- Incorrect handling of deny-only groups in file ACL checks.
- Issue with Metasploit caused by the presence of a null byte in the output.
- Second attempt at supporting deny-only SIDs when checking DACLs (Get-AclModificationRights).
- DACL checking is now done in a dedicated cmdlet (Get-AclModificationRights) which can currently handle objects of types "File", "Directory" and "Registry Key".
- The Get-ModifiablePath and Get-ModifiableRegistryPath cmdlets now use the generic Get-AclModificationRights cmdlet.
- Deny ACEs are now taken into account when checking DACLs.
- The value of the 'DisableWindowsUpdateAccess' setting is now reported in the WSUS check.
- System PATH parsing improved to ensure we do not check empty paths
- Explicit output types where possible
- Rewrite the Builder and the Loader
- Rename "Write-PrivescCheckAsciiReport" to "Show-PrivescCheckAsciiReport"
- Trailing spaces in the entire code (code cleanup)
- Empty catch blocks
- Network > Get-WlanProfileList, a helper function that retrieves the list of saved Wi-Fi profiles through the Windows API
- Network > Convert-WlanXmlProfile, a helper function that converts a WLAN XML profile to a custom PS object
- Network > Invoke-AirstrikeAttackCheck, check whether a workstation would be vulnerable to the Airstrike attack
- Network > Invoke-WlanProfilesCheck, this check now detects potential issues in 802.1x Wi-Fi profiles
- A typo in the Print Nightmare check following the previous code refactoring
- Refactored and improved Config > Invoke-PrintNightmareCheck
- Refactored registry key checks
- Misc > Invoke-UserSessionListCheck
- Config > Invoke-HardenedUNCPathCheck (@mr_mitm, @itm4n)
- Misc > Invoke-DefenderExclusionsCheck
- Config > Invoke-DriverCoInstallersCheck (@SAERXCIT)
- Creds > Invoke-SensitiveHiveShadowCopyCheck (@SAERXCIT)
- Config > Invoke-PrintNightmareCheck
- XML output report format
- Misc > Invoke-NamedPipePermissionsCheck (experimental)
- Network > Invoke-NetworkAdaptersCheck
- Invoke-UserCheck now retrieves more information about the current Token
- User > Invoke-UserRestrictedSidsCheck, for WRITE RESTRICTED tokens
- Group enumeration is now generic
- All privileges are now listed and the check is now considered "INFO"
- Group enumeration is now done using the Windows API
- A "Build" tool to slightly obfuscate the script
- Complete code refactor
- PrivescCheck no longer relies on compiled C# code (back to original PowerUp method)
- Code is now structured and split into "category" files
- LSA Protection and Credential Guard are now separate checks
- Fixed minor bugs
- Services > Invoke-SCMPermissionsCheck
- Scheduled Tasks > Invoke-ScheduledTasksUnquotedPathCheck
- Refactored the report generation feature
- Refactored scheduled tasks check
- A 'RunIfAdmin' mode. Some checks are now run even if the script is executed as an administrator.
- A severity level for each check
- Config > Invoke-SccmCacheFolderVulnCheck
- Additional custom checks can now be added as plugins
- A "silent" mode (only the final vulnerability report is displayed)
- Config > Invoke-SccmCacheFolderCheck
- Some report generation functions (HTML, CSV)
- Apps > Invoke-ApplicationsOnStartupVulnCheck
- Credentials > PowerShell History
- Basic vulnerability report
- Misc > Invoke-EndpointProtectionCheck
- Fixed a false positive: 'C:' resolves to the current directory
- Fixed a false positive: scheduled tasks running as the current user
- Hardening > Invoke-BitlockerCheck
- Refactored Main function
- Helper > Convert-SidToName
- Misc > Invoke-HotfixCheck
- Applications > Invoke-ProgramDataCheck
- DLL Hijacking > Invoke-HijackableDllsCheck
- Applications > Invoke-ScheduledTasksCheck
- Misc > Invoke-UsersHomeFolderCheck
- Programs > Invoke-ApplicationsOnStartupCheck
- Registry > Invoke-WsusConfigCheck
- User > Invoke-UserEnvCheck
- Updated Credentials > Invoke-CredentialFilesCheck
- Handled exception in "Network > Invoke-WlanProfilesCheck" when dealing with servers
- Network > Invoke-WlanProfilesCheck
- Credentials > Invoke-VaultListCheck
- Renamed Credentials > Invoke-CredentialManagerCheck -> Invoke-VaultCredCheck
- Credentials > Invoke-GPPPasswordCheck
- Credentials > Invoke-CredentialManagerCheck
- Fixed bug in Helper > Get-ModifiablePath (error handling in Split-Path)
- Fixed bug in User > Invoke-UserGroupsCheck (don't translate SIDs like "S-1-5.*")
- Helper > Get-UEFIStatus
- Helper > Get-SecureBootStatus
- Helper > Get-CredentialGuardStatus
- Helper > Get-LsaRunAsPPLStatus
- Registry > Invoke-LsaProtectionsCheck
- Helper > Get-UnattendSensitiveData
- Credentials > Invoke-UnattendFilesCheck
- Merged Sensitive Files with Credentials
- Moved "Invoke-PrivescCheck.ps1" from "Pentest-Tools" to a dedicated repo.
- User > Invoke-UserCheck
- User > Invoke-UserGroupsCheck
- User > Invoke-UserPrivilegesCheck
- Services > Invoke-InstalledServicesCheck
- Services > Invoke-ServicesPermissionsCheck
- Services > Invoke-ServicesPermissionsRegistryCheck
- Services > Invoke-ServicesImagePermissionsCheck
- Services > Invoke-ServicesUnquotedPathCheck
- Dll Hijacking > Invoke-DllHijackingCheck
- Sensitive Files > Invoke-SamBackupFilesCheck
- Programs > Invoke-InstalledProgramsCheck
- Programs > Invoke-ModifiableProgramsCheck
- Programs > Invoke-RunningProcessCheck
- Credentials > Invoke-WinlogonCheck
- Credentials > Invoke-CredentialFilesCheck
- Registry > Invoke-UacCheck
- Registry > Invoke-LapsCheck
- Registry > Invoke-PowershellTranscriptionCheck
- Registry > Invoke-RegistryAlwaysInstallElevatedCheck
- Network > Invoke-TcpEndpointsCheck
- Network > Invoke-UdpEndpointsCheck
- Misc > Invoke-WindowsUpdateCheck
- Misc > Invoke-SystemInfoCheck
- Misc > Invoke-LocalAdminGroupCheck
- Misc > Invoke-MachineRoleCheck
- Misc > Invoke-SystemStartupHistoryCheck
- Misc > Invoke-SystemStartupCheck
- Misc > Invoke-SystemDrivesCheck