WatsonPE is a small Local Privilege Escalation scan tool, to automate the LPE search on Windows workstations, servers or dc's. The tool is based on:
- https://book.hacktricks.xyz/
- winPEAS script
- https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/
- PowerUp script
# default call - uses light scan
.\WatsonPE.ps1
# calling help function (colors explanation)
.\WatsonPE.ps1 -h
# calls light scan
.\WatsonPE.ps1 -light
# calls heavy scan (in development)
.\WatsonPE.ps1 -all===== { Computer } =====
- kernel information/system information
- check if domain joined
- PS, Audit, WEF and LAPS Settings
- LSA protection
- credential guard
- wdigest
- Number of cached cred
- Environment Variables
- UAC configuration
- Spooler
- Weak registry settings
===== { Users } =====
- Current logged users
- RDP sessions
- Ever logged users
- Autologin credentials
- Logon Sessions
- localgroups and file access
- HiveNightmare
===== { Processes } =====
- Interesting services (non Microsoft) information
- Modifiable services
- Writable service registry binpath
- PATH Dll Hijacking
===== { Windows Credentials } =====
- Windows Vault
- Credential Manager
- Saved RDP settings
- DPAPI Masterkeys
- DPAPI Credential files
- Remote Desktop Connection Manager credentials
- Kerberos Tickets
- Wifi creds
- Security Package Credentials
- AlwaysInstallElevated
===== { Browser } =====
- Extracting saved passwords for: Firefox, Chrome, Opera, Brave
===== { PuTTY } =====
- PuTTY sessions
- PuTTY ssh host keys
- ssh keys inside registry
===== { interesting files & registry } =====
- Check for unattended files
- Check for SAM & SYSTEM backups
- Check for cached GPP Passwords