information that might be useful for exploitation and/or post-exploitation.

You can find more information about PrivescCheck here.

Use from a command prompt

Usage #1: Basic usage

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

Usage #2: Extended mode

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended"

Usage #3: Extended mode + Write a report file (default format is raw text)

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_%COMPUTERNAME%"

Usage #4: Extended mode + Write report files in other formats

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_%COMPUTERNAME% -Format TXT,CSV,HTML,XML"

Use from a PowerShell prompt

1. Load the script as a module

Case #1: Execution policy is already set to Bypass, so simply load the script.

. .\PrivescCheck.ps1

Case #2: Default execution policy is set, so set it to Bypass for the current PowerShell process and load the script.

Set-ExecutionPolicy Bypass -Scope process -Force
. .\PrivescCheck.ps1

Case #3: Execution policy is locked down, so get the file's content and pipe it to Invoke-Expression.

Get-Content .\PrivescCheck.ps1 | Out-String | IEX

2. Run the script

Then, use the Invoke-PrivescCheck cmdlet.

Usage #1: Basic usage

Invoke-PrivescCheck

Usage #2: Extended mode

Invoke-PrivescCheck -Extended

Usage #3: Extended mode + Write a report file (default format is raw text)

Invoke-PrivescCheck -Extended -Report "PrivescCheck_$($env:COMPUTERNAME)"

Usage #4: Extended mode + Write report files in other formats

Invoke-PrivescCheck -Extended -Report "PrivescCheck_$($env:COMPUTERNAME)" -Format TXT,CSV,HTML,XML

Known issues

Metasploit timeout

If you run this script within a Meterpreter session, you will likely get a "timeout" error. Metasploit has a "response timeout" value, which is set to 15 seconds by default, but this script takes a lot more time to run in most environments.

meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_import /local/path/to/PrivescCheck.ps1
[+] File successfully imported. No result was returned.
meterpreter > powershell_execute "Invoke-PrivescCheck"
[-] Error running command powershell_execute: Rex::TimeoutError Operation timed out.

It is possible to set a different value thanks to the -t option of the sessions command (documentation). In the following example, a timeout of 2 minutes is set for the session with ID 1.

msf6 exploit(multi/handler) > sessions -t 120 -i 1
[*] Starting interaction with 1...
meterpreter > powershell_execute "Invoke-PrivescCheck"