
PrivescCheck

PrivescCheck is a single-file PowerShell script that enumerates common local privilege escalation paths and configuration weaknesses on a Windows host. It bundles checks for unquoted service paths, weak service / scheduled task / file ACLs, writable PATH entries, AlwaysInstallElevated, credential material in the registry / unattend files / user dirs, vulnerable driver presence (loldrivers.io), UAC and LSA settings, hardening misconfigurations, and a long list of post-exploitation tidbits. Output goes to stdout and optionally to TXT / HTML / CSV / XML report files.

Run as a standard user

Every access-control check (service, scheduled-task, file and registry ACLs, writable PATH entries, and so on) is evaluated against the token of the user running the script, so the results are only meaningful from a non-elevated shell. If you launch it as administrator, most vulnerability checks are skipped to avoid false positives (almost everything is writable to an admin). Use -Force only if you knowingly want to enumerate the host as admin, typically for the -Audit use case below.

Usage

Drop PrivescCheck.ps1 on the host and dot-source it. The three common invocations:

```powershell
# 1. Pentest: quick "is there an obvious LPE here?" pass
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

# 2. Research / post-ex: extended checks + readable report
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML"

# 3. Config audit: every check, every report format
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Audit -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML,CSV,XML"
```

Useful flags:

  • -Extended: extra post-exploitation / recon checks (installed software, network info, etc.).
  • -Audit: configuration-hardening checks that go beyond pure LPE.
  • -Experimental: opt-in unstable checks.
  • -Risky: include checks likely to trip EDR. Skip on engagements with active monitoring.
  • -Silent: no terminal output, write the report only. Handy when running through a beacon, scheduled task, or Meterpreter session.
  • -Format TXT,HTML,CSV,XML: pick any combination. HTML is the most useful for triage (sortable, filterable); CSV / XML feed automated report tooling.
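As an added example (not PrivescCheck's own code), here is a wrapper that enforces the standard-user rule from the section above before running a silent, report-only pass with the flags listed here. The function names `Test-IsElevated` and `Start-PrivescCheckRun`, the timestamped report name and the default format set are this example's own choices; it assumes PrivescCheck.ps1 has already been dot-sourced into the session.

```powershell
# Added example, not part of PrivescCheck. Assumes PrivescCheck.ps1 has
# already been dot-sourced into this session. Function names, the report
# naming scheme and the default flag set are this example's own choices.

function Test-IsElevated {
    # True only for a full administrator token (UAC-elevated, or UAC off).
    # IsInRole ignores deny-only SIDs, so a local admin in a UAC-filtered,
    # medium-integrity shell gets False, which is the token PrivescCheck
    # wants its ACL checks evaluated against.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-PrivescCheckRun {
    param(
        [string] $ReportDir = $PWD.Path,
        [switch] $Extended,   # extra post-ex / recon checks
        [switch] $Audit,      # hardening checks beyond pure LPE
        [switch] $Risky,      # leave off when EDR is watching
        [switch] $Force       # required when the shell is elevated
    )

    if (-not (Get-Command -Name Invoke-PrivescCheck -ErrorAction SilentlyContinue)) {
        throw 'Invoke-PrivescCheck is not defined; dot-source PrivescCheck.ps1 first.'
    }
    if ((Test-IsElevated) -and -not $Force) {
        throw 'Shell is elevated: access-control results would be meaningless. Re-run from a standard-user shell, or pass -Force to audit as admin.'
    }

    # One report base name per host and run, so repeated runs do not clobber each other.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $base  = Join-Path -Path $ReportDir -ChildPath "PrivescCheck_$($env:COMPUTERNAME)_$stamp"

    # Splat the switches through to Invoke-PrivescCheck. -Silent keeps the
    # console quiet, which matters when this runs under a beacon or a task.
    $params = @{
        Silent = $true
        Report = $base
        Format = 'TXT', 'HTML', 'CSV'
    }
    if ($Extended) { $params['Extended'] = $true }
    if ($Audit)    { $params['Audit']    = $true }
    if ($Risky)    { $params['Risky']    = $true }
    if ($Force)    { $params['Force']    = $true }

    Invoke-PrivescCheck @params

    # Invoke-PrivescCheck writes one file per format next to $base; hand them
    # back so the caller can archive, parse or pull them off the host.
    return Get-ChildItem -Path "$base.*" -File
}
```

Call it as `Start-PrivescCheckRun -Extended -ReportDir C:\Users\Public`; from an elevated shell add `-Force`, which is passed straight through to `Invoke-PrivescCheck`. Because the Administrators group is marked deny-only in a UAC-filtered token, `IsInRole` returns False there, so a local admin working from a non-elevated prompt is treated as a standard user, which is exactly the context in which the ACL checks are meaningful.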

Loading the script when execution policy blocks it

The -ep bypass flag (short for -ExecutionPolicy Bypass) covers most cases, but an execution policy set by Group Policy (the MachinePolicy or UserPolicy scope in Get-ExecutionPolicy -List) takes precedence over the command-line parameter and over Set-ExecutionPolicy. In that case read the file in as text and pipe it through Invoke-Expression, which evaluates it without the script-file policy check:

```powershell
Get-Content .\PrivescCheck.ps1 | Out-String | Invoke-Expression
Invoke-PrivescCheck
```

If you cannot, or would rather not, write the script to disk, fetch it over HTTPS and evaluate it in memory. This needs outbound access to github.com, and on older hosts WebClient may need TLS 1.2 enabled first via [Net.ServicePointManager]::SecurityProtocol. Note that either Invoke-Expression route only sidesteps the execution policy; the content still passes through AMSI and script block logging, so expect Defender or an EDR to flag it:

```powershell
IEX (New-Object Net.WebClient).DownloadString('https://github.com/itm4n/PrivescCheck/releases/latest/download/PrivescCheck.ps1')
Invoke-PrivescCheck
```
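The loading decision from this section as one added script (example code, not from the PrivescCheck project): it reads which execution-policy scope is enforcing, picks dot-sourcing or Invoke-Expression accordingly, falls back to the in-memory download when nothing is on disk, and verifies that the command actually loaded. `$ScriptPath` and the release URL are assumptions taken from the examples above. Run it at the prompt rather than inside a function: functions defined by a dot-source or Invoke-Expression executed inside another function disappear when that function returns.

```powershell
# Added example, not from the PrivescCheck project. Choose how to load the
# script based on which execution-policy scope is enforcing it, then verify
# the command is available. Run at the prompt so the functions the script
# defines land in the session scope. Path and URL are assumptions.
$ScriptPath = '.\PrivescCheck.ps1'
$ScriptUrl  = 'https://github.com/itm4n/PrivescCheck/releases/latest/download/PrivescCheck.ps1'

# MachinePolicy and UserPolicy are set by GPO and win over every other scope,
# so neither -ExecutionPolicy Bypass nor Set-ExecutionPolicy can override them.
$GpoPolicy = Get-ExecutionPolicy -List |
    Where-Object {
        $_.Scope.ToString() -in 'MachinePolicy', 'UserPolicy' -and
        $_.ExecutionPolicy -ne 'Undefined'
    }

if (Test-Path -Path $ScriptPath) {
    if ($GpoPolicy) {
        Write-Warning ('GPO execution policy enforced at scope(s): {0}; loading via Invoke-Expression' -f ($GpoPolicy.Scope -join ', '))
        # Reading the file as text and evaluating it sidesteps the script-file
        # policy check. AMSI and script block logging still see the content.
        Get-Content -Path $ScriptPath -Raw | Invoke-Expression
    }
    else {
        # No GPO policy: the usual dot-source works (with -ep bypass if needed).
        . $ScriptPath
    }
}
else {
    # Nothing on disk: fetch and evaluate in memory. Needs outbound HTTPS and
    # TLS 1.2, which older hosts do not enable for WebClient by default.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    (New-Object Net.WebClient).DownloadString($ScriptUrl) | Invoke-Expression
}

# Whichever path ran, confirm the entry point exists before relying on it.
if (-not (Get-Command -Name Invoke-PrivescCheck -ErrorAction SilentlyContinue)) {
    throw 'PrivescCheck did not load; check the policy warning above and the Defender/AMSI event log.'
}

Invoke-PrivescCheck
```

A RemoteSigned policy from GPO would still let you dot-source a locally authored, unblocked copy, but the script takes the Invoke-Expression branch whenever any GPO scope is defined because that path works under every policy value, at the cost of an extra log entry.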