5.2 - Tools

The more common tools that help with this part of the process are listed below. Each one enumerates local privilege-escalation primitives (weak service configurations, writable paths, credentials and similar) on the host you already have a foothold on:

More details (not specific to AD) are covered on the Windows Privilege Escalation page.

PowerShell

PowerUp

Load PowerUp.ps1 into the session first (dot-source it or Import-Module it), then:

  • Get services with unquoted binary paths that also contain a space in the path (the Service Control Manager tries each space-delimited prefix as an executable before the real one)

    Get-ServiceUnquoted -Verbose
  • Get services where the current user can write to the service binary, or to a file or argument the binary loads

    Get-ModifiableServiceFile -Verbose
  • Get services whose configuration (binary path, account, start type) the current user is allowed to modify

    Get-ModifiableService -Verbose
  • Run all PrivEsc checks (includes the three above plus registry, token, DLL-hijack and credential checks)

    Invoke-AllChecks
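The two service checks above are easy to verify by hand when PowerUp is not available or is being flagged by AV. The following is an added example, not code from the original page or from PowerUp: a native PowerShell re-implementation of the unquoted-path and modifiable-binary checks. The function names (Test-PathWritable, Get-UnquotedServicePath, Get-ModifiableServiceBinary) are my own; it only uses built-in cmdlets and .NET classes.

```powershell
# Added example, not PowerUp's own code. Run from a normal (non-elevated) PowerShell prompt.

function Test-PathWritable {
    param([Parameter(Mandatory)][string]$Path)
    # Approximation: look for Allow ACEs that grant a write-type right to any SID in the
    # current token (user SID plus group SIDs). Deny ACEs are not evaluated, so treat
    # $true as "worth verifying", not as proof.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $acl  = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    # FILE_WRITE_DATA | FILE_APPEND_DATA | GENERIC_WRITE | GENERIC_ALL
    # (FullControl and Modify both contain the FILE_WRITE_DATA bit, so they match too)
    $writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if (($sids -contains $sid) -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    # Services whose ImagePath is unquoted and has a space before the .exe token.
    # For C:\Program Files\My App\svc.exe the SCM tries C:\Program.exe, then
    # C:\Program Files\My.exe, before the real binary: each prefix is a hijack
    # candidate, and the interesting ones sit in a directory the user can write to.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $p = $_.PathName
        if (-not $p -or $p -match '^\s*"' -or $p -notmatch '^[^"]*\s[^"]*\.exe') { return }
        $exe   = ($p -replace '(\.exe).*$', '$1').Trim()   # drop trailing arguments
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            [pscustomobject]@{
                Service     = $_.Name
                RunAs       = $_.StartName
                StartMode   = $_.StartMode
                PathName    = $p
                Candidate   = $candidate
                DirWritable = Test-PathWritable -Path (Split-Path -Path $candidate -Parent)
            }
        }
    }
}

function Get-ModifiableServiceBinary {
    # Services whose real binary the current user can overwrite: replace it and the
    # service runs your code under its account at the next start.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $p = $_.PathName
        if (-not $p) { return }
        # Quoted path: take the text inside the first pair of quotes; unquoted: up to .exe
        $exe = if ($p -match '^\s*"([^"]+)"') { $Matches[1] } else { ($p -replace '(\.exe).*$', '$1').Trim() }
        if (Test-PathWritable -Path $exe) {
            [pscustomobject]@{ Service = $_.Name; RunAs = $_.StartName; StartMode = $_.StartMode; Binary = $exe }
        }
    }
}

# Usage: hijackable prefixes first, then directly writable binaries
Get-UnquotedServicePath | Where-Object DirWritable | Format-Table -AutoSize
Get-ModifiableServiceBinary | Format-Table -AutoSize
```

A hit in either list is only useful if the service runs as a privileged account (RunAs of LocalSystem or a domain account) and you can get it restarted: an Auto start mode plus a reboot, or SERVICE_START/SERVICE_STOP rights on the service, which is the extra check Invoke-AllChecks performs before it reports a finding as abusable.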

PrivescCheck

  • Run all PrivEsc checks (after dot-sourcing PrivescCheck.ps1)

    Invoke-PrivescCheck

winPEAS

  • Run all PrivEsc checks (standalone .NET binary, no PowerShell needed; use winPEASx86.exe on 32-bit hosts)

    winPEASx64.exe
