/// <summary>
/// Lists the service registry keys that the current user's SIDs are allowed to write to
/// (as reported by ServicesInfoHelper.GetWriteServiceRegs) and highlights the
/// permission part of every entry.
/// </summary>
void PrintWritableRegServices()
{
    try
    {
        Beaprint.MainPrint("Looking if you can modify any service registry");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services-registry-permissions", "Check if you can modify the registry of a service");

        List<Dictionary<string, string>> writableKeys = ServicesInfoHelper.GetWriteServiceRegs(winPEAS.Checks.Checks.CurrentUserSiDs);

        // The parenthesised permission list is what matters, so it gets the "bad" colour.
        var highlight = new Dictionary<string, string>
        {
            { @"\(.*\)", Beaprint.ansi_color_bad },
        };

        if (writableKeys.Count == 0)
        {
            Beaprint.GoodPrint(" [-] Looks like you cannot change the registry of any service...");
            return;
        }

        foreach (var entry in writableKeys)
        {
            Beaprint.AnsiPrint($" {entry["Path"]} ({entry["Permissions"]})", highlight);
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
/// <summary>
/// Prints the network shares exposed by the local host (queried through 127.0.0.1).
/// Share names matching <c>commonShares</c> are coloured as expected; any permission
/// text is coloured as a finding.
/// </summary>
private void PrintNetShares()
{
    try
    {
        Beaprint.MainPrint("Network Shares");

        var palette = new Dictionary<string, string>
        {
            { commonShares, Beaprint.ansi_color_good },
            { "Permissions.*", Beaprint.ansi_color_bad }
        };

        List<Dictionary<string, string>> shares = NetworkInfoHelper.GetNetworkShares("127.0.0.1");
        foreach (var share in shares)
        {
            var line = $" {share["Name"]} ({Beaprint.ansi_color_gray}Path: {share["Path"]}{Beaprint.NOCOLOR})";
            if (share["Permissions"].Length != 0)
            {
                line += " -- Permissions: " + share["Permissions"];
            }
            Beaprint.AnsiPrint(line, palette);
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
/// <summary>
/// Prints the explicit-credential logon events (event id 4648) of the last 30 days.
/// The check needs a high-integrity process; otherwise a notice is printed and the
/// method returns.
/// </summary>
private static void PrintExplicitLogonEvents()
{
    const int lookbackDays = 30;

    try
    {
        Beaprint.MainPrint($"Printing Explicit Credential Events (4648) for last {lookbackDays} days - A process logged on using plaintext credentials\n");

        if (!MyUtils.IsHighIntegrity())
        {
            Beaprint.NoColorPrint(" You must be an administrator to run this check");
            return;
        }

        foreach (var evt in Logon.GetExplicitLogonEventsInfos(lookbackDays))
        {
            // One field per line, each terminated by a newline.
            var block = string.Join("\n",
                $" Subject User : {evt.SubjectUser}",
                $" Subject Domain : {evt.SubjectDomain}",
                $" Created (UTC) : {evt.CreatedAtUtc}",
                $" IP Address : {evt.IpAddress}",
                $" Process : {evt.Process}",
                $" Target User : {evt.TargetUser}",
                $" Target Domain : {evt.TargetDomain}") + "\n";

            Beaprint.BadPrint(block);
            Beaprint.PrintLineSeparator();
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
/// <summary>
/// Prints the classic and advanced audit policy settings returned by
/// AuditPolicies.GetAuditPoliciesInfos: one header per policy (domain, GPO, type)
/// followed by its subcategory/audit-type pairs.
/// </summary>
private static void PrintAuditPoliciesInfo()
{
    try
    {
        Beaprint.MainPrint("Audit Policy Settings - Classic & Advanced");

        foreach (var policy in AuditPolicies.GetAuditPoliciesInfos())
        {
            var header = string.Join("\n",
                $" Domain : {policy.Domain}",
                $" GPO : {policy.GPO}",
                $" Type : {policy.Type}") + "\n";
            Beaprint.NoColorPrint(header);

            foreach (var setting in policy.Settings)
            {
                Beaprint.NoColorPrint($" {setting.Subcategory,50} : {setting.AuditType}");
            }

            Beaprint.PrintLineSeparator();
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
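/// <summary>
/// Prints the Sysmon installation state, hashing algorithm, options and rule
/// information returned by SysMon.GetSysMonInfos. Requires a high-integrity process.
/// Values equal to SysMon.NotDefined or "False" are highlighted as findings.
/// </summary>
private void PrintSysmonConfiguration()
{
    Beaprint.MainPrint("Enumerating Sysmon configuration");

    var colors = new Dictionary<string, string>
    {
        { SysMon.NotDefined, Beaprint.ansi_color_bad },
        { "False", Beaprint.ansi_color_bad },
    };

    try
    {
        if (!MyUtils.IsHighIntegrity())
        {
            Beaprint.NoColorPrint(" You must be an administrator to run this check");
            return;
        }

        foreach (var item in SysMon.GetSysMonInfos())
        {
            Beaprint.AnsiPrint($" Installed: {item.Installed}\n" +
                               $" Hashing Algorithm: {item.HashingAlgorithm.GetDescription()}\n" +
                               $" Options: {item.Options.GetDescription()}\n" +
                               $" Rules: {item.Rules}\n", colors);
            Beaprint.PrintLineSeparator();
        }
    }
    catch (Exception ex)
    {
        // Previously swallowed silently; report like every other check so a failing
        // enumeration is visible instead of looking like "no Sysmon".
        Beaprint.PrintException(ex.Message);
    }
}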
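/// <summary>
/// Reports whether IIS AppCmd.exe exists at its default location and, when running
/// with high integrity, executes the PowerShell script returned by
/// AppCmd.GetExtractAppCmdCredsPowerShellScript, echoing its standard output
/// (highlighted) and then its standard error.
/// </summary>
/// <remarks>
/// Both streams of the child are redirected. Standard error is drained by the
/// asynchronous reader while standard output is read line by line; reading the two
/// pipes one after the other can deadlock once the child fills the error pipe while
/// this process is still blocked on the output pipe.
/// </remarks>
private static void PrintAppCmd()
{
    try
    {
        Beaprint.MainPrint("Looking AppCmd.exe");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe");

        var appCmdPath = Environment.ExpandEnvironmentVariables(@"%systemroot%\system32\inetsrv\appcmd.exe");
        if (File.Exists(appCmdPath))
        {
            Beaprint.BadPrint($" AppCmd.exe was found in {appCmdPath}");
        }
        else
        {
            Beaprint.NotFoundPrint();
        }

        if (!MyUtils.IsHighIntegrity())
        {
            Beaprint.NoColorPrint(" You must be an administrator to run this check");
            return;
        }

        var script = AppCmd.GetExtractAppCmdCredsPowerShellScript();
        var processStartInfo = new ProcessStartInfo
        {
            UseShellExecute = false,
            CreateNoWindow = true,
            FileName = "powershell.exe",
            Arguments = $@" {script}",
            RedirectStandardOutput = true,
            RedirectStandardError = true,
            StandardOutputEncoding = Encoding.UTF8
        };

        using (var process = Process.Start(processStartInfo))
        {
            if (process == null)
            {
                return;
            }

            // Collect stderr on the async reader thread; it is printed after stdout so
            // the highlighted output is not interleaved with error text.
            var stderrLines = new List<string>();
            process.ErrorDataReceived += (_, e) =>
            {
                if (e.Data != null)
                {
                    stderrLines.Add(e.Data);
                }
            };
            process.BeginErrorReadLine();

            while (!process.StandardOutput.EndOfStream)
            {
                Beaprint.BadPrint($" {process.StandardOutput.ReadLine()}");
            }

            // WaitForExit without a timeout also waits for the async stderr reader to
            // deliver its last line, so stderrLines is complete afterwards.
            process.WaitForExit();

            foreach (var errorLine in stderrLines)
            {
                Console.WriteLine(errorLine);
            }
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}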
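/// <summary>
/// Prints the local Group Policy objects (user and machine) returned by
/// GroupPolicy.GetLocalGroupPolicyInfos, one block per GPO.
/// </summary>
private static void PrintLocalGroupPolicy()
{
    try
    {
        Beaprint.MainPrint("Display Local Group Policy settings - local users/machine");

        foreach (var info in GroupPolicy.GetLocalGroupPolicyInfos())
        {
            Beaprint.NoColorPrint($" Type : {info.GPOType}\n" +
                                  $" Display Name : {info.DisplayName}\n" +
                                  $" Name : {info.GPOName}\n" +
                                  $" Extensions : {info.Extensions}\n" +
                                  $" File Sys Path : {info.FileSysPath}\n" +
                                  $" Link : {info.Link}\n" +
                                  $" GPO Link : {info.GPOLink.GetDescription()}\n" +
                                  $" Options : {info.Options.GetDescription()}\n");
            Beaprint.PrintLineSeparator();
        }
    }
    catch (Exception ex)
    {
        // Was an empty catch; surface the failure like the other checks do.
        Beaprint.PrintException(ex.Message);
    }
}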
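/// <summary>
/// Checks a fixed set of registry locations known to hold application credentials
/// (VNC servers, PuTTY sessions, the SNMP service) and prints the values found.
/// Per-user keys are read from HKCU, machine-wide keys from HKLM.
/// </summary>
void PrintPossCredsRegs()
{
    try
    {
        // Per-user locations: these live under the current user's hive.
        string[] userHiveKeys =
        {
            @"Software\ORL\WinVNC3\Password",
            @"Software\TightVNC\Server",
            @"Software\SimonTatham\PuTTY\Sessions"
        };
        // Machine-wide locations.
        string[] machineHiveKeys = { @"SYSTEM\CurrentControlSet\Services\SNMP" };

        Beaprint.MainPrint("Looking for possible regs with creds");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#inside-the-registry");

        string winVnc4 = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\RealVNC\WinVNC4", "password");
        // If GetRegValue yields null for an absent value, Trim() on it would throw and
        // skip the remaining lookups; IsNullOrWhiteSpace covers both null and blank.
        if (!string.IsNullOrWhiteSpace(winVnc4))
        {
            Beaprint.BadPrint(winVnc4);
        }

        // These keys were previously queried under HKLM, where they do not exist.
        foreach (string key in userHiveKeys)
        {
            Beaprint.DictPrint(RegistryHelper.GetRegValues("HKCU", key), false);
        }

        foreach (string key in machineHiveKeys)
        {
            Beaprint.DictPrint(RegistryHelper.GetRegValues("HKLM", key), false);
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}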
/// <summary>
/// Prints up to 70 of the recently accessed files reported by
/// KnownFileCredsInfo.GetRecentFiles, highlighting names that match
/// <c>_patternsFileCredsColor</c>.
/// </summary>
void PrintRecentFiles()
{
    const int maxEntries = 70;

    try
    {
        Beaprint.MainPrint("Recent files --limit 70--");

        List<Dictionary<string, string>> recentFiles = KnownFileCredsInfo.GetRecentFiles();
        var highlight = new Dictionary<string, string>
        {
            { _patternsFileCredsColor, Beaprint.ansi_color_bad },
        };

        if (recentFiles.Count == 0)
        {
            Beaprint.NotFoundPrint();
            return;
        }

        foreach (var entry in recentFiles.Take(maxEntries))
        {
            Beaprint.AnsiPrint($" {entry["Target"]}({entry["Accessed"]})", highlight);
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
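/// <summary>
/// Scans the Firefox history URLs returned by Firefox.GetFirefoxHistory and prints
/// those matching Browser.CredStringsRegex, highlighting Globals.PrintCredStrings.
/// </summary>
private static void PrintHistFirefox()
{
    try
    {
        Beaprint.MainPrint("Looking for GET credentials in Firefox history");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");

        List<string> history = Firefox.GetFirefoxHistory();
        if (history.Count == 0)
        {
            Beaprint.NotFoundPrint();
            return;
        }

        var highlight = new Dictionary<string, string>
        {
            { Globals.PrintCredStrings, Beaprint.ansi_color_bad },
        };

        foreach (string url in history)
        {
            // Invariant upper-casing: the culture-sensitive ToUpper() maps 'i'
            // differently under e.g. Turkish locales and silently misses matches.
            if (MyUtils.ContainsAnyRegex(url.ToUpperInvariant(), Browser.CredStringsRegex))
            {
                Beaprint.AnsiPrint(" " + url, highlight);
            }
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}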
/// <summary>
/// Prints the cloud credential files located by KnownFileCredsInfo.ListCloudCreds,
/// with description, last access time and size for each.
/// </summary>
void PrintCloudCreds()
{
    const string rowFormat = " {0} ({1})\n Accessed:{2} -- Size:{3}";

    try
    {
        Beaprint.MainPrint("Cloud Credentials");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");

        List<Dictionary<string, string>> cloudCreds = KnownFileCredsInfo.ListCloudCreds();
        if (cloudCreds.Count == 0)
        {
            Beaprint.NotFoundPrint();
            return;
        }

        foreach (var entry in cloudCreds)
        {
            Beaprint.BadPrint(string.Format(rowFormat, entry["file"], entry["Description"], entry["Accessed"], entry["Size"]));
            Console.WriteLine();
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
/// <summary>
/// Prints the paths of the Firefox credential databases found by
/// Firefox.GetFirefoxDbs, followed by a pointer to the tooling for them.
/// </summary>
private static void PrintDBsFirefox()
{
    try
    {
        Beaprint.MainPrint("Looking for Firefox DBs");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");

        List<string> databases = Firefox.GetFirefoxDbs();
        if (databases.Count == 0)
        {
            Beaprint.NotFoundPrint();
            return;
        }

        // Plain BadPrint: each line must be red, so no colour dictionary here.
        foreach (string database in databases)
        {
            Beaprint.BadPrint(" Firefox credentials file exists at " + database);
        }

        Beaprint.InfoPrint("Run SharpWeb (https://github.com/djhohnstein/SharpWeb)");
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
/// <summary>
/// Prints the effective AppLocker policy: its version and, per rule collection, the
/// hash, path and publisher rules (via the PrintFile*Rules helpers). A COMException
/// is taken to mean AppLocker is unavailable on this Windows edition.
/// </summary>
public static void PrintAppLockerPolicy()
{
    Beaprint.MainPrint("Checking AppLocker effective policy");

    try
    {
        string[] ruleTypes = { "All" };
        var policy = SharpAppLocker.GetAppLockerPolicy(SharpAppLocker.PolicyType.Effective, ruleTypes, string.Empty, false, false);

        Beaprint.NoColorPrint($" AppLockerPolicy version: {policy.Version}\n listing rules:\n\n");

        foreach (var collection in policy.RuleCollection)
        {
            PrintFileHashRules(collection);
            PrintFilePathRules(collection);
            PrintFilePublisherRules(collection);
        }
    }
    catch (COMException)
    {
        Beaprint.ColorPrint(" AppLocker unsupported on this Windows version.", Beaprint.ansi_color_yellow);
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
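/// <summary>
/// Lists the subkeys of HKCU\OpenSSH\Agent\Keys, i.e. the key entries stored by the
/// Windows OpenSSH agent for the current user.
/// </summary>
private static void PrintSSHKeysReg()
{
    try
    {
        Beaprint.MainPrint("SSH keys in registry");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#ssh-keys-in-registry", "If you find anything here, follow the link to learn how to decrypt the SSH keys");

        string[] keyEntries = RegistryHelper.GetRegSubkeys("HKCU", @"OpenSSH\Agent\Keys");

        // Treat a null result (key absent) the same as an empty one instead of throwing.
        if (keyEntries == null || keyEntries.Length == 0)
        {
            Beaprint.NotFoundPrint();
            return;
        }

        foreach (string entry in keyEntries)
        {
            Beaprint.BadPrint(entry);
        }
    }
    catch (Exception ex)
    {
        // Same error reporting as the other checks (previously dumped the whole exception in gray).
        Beaprint.PrintException(ex.Message);
    }
}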
/// <summary>
/// Prints the DPAPI master key files located by KnownFileCredsInfo.ListMasterKeys.
/// When running with high integrity an extra hint pointing at the linked page is shown.
/// </summary>
private static void PrintDPAPIMasterKeys()
{
    try
    {
        Beaprint.MainPrint("Checking for DPAPI Master Keys");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi");

        var masterKeys = KnownFileCredsInfo.ListMasterKeys();
        if (masterKeys.Count == 0)
        {
            Beaprint.NotFoundPrint();
            return;
        }

        Beaprint.DictPrint(masterKeys, true);

        if (MyUtils.IsHighIntegrity())
        {
            Beaprint.InfoPrint("Follow the provided link for further instructions in how to decrypt the masterkey.");
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
/// <summary>
/// Walks the home folders of other users (User.GetOtherUsersFolders) and reports every
/// file or folder on which the current user's SIDs hold write-equivalent permissions.
/// Skipped entirely when already running as administrator.
/// </summary>
void PrintOtherUsersInterestingFiles()
{
    try
    {
        Beaprint.MainPrint("Searching interesting files in other users home directories (can be slow)\n");

        // Nothing to gain from the walk when already elevated.
        if (MyUtils.IsHighIntegrity())
        {
            Beaprint.BadPrint(" You are already Administrator, check users home folders manually.");
            return;
        }

        foreach (var homeFolder in User.GetOtherUsersFolders())
        {
            Beaprint.GoodPrint($" Checking folder: {homeFolder}\n");

            foreach (var entry in SearchHelper.GetFilesFast(homeFolder, isFoldersIncluded: true))
            {
                try
                {
                    bool isDirectory = File.GetAttributes(entry.FullPath).HasFlag(FileAttributes.Directory);

                    List<string> rights = isDirectory
                        ? PermissionsHelper.GetPermissionsFolder(entry.FullPath, Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT)
                        : PermissionsHelper.GetPermissionsFile(entry.FullPath, Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);

                    if (rights.Count > 0)
                    {
                        string kind = isDirectory ? "Folder" : "File";
                        Beaprint.BadPrint($" {kind} Permissions \"{entry.FullPath}\": " + string.Join(",", rights));
                    }
                }
                catch (Exception)
                {
                    // Best effort: entries that cannot be inspected (access denied,
                    // vanished, reparse points) are skipped without aborting the walk.
                }
            }

            Beaprint.PrintLineSeparator();
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
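/// <summary>
/// Enumerates the saved WLAN profiles of every wireless interface and reports each
/// profile whose XML carries a <c>keyMaterial</c> element (a stored key). The key
/// itself is not echoed; a masked placeholder is printed next to the SSID.
/// </summary>
private static void PrintWifi()
{
    try
    {
        Beaprint.MainPrint("Looking for saved Wifi credentials");

        foreach (var wlanInterface in new WlanClient().Interfaces)
        {
            foreach (var profile in wlanInterface.GetProfiles())
            {
                var profileXml = wlanInterface.GetProfileXml(profile.profileName);

                var document = new XmlDocument
                {
                    // The profile is parsed as plain data: no DTD / external entity resolution.
                    XmlResolver = null
                };
                document.LoadXml(profileXml);

                if (document.GetElementsByTagName("keyMaterial").Count > 0)
                {
                    // Closing quote belongs right after the SSID, before the newline.
                    Beaprint.BadPrint($" SSID : '{profile.profileName}'\n" +
                                      $" password : '******' \n\n");
                }
            }
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}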
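/// <summary>
/// Prints the title of the active window (treated as a path by the permission helpers)
/// and reports whether the current user's SIDs can write to that file or to its
/// containing folder.
/// </summary>
void PrintActiveWindow()
{
    try
    {
        Beaprint.MainPrint("Current Active Window Application");

        string title = ApplicationInfoHelper.GetActiveWindowTitle();
        List<string> permsFile = PermissionsHelper.GetPermissionsFile(title, winPEAS.Checks.Checks.CurrentUserSiDs);
        List<string> permsFolder = PermissionsHelper.GetPermissionsFolder(title, winPEAS.Checks.Checks.CurrentUserSiDs);

        if (permsFile.Count > 0)
        {
            Beaprint.BadPrint(" " + title);
            Beaprint.BadPrint(" File Permissions: " + string.Join(",", permsFile));
        }
        else
        {
            Beaprint.GoodPrint(" " + title);
        }

        if (permsFolder.Count > 0)
        {
            Beaprint.BadPrint(" Possible DLL Hijacking, folder is writable: " + PermissionsHelper.GetFolderFromString(title));
            // The folder line must list the folder's rights (it previously reused permsFile).
            Beaprint.BadPrint(" Folder Permissions: " + string.Join(",", permsFolder));
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}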
/// <summary>
/// Prints the NTLM credential entries returned by SecurityPackages.GetNtlmCredentials
/// (version and hash per entry), or a reassuring line when the package holds none.
/// </summary>
private static void PrintSecurityPackagesCredentials()
{
    Beaprint.MainPrint("Enumerating Security Packages Credentials");

    try
    {
        var entries = SecurityPackages.GetNtlmCredentials() ?? Enumerable.Empty<NtlmHashInfo>();
        var credentials = entries.ToList();

        if (credentials.Count == 0)
        {
            Beaprint.GoodPrint(" The NTLM security package does not contain any credentials.");
            return;
        }

        foreach (var credential in credentials)
        {
            if (credential is null)
            {
                continue;
            }

            Beaprint.BadPrint($" Version: {credential.Version}\n" +
                              $" Hash: {credential.Hash}\n");
            Beaprint.PrintLineSeparator();
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
/// <summary>
/// Prints the active RDP sessions reported by UserInfoHelper.GetRDPSessions as an
/// aligned table (session id, session name, user, domain, state, source IP).
/// </summary>
void PrintRdpSessions()
{
    const string rowFormat = " {0,-10}{1,-15}{2,-15}{3,-25}{4,-10}{5}";

    try
    {
        Beaprint.MainPrint("RDP Sessions");

        List<Dictionary<string, string>> sessions = Info.UserInfo.UserInfoHelper.GetRDPSessions();
        if (sessions.Count == 0)
        {
            Beaprint.NotFoundPrint();
            return;
        }

        Beaprint.GrayPrint(string.Format(rowFormat, "SessID", "pSessionName", "pUserName", "pDomainName", "State", "SourceIP"));

        foreach (var session in sessions)
        {
            object[] cells =
            {
                session["SessionID"],
                session["pSessionName"],
                session["pUserName"],
                session["pDomainName"],
                session["State"],
                session["SourceIP"]
            };
            Beaprint.AnsiPrint(string.Format(rowFormat, cells), ColorsU());
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
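/// <summary>
/// Prints the PowerShell session configurations (plugins) read from the registry by
/// PowerShell.GetPowerShellSessionSettingsInfos together with their principal/
/// permission pairs. Requires a high-integrity process.
/// </summary>
private static void PrintPowerShellSessionSettings()
{
    try
    {
        Beaprint.MainPrint("Enumerating PowerShell Session Settings using the registry");

        if (!MyUtils.IsHighIntegrity())
        {
            Beaprint.NoColorPrint(" You must be an administrator to run this check");
            return;
        }

        foreach (var info in PowerShell.GetPowerShellSessionSettingsInfos())
        {
            Beaprint.NoColorPrint($" {"Name",-38} {info.Plugin}");

            foreach (var access in info.Permissions)
            {
                Beaprint.NoColorPrint($" {access.Principal,-35} {access.Permission,-22}");
            }

            Beaprint.PrintLineSeparator();
        }
    }
    catch (Exception ex)
    {
        // Was an empty catch; report the failure like the other checks.
        Beaprint.PrintException(ex.Message);
    }
}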
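/// <summary>
/// Prints one block per logon session returned by LogonSessions.GetLogonSessions
/// (method, logon server, id, times, type, domain, auth package and user identity).
/// </summary>
private void PrintLogonSessions()
{
    try
    {
        Beaprint.MainPrint("Print Logon Sessions");

        foreach (var session in LogonSessions.GetLogonSessions())
        {
            // "Start Time" used to be emitted twice; it is listed once now.
            Beaprint.NoColorPrint($" Method: {session.Method}\n" +
                                  $" Logon Server: {session.LogonServer}\n" +
                                  $" Logon Server Dns Domain: {session.LogonServerDnsDomain}\n" +
                                  $" Logon Id: {session.LogonId}\n" +
                                  $" Logon Time: {session.LogonTime}\n" +
                                  $" Logon Type: {session.LogonType}\n" +
                                  $" Start Time: {session.StartTime}\n" +
                                  $" Domain: {session.Domain}\n" +
                                  $" Authentication Package: {session.AuthenticationPackage}\n" +
                                  $" User Name: {session.UserName}\n" +
                                  $" User Principal Name: {session.UserPrincipalName}\n" +
                                  $" User SID: {session.UserSID}\n");
            Beaprint.PrintLineSeparator();
        }
    }
    catch (Exception ex)
    {
        // Was an empty catch; surface the failure instead of silently printing nothing.
        Beaprint.PrintException(ex.Message);
    }
}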
/// <summary>
/// Reads the Windows Installer AlwaysInstallElevated policy value from both HKLM and
/// HKCU and flags each hive where it is set to "1".
/// </summary>
static void PrintAlwaysInstallElevated()
{
    const string policyPath = @"Software\Policies\Microsoft\Windows\Installer";
    const string valueName = "AlwaysInstallElevated";

    try
    {
        Beaprint.MainPrint("Checking AlwaysInstallElevated");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated");

        bool machineEnabled = RegistryHelper.GetRegValue("HKLM", policyPath, valueName) == "1";
        bool userEnabled = RegistryHelper.GetRegValue("HKCU", policyPath, valueName) == "1";

        if (machineEnabled)
        {
            Beaprint.BadPrint(" AlwaysInstallElevated set to 1 in HKLM!");
        }

        if (userEnabled)
        {
            Beaprint.BadPrint(" AlwaysInstallElevated set to 1 in HKCU!");
        }

        if (!machineEnabled && !userEnabled)
        {
            Beaprint.GoodPrint(" AlwaysInstallElevated isn't available");
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
/// <summary>
/// Prints the current user, the groups it belongs to and the machine users/groups
/// returned by User.GetMachineUsers, coloured through ColorsU().
/// </summary>
// NOTE(review): the `"******"` run inside the AnsiPrint call below is not valid C# and
// looks like a redaction artifact of the extracted page; the statement(s) that print the
// current user and build `currentGroupsNames` cannot be recovered from this view — confirm
// against the upstream source before changing anything here.
void PrintCU() { try { Beaprint.MainPrint("Users"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups", "Check if you have some admin equivalent privileges"); List <string> usersGrps = User.GetMachineUsers(false, false, false, false, true); Beaprint.AnsiPrint(" Current user: "******" Current groups: " + string.Join(", ", currentGroupsNames), ColorsU()); Beaprint.PrintLineSeparator(); Beaprint.ListPrint(usersGrps, ColorsU()); } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
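/// <summary>
/// Enumerates mapped network drives through WMI (win32_networkconnection) and prints
/// the local/remote names, status, persistence and owning user of each.
/// </summary>
private static void PrintMappedDrivesWMI()
{
    try
    {
        Beaprint.MainPrint("Enumerate Network Mapped Drives (WMI)");

        using (var searcher = new ManagementObjectSearcher(@"root\cimv2", "SELECT * FROM win32_networkconnection"))
        using (var results = searcher.Get())
        {
            foreach (ManagementObject result in results)
            {
                // Each ManagementObject owns a COM handle; release it once printed.
                using (result)
                {
                    Beaprint.NoColorPrint($" Local Name : {result["LocalName"]}\n" +
                                          $" Remote Name : {result["RemoteName"]}\n" +
                                          $" Remote Path : {result["RemotePath"]}\n" +
                                          $" Status : {result["Status"]}\n" +
                                          $" Connection State : {result["ConnectionState"]}\n" +
                                          $" Persistent : {result["Persistent"]}\n" +
                                          $" UserName : {result["UserName"]}\n" +
                                          $" Description : {result["Description"]}\n");
                    Beaprint.PrintLineSeparator();
                }
            }
        }
    }
    catch (Exception ex)
    {
        // Was an empty catch; a WMI failure is now reported like the other checks.
        Beaprint.PrintException(ex.Message);
    }
}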
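/// <summary>
/// Reports the Chrome cookies and "Login Data" database paths returned by
/// Chrome.GetChromeDbs (keys "userChromeCookiesPath" and "userChromeLoginDataPath").
/// </summary>
private static void PrintDBsChrome()
{
    try
    {
        Beaprint.MainPrint("Looking for Chrome DBs");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");

        Dictionary<string, string> chromeDBs = Chrome.GetChromeDbs();
        bool anyFound = false;

        if (chromeDBs.TryGetValue("userChromeCookiesPath", out var cookiesPath))
        {
            anyFound = true;
            Beaprint.BadPrint(" Chrome cookies database exists at " + cookiesPath);
            Beaprint.InfoPrint("Follow the provided link for further instructions.");
        }

        if (chromeDBs.TryGetValue("userChromeLoginDataPath", out var loginDataPath))
        {
            anyFound = true;
            // Print the Login Data path itself; this line previously reused the cookies
            // path and threw KeyNotFoundException when only the login database existed.
            Beaprint.BadPrint(" Chrome saved login database exists at " + loginDataPath);
            Beaprint.InfoPrint("Follow the provided link for further instructions.");
        }

        if (!anyFound)
        {
            Beaprint.NotFoundPrint();
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}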
/// <summary>
/// Prints every network interface returned by NetworkInfoHelper.GetNetCardInfo with
/// its MAC, addresses and masks, plus gateways, DNS servers and ARP neighbours when
/// those fields are populated.
/// </summary>
private void PrintNetworkIfaces()
{
    try
    {
        Beaprint.MainPrint("Network Ifaces and known hosts");
        Beaprint.LinkPrint("", "The masks are only for the IPv4 addresses");

        foreach (var card in NetworkInfoHelper.GetNetCardInfo())
        {
            var format = new StringBuilder(" {0}[{1}]: {2} / {3}");

            // Optional sections are appended only when the card has data for them.
            if (card["Gateways"].Length > 1)
            {
                format.Append("\n " + Beaprint.ansi_color_gray + "Gateways: " + Beaprint.NOCOLOR + "{4}");
            }
            if (card["DNSs"].Length > 1)
            {
                format.Append("\n " + Beaprint.ansi_color_gray + "DNSs: " + Beaprint.NOCOLOR + "{5}");
            }
            if (card["arp"].Length > 1)
            {
                format.Append("\n " + Beaprint.ansi_color_gray + "Known hosts:" + Beaprint.NOCOLOR + "\n{6}");
            }

            Console.WriteLine(format.ToString(),
                card["Name"],
                card["PysicalAddr"],
                card["IPs"],
                card["Netmasks"].Replace(", 0.0.0.0", ""),
                card["Gateways"],
                card["DNSs"],
                card["arp"]);
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
/// <summary>
/// Prints the saved RDP connections reported by RemoteDesktop.GetSavedRDPConnections
/// as a table of host, username hint and owning user SID.
/// </summary>
static void PrintSavedRDPInfo()
{
    const string rowFormat = " {0,-20}{1,-55}{2}";

    try
    {
        Beaprint.MainPrint("Saved RDP connections");

        List<Dictionary<string, string>> connections = RemoteDesktop.GetSavedRDPConnections();

        if (connections.Count == 0)
        {
            Beaprint.NotFoundPrint();
        }
        else
        {
            Beaprint.NoColorPrint(string.Format(rowFormat, "Host", "Username Hint", "User SID"));
        }

        foreach (var connection in connections)
        {
            Beaprint.NoColorPrint(string.Format(rowFormat, connection["Host"], connection["Username Hint"], connection["SID"]));
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
/// <summary>
/// Prints the process-creation events (event id 4688) that
/// ProcessCreation.GetProcessCreationEventInfos flagged as containing sensitive data.
/// Requires a high-integrity process.
/// </summary>
private static void PrintProcessCreationEvents()
{
    try
    {
        Beaprint.MainPrint("Process creation events - searching logs (EID 4688) for sensitive data.\n");

        if (!MyUtils.IsHighIntegrity())
        {
            Beaprint.NoColorPrint(" You must be an administrator to run this check");
            return;
        }

        foreach (var evt in ProcessCreation.GetProcessCreationEventInfos())
        {
            var block = string.Join("\n",
                $" Created (UTC) : {evt.CreatedAtUtc}",
                $" Event Id : {evt.EventId}",
                $" User : {evt.User}",
                $" Command Line : {evt.Match}") + "\n";

            Beaprint.BadPrint(block);
            Beaprint.PrintLineSeparator();
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
/// <summary>
/// Prints the contents of the <c>modifiableServices</c> field (services the current
/// user can modify), fully highlighted, or a reassuring line when it is empty.
/// </summary>
void PrintModifiableServices()
{
    try
    {
        Beaprint.MainPrint("Modifiable Services");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services", "Check if you can modify any service");

        if (modifiableServices.Count == 0)
        {
            Beaprint.GoodPrint(" You cannot modify any service");
            return;
        }

        Beaprint.BadPrint(" LOOKS LIKE YOU CAN MODIFY SOME SERVICE/s:");

        // Every character of every entry is a finding, hence the catch-all pattern.
        var highlightAll = new Dictionary<string, string>
        {
            { ".*", Beaprint.ansi_color_bad },
        };
        Beaprint.DictPrint(modifiableServices, highlightAll, false, true);
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}