{"id":13599733,"url":"https://github.com/itm4n/PrivescCheck","last_synced_at":"2025-04-10T17:32:06.122Z","repository":{"id":38023568,"uuid":"234315083","full_name":"itm4n/PrivescCheck","owner":"itm4n","description":"Privilege Escalation Enumeration Script for Windows","archived":false,"fork":false,"pushed_at":"2024-10-29T14:55:09.000Z","size":5746,"stargazers_count":2948,"open_issues_count":0,"forks_count":426,"subscribers_count":80,"default_branch":"master","last_synced_at":"2024-10-29T15:35:18.249Z","etag":null,"topics":["pentest-tool","pentesting","privilege-escalation","windows","windows-privilege-escalation"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/itm4n.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-01-16T12:28:10.000Z","updated_at":"2024-10-29T14:55:13.000Z","dependencies_parsed_at":"2023-02-16T01:30:41.124Z","dependency_job_id":"4c1b2656-6044-4efe-b78c-965ecd4c6c0a","html_url":"https://github.com/itm4n/PrivescCheck","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itm4n%2FPrivescCheck","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itm4n%2FPrivescCheck/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itm4n%2FPrivescCheck/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itm4n%2FPrivescCheck/manifests","owner_url":"https://rep
os.ecosyste.ms/api/v1/hosts/GitHub/owners/itm4n","download_url":"https://codeload.github.com/itm4n/PrivescCheck/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248243488,"owners_count":21071054,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["pentest-tool","pentesting","privilege-escalation","windows","windows-privilege-escalation"],"created_at":"2024-08-01T17:01:10.247Z","updated_at":"2025-04-10T17:32:06.085Z","avatar_url":"https://github.com/itm4n.png","language":"PowerShell","readme":"# PrivescCheck\n\nThis script aims to identify __Local Privilege Escalation__ (LPE) vulnerabilities that are usually due to Windows configuration issues, or bad practices. It can also gather useful information for some exploitation and post-exploitation tasks.\n\n## Getting started\n\nAfter downloading the [script](https://raw.githubusercontent.com/itm4n/PrivescCheck/master/PrivescCheck.ps1) and copying it onto the target Windows machine, run it using one of the commands below.\n\n\u003e [!NOTE]\n\u003e You __don't__ need to clone the entire repository. 
The file `PrivescCheck.ps1` is a standalone PowerShell script that contains all the code required by `PrivescCheck` to run.\n\n\u003e [!IMPORTANT]\n\u003e In the commands below, the first `.` (dot) is used for \"dot sourcing\" the script, so that the functions and cmdlets can be used in the __current scope__ (see PowerShell [dot sourcing feature](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_scripts#script-scope-and-dot-sourcing)).\n\n### Basic checks only\n\nQuickly identify important issues, such as local privilege escalation vulnerabilities.\n\n```bat\npowershell -ep bypass -c \". .\\PrivescCheck.ps1; Invoke-PrivescCheck\"\n```\n\n### Extended checks + human-readable reports\n\nIdentify important issues, but also gather additional information, and save the results to report files that are easy to read.\n\n```bat\npowershell -ep bypass -c \". .\\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML\"\n```\n\n### All checks + all reports\n\nPerform extended and audit checks, and save the results to human-readable reports, but also machine-readable files, which can later be parsed for automated report generation.\n\n```bat\npowershell -ep bypass -c \". .\\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Audit -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML,CSV,XML\"\n```\n\n## Check types\n\nAll the checks implemented in PrivescCheck have a __Type__. This value, and the flags specified on the command line, will determine if they are run, or not.\n\n### Base\n\nChecks of type `Base` will always be executed, unless the script is run as an administrator. They are mainly intended for identifying privilege escalation vulnerabilities, or other important issues.\n\n### Extended\n\nChecks of type `Extended` can only be executed if the option `-Extended` is specified on the command line. 
They are mainly intended for providing additional information that could be useful for exploit development, or post-exploitation.\n\n### Audit\n\nChecks of type `Audit` can only be executed if the option `-Audit` is specified on the command line. They are mainly intended for providing information that is relevant in the context of a configuration audit.\n\n### Experimental\n\nChecks of type `Experimental` can only be executed if the option `-Experimental` is specified on the command line. These are unstable checks that need further work. Use them with caution.\n\n## Tips and tricks\n\n### PowerShell execution policy\n\nBy default, the PowerShell [execution policy](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies) is set to `Restricted` on clients, and `RemoteSigned` on servers, when a new `powershell.exe` process is started. These policies block the execution of (unsigned) scripts, but they can be overridden within the current scope as follows.\n\n```powershell\nSet-ExecutionPolicy Bypass -Scope Process -Force\n. .\\PrivescCheck.ps1\n```\n\nHowever, this trick does not work when the execution policy is enforced through a GPO. In this case, after starting a new PowerShell session, you can load the script as follows.\n\n```powershell\nGet-Content .\\PrivescCheck.ps1 | Out-String | Invoke-Expression\n```\n\n### PowerShell version 2\n\nA common way to bypass [Constrained Language Mode](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/) consists of starting PowerShell __version 2__, as it does not implement this protection. 
Therefore, a significant part of the development effort goes into maintaining this compatibility.\n\n\u003e [!NOTE]\n\u003e Although PowerShell version 2 is still enabled by default on recent versions of Windows, it cannot run without the .Net framework version 2.0, which requires a manual install.\n\n## Known issues\n\n### Metasploit timeout\n\nIf you run this script within a Meterpreter session, you will likely get a \"timeout\" error. Metasploit has a \"response timeout\" value, which is set to 15 seconds by default, but this script takes a lot more time to run in most environments.\n\n```console\nmeterpreter \u003e load powershell\nLoading extension powershell...Success.\nmeterpreter \u003e powershell_import /local/path/to/PrivescCheck.ps1\n[+] File successfully imported. No result was returned.\nmeterpreter \u003e powershell_execute \"Invoke-PrivescCheck\"\n[-] Error running command powershell_execute: Rex::TimeoutError Operation timed out.\n```\n\nIt is possible to set a different value thanks to the `-t` option of the `sessions` command ([documentation](https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/)). In the following example, a timeout of 2 minutes is set for the session with ID `1`.\n\n```console\nmsf6 exploit(multi/handler) \u003e sessions -t 120 -i 1\n[*] Starting interaction with 1...\nmeterpreter \u003e powershell_execute \"Invoke-PrivescCheck\"\n```\n","funding_links":[],"categories":["PowerShell","PowerShell (153)","Red Team","Operating Systems","Windows"],"sub_categories":["Privilege Escalation","Windows","Tools"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fitm4n%2FPrivescCheck","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fitm4n%2FPrivescCheck","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fitm4n%2FPrivescCheck/lists"}