Advanced Tools and Techniques for Privilege Escalation

PowerView
Is a PowerShell tool to gain network situational awareness on Windows domains.
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
Get-GPPPassword
Retrieves the plaintext password and other information for accounts pushed through
Group Policy Preferences.
https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
Invoke-ACLPwn
Is a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafely configured.
https://github.com/fox-it/Invoke-ACLPwn
BloodHound
Uses graph theory to reveal the hidden and often unintended relationships within
an Active Directory environment.
https://github.com/BloodHoundAD/BloodHound
PyKEK (Python Kerberos Exploitation Kit)
Is a Python library to manipulate KRB5-related data.
https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek
Grouper
PowerShell script for helping to find vulnerable settings in AD Group Policy.
https://github.com/l0ss/Grouper
ADRecon
Is a tool which extracts various artifacts out of an AD environment into a
specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis.
https://github.com/sense-of-security/ADRecon
ADACLScanner
One script for ACLs in Active Directory.
https://github.com/canix1/ADACLScanner
ACLight
A useful script for advanced discovery of Domain Privileged Accounts that could be targeted, including Shadow Admins.
https://github.com/cyberark/ACLight
LAPSToolkit
Is a tool to audit and attack LAPS environments.
https://github.com/leoloobeek/LAPSToolkit
PingCastle
Is a free, Windows-based utility to audit the risk level of your AD infrastructure and check for vulnerable practices.
https://www.pingcastle.com/download
RiskySPNs
Is a collection of PowerShell scripts focused on detecting and abusing accounts associated with SPNs (Service Principal Names).
https://github.com/cyberark/RiskySPN
Mystique
Is a PowerShell tool to play with Kerberos S4U extensions. This module can assist blue teams to
identify risky Kerberos delegation configurations, as well as red teams to impersonate arbitrary users by
leveraging KCD with Protocol Transition.
https://github.com/machosec/Mystique
Rubeus
Is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin
Delpy’s Kekeo project.
https://github.com/GhostPack/Rubeus
kekeo
Is a little toolbox I have started to manipulate Microsoft Kerberos in C (and for fun).
https://github.com/gentilkiwi/kekeo
Local Escalation
UACMe
Is an open source assessment tool that contains many methods for bypassing Windows
User Account Control on multiple versions of the operating system.
https://github.com/hfiref0x/UACME
windows-kernel-exploits
A collection of Windows kernel exploits.
https://github.com/SecWiki/windows-kernel-exploits
PowerUp
Aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.
https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
The Elevate Kit
Demonstrates how to use third-party privilege escalation attacks with Cobalt Strike’s Beacon payload.
https://github.com/rsmudge/ElevateKit
Sherlock
Is a PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
https://github.com/rasta-mouse/Sherlock
Tokenvator
Is a tool to elevate privilege with Windows Tokens.