PrivKit: simple beacon object file that detects privilege escalation vulnerabilities
PrivKit
PrivKit is an open-source tool that empowers red teamers and penetration testers to quickly identify common Windows local privilege escalation vectors using Cobalt Strike Beacon Object Files (BOFs).
Features
PrivKit offers a comprehensive suite of privilege escalation checks, including:
| Check | Description |
|---|---|
| AlwaysInstallElevatedCheck | Checks for AlwaysInstallElevated misconfiguration in HKCU and HKLM |
| AutologonCheck | Enumerates stored Autologon credentials in Winlogon registry |
| CredentialManagerCheck | Dumps credentials from Windows Credential Manager |
| HijackablePathCheck | Identifies writable directories in system PATH |
| ModifiableAutorunCheck | Finds writable autorun executables in Run/RunOnce keys |
| ModifiableSVCCheck | Finds services with modifiable permissions (DACL) |
| TokenPrivilegesCheck | Enumerates current process token privileges |
| UnquotedSVCPathCheck | Detects unquoted service paths with spaces |
| PowerShellHistoryCheck | Checks for PowerShell PSReadLine history file |
| UACStatusCheck | Checks UAC status, integrity level, and admin group membership |
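To make the UnquotedSVCPathCheck row concrete, here is an added audit helper (not PrivKit's own code, and in Python rather than the project's C) that reproduces the logic of that check on constructed ImagePath strings: for each service path that is unquoted and contains spaces, it lists the intermediate "<prefix>.exe" locations the Windows service loader would try first, which are exactly the directories whose write ACLs an administrator has to verify. On a live host the ImagePath values would be read from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath; the sample values below are made up.

```python
import re
from typing import Dict, List

# Constructed sample ImagePath values in the shape found under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (not real services).
SAMPLE_IMAGE_PATHS: Dict[str, str] = {
    "GoodQuoted":   '"C:\\Program Files\\Vendor Tool\\svc.exe" -run',
    "NoSpaces":     r"C:\Windows\System32\svchost.exe -k netsvcs",
    "Unquoted":     r"C:\Program Files\Vendor Tool\bin\svc.exe",
    "UnquotedArgs": r"C:\Program Files\Vendor Tool\svc.exe --service --log C:\temp\a.log",
    "SystemRoot":   r"%SystemRoot%\system32\drivers\acpi.sys",
}


def unquoted_search_candidates(image_path: str) -> List[str]:
    """Return the '<prefix>.exe' paths the loader would try before the intended
    binary for an unquoted ImagePath with spaces; an empty list means the path
    is safe (quoted, or no spaces in the binary path)."""
    p = image_path.strip()
    if not p or p.startswith('"'):
        return []  # quoted: the loader knows exactly where the binary ends
    # Assumption: %SystemRoot% expands to the default C:\Windows.
    p = re.sub(r"%SystemRoot%", r"C:\\Windows", p, flags=re.IGNORECASE)
    # The binary path ends at the first .exe/.sys token; anything after is arguments.
    m = re.match(r"(.+?\.(?:exe|sys))(\s|$)", p, flags=re.IGNORECASE)
    binary = m.group(1) if m else p
    if " " not in binary:
        return []
    # Each space-delimited prefix is tried as "<prefix>.exe" before the real binary.
    parts = binary.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def find_unquoted_services(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map service name -> loader search candidates, for unquoted ImagePaths only."""
    findings: Dict[str, List[str]] = {}
    for name, image_path in services.items():
        candidates = unquoted_search_candidates(image_path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for svc, paths in find_unquoted_services(SAMPLE_IMAGE_PATHS).items():
        print(f"{svc}: verify write ACLs on the parent directory of each of {paths}")
```

A directory in that candidate list is only a problem if a low-privileged user can create files in it, so the ACL check on each parent directory is the second half of the audit.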
Why BOFs?
- In-memory execution – No files dropped to disk
- Lightweight – Minimal beacon footprint
- Fast – Native execution speed
- Stealthy – Runs within beacon’s process context
- Cross-architecture – Supports both x64 and x86
PrivKit is written in C and compiled as Beacon Object Files, making it compatible with Cobalt Strike 4.x on Windows targets.
Download
```bash
git clone https://github.com/mertdas/PrivKit.git
cd PrivKit
./make_all.sh
```
Use
Run All Checks
Execute all privilege escalation checks at once:
```bash
beacon> PrivCheck
```
Run Individual Checks
Run specific checks as needed:
```bash
beacon> AlwaysInstallElevatedCheck
beacon> AutologonCheck
beacon> CredentialManagerCheck
beacon> HijackablePathCheck
beacon> ModifiableAutorunCheck
beacon> ModifiableSVCCheck
beacon> TokenPrivilegesCheck
beacon> UnquotedSVCPathCheck
beacon> PowerShellHistoryCheck
beacon> UACStatusCheck
```
Copyright (C) 2023 mertdas
Source: https://github.com/mertdas/