WinPEAS v2.0-beta by @carlospolopm, makikvues(makikvues2[at]gmail[dot]com)

/---------------------------------------------------------------------------\
|                          Do you like PEASS?                               |
|---------------------------------------------------------------------------|
|         Become a Patreon    :     https://www.patreon.com/peass           |
|         Follow on Twitter   :     @carlospolopm                           |
|---------------------------------------------------------------------------|
|                             Thank you!                                    |
\---------------------------------------------------------------------------/

  [+] Legend:
         Red                Indicates a special privilege over an object or something is misconfigured
         Green              Indicates that some protection is enabled or something is well configured
         Cyan               Indicates active users
         Blue               Indicates disabled users
         LightYellow        Indicates links

   [?] You can find a Windows local PE Checklist here: https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation
   Creating Dynamic lists, this could take a while, please wait...
   - Checking if domain...
   - Getting Win32_UserAccount info...
   - Creating current user groups list...
   - Creating active users list (local only)...
   - Creating disabled users list...
   - Admin users list...
   - Creating AppLocker bypass list...
   - Creating files/directories list for search...

==========================================(System Information)==========================================

[+] Basic System Information
   [?] Check if the Windows version is vulnerable to some known exploit https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits
    Hostname: ATOM
    ProductName: Windows 10 Enterprise
    EditionID: Enterprise
    ReleaseId: 2009
    BuildBranch: vb_release
    CurrentMajorVersionNumber: 10
    CurrentVersion: 6.3
    Architecture: x86
    ProcessorCount: 2
    SystemLang: en-US
    KeyboardLang: English (United States)
    TimeZone: (UTC-08:00) Pacific Time (US & Canada)
    IsVirtualMachine: True
    Current Time: 6/10/2021 9:45:17 AM
    HighIntegrity: False
    PartOfDomain: False
    Hotfixes: KB4601554, KB4562830, KB4570334, KB4577586, KB4580325, KB4586864, KB4589212, KB5000842, KB5000981,

   [?] Windows vulns search powered by Watson(https://github.com/rasta-mouse/Watson)
 [*] OS Version: 20H2 (19042)
 [*] Enumerating installed KBs...
 [*] Finished. Found 0 vulnerabilities.

[+] Showing All Microsoft Updates
    HotFix ID : KB4601554
    Installed At (UTC) : 4/5/2021 11:33:15 AM
    Title : 2021-02 Cumulative Update Preview for .NET Framework 3.5 and 4.8 for Windows 10, version 20H2 for x64 (KB4601554)
    Client Application ID : MoUpdateOrchestrator
    Description : Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
   =================================================================================================

    HotFix ID : KB4589212
    Installed At (UTC) : 4/5/2021 11:31:44 AM
    Title : 2021-01 Update for Windows 10 Version 20H2 for x64-based Systems (KB4589212)
    Client Application ID : MoUpdateOrchestrator
    Description : Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
   =================================================================================================

    HotFix ID : KB4577586
    Installed At (UTC) : 4/5/2021 11:31:35 AM
    Title : Update for Removal of Adobe Flash Player for Windows 10 Version 20H2 for x64-based systems (KB4577586)
    Client Application ID : MoUpdateOrchestrator
    Description : This update will remove Adobe Flash Player from your Windows machine. After you install this item, you may have to restart your computer.
   =================================================================================================

    HotFix ID : KB5000842
    Installed At (UTC) : 4/5/2021 10:52:37 AM
    Title : 2021-03 Cumulative Update Preview for Windows 10 Version 20H2 for x64-based Systems (KB5000842)
    Client Application ID : MoUpdateOrchestrator
    Description : Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
   =================================================================================================

    HotFix ID : KB5000802
    Installed At (UTC) : 4/3/2021 9:52:24 AM
    Title : 2021-03 Cumulative Update for Windows 10 Version 20H2 for x64-based Systems (KB5000802)
    Client Application ID : MoUpdateOrchestrator
    Description : Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
   =================================================================================================

    HotFix ID : KB4023057
    Installed At (UTC) : 4/3/2021 9:38:34 AM
    Title : 2021-01 Update for Windows 10 Version 20H2 for x64-based Systems (KB4023057)
    Client Application ID : MoUpdateOrchestrator
    Description : A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.
   =================================================================================================

    HotFix ID : KB4601050
    Installed At (UTC) : 4/3/2021 9:38:33 AM
    Title : 2021-02 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10, version 20H2 for x64 (KB4601050)
    Client Application ID : MoUpdateOrchestrator
    Description : A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.
   =================================================================================================

    HotFix ID : KB2267602
    Installed At (UTC) : 4/1/2021 8:18:26 PM
    Title : Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.333.1767.0)
    Client Application ID : MoUpdateOrchestrator
    Description : Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed.
   =================================================================================================

    HotFix ID : KB4052623
    Installed At (UTC) : 4/1/2021 8:17:33 PM
    Title : Update for Microsoft Defender Antivirus antimalware platform - KB4052623 (Version 4.18.2102.4)
    Client Application ID : MoUpdateOrchestrator
    Description : This package will update Microsoft Defender Antivirus antimalware platform's components on the user machine.
   =================================================================================================

    HotFix ID : KB2267602
    Installed At (UTC) : 4/1/2021 6:12:43 PM
    Title : Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.333.1761.0)
    Client Application ID : Microsoft Defender Antivirus (77BDAF73-B396-481F-9042-AD358843EC24)
    Description : Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed.
   =================================================================================================

[+] System Last Shutdown Date/time (from Registry)
    Last Shutdown Date/time : 4/14/2021 5:45:59 AM

[+] User Environment Variables
   [?] Check for some passwords or keys in the env variables
    Path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Program Files\nodejs\;C:\WINDOWS\System32\OpenSSH\;C:\Users\jason\AppData\Roaming\npm;%USERPROFILE%\AppData\Local\Microsoft\WindowsApps
    SESSIONNAME: Console
    PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
    USERDOMAIN: ATOM
    PROCESSOR_ARCHITECTURE: x86
    ProgramW6432: C:\Program Files
    DriverData: C:\Windows\System32\Drivers\DriverData
    PUBLIC: C:\Users\Public
    APPDATA: C:\Users\jason\AppData\Roaming
    windir: C:\WINDOWS
    LOCALAPPDATA: C:\Users\jason\AppData\Local
    CommonProgramW6432: C:\Program Files\Common Files
    OneDrive: C:\Users\jason\OneDrive
    USERPROFILE: C:\Users\jason
    ProgramFiles: C:\Program Files (x86)
    PROCESSOR_LEVEL: 23
    CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
    HOMEPATH: \Users\jason
    COMPUTERNAME: ATOM
    PROCESSOR_ARCHITEW6432: AMD64
    USERNAME: jason
    NUMBER_OF_PROCESSORS: 2
    PROCESSOR_IDENTIFIER: AMD64 Family 23 Model 1 Stepping 2, AuthenticAMD
    SystemRoot: C:\WINDOWS
    ComSpec: C:\WINDOWS\system32\cmd.exe
    LOGONSERVER: \\ATOM
    TEMP: C:\Users\jason\AppData\Local\Temp
    ProgramFiles(x86): C:\Program Files (x86)
    CommonProgramFiles: C:\Program Files (x86)\Common Files
    TMP: C:\Users\jason\AppData\Local\Temp
    USERDOMAIN_ROAMINGPROFILE: ATOM
    PROCESSOR_REVISION: 0102
    PROMPT: $P$G
    ALLUSERSPROFILE: C:\ProgramData
    SystemDrive: C:
    PSModulePath: C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\
    OS: Windows_NT
    ProgramData: C:\ProgramData
    HOMEDRIVE: C:

[+] System Environment Variables
   [?] Check for some passwords or keys in the env variables
    ComSpec: C:\WINDOWS\system32\cmd.exe
    DriverData: C:\Windows\System32\Drivers\DriverData
    OS: Windows_NT
    PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
    PROCESSOR_ARCHITECTURE: AMD64
    TEMP: C:\WINDOWS\TEMP
    TMP: C:\WINDOWS\TEMP
    USERNAME: SYSTEM
    windir: C:\WINDOWS
    NUMBER_OF_PROCESSORS: 2
    PROCESSOR_LEVEL: 23
    PROCESSOR_IDENTIFIER: AMD64 Family 23 Model 1 Stepping 2, AuthenticAMD
    PROCESSOR_REVISION: 0102
    Path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Program Files\nodejs\;C:\WINDOWS\System32\OpenSSH\
    PSModulePath: C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\

[+] Audit Settings
   [?] Check what is being logged
    Not Found

[+] Audit Policy Settings - Classic & Advanced

[+] WEF Settings
   [?] Windows Event Forwarding: it is interesting to know where the logs are sent
    Not Found

[+] LAPS Settings
   [?] If installed, local administrator password is changed frequently and is restricted by ACL
    LAPS Enabled: LAPS not installed

[+] Wdigest
   [?] If enabled, plain-text creds could be stored in LSASS https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#wdigest
    Wdigest is not enabled

[+] LSA Protection
   [?] If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key) https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#lsa-protection
    LSA Protection is not enabled

[+] Credentials Guard
   [?] If enabled, a driver is needed to read LSASS memory https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#credential-guard
    CredentialGuard is not enabled
    Virtualization Based Security Status: Not enabled
        Configured: False
        Running: False

[+] Cached Creds
   [?] If > 0, credentials will be cached in the registry and accessible by SYSTEM user https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#cached-credentials

[+] AV Information
  [X] Exception: Object reference not set to an instance of an object.
    No AV was detected!!
    Not Found

[+] Windows Defender configuration
    Local Settings
    Group Policy Settings

[+] UAC Status
   [?] If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
    ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
    EnableLUA: 1
    LocalAccountTokenFilterPolicy: 1
    FilterAdministratorToken: 1
      [*] LocalAccountTokenFilterPolicy set to 1.
      [+] Any local account can be used for lateral movement.

[+] PowerShell Settings
    PowerShell v2 Version: 2.0
    PowerShell v5 Version: 5.1.19041.1
    PowerShell Core Version:
    Transcription Settings:
    Module Logging Settings:
    Scriptblock Logging Settings:
    PS history file:
    PS history size:

[+] Enumerating PowerShell Session Settings using the registry
    You must be an administrator to run this check

[+] PS default transcripts history
  [i] Read the PS history inside these files (if any)

[+] HKCU Internet Settings
    CertificateRevocation: 1
    DisableCachingOfSSLPages: 0
    IE5_UA_Backup_Flag: 5.0
    PrivacyAdvanced: 1
    SecureProtocols: 2688
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    ZonesSecurityUpgrade: System.Byte[]
    WarnonZoneCrossing: 0
    EnableNegotiate: 1
    MigrateProxy: 1
    ProxyEnable: 0

[+] HKLM Internet Settings
    ActiveXCache: C:\Windows\Downloaded Program Files
    CodeBaseSearchPath: CODEBASE
    EnablePunycode: 1
    MinorVersion: 0
    WarnOnIntranet: 1

[+] Drives Information
   [?] Remember that you should search more info inside the other drives
    C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 5 GB)(Permissions: Authenticated Users [AppendData/CreateDirectories])

[+] Checking WSUS
   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus
    Not Found

[+] Checking AlwaysInstallElevated
   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
    AlwaysInstallElevated isn't available

[+] Enumerate LSA settings - auth packages included
    auditbasedirectories : 0
    auditbaseobjects : 0
    Bounds : 00-30-00-00-00-20-00-00
    crashonauditfail : 0
    LimitBlankPasswordUse : 1
    NoLmHash : 1
    Security Packages : ""
    Notification Packages : scecli
    Authentication Packages : msv1_0
    LsaCfgFlagsDefault : 0
    SecureBoot : 1
    disabledomaincreds : 0
    everyoneincludesanonymous : 0
    forceguest : 0
    restrictanonymous : 0
    restrictanonymoussam : 1
    fullprivilegeauditing : 80
    LsaCfgFlags : 0
    LsaPid : 684
    ProductType : 6

[+] Enumerating NTLM Settings
    LanmanCompatibilityLevel : (Send NTLMv2 response only - Win7+ default)

    NTLM Signing Settings
        ClientRequireSigning : False
        ClientNegotiateSigning : True
        ServerRequireSigning : False
        ServerNegotiateSigning : False
        LdapSigning : Negotiate signing (Negotiate signing)

    Session Security
        NTLMMinClientSec : 536870912 (Require 128-bit encryption)
        NTLMMinServerSec : 536870912 (Require 128-bit encryption)

    NTLM Auditing and Restrictions
        InboundRestrictions : (Not defined)
        OutboundRestrictions : (Not defined)
        InboundAuditing : (Not defined)
        OutboundExceptions :

[+] Display Local Group Policy settings - local users/machine
    Type : user
    Display Name : Local Group Policy
    Name : Local Group Policy
    Extensions : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
    File Sys Path : C:\WINDOWS\System32\GroupPolicy\User
    Link : Local
    GPO Link : Local Machine
    Options : All Sections Enabled
   =================================================================================================

[+] Checking AppLocker effective policy
    AppLockerPolicy version: 1
    listing rules:
  [X] Exception: Object reference not set to an instance of an object.
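The `Sddl` values WinPEAS prints for the printers and named pipes in the next section are raw security descriptors. What matters for privilege escalation is who can write to the object (for a pipe, FILE_WRITE_DATA; for any object, DELETE, WRITE_DAC, WRITE_OWNER or GENERIC_ALL) and whether that trustee is a broad one such as Everyone (WD), Anonymous (AN) or ALL APPLICATION PACKAGES (AC). The decoder below is an added example written for this page, not WinPEAS code. The sample descriptors are copied from the listing that follows; the BROAD_TRUSTEES set and the choice of which bits count as "write-capable" are this example's assumptions. The low 16 bits of a mask are object-specific (SW, LC, RP on a printer mean different things than on a file), so only standard and generic rights, plus the file write bits when the object is a pipe, are treated as write access.

```python
"""Decode WinPEAS 'Sddl' strings (printers, named pipes) and flag broad write access.

Added example for this page; not part of WinPEAS. Sample descriptors are copied
from the listing; BROAD_TRUSTEES and the write-bit selection are assumptions.
"""
import re
from dataclasses import dataclass

# Two-letter SDDL SID aliases that appear in the listing (subset of the full table).
SID_ALIASES = {
    "WD": "Everyone", "AN": "Anonymous", "AU": "Authenticated Users",
    "IU": "Interactive", "NU": "Network", "BU": "Users", "BG": "Guests",
    "BA": "Administrators", "SY": "SYSTEM", "LS": "Local Service",
    "NS": "Network Service", "CO": "Creator Owner", "OW": "Owner Rights",
    "AC": "All Application Packages",
}

# SDDL access-right mnemonics -> mask bits. Generic and standard rights mean the
# same for every object type; the low 16 bits (CC, DC, LC, ...) are object-specific.
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}

# Trustees that mean "anyone" or "any low-privileged caller" (assumption for triage).
BROAD_TRUSTEES = {"WD", "AN", "AU", "AC", "BU", "IU", "NU", "BG", "S-1-1-0", "S-1-15-2-1"}

STANDARD_WRITE = RIGHTS["SD"] | RIGHTS["WD"] | RIGHTS["WO"]  # DELETE, WRITE_DAC, WRITE_OWNER
GENERIC_WRITE = RIGHTS["GA"] | RIGHTS["GW"]
PIPE_WRITE = 0x2 | 0x4  # FILE_WRITE_DATA | FILE_APPEND_DATA on a file-like object


@dataclass
class Ace:
    ace_type: str  # "A" allow, "D" deny; audit/object ACE types are kept but never count as grants
    flags: str     # inheritance flags, e.g. "OIIO" = object-inherit + inherit-only
    rights: int
    trustee: str   # two-letter alias or full SID string

    @property
    def trustee_name(self) -> str:
        return SID_ALIASES.get(self.trustee, self.trustee)


def parse_rights(field: str) -> int:
    """'0x12019b' -> int; 'LCSWSDRCWDWO' -> OR of the two-letter mnemonics."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError(f"odd-length rights field: {field!r}")
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]
    return mask


_DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^)]*\))*)")
_ACE_RE = re.compile(r"\(([^)]*)\)")
_OWNER_RE = re.compile(r"O:(.*?)(?=G:|D:|S:)")


def parse_sddl(sddl: str) -> dict:
    """Return the owner, the DACL control flags (e.g. 'P' = protected) and the ACEs in order."""
    m = _DACL_RE.search(sddl)
    if not m:
        raise ValueError("SDDL has no DACL (D:) component")
    aces = []
    for raw in _ACE_RE.findall(m.group(2)):
        parts = raw.split(";")
        if len(parts) < 6:
            raise ValueError(f"malformed ACE: {raw!r}")
        ace_type, flags, rights, _object_guid, _inherit_guid, sid = parts[:6]
        aces.append(Ace(ace_type, flags, parse_rights(rights), sid))
    owner = _OWNER_RE.search(sddl)
    return {"owner": owner.group(1) if owner else None, "dacl_flags": m.group(1), "aces": aces}


def risky_grants(sddl: str, kind: str) -> list[tuple[str, int, str]]:
    """Allow ACEs that give write-capable rights to a broad trustee.

    kind == "pipe" adds FILE_WRITE_DATA/FILE_APPEND_DATA; any other kind uses only the
    standard and generic bits. Each hit is (trustee name, rights mask, inheritance flags);
    an inherit-only ACE ("IO") applies to child objects, not to the object itself.
    """
    write_bits = STANDARD_WRITE | GENERIC_WRITE | (PIPE_WRITE if kind == "pipe" else 0)
    return [(a.trustee_name, a.rights, a.flags)
            for a in parse_sddl(sddl)["aces"]
            if a.ace_type == "A" and a.trustee in BROAD_TRUSTEES and a.rights & write_bits]


# Descriptors copied from the WinPEAS listing on this page.
EVENTLOG_PIPE = ("O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)"
                 "(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)")
ROUTER_PIPE = "O:SYG:SYD:P(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;SY)"
SEARCH_PIPE = "O:SYG:SYD:P(D;;FA;;;NU)(D;;FA;;;BG)(A;;FR;;;IU)(A;;FA;;;SY)(A;;FA;;;BA)"
VGAUTH_PIPE = "O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)"
PRINTER = ("O:SYD:(A;;SWRC;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)"
           "(A;OIIO;RPWPSDRCWDWO;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)"
           "(A;;LCSWSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)"
           "(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)"
           "(A;OIIO;GA;;;CO)(A;OIIO;GA;;;AC)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;SWRC;;;AC)(A;CIIO;GX;;;AC)"
           "(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)")

if __name__ == "__main__":
    for name, sddl, kind in [("eventlog", EVENTLOG_PIPE, "pipe"), ("ROUTER", ROUTER_PIPE, "pipe"),
                             ("SearchTextHarvester", SEARCH_PIPE, "pipe"),
                             ("vgauth-service", VGAUTH_PIPE, "pipe"),
                             ("Microsoft Print to PDF", PRINTER, "printer")]:
        for trustee, mask, flags in risky_grants(sddl, kind):
            print(f"{name}: {trustee} holds 0x{mask:08x} (flags={flags or '-'})")
```

A hit is a lead, not a finding: Everyone being able to write to the `eventlog` pipe is by design (that is how clients submit events), and the GA grant to ALL APPLICATION PACKAGES on the printers is inherit-only, so it governs print jobs rather than the printer object. The descriptors worth following up are pipes owned by a privileged service (see the `O:` owner) where an unprivileged caller can write and the server trusts what it reads, and any object where a broad trustee holds WRITE_DAC or WRITE_OWNER, since that lets the caller rewrite the ACL itself.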
[+] Enumerating Printers (WMI)
    Name: Microsoft XPS Document Writer
    Status: Unknown
    Sddl: O:SYD:(A;;SWRC;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;OIIO;RPWPSDRCWDWO;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;;LCSWSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;GA;;;CO)(A;OIIO;GA;;;AC)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;SWRC;;;AC)(A;CIIO;GX;;;AC)(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)
    Is default: False
    Is network printer: False
   =================================================================================================

    Name: Microsoft Print to PDF
    Status: Unknown
    Sddl: O:SYD:(A;;SWRC;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;OIIO;RPWPSDRCWDWO;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;;LCSWSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;GA;;;CO)(A;OIIO;GA;;;AC)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;SWRC;;;AC)(A;CIIO;GX;;;AC)(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)
    Is default: True
    Is network printer: False
   =================================================================================================

    Name: Fax
    Status: Unknown
    Sddl: O:SYD:(A;;SWRC;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;OIIO;RPWPSDRCWDWO;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;;LCSWSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;GA;;;CO)(A;OIIO;GA;;;AC)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;SWRC;;;AC)(A;CIIO;GX;;;AC)(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)
    Is default: False
    Is network printer: False
   =================================================================================================

[+] Enumerating Named Pipes
    Name                   Sddl
    eventlog               O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)
    ROUTER                 O:SYG:SYD:P(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;SY)
    SearchTextHarvester    O:SYG:SYD:P(D;;FA;;;NU)(D;;FA;;;BG)(A;;FR;;;IU)(A;;FA;;;SY)(A;;FA;;;BA)
    vgauth-service         O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)

[+] Enumerating AMSI registered providers
    Provider: {2781761E-28E0-4109-99FE-B9D127C57AFE}
    Path: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2102.4-0\X86\MpOav.dll"
   =================================================================================================

[+] Enumerating Sysmon configuration
    You must be an administrator to run this check

[+] Enumerating Sysmon process creation logs (1)
    You must be an administrator to run this check

[+] Installed .NET versions
    CLR Versions
    4.0.30319
    .NET Versions
    4.8.04084
    .NET & AMSI (Anti-Malware Scan Interface) support
    .NET version supports AMSI : True
    OS supports AMSI : True
    [!] The highest .NET version is enrolled in AMSI!

==============================(Interesting Events information)==============================

[+] Printing Explicit Credential Events (4648) for last 30 days - A process logged on using plaintext credentials
    You must be an administrator to run this check

[+] Printing Account Logon Events (4624) for the last 10 days.
    You must be an administrator to run this check

[+] Process creation events - searching logs (EID 4688) for sensitive data.
    You must be an administrator to run this check

[+] PowerShell events - script block logs (EID 4104) - searching for sensitive data.

[+] Displaying Power off/on events for last 5 days
    6/9/2021 9:48:00 PM : Startup

===========================================(Users Information)===========================================

[+] Users
   [?] Check if you have some admin equivalent privileges https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups
    Current user: jason
    Current groups: Domain Users, Everyone, Users, Interactive, Console Logon, Authenticated Users, This Organization, Local account, Local, NTLM Authentication
   =================================================================================================
    ATOM\Administrator: Built-in account for administering the computer/domain
        |->Groups: Administrators
        |->Password: CanChange-NotExpi-Req

    ATOM\DefaultAccount(Disabled): A user account managed by the system.
        |->Groups: System Managed Accounts Group
        |->Password: CanChange-NotExpi-NotReq

    ATOM\Guest: Built-in account for guest access to the computer/domain
        |->Groups: Guests
        |->Password: NotChange-NotExpi-NotReq

    ATOM\jason
        |->Groups: Users
        |->Password: CanChange-NotExpi-Req

    ATOM\WDAGUtilityAccount(Disabled): A user account managed and used by the system for Windows Defender Application Guard scenarios.
        |->Password: CanChange-Expi-Req

[+] Current User Idle Time
    Current User : ATOM\jason
    Idle Time    : 11h:57m:09s:188ms

[+] Display Tenant information (DsRegCmd.exe /status)
    Tenant is NOT Azure AD Joined.

[+] Current Token privileges
   [?] Check if you can escalate privilege using some enabled token https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#token-manipulation
    SeShutdownPrivilege: DISABLED
    SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
    SeUndockPrivilege: DISABLED
    SeIncreaseWorkingSetPrivilege: DISABLED
    SeTimeZonePrivilege: DISABLED

[+] Clipboard text

[+] Logged users
    ATOM\Administrator
    ATOM\jason

[+] Display information about local users
    Computer Name : ATOM
    User Name : Administrator
    User Id : 500
    Is Enabled : True
    User Type : Administrator
    Comment : Built-in account for administering the computer/domain
    Last Logon : 6/9/2021 9:49:28 PM
    Logons Count : 128
    Password Last Set : 3/31/2021 3:03:21 AM
   =================================================================================================

    Computer Name : ATOM
    User Name : DefaultAccount
    User Id : 503
    Is Enabled : False
    User Type : Guest
    Comment : A user account managed by the system.
    Last Logon : 1/1/1970 12:00:00 AM
    Logons Count : 0
    Password Last Set : 1/1/1970 12:00:00 AM
   =================================================================================================

    Computer Name : ATOM
    User Name : Guest
    User Id : 501
    Is Enabled : True
    User Type : Guest
    Comment : Built-in account for guest access to the computer/domain
    Last Logon : 6/10/2021 9:28:52 AM
    Logons Count : 0
    Password Last Set : 1/1/1970 12:00:00 AM
   =================================================================================================

    Computer Name : ATOM
    User Name : jason
    User Id : 1002
    Is Enabled : True
    User Type : User
    Comment :
    Last Logon : 6/10/2021 7:37:23 AM
    Logons Count : 65
    Password Last Set : 3/30/2021 1:14:57 PM
   =================================================================================================

    Computer Name : ATOM
    User Name : WDAGUtilityAccount
    User Id : 504
    Is Enabled : False
    User Type : Guest
    Comment : A user account managed and used by the system for Windows Defender Application Guard scenarios.
    Last Logon : 1/1/1970 12:00:00 AM
    Logons Count : 0
    Password Last Set : 4/1/2021 3:51:54 AM
   =================================================================================================

[+] RDP Sessions
    SessID    pSessionName    pUserName    pDomainName    State     SourceIP
    1         Console         jason        ATOM           Active    239.0.112.237

[+] Ever logged users
    ATOM\Administrator
    ATOM\jason

[+] Home folders found
    C:\Users\Administrator
    C:\Users\All Users
    C:\Users\Default
    C:\Users\Default User
    C:\Users\jason : jason [AllAccess]
    C:\Users\Public : Interactive [WriteData/CreateFiles]

[+] Looking for AutoLogon credentials
    Not Found

[+] Password Policies
   [?] Check for a possible brute-force
    Domain: Builtin
    SID: S-1-5-32
    MaxPasswordAge: 42.22:47:31.7437440
    MinPasswordAge: 00:00:00
    MinPasswordLength: 0
    PasswordHistoryLength: 0
    PasswordProperties: 0
   =================================================================================================

    Domain: ATOM
    SID: S-1-5-21-1199094703-3580107816-3092147818
    MaxPasswordAge: 42.00:00:00
    MinPasswordAge: 00:00:00
    MinPasswordLength: 0
    PasswordHistoryLength: 0
    PasswordProperties: 0
   =================================================================================================

[+] Print Logon Sessions
    Method: WMI
    Logon Server:
    Logon Server Dns Domain:
    Logon Id: 326667
    Logon Time:
    Logon Type: Interactive
    Start Time: 6/9/2021 9:48:36 PM
    Domain: ATOM
    Authentication Package: NTLM
    Start Time: 6/9/2021 9:48:36 PM
    User Name: jason
    User Principal Name:
    User SID:
   =================================================================================================

=======================================(Processes Information)=======================================

[+] Interesting Processes -non Microsoft-
   [?] Check for interesting processes to memory-dump, or whether you could overwrite a running binary https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes
    explorer(3740)[C:\WINDOWS\Explorer.EXE] -- POwn: jason
    Command Line: C:\WINDOWS\Explorer.EXE
   =================================================================================================

    r'm4rio(4724)[C:\Users\jason\AppData\Roaming\heedv1\__update__\r'm4rio.exe] -- POwn: jason
    Permissions: jason [AllAccess]
    Possible DLL Hijacking folder: C:\Users\jason\AppData\Roaming\heedv1\__update__ (jason [AllAccess])
    Command Line: C:\Users\jason\AppData\Roaming\heedv1\__update__\r'm4rio.exe --updated --force-run
   =================================================================================================

    node(2688)[C:\Program Files\nodejs\node.exe] -- POwn: jason
    Command Line: "node" "c:\Users\jason\Downloads\node_modules\.bin\\..\http-server\bin\http-server" c:\software_updates\client3 -p 8083
   =================================================================================================

    cmd(6680)[C:\WINDOWS\system32\cmd.exe] -- POwn: jason
    Command Line: C:\WINDOWS\system32\cmd.exe /K c:\users\jason\downloads\node_modules\.bin\http-server c:\software_updates\client2 -p 8082
   =================================================================================================

    RuntimeBroker(7072)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: jason
    Command Line: C:\Windows\System32\RuntimeBroker.exe -Embedding
   =================================================================================================

    r'm4rio(5296)[C:\Users\jason\AppData\Roaming\heedv2\__update__\r'm4rio.exe] -- POwn: jason
    Permissions: jason [AllAccess]
    Possible DLL Hijacking folder: C:\Users\jason\AppData\Roaming\heedv2\__update__ (jason [AllAccess])
    Command Line: C:\Users\jason\AppData\Roaming\heedv2\__update__\r'm4rio.exe --updated --force-run
   =================================================================================================

    cmd(368)[C:\WINDOWS\system32\cmd.exe] -- POwn: jason
    Command Line: C:\WINDOWS\system32\cmd.exe /K c:\users\jason\downloads\node_modules\.bin\http-server c:\software_updates\client3 -p 8083
   =================================================================================================

    WinStore.App(8824)[C:\Program Files\WindowsApps\Microsoft.WindowsStore_12101.1001.14.0_x64__8wekyb3d8bbwe\WinStore.App.exe] -- POwn: jason
    Command Line: "C:\Program Files\WindowsApps\Microsoft.WindowsStore_12101.1001.14.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
   =================================================================================================

    conhost(836)[C:\WINDOWS\system32\conhost.exe] -- POwn: jason
    Command Line: \??\C:\WINDOWS\system32\conhost.exe 0x4
   =================================================================================================

    SearchApp(6904)[C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe] -- POwn: jason
    Command Line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
   =================================================================================================

    ApplicationFrameHost(8812)[C:\WINDOWS\system32\ApplicationFrameHost.exe] -- POwn: jason
    Command Line: C:\WINDOWS\system32\ApplicationFrameHost.exe -Embedding
   =================================================================================================

    PING(8216)[C:\WINDOWS\system32\PING.EXE] -- POwn: jason
    Command Line: ping -n 300 127.0.0.1
   =================================================================================================

    RuntimeBroker(6244)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: jason
    Command Line: C:\Windows\System32\RuntimeBroker.exe -Embedding
   =================================================================================================

    dllhost(2892)[C:\WINDOWS\system32\DllHost.exe] -- POwn: jason
    Command Line: C:\WINDOWS\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
   =================================================================================================

    RuntimeBroker(7780)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: jason
    Command Line: C:\Windows\System32\RuntimeBroker.exe -Embedding
   =================================================================================================

    vm3dservice(7976)[C:\Windows\System32\vm3dservice.exe] -- POwn: jason
    Command Line: "C:\Windows\System32\vm3dservice.exe" -u
   =================================================================================================

    RuntimeBroker(8960)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: jason
    Command Line: C:\Windows\System32\RuntimeBroker.exe -Embedding
   =================================================================================================

    vmtoolsd(8124)[C:\Program Files\VMware\VMware Tools\vmtoolsd.exe] -- POwn: jason
    Command Line: "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
   =================================================================================================

    cmd(5424)[C:\WINDOWS\SYSTEM32\cmd.exe] -- POwn: jason
    Command Line: C:\WINDOWS\SYSTEM32\cmd.exe /c "C:\Users\jason\appdata\roaming\cache\run.bat"
   =================================================================================================

    cmd(5404)[C:\WINDOWS\SYSTEM32\cmd.exe] -- POwn: jason
    Command Line: C:\WINDOWS\SYSTEM32\cmd.exe /c "C:\Users\jason\appdata\roaming\cache\clean.bat"
   =================================================================================================

    svchost(1200)[C:\WINDOWS\system32\svchost.exe] -- POwn: jason
    Command Line: C:\WINDOWS\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
   =================================================================================================

    node(2472)[C:\Program Files\nodejs\node.exe] -- POwn: jason
    Command Line: "node" "c:\Users\jason\Downloads\node_modules\.bin\\..\http-server\bin\http-server" c:\software_updates\client1 -p 8081
   =================================================================================================

    cmd(2396)[C:\WINDOWS\SysWOW64\cmd.exe] -- POwn: jason
    Command Line: C:\WINDOWS\system32\cmd.exe
   =================================================================================================

    YourPhone(8660)[C:\Program Files\WindowsApps\Microsoft.YourPhone_1.21022.160.0_x64__8wekyb3d8bbwe\YourPhone.exe] -- POwn: jason
    Command Line: "C:\Program Files\WindowsApps\Microsoft.YourPhone_1.21022.160.0_x64__8wekyb3d8bbwe\YourPhone.exe" -ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca
   =================================================================================================

    cmd(8364)[C:\WINDOWS\system32\cmd.exe] -- POwn: jason
    Command Line: cmd
   =================================================================================================

    svchost(5272)[C:\WINDOWS\system32\svchost.exe] -- POwn: jason
    Command Line: C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
   =================================================================================================

    node(2452)[C:\Program Files\nodejs\node.exe] -- POwn: jason
    Command Line: "node" "c:\Users\jason\Downloads\node_modules\.bin\\..\http-server\bin\http-server" c:\software_updates\client2 -p 8082
   =================================================================================================

    StartMenuExperienceHost(6596)[C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe] -- POwn: jason
    Command Line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
   =================================================================================================

    r'm4rio(9196)[C:\Users\jason\AppData\Roaming\heedv2\__update__\r'm4rio.exe] -- POwn: jason
    Permissions: jason [AllAccess]
    Possible DLL Hijacking folder: C:\Users\jason\AppData\Roaming\heedv2\__update__ (jason [AllAccess])
    Command Line: C:\Users\jason\AppData\Roaming\heedv2\__update__\r'm4rio.exe --updated --force-run
   =================================================================================================

    cmd(560)[C:\WINDOWS\system32\cmd.exe] -- POwn: jason
    Command Line: C:\WINDOWS\system32\cmd.exe /K c:\users\jason\downloads\node_modules\.bin\http-server c:\software_updates\client1 -p 8081
   =================================================================================================

    p'ayload(8552)[C:\Users\jason\AppData\Roaming\heedv2\__update__\p'ayload.exe] -- POwn: jason
    Permissions: jason [AllAccess]
    Possible DLL Hijacking folder: C:\Users\jason\AppData\Roaming\heedv2\__update__ (jason [AllAccess])
    Command Line: C:\Users\jason\AppData\Roaming\heedv2\__update__\p'ayload.exe --updated --force-run
   =================================================================================================

    PING(9096)[C:\WINDOWS\system32\PING.EXE] -- POwn: jason
    Command Line: ping -n 30 127.0.0.1
   =================================================================================================

    sihost(5220)[C:\WINDOWS\system32\sihost.exe] -- POwn: jason
    Command Line: sihost.exe
   =================================================================================================

    taskhostw(5396)[C:\WINDOWS\system32\taskhostw.exe] -- POwn: jason
    Command Line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
   =================================================================================================

    conhost(864)[C:\WINDOWS\system32\conhost.exe] -- POwn: jason
    Command Line: \??\C:\WINDOWS\system32\conhost.exe 0x4
================================================================================================= winpeas(2272)[C:\Users\jason\AppData\winpeas.exe] -- POwn: jason -- isDotNet Permissions: jason [AllAccess] Possible DLL Hijacking folder: C:\Users\jason\AppData (jason [AllAccess]) Command Line: winpeas ================================================================================================= r'myshell(7616)[C:\Users\jason\AppData\Roaming\heedv1\__update__\r'myshell.exe] -- POwn: jason Permissions: jason [AllAccess] Possible DLL Hijacking folder: C:\Users\jason\AppData\Roaming\heedv1\__update__ (jason [AllAccess]) Command Line: C:\Users\jason\AppData\Roaming\heedv1\__update__\r'myshell.exe --updated --force-run ================================================================================================= ShellExperienceHost(7720)[C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe] -- POwn: jason Command Line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca ================================================================================================= svchost(1284)[C:\WINDOWS\system32\svchost.exe] -- POwn: jason Command Line: C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup ================================================================================================= conhost(5356)[C:\WINDOWS\system32\conhost.exe] -- POwn: jason Command Line: \??\C:\WINDOWS\system32\conhost.exe 0x4 ================================================================================================= UserOOBEBroker(7268)[C:\Windows\System32\oobe\UserOOBEBroker.exe] -- POwn: jason Command Line: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding ================================================================================================= RuntimeBroker(6724)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: jason Command Line: 
C:\Windows\System32\RuntimeBroker.exe -Embedding ================================================================================================= conhost(5132)[C:\WINDOWS\system32\conhost.exe] -- POwn: jason Command Line: \??\C:\WINDOWS\system32\conhost.exe 0x4 ================================================================================================= conhost(5720)[C:\WINDOWS\system32\conhost.exe] -- POwn: jason Command Line: \??\C:\WINDOWS\system32\conhost.exe 0x4 ================================================================================================= RuntimeBroker(7492)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: jason Command Line: C:\Windows\System32\RuntimeBroker.exe -Embedding ================================================================================================= svchost(5324)[C:\WINDOWS\system32\svchost.exe] -- POwn: jason Command Line: C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService ================================================================================================= ========================================(Services Information)======================================== [+] Interesting Services -non Microsoft- [?] 
Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services ALG(Application Layer Gateway Service)[C:\WINDOWS\System32\alg.exe] - Manual - Stopped Provides support for 3rd party protocol plug-ins for Internet Connection Sharing ================================================================================================= Apache2.4(Apache2.4)["C:\xampp\apache\bin\httpd.exe" -k runservice] - Auto - Running Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 ================================================================================================= AppVClient(Microsoft App-V Client)[C:\WINDOWS\system32\AppVClient.exe] - Disabled - Stopped Manages App-V users and virtual applications ================================================================================================= diagnosticshub.standardcollector.service(Microsoft (R) Diagnostics Hub Standard Collector Service)[C:\WINDOWS\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe] - Manual - Stopped Diagnostics Hub Standard Collector Service. When running, this service collects real time ETW events and processes them. ================================================================================================= EFS(Encrypting File System (EFS))[C:\WINDOWS\System32\lsass.exe] - Manual - Stopped Provides the core file encryption technology used to store encrypted files on NTFS file system volumes. If this service is stopped or disabled, applications will be unable to access encrypted files. ================================================================================================= Fax(Fax)[C:\WINDOWS\system32\fxssvc.exe] - Manual - Stopped Enables you to send and receive faxes, utilizing fax resources available on this computer or on the network. 
================================================================================================= KeyIso(CNG Key Isolation)[C:\WINDOWS\system32\lsass.exe] - Manual - Running The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements. ================================================================================================= MSDTC(Distributed Transaction Coordinator)[C:\WINDOWS\System32\msdtc.exe] - Manual - Running Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will fail. If this service is disabled, any services that explicitly depend on it will fail to start. ================================================================================================= Netlogon(Netlogon)[C:\WINDOWS\system32\lsass.exe] - Manual - Stopped Maintains a secure channel between this computer and the domain controller for authenticating users and services. If this service is stopped, the computer may not authenticate users and services and the domain controller cannot register DNS records. If this service is disabled, any services that explicitly depend on it will fail to start. ================================================================================================= perceptionsimulation(Windows Perception Simulation Service)[C:\WINDOWS\system32\PerceptionSimulation\PerceptionSimulationService.exe] - Manual - Stopped Enables spatial perception simulation, virtual camera management and spatial input simulation. 
================================================================================================= Redis(Redis)["C:\Program Files\Redis\redis-server.exe" --service-run "C:\Program Files\Redis\redis.windows-service.conf"] - Auto - Running This service runs the Redis server ================================================================================================= RpcLocator(Remote Procedure Call (RPC) Locator)[C:\WINDOWS\system32\locator.exe] - Manual - Stopped In Windows 2003 and earlier versions of Windows, the Remote Procedure Call (RPC) Locator service manages the RPC name service database. In Windows Vista and later versions of Windows, this service does not provide any functionality and is present for application compatibility. ================================================================================================= SamSs(Security Accounts Manager)[C:\WINDOWS\system32\lsass.exe] - Auto - Running The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests. Disabling this service will prevent other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled. 
================================================================================================= SecurityHealthService(Windows Security Service)[C:\WINDOWS\system32\SecurityHealthService.exe] - Manual - Running Windows Security Service handles unified device protection and health information ================================================================================================= SensorDataService(Sensor Data Service)[C:\WINDOWS\System32\SensorDataService.exe] - Manual - Stopped Delivers data from a variety of sensors ================================================================================================= SgrmBroker(System Guard Runtime Monitor Broker)[C:\WINDOWS\system32\SgrmBroker.exe] - Auto - Running Monitors and attests to the integrity of the Windows platform. ================================================================================================= SNMPTRAP(SNMP Trap)[C:\WINDOWS\System32\snmptrap.exe] - Manual - Stopped Receives trap messages generated by local or remote Simple Network Management Protocol (SNMP) agents and forwards the messages to SNMP management programs running on this computer. If this service is stopped, SNMP-based programs on this computer will not receive SNMP trap messages. If this service is disabled, any services that explicitly depend on it will fail to start. ================================================================================================= spectrum(Windows Perception Service)[C:\WINDOWS\system32\spectrum.exe] - Manual - Stopped Enables spatial perception, spatial input, and holographic rendering. ================================================================================================= Spooler(Print Spooler)[C:\WINDOWS\System32\spoolsv.exe] - Auto - Running This service spools print jobs and handles interaction with the printer. If you turn off this service, you won't be able to print or see your printers. 
================================================================================================= sppsvc(Software Protection)[C:\WINDOWS\system32\sppsvc.exe] - Auto - Stopped Enables the download, installation and enforcement of digital licenses for Windows and Windows applications. If the service is disabled, the operating system and licensed applications may run in a notification mode. It is strongly recommended that you not disable the Software Protection service. ================================================================================================= ssh-agent(OpenSSH Authentication Agent)[C:\WINDOWS\System32\OpenSSH\ssh-agent.exe] - Disabled - Stopped Agent to hold private keys used for public key authentication. ================================================================================================= TieringEngineService(Storage Tiers Management)[C:\WINDOWS\system32\TieringEngineService.exe] - Manual - Stopped Optimizes the placement of data in storage tiers on all tiered storage spaces in the system. ================================================================================================= UevAgentService(User Experience Virtualization Service)[C:\WINDOWS\system32\AgentService.exe] - Disabled - Stopped Provides support for application and OS settings roaming ================================================================================================= VaultSvc(Credential Manager)[C:\WINDOWS\system32\lsass.exe] - Manual - Running Provides secure storage and retrieval of credentials to users, applications and security service packages. ================================================================================================= vds(Virtual Disk)[C:\WINDOWS\System32\vds.exe] - Manual - Stopped Provides management services for disks, volumes, file systems, and storage arrays. ================================================================================================= VGAuthService(VMware, Inc. 
- VMware Alias Manager and Ticket Service)["C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"] - Auto - Running Alias Manager and Ticket Service ================================================================================================= vm3dservice(VMware SVGA Helper Service)[C:\WINDOWS\system32\vm3dservice.exe] - Auto - Running Helps VMware SVGA driver by collecting and conveying user mode information ================================================================================================= VMTools(VMware, Inc. - VMware Tools)["C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"] - Auto - Running Provides support for synchronizing objects between the host and guest operating systems. ================================================================================================= VSS(Volume Shadow Copy)[C:\WINDOWS\system32\vssvc.exe] - Manual - Stopped Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start. ================================================================================================= wbengine(Block Level Backup Engine Service)["C:\WINDOWS\system32\wbengine.exe"] - Manual - Stopped The WBENGINE service is used by Windows Backup to perform backup and recovery operations. If this service is stopped by a user, it may cause the currently running backup or recovery operation to fail. Disabling this service may disable backup and recovery operations using Windows Backup on this computer. ================================================================================================= wmiApSrv(WMI Performance Adapter)[C:\WINDOWS\system32\wbem\WmiApSrv.exe] - Manual - Stopped Provides performance library information from Windows Management Instrumentation (WMI) providers to clients on the network. 
This service only runs when Performance Data Helper is activated. ================================================================================================= CredentialEnrollmentManagerUserSvc_5519f(CredentialEnrollmentManagerUserSvc_5519f)[C:\WINDOWS\system32\CredentialEnrollmentManager.exe] - Manual - Stopped Credential Enrollment Manager ================================================================================================= [+] Modifiable Services [?] Check if you can modify any service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services You cannot modify any service [+] Looking if you can modify any service registry [?] Check if you can modify the registry of a service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services-registry-permissions [-] Looks like you cannot change the registry of any service... [+] Checking write permissions in PATH folders (DLL Hijacking) [?] Check for DLL Hijacking in PATH folders https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking C:\WINDOWS\system32 C:\WINDOWS C:\WINDOWS\System32\Wbem C:\WINDOWS\System32\WindowsPowerShell\v1.0\ C:\Program Files\nodejs\ C:\WINDOWS\System32\OpenSSH\ ====================================(Applications Information)==================================== [+] Current Active Window Application http-server [+] Installed Applications --Via Program Files/Uninstall registry-- [?] 
Check if you can modify installed software https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software C:\Program Files (x86)\Microsoft\Edge\Application ==> C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20201118234329.pma (Authenticated Users [DeleteSubdirectoriesAndFiles]) ==> C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20201118234330.pma (Authenticated Users [DeleteSubdirectoriesAndFiles]) ==> C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20201118234448.pma (Authenticated Users [DeleteSubdirectoriesAndFiles]) ==> C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20210401035419.pma (Authenticated Users [DeleteSubdirectoriesAndFiles]) ==> C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20210401040453.pma (Authenticated Users [DeleteSubdirectoriesAndFiles]) ==> C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20210402195548.pma (Authenticated Users [DeleteSubdirectoriesAndFiles]) ==> C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20210402200419.pma (Authenticated Users [DeleteSubdirectoriesAndFiles]) ==> C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20210402200420.pma (Authenticated Users [DeleteSubdirectoriesAndFiles]) ==> C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20210413023100.pma (Authenticated Users [DeleteSubdirectoriesAndFiles]) ==> C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20210413023115.pma (Authenticated Users [DeleteSubdirectoriesAndFiles]) C:\Program Files\Common Files C:\Program Files\CUAssistant C:\Program Files\desktop.ini C:\Program Files\Internet Explorer C:\Program Files\Microsoft Update Health Tools C:\Program Files\ModifiableWindowsApps C:\Program Files\nodejs C:\Program Files\Redis C:\Program Files\rempl C:\Program Files\Uninstall Information C:\Program Files\VMware C:\Program Files\Windows Defender C:\Program Files\Windows Defender Advanced Threat Protection 
C:\Program Files\Windows Mail C:\Program Files\Windows Media Player C:\Program Files\Windows Multimedia Platform C:\Program Files\Windows NT C:\Program Files\Windows Photo Viewer C:\Program Files\Windows Portable Devices C:\Program Files\Windows Security C:\Program Files\Windows Sidebar C:\Program Files\WindowsApps C:\Program Files\WindowsPowerShell [+] Autorun Applications [?] Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there) https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Key: Common Startup Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Unquoted and Space detected) ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Key: Common Startup Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Unquoted and Space detected) ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Key: Shell Folder: None (PATH Injection) File: explorer.exe ================================================================================================= RegPath: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot Key: AlternateShell Folder: None (PATH Injection) File: cmd.exe ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers Key: Adobe Type Manager Folder: None (PATH Injection) File: atmfd.dll ================================================================================================= RegPath: HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers 
Key: Adobe Type Manager Folder: None (PATH Injection) File: atmfd.dll ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: aux Folder: None (PATH Injection) File: wdmaud.drv ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: midi Folder: None (PATH Injection) File: wdmaud.drv ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: midimapper Folder: None (PATH Injection) File: midimap.dll ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: mixer Folder: None (PATH Injection) File: wdmaud.drv ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: msacm.imaadpcm Folder: None (PATH Injection) File: imaadp32.acm ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: msacm.msadpcm Folder: None (PATH Injection) File: msadp32.acm ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: msacm.msg711 Folder: None (PATH Injection) File: msg711.acm ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: msacm.msgsm610 Folder: None (PATH Injection) File: msgsm32.acm 
================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.cvid Folder: None (PATH Injection) File: iccvid.dll ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.i420 Folder: None (PATH Injection) File: iyuv_32.dll ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.iyuv Folder: None (PATH Injection) File: iyuv_32.dll ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.mrle Folder: None (PATH Injection) File: msrle32.dll ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.msvc Folder: None (PATH Injection) File: msvidc32.dll ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.uyvy Folder: None (PATH Injection) File: msyuv.dll ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.yuy2 Folder: None (PATH Injection) File: msyuv.dll ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.yvu9 Folder: None (PATH Injection) File: tsbyuv.dll ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows 
NT\CurrentVersion\Drivers32 Key: vidc.yvyu Folder: None (PATH Injection) File: msyuv.dll ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: wave Folder: None (PATH Injection) File: wdmaud.drv ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: wavemapper Folder: None (PATH Injection) File: msacm32.drv ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: msacm.l3acm Folder: C:\Windows\SysWOW64 File: C:\Windows\SysWOW64\l3codeca.acm ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: aux Folder: None (PATH Injection) File: wdmaud.drv ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: midi Folder: None (PATH Injection) File: wdmaud.drv ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: midimapper Folder: None (PATH Injection) File: midimap.dll ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: mixer Folder: None (PATH Injection) File: wdmaud.drv ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: msacm.imaadpcm Folder: None (PATH Injection) File: imaadp32.acm 
================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: msacm.msadpcm Folder: None (PATH Injection) File: msadp32.acm ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: msacm.msg711 Folder: None (PATH Injection) File: msg711.acm ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: msacm.msgsm610 Folder: None (PATH Injection) File: msgsm32.acm ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.cvid Folder: None (PATH Injection) File: iccvid.dll ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.i420 Folder: None (PATH Injection) File: iyuv_32.dll ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.iyuv Folder: None (PATH Injection) File: iyuv_32.dll ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.mrle Folder: None (PATH Injection) File: msrle32.dll ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.msvc Folder: None (PATH Injection) File: msvidc32.dll 
================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.uyvy Folder: None (PATH Injection) File: msyuv.dll ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.yuy2 Folder: None (PATH Injection) File: msyuv.dll ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.yvu9 Folder: None (PATH Injection) File: tsbyuv.dll ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.yvyu Folder: None (PATH Injection) File: msyuv.dll ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: wave Folder: None (PATH Injection) File: wdmaud.drv ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: wavemapper Folder: None (PATH Injection) File: msacm32.drv ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: msacm.l3acm Folder: C:\Windows\SysWOW64 File: C:\Windows\SysWOW64\l3codeca.acm ================================================================================================= RegPath: HKLM\Software\Classes\htmlfile\shell\open\command Folder: C:\Program Files\Internet Explorer File: C:\Program Files\Internet Explorer\IEXPLORE.EXE %1 (Unquoted and Space detected) 
================================================================================================= RegPath: HKLM\Software\Wow6432Node\Classes\htmlfile\shell\open\command Folder: C:\Program Files\Internet Explorer File: C:\Program Files\Internet Explorer\IEXPLORE.EXE %1 (Unquoted and Space detected) ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: _wowarmhw Folder: None (PATH Injection) File: wowarmhw.dll ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: _xtajit Folder: None (PATH Injection) File: xtajit.dll ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: advapi32 Folder: None (PATH Injection) File: advapi32.dll ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: clbcatq Folder: None (PATH Injection) File: clbcatq.dll ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: combase Folder: None (PATH Injection) File: combase.dll ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: COMDLG32 Folder: None (PATH Injection) File: COMDLG32.dll ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: coml2 Folder: None (PATH Injection) File: coml2.dll 
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: DifxApi
    Folder: None (PATH Injection)
    File: difxapi.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: gdi32
    Folder: None (PATH Injection)
    File: gdi32.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: gdiplus
    Folder: None (PATH Injection)
    File: gdiplus.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: IMAGEHLP
    Folder: None (PATH Injection)
    File: IMAGEHLP.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: IMM32
    Folder: None (PATH Injection)
    File: IMM32.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: kernel32
    Folder: None (PATH Injection)
    File: kernel32.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: MSCTF
    Folder: None (PATH Injection)
    File: MSCTF.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: MSVCRT
    Folder: None (PATH Injection)
    File: MSVCRT.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: NORMALIZ
    Folder: None (PATH Injection)
    File: NORMALIZ.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: NSI
    Folder: None (PATH Injection)
    File: NSI.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: ole32
    Folder: None (PATH Injection)
    File: ole32.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: OLEAUT32
    Folder: None (PATH Injection)
    File: OLEAUT32.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: PSAPI
    Folder: None (PATH Injection)
    File: PSAPI.DLL
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: rpcrt4
    Folder: None (PATH Injection)
    File: rpcrt4.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: sechost
    Folder: None (PATH Injection)
    File: sechost.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: Setupapi
    Folder: None (PATH Injection)
    File: Setupapi.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: SHCORE
    Folder: None (PATH Injection)
    File: SHCORE.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: SHELL32
    Folder: None (PATH Injection)
    File: SHELL32.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: SHLWAPI
    Folder: None (PATH Injection)
    File: SHLWAPI.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: user32
    Folder: None (PATH Injection)
    File: user32.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: WLDAP32
    Folder: None (PATH Injection)
    File: WLDAP32.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: wow64
    Folder: None (PATH Injection)
    File: wow64.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: wow64win
    Folder: None (PATH Injection)
    File: wow64win.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: WS2_32
    Folder: None (PATH Injection)
    File: WS2_32.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: _Wow64
    Folder: None (PATH Injection)
    File: Wow64.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: _Wow64cpu
    Folder: None (PATH Injection)
    File: Wow64cpu.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: _Wow64win
    Folder: None (PATH Injection)
    File: Wow64win.dll
=================================================================================================
    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: LPK
    Folder: None (PATH Injection)
    File: LPK.dll
=================================================================================================
    RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}
    Key: StubPath
    Folder: C:\WINDOWS\system32
    File: C:\WINDOWS\system32\unregmp2.exe /FirstLogon
=================================================================================================
    RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
    Key: StubPath
    Folder: C:\Windows\SysWOW64
    File: C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
=================================================================================================
    RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}
    Key: StubPath
    Folder: C:\WINDOWS\system32
    File: C:\WINDOWS\system32\unregmp2.exe /FirstLogon
=================================================================================================
    RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
    Key: StubPath
    Folder: C:\Windows\SysWOW64
    File: C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
=================================================================================================
    RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}
    Folder: C:\Program Files (x86)\Microsoft\Edge\Application\89.0.774.75\BHO
    File: C:\Program Files (x86)\Microsoft\Edge\Application\89.0.774.75\BHO\ie_to_edge_bho.dll (Unquoted and Space detected)
=================================================================================================
    RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}
    Folder: C:\Program Files (x86)\Microsoft\Edge\Application\89.0.774.75\BHO
    File: C:\Program Files (x86)\Microsoft\Edge\Application\89.0.774.75\BHO\ie_to_edge_bho.dll (Unquoted and Space detected)
=================================================================================================
    Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
    File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space detected)
=================================================================================================
    Folder: C:\Users\jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    FolderPerms: jason [AllAccess]
    File: C:\Users\jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space detected)
    FilePerms: jason [AllAccess]
=================================================================================================
    Folder: C:\windows\tasks
    FolderPerms: Authenticated Users [WriteData/CreateFiles]
=================================================================================================
    Folder: C:\windows\system32\tasks
    FolderPerms: Authenticated Users [WriteData/CreateFiles]
=================================================================================================
    Folder: C:\windows
    File: C:\windows\system.ini
=================================================================================================
    Folder: C:\windows
    File: C:\windows\win.ini
=================================================================================================
    Key: From WMIC
    Folder: C:\WINDOWS\system32
    File: C:\WINDOWS\system32\SecurityHealthSystray.exe
=================================================================================================
    Key: From WMIC
    Folder: C:\Program Files (x86)\Windows Defender
    File: C:\Program Files (x86)\Windows Defender\MSASCuiL.exe
=================================================================================================
    Key: From WMIC
    Folder: C:\WINDOWS\system32
    File: C:\WINDOWS\system32\vm3dservice.exe -u
=================================================================================================
    Key: From WMIC
    Folder: C:\Program Files\VMware\VMware Tools
    File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr
=================================================================================================

[+] Scheduled Applications --Non Microsoft--
[?] Check if you can modify other users scheduled binaries https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries
    (ATOM\Administrator) SoftwareUpdates: C:\Users\jason\appdata\roaming\cache\run.bat
    Permissions file: jason [WriteData/CreateFiles AllAccess]
    Permissions folder(DLL Hijacking): jason [WriteData/CreateFiles AllAccess]
    Trigger: At log on of ATOM\jason
=================================================================================================
    (ATOM\Administrator) UpdateServer: C:\Users\jason\appdata\roaming\cache\http-server.bat
    Permissions file: jason [WriteData/CreateFiles AllAccess]
    Permissions folder(DLL Hijacking): jason [WriteData/CreateFiles AllAccess]
    Trigger: At log on of ATOM\jason
=================================================================================================

[+] Device Drivers --Non Microsoft--
[?] Check 3rd party drivers for known vulnerabilities/rootkits.
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#vulnerable-drivers
    QLogic 10 GigE - 7.13.65.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\evbda.sys
    QLogic Gigabit Ethernet - 7.12.31.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxvbda.sys
    VMware vSockets Service - 9.8.16.0 build-14168184 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vsock.sys
    NVIDIA nForce(TM) RAID Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvraid.sys
    VMware PCI VMCI Bus Device - 9.8.16.0 build-14168184 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmci.sys
    Intel Matrix Storage Manager driver - 8.6.2.1019 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\iaStorV.sys
    VIA RAID driver - 7.0.9600,6352 [VIA Technologies Inc.,Ltd]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vsmraid.sys
    LSI 3ware RAID Controller - WindowsBlue [LSI]: \\.\GLOBALROOT\SystemRoot\System32\drivers\3ware.sys
    AHCI 1.3 Device Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsata.sys
    Storage Filter Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdxata.sys
    AMD Technology AHCI Compatible Controller - 3.7.1540.43 [AMD Technologies Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsbs.sys
    Adaptec RAID Controller - 7.5.0.32048 [PMC-Sierra, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\arcsas.sys
    Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ItSas35i.sys
    LSI Fusion-MPT SAS Driver (StorPort) - 1.34.03.83 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas.sys
    Windows (R) Win 7 DDK driver - 10.0.10011.16384 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas2i.sys
    Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas3i.sys
    LSI SSS PCIe/Flash Driver (StorPort) - 2.10.61.81 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sss.sys
    MEGASAS RAID Controller Driver for Windows - 6.706.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasas.sys
    MEGASAS RAID Controller Driver for Windows - 6.714.20.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\MegaSas2i.sys
    MEGASAS RAID Controller Driver for Windows - 7.710.10.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasas35i.sys
    MegaRAID Software RAID - 15.02.2013.0129 [LSI Corporation, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasr.sys
    Marvell Flash Controller - 1.0.5.1016 [Marvell Semiconductor, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\mvumis.sys
    NVIDIA nForce(TM) SATA Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvstor.sys
    MEGASAS RAID Controller Driver for Windows - 6.805.03.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\percsas2i.sys
    MEGASAS RAID Controller Driver for Windows - 6.604.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\percsas3i.sys
    Microsoft® Windows® Operating System - 2.60.01 [Silicon Integrated Systems Corp.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\SiSRaid2.sys
    Microsoft® Windows® Operating System - 6.1.6918.0 [Silicon Integrated Systems]: \\.\GLOBALROOT\SystemRoot\System32\drivers\sisraid4.sys
    VIA StorX RAID Controller Driver - 8.0.9200.8110 [VIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vstxraid.sys
    Promiser SuperTrak EX Series - 5.1.0000.10 [Promise Technology, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\stexstor.sys
    Chelsio Communications iSCSI Controller - 10.0.10011.16384 [Chelsio Communications]: \\.\GLOBALROOT\SystemRoot\System32\drivers\cht4sx64.sys
    Intel(R) Rapid Storage Technology driver (inbox) - 15.44.0.1015 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\iaStorAVC.sys
    PMC-Sierra HBA Controller - 1.3.0.10769 [PMC-Sierra]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ADP80XX.SYS
    Smart Array SAS/SATA Controller Media Driver - 8.0.4.0 Build 1 Media Driver (x86-64) [Hewlett-Packard Company]: \\.\GLOBALROOT\SystemRoot\System32\drivers\HpSAMD.sys
    SmartRAID, SmartHBA PQI Storport Driver - 1.50.1.0 [Microsemi Corportation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\SmartSAMD.sys
    VMware Pointing USB Device Driver - 12.5.10.0 build-14169150 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmusbmouse.sys
    VMware Pointing PS/2 Device Driver - 12.5.10.0 build-14169150 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmmouse.sys
    VMware SVGA 3D - 8.16.07.0008 - build-16233244 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp_loader.sys
    VMware SVGA 3D - 8.16.07.0008 - build-16233244 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp.sys
    VMware PCIe Ethernet Adapter NDIS 6.30 (64-bit) - 1.8.17.0 build-17274505 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmxnet3.sys
    VMware server memory controller - 7.5.5.0 build-14903665 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vmmemctl.sys

=========================================(Network Information)=========================================

[+] Network Shares
    ADMIN$ (Path: C:\WINDOWS)
    C$ (Path: C:\)
    IPC$ (Path: )
    Software_Updates (Path: C:\Software_Updates) -- Permissions: AllAccess

[+] Enumerate Network Mapped Drives (WMI)

[+] Host File

[+] Network Ifaces and known hosts
[?]
The masks are only for the IPv4 addresses
    Ethernet0[00:50:56:B9:19:40]: 10.10.10.237, fe80::4443:2eb1:7e92:1001%6, dead:beef::dcef:749c:7081:f07f, dead:beef::4443:2eb1:7e92:1001 / 255.255.255.0
        Gateways: 10.10.10.2, fe80::250:56ff:feb9:5677%6
        DNSs: 1.1.1.1
        Known hosts:
            10.10.10.2          00-50-56-B9-56-77     Dynamic
            10.10.10.255        FF-FF-FF-FF-FF-FF     Static
            224.0.0.22          01-00-5E-00-00-16     Static
            224.0.0.251         01-00-5E-00-00-FB     Static
            224.0.0.252         01-00-5E-00-00-FC     Static
            239.255.255.250     01-00-5E-7F-FF-FA     Static

    Loopback Pseudo-Interface 1[]: 127.0.0.1, ::1 / 255.0.0.0
        DNSs: fec0:0:0:ffff::1%1, fec0:0:0:ffff::2%1, fec0:0:0:ffff::3%1
        Known hosts:
            224.0.0.22          00-00-00-00-00-00     Static
            239.255.255.250     00-00-00-00-00-00     Static

[+] Current TCP Listening Ports
[?] Check for services restricted from the outside
  Enumerating IPv4 connections

  Protocol   Local Address      Local Port   Remote Address   Remote Port   State         Process ID   Process Name
  TCP        0.0.0.0            80           0.0.0.0          0             Listening     2656         httpd
  TCP        0.0.0.0            135          0.0.0.0          0             Listening     916          svchost
  TCP        0.0.0.0            443          0.0.0.0          0             Listening     2656         httpd
  TCP        0.0.0.0            445          0.0.0.0          0             Listening     4            System
  TCP        0.0.0.0            5040         0.0.0.0          0             Listening     5896         svchost
  TCP        0.0.0.0            5985         0.0.0.0          0             Listening     4            System
  TCP        0.0.0.0            6379         0.0.0.0          0             Listening     1312         redis-server
  TCP        0.0.0.0            8081         0.0.0.0          0             Listening     2472         node
  TCP        0.0.0.0            8082         0.0.0.0          0             Listening     2452         node
  TCP        0.0.0.0            8083         0.0.0.0          0             Listening     2688         node
  TCP        0.0.0.0            47001        0.0.0.0          0             Listening     4            System
  TCP        0.0.0.0            49664        0.0.0.0          0             Listening     684          lsass
  TCP        0.0.0.0            49665        0.0.0.0          0             Listening     540          wininit
  TCP        0.0.0.0            49666        0.0.0.0          0             Listening     1096         svchost
  TCP        0.0.0.0            49667        0.0.0.0          0             Listening     1476         svchost
  TCP        0.0.0.0            49668        0.0.0.0          0             Listening     2348         spoolsv
  TCP        0.0.0.0            49669        0.0.0.0          0             Listening     676          services
  TCP        10.10.10.237       139          0.0.0.0          0             Listening     4            System
  TCP        10.10.10.237       445          10.10.14.240     58704         Established   4            System
  TCP        10.10.10.237       57367        10.10.14.186     1234          Close Wait    4724         C:\Users\jason\AppData\Roaming\heedv1\__update__\r'm4rio.exe
  TCP        10.10.10.237       57451        10.10.14.186     5555          Established   7616         r'myshell
  TCP        10.10.10.237       57778        10.10.14.186     1234          SYN Sent      5296         r'm4rio
  TCP        10.10.10.237       57792        10.10.14.186     1234          SYN Sent      9196         r'm4rio
  TCP        10.10.10.237       57839        10.10.14.240     4444          Established   8552         C:\Users\jason\AppData\Roaming\heedv2\__update__\p'ayload.exe

  Enumerating IPv6 connections

  Protocol   Local Address      Local Port   Remote Address   Remote Port   State         Process ID   Process Name
  TCP        [::]               80           [::]             0             Listening     2656         httpd
  TCP        [::]               135          [::]             0             Listening     916          svchost
  TCP        [::]               443          [::]             0             Listening     2656         httpd
  TCP        [::]               445          [::]             0             Listening     4            System
  TCP        [::]               5985         [::]             0             Listening     4            System
  TCP        [::]               6379         [::]             0             Listening     1312         redis-server
  TCP        [::]               47001        [::]             0             Listening     4            System
  TCP        [::]               49664        [::]             0             Listening     684          lsass
  TCP        [::]               49665        [::]             0             Listening     540          wininit
  TCP        [::]               49666        [::]             0             Listening     1096         svchost
  TCP        [::]               49667        [::]             0             Listening     1476         svchost
  TCP        [::]               49668        [::]             0             Listening     2348         spoolsv
  TCP        [::]               49669        [::]             0             Listening     676          services

[+] Current UDP Listening Ports
[?] Check for services restricted from the outside
  Enumerating IPv4 connections

  Protocol   Local Address                     Local Port   Remote Address:Remote Port   Process ID   Process Name
  UDP        0.0.0.0                           5050         *:*                          5896         svchost
  UDP        0.0.0.0                           5353         *:*                          2120         svchost
  UDP        0.0.0.0                           5355         *:*                          2120         svchost
  UDP        10.10.10.237                      137          *:*                          4            System
  UDP        10.10.10.237                      138          *:*                          4            System
  UDP        10.10.10.237                      1900         *:*                          6460         svchost
  UDP        10.10.10.237                      55229        *:*                          6460         svchost
  UDP        127.0.0.1                         1900         *:*                          6460         svchost
  UDP        127.0.0.1                         49561        *:*                          2944         svchost
  UDP        127.0.0.1                         55230        *:*                          6460         svchost

  Enumerating IPv6 connections

  Protocol   Local Address                     Local Port   Remote Address:Remote Port   Process ID   Process Name
  UDP        [::]                              5353         *:*                          2120         svchost
  UDP        [::]                              5355         *:*                          2120         svchost
  UDP        [::1]                             1900         *:*                          6460         svchost
  UDP        [::1]                             55228        *:*                          6460         svchost
  UDP        [fe80::4443:2eb1:7e92:1001%6]     1900         *:*                          6460         svchost
  UDP        [fe80::4443:2eb1:7e92:1001%6]     55227        *:*                          6460         svchost

[+] Firewall Rules
[?]
Showing only DENY rules (too many ALLOW rules always)
    Current Profiles: PUBLIC
    FirewallEnabled (Domain): True
    FirewallEnabled (Private): True
    FirewallEnabled (Public): True
    DENY rules:
    (4)Node.js: Server-side JavaScript[C:\program files\nodejs\node.exe]: DENY UDP IN from *:* --> *:* Node.js: Server-side JavaScript
    (4)Node.js: Server-side JavaScript[C:\program files\nodejs\node.exe]: DENY TCP IN from *:* --> *:* Node.js: Server-side JavaScript
    (2)redis-server[C:\redis\redis-server.exe]: DENY UDP IN from *:* --> *:* redis-server
    (2)redis-server[C:\redis\redis-server.exe]: DENY TCP IN from *:* --> *:* redis-server
    (2)Node.js: Server-side JavaScript[C:\program files\nodejs\node.exe]: DENY TCP IN from *:* --> *:* Node.js: Server-side JavaScript
    (2)Node.js: Server-side JavaScript[C:\program files\nodejs\node.exe]: DENY UDP IN from *:* --> *:* Node.js: Server-side JavaScript

[+] DNS cached --limit 70--
    Entry                                 Name                                  Data

[+] Enumerating Internet settings, zone and proxy configuration
  General Settings
  Hive    Key                          Value
  HKCU    CertificateRevocation        1
  HKCU    DisableCachingOfSSLPages     0
  HKCU    IE5_UA_Backup_Flag           5.0
  HKCU    PrivacyAdvanced              1
  HKCU    SecureProtocols              2688
  HKCU    User Agent                   Mozilla/4.0 (compatible; MSIE 8.0; Win32)
  HKCU    ZonesSecurityUpgrade         System.Byte[]
  HKCU    WarnonZoneCrossing           0
  HKCU    EnableNegotiate              1
  HKCU    MigrateProxy                 1
  HKCU    ProxyEnable                  0
  HKLM    ActiveXCache                 C:\Windows\Downloaded Program Files
  HKLM    CodeBaseSearchPath           CODEBASE
  HKLM    EnablePunycode               1
  HKLM    MinorVersion                 0
  HKLM    WarnOnIntranet               1

  Zone Maps
  No URLs configured

  Zone Auth Settings
  No Zone Auth Settings

=========================================(Windows Credentials)=========================================

[+] Checking Windows Vault
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault
    Not Found

[+] Checking Credential manager
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault
    [!]
Warning: if password contains non-printable characters, it will be printed as unicode base64 encoded string
    Username: ATOM\jason
    Password: kidvscat_electron_@123
    Target: ATOM\jason
    PersistenceType: Enterprise
    LastWriteTime: 3/31/2021 2:53:49 AM
=================================================================================================

[+] Saved RDP connections
    Not Found

[+] Remote Desktop Server/Client Settings
    RDP Server Settings
    Network Level Authentication : Block Clipboard Redirection : Block COM Port Redirection : Block Drive Redirection : Block LPT Port Redirection : Block PnP Device Redirection : Block Printer Redirection : Allow Smart Card Redirection :
    RDP Client Settings
    Disable Password Saving : True
    Restricted Remote Administration : False

[+] Recently run commands
    a: cmd\1
    MRUList: acdb
    b: compmgmt.msc\1
    c: appwiz.cpl\1
    d: control panel\1

[+] Checking for DPAPI Master Keys
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
    MasterKey: C:\Users\jason\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199094703-3580107816-3092147818-1002\a96996a9-5aec-4f82-a145-68ee2de5ea3f
    Accessed: 6/9/2021 9:51:01 PM
    Modified: 3/30/2021 1:17:16 PM
=================================================================================================

[+] Checking for DPAPI Credential Files
[?]
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
    CredFile: C:\Users\jason\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
    Description: Local Credential Data
    MasterKey: a96996a9-5aec-4f82-a145-68ee2de5ea3f
    Accessed: 6/10/2021 9:37:30 AM
    Modified: 4/6/2021 7:25:24 PM
    Size: 11184
=================================================================================================
    CredFile: C:\Users\jason\AppData\Roaming\Microsoft\Credentials\9F6E8E76E5D3AE66EB8D50DDC3B0A7EC
    Description: Enterprise Credential Data
    MasterKey: a96996a9-5aec-4f82-a145-68ee2de5ea3f
    Accessed: 6/10/2021 9:37:30 AM
    Modified: 3/31/2021 2:53:49 AM
    Size: 490
=================================================================================================
    [i] Follow the provided link for further instructions in how to decrypt the creds file

[+] Checking for RDCMan Settings Files
[?] Dump credentials from Remote Desktop Connection Manager https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager
    Not Found

[+] Looking for Kerberos tickets
[?] https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88
    Not Found

[+] Looking for saved Wifi credentials
    [X] Exception: The service has not been started

[+] Looking AppCmd.exe
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe
    Not Found
    You must be an administrator to run this check

[+] Looking SSClient.exe
[?]
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#scclient-sccm
    Not Found

[+] Enumerating SSCM - System Center Configuration Manager settings

[+] Enumerating Security Packages Credentials
    Version: NetNTLMv2
    Hash: jason::ATOM:1122334455667788:4564d122e14b33033b82e622d8eb0fba:010100000000000031ae0a0a185ed701ab34453b556bc22e000000000800300030000000000000000000000000200000d988e26717dc0995e3de07a42464a811de3cf900e1440d01b5a99a91dfa357780a00100000000000000000000000000000000000090000000000000000000000
=================================================================================================

========================================(Browsers Information)========================================

[+] Showing saved credentials for Firefox
    Info: if no credentials were listed, you might need to close the browser and try again.

[+] Looking for Firefox DBs
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
    Not Found

[+] Looking for GET credentials in Firefox history
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
    Not Found

[+] Showing saved credentials for Chrome
    Info: if no credentials were listed, you might need to close the browser and try again.

[+] Looking for Chrome DBs
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
    Not Found

[+] Looking for GET credentials in Chrome history
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
    Not Found

[+] Chrome bookmarks
    Not Found

[+] Showing saved credentials for Opera
    Info: if no credentials were listed, you might need to close the browser and try again.

[+] Showing saved credentials for Brave Browser
    Info: if no credentials were listed, you might need to close the browser and try again.

[+] Showing saved credentials for Internet Explorer (unsupported)
    Info: if no credentials were listed, you might need to close the browser and try again.
[+] Current IE tabs
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
    Not Found

[+] Looking for GET credentials in IE history
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history

[+] IE favorites
    http://go.microsoft.com/fwlink/p/?LinkId=255142

==============================(Interesting files and registry)==============================

[+] Putty Sessions
    Not Found

[+] Putty SSH Host keys
    Not Found

[+] SSH keys in registry
[?] If you find anything here, follow the link to learn how to decrypt the SSH keys https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#ssh-keys-in-registry
    Not Found

[+] SuperPutty configuration files

[+] Enumerating Office 365 endpoints synced by OneDrive.
    SID: S-1-5-19
=================================================================================================
    SID: S-1-5-20
=================================================================================================
    SID: S-1-5-21-1199094703-3580107816-3092147818-1002
=================================================================================================
    SID: S-1-5-21-1199094703-3580107816-3092147818-500
=================================================================================================
    SID: S-1-5-18
=================================================================================================

[+] Cloud Credentials
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
    Not Found

[+] Unattend Files

[+] Looking for common SAM & SYSTEM backups

[+] Looking for McAfee Sitelist.xml Files

[+] Cached GPP Passwords

[+] Looking for possible regs with creds
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#inside-the-registry
    Not Found
    Not Found
    Not Found
    Not Found

[+] Looking for possible password files in users homes
[?]
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
    C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml

[+] Searching for Oracle SQL Developer config files

[+] Slack files & directories
    note: check manually if something is found

[+] Looking for LOL Binaries and Scripts (can be slow)
[?] https://lolbas-project.github.io/
    [!] Check skipped, if you want to run it, please specify '-lolbas' argument

[+] Enumerating Outlook download files

[+] Enumerating machine and user certificate files

[+] Searching known files that can contain creds in home
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
    C:\Users\jason\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\dtlskey.der
    C:\Users\jason\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\dtlscert.der
    C:\Users\jason\NTUSER.DAT

[+] Looking for documents --limit 100--
    C:\Users\jason\Downloads\PortableKanban\User Guide.pdf
    C:\Users\jason\Documents\UAT_Testing_Procedures.pdf

[+] Office Most Recent Files -- limit 50
    Last Access Date          User            Application        Document

[+] Recent files --limit 70--
    Not Found

[+] Looking inside the Recycle Bin for creds files
[?]
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files Not Found [+] Searching hidden files or folders in C:\Users home (can be slow) C:\Users\All Users\ntuser.pol C:\Users\jason\AppData\Roaming\heedv2\CURRENT~RF2155514.TMP C:\Users\jason\AppData\Local\Temp\BITE0BD.tmp C:\Users\jason\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2 C:\Users\jason\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG1 C:\Users\jason\AppData\Local\Packages\Windows.ContactSupport_cw5n1h2txyewy\Windows.ContactSupport_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2 C:\Users\jason\AppData\Local\Packages\Windows.ContactSupport_cw5n1h2txyewy\Windows.ContactSupport_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG1 [+] Searching interesting files in other users home directories (can be slow) Checking folder: c:\users\administrator ================================================================================================= [+] Searching executable files in non-default folders with write (equivalent) permissions (can be slow) File Permissions "C:\Users\jason\Downloads\PortableKanban\PortableKanban.exe": jason [AllAccess] File Permissions "C:\Users\jason\Downloads\node_modules\.bin\opener.ps1": jason [AllAccess] File Permissions "C:\Users\jason\Downloads\node_modules\.bin\mkdirp.ps1": jason [AllAccess] File Permissions "C:\Users\jason\Downloads\node_modules\.bin\mime.ps1": jason [AllAccess] File Permissions "C:\Users\jason\Downloads\node_modules\.bin\http-server.ps1": jason [AllAccess] File Permissions "C:\Users\jason\Downloads\node_modules\.bin\hs.ps1": jason [AllAccess] File Permissions "C:\Users\jason\Downloads\node_modules\.bin\he.ps1": jason 
[AllAccess] File Permissions "C:\Users\jason\Downloads\node_modules\.bin\ecstatic.ps1": jason [AllAccess] File Permissions "C:\Users\jason\Desktop\winPEASany.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\winpeas.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Roaming\heedv3\__installer.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Roaming\heedv2\__installer.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Roaming\heedv2\__update__\r'm4rio.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Roaming\heedv2\__update__\p'ayload.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Roaming\heedv1\__installer.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Roaming\heedv1\__update__\r'myshell.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Roaming\heedv1\__update__\r'm4rio.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Roaming\cache\run.bat": jason [WriteData/CreateFiles AllAccess] File Permissions "C:\Users\jason\AppData\Roaming\cache\http-server.bat": jason [WriteData/CreateFiles AllAccess] File Permissions "C:\Users\jason\AppData\Roaming\cache\clean.bat": jason [WriteData/CreateFiles AllAccess] File Permissions "C:\Users\jason\AppData\Local\Programs\heedv3\Uninstall heedv3.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Local\Programs\heedv3\heedv3.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Local\Programs\heedv3\resources\elevate.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Local\Programs\heedv2\Uninstall heedv2.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Local\Programs\heedv2\heedv2.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Local\Programs\heedv2\resources\elevate.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Local\Programs\heedv1\Uninstall heedv1.exe": jason [AllAccess] File Permissions 
"C:\Users\jason\AppData\Local\Programs\heedv1\heedv1.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Local\Programs\heedv1\resources\elevate.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Skype.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\python3.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\python.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\MicrosoftEdge.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\GameBarElevatedFT_Alias.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\GameBarElevatedFT_Alias.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Microsoft.SkypeApp_kzf8qxf38zg5c\Skype.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\python3.exe": jason [AllAccess] File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\python.exe": jason [AllAccess] [+] Looking for Linux shells/distributions - wsl.exe, bash.exe /---------------------------------------------------------------------------\ | Do you like PEASS? | |---------------------------------------------------------------------------| | Become a Patreon : https://www.patreon.com/peass | | Follow on Twitter : @carlospolopm | |---------------------------------------------------------------------------| | Thank you! | \---------------------------------------------------------------------------/
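Every writable executable WinPEAS lists above sits under C:\Users\jason\ and is owned by jason with [AllAccess]. That is the normal state of a user's own profile, not a misconfiguration: such a file only becomes a privilege-escalation path if a different, more privileged principal (a service, a scheduled task, another user's logon, an installer that elevates) executes it. The following is an added example, my own triage script rather than WinPEAS code or anything from this run: it parses the `File Permissions` lines of that section and separates entries inside the current user's profile (expected) from entries elsewhere on disk (worth reviewing). The first four sample lines are copied from the output above; the `C:\Tools\backup.bat` line is constructed purely to exercise the second bucket and does not exist on this host. Function and class names (`parse`, `triage`, `Finding`) are my own.

```python
"""Triage WinPEAS 'File Permissions' findings (added example, not WinPEAS code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# WinPEAS prints one finding per line in the form
#   File Permissions "<path>": <principal> [<right> <right> ...]
# finditer is used instead of line splitting so output that a copy/paste or
# web extraction has collapsed onto a single line still parses.
FINDING_RE = re.compile(
    r'File Permissions "(?P<path>[^"]+)": (?P<principal>.+?) \[(?P<rights>[^\]]+)\]'
)

SCRIPT_EXTS = {".ps1", ".bat", ".cmd", ".vbs", ".js"}
BINARY_EXTS = {".exe", ".dll", ".com", ".scr"}


@dataclass(frozen=True)
class Finding:
    path: str
    principal: str
    rights: tuple[str, ...]
    in_own_profile: bool
    kind: str  # "script", "binary" or "other"


def is_in_profile(path: str, user: str) -> bool:
    """True if path lives under C:\\Users\\<user>\\ (case-insensitive)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    # parts[0] is the drive root, parts[1] "Users", parts[2] the profile folder
    return len(parts) >= 3 and parts[1] == "users" and parts[2] == user.lower()


def classify(path: str) -> str:
    """Coarse file type, so scripts (editable in place) stand out from binaries."""
    ext = PureWindowsPath(path).suffix.lower()
    if ext in SCRIPT_EXTS:
        return "script"
    if ext in BINARY_EXTS:
        return "binary"
    return "other"


def parse(text: str, current_user: str) -> list[Finding]:
    """Extract every File Permissions finding from raw WinPEAS output."""
    return [
        Finding(
            path=m["path"],
            principal=m["principal"].strip(),
            rights=tuple(m["rights"].split()),
            in_own_profile=is_in_profile(m["path"], current_user),
            kind=classify(m["path"]),
        )
        for m in FINDING_RE.finditer(text)
    ]


def triage(text: str, current_user: str) -> dict[str, list[Finding]]:
    """Bucket findings: inside the user's own profile (expected) vs elsewhere (review)."""
    buckets: dict[str, list[Finding]] = {"expected": [], "review": []}
    for f in parse(text, current_user):
        buckets["expected" if f.in_own_profile else "review"].append(f)
    return buckets


# Constructed sample. The first four lines are copied from the WinPEAS run above;
# the last line (C:\Tools\backup.bat) is invented to show the "review" bucket and
# does NOT exist on that host.
SAMPLE = r'''
File Permissions "C:\Users\jason\Downloads\PortableKanban\PortableKanban.exe": jason [AllAccess]
File Permissions "C:\Users\jason\Downloads\node_modules\.bin\http-server.ps1": jason [AllAccess]
File Permissions "C:\Users\jason\AppData\Roaming\cache\run.bat": jason [WriteData/CreateFiles AllAccess]
File Permissions "C:\Users\jason\AppData\Local\Programs\heedv3\resources\elevate.exe": jason [AllAccess]
File Permissions "C:\Tools\backup.bat": jason [WriteData/CreateFiles]
'''

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE, "jason").items():
        print(f"== {bucket} ({len(items)})")
        for f in items:
            print(f"  {f.kind:6} {f.principal} {' '.join(f.rights):<30} {f.path}")
```

Feed it the whole WinPEAS output and the name of the account you are running as; anything that lands in `review` is a candidate only after you confirm, on the box, that a higher-privileged principal actually executes it (scheduled tasks, services, Run keys, startup folders). Entries in `expected` are still worth a glance when a script in a cache or update directory is launched by something other than the user, but on their own they are not a finding.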
