windows-privesc-check

Standalone executable to check for simple privilege escalation vectors.

It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).

It is written in Python and converted to an executable using PyInstaller so it can be easily uploaded and run (as opposed to unzipping Python + other dependencies). It can run either as a normal user or as Administrator (obviously it does a better job when running as Administrator because it can read more files).

When run with admin rights, windows-privesc-check has full read access to all securable objects. This allows it to perform audits for escalation vectors.
A great many of the privilege escalation vectors checked are simply checks for weak security descriptors on Windows securable objects.
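
The kind of weak-security-descriptor check described above, as an added example (not code from windows-privesc-check itself). It parses the DACL of an SDDL string and reports allow ACEs that give low-privileged trustees control rights; the function names, the trustee list and the sample descriptors are assumptions made for this illustration.

```python
import re

# Low-privileged trustees, as SDDL aliases and as raw SIDs.
LOW_PRIV = {"WD": "Everyone", "S-1-1-0": "Everyone",
            "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
            "BU": "Users", "S-1-5-32-545": "Users",
            "IU": "Interactive", "S-1-5-4": "Interactive"}
# Rights that are risky on any securable object type. In the rights field
# "WD" is WRITE_DAC; in the trustee field the same letters mean Everyone.
CONTROL = {"GA": 0x10000000, "GW": 0x40000000, "WD": 0x00040000, "WO": 0x00080000}
# Object-specific addition for services: DC is SERVICE_CHANGE_CONFIG.
SERVICE = {"DC": 0x0002}

def codes(field):
    """Split a run of two-letter SDDL codes ("CIIO" -> ["CI", "IO"])."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def weak_aces(sddl, extra=None):
    """Return [(trustee, [risky rights])] for allow ACEs held by low-privileged trustees."""
    risky = {**CONTROL, **(extra or {})}
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)  # stops before the SACL ("S:")
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        f = ace.split(";")
        if len(f) < 6 or f[0] != "A" or f[5] not in LOW_PRIV:
            continue
        if "IO" in codes(f[1]):  # inherit-only: does not apply to this object
            continue
        if f[2].lower().startswith("0x"):  # rights given as a hex access mask
            mask = int(f[2], 16)
            granted = [c for c, bit in risky.items() if mask & bit]
        else:
            granted = [c for c in codes(f[2]) if c in risky]
        if granted:
            findings.append((LOW_PRIV[f[5]], granted))
    return findings

# Constructed sample descriptors (not taken from a real host).
TYPICAL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
           "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK = ("O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)"
        "(A;CIIO;GA;;;BU)(A;;0x000f01ff;;;S-1-1-0)")

if __name__ == "__main__":
    for name, sddl in (("TYPICAL", TYPICAL), ("WEAK", WEAK)):
        print(name, weak_aces(sddl, SERVICE))
```

The flags field is split into two-letter codes before testing for inherit-only, because a plain substring test would also match "IO" inside "CIOI".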

An important design goal is that windows-privesc-check can perform as many of the above checks as possible without admin rights. This will make the tool useful to pentesters as well as auditors. Clearly, low-privileged users are unable to see certain parts of the registry and file system. The tool is therefore inherently less able to identify security weaknesses when run as a low-privileged user.

Windows-privesc-check can simply dump raw data that it would normally use to identify security weaknesses. This data can then be analysed some other way - or simply stored as a snapshot of system security at the time of the audit.

Given low-privileged credentials (or perhaps using anonymous access), windows-privesc-check should provide basic information which might help the user compromise the remote system.