AUTOMATED ENUMERATION
Run winPEAS
Most comprehensive auto-enum — Color-coded findings
.\winPEASx64.exe
or: .\winPEAS.bat
Example Output
winPEAS output:
[!] Possible privesc:
SeImpersonatePrivilege: ENABLED
[!] Unquoted service path:
C:\Program Files\My App\service.exe
[!] Writable service:
CustomSvc -> C:\custom\svc.exe
PowerUp.ps1
PowerShell privesc checker — Finds service misconfigs
Import-Module .\PowerUp.ps1
Invoke-AllChecks
Example Output
Import-Module .\PowerUp.ps1
Invoke-AllChecks
[*] Checking service permissions...
[!] CustomSvc - Users have AllAccess
[*] Checking unquoted service paths...
[!] VulnService - C:\Program Files\My App\svc.exe
Seatbelt
Detailed system enum — GhostPack tool
.\Seatbelt.exe -group=all
Example Output
.\Seatbelt.exe -group=all
====== InterestingFiles ======
C:\Users\admin\Desktop\passwords.txt
====== TokenPrivileges ======
SeImpersonatePrivilege: Enabled
====== SavedRDPConnections ======
DC01.corp.local - admin
SharpUp
C# version of PowerUp — Quick audit
.\SharpUp.exe audit
Example Output
.\SharpUp.exe audit
=== Modifiable Services ===
Name: CustomSvc
Path: C:\custom\svc.exe
Permissions: Everyone [AllAccess]
(Can change service binary path)
windows-exploit-suggester
Match patches to exploits — Run systeminfo on target first
python3 windows-exploit-suggester.py --database <db> --systeminfo <sysinfo.txt>
Example Output
python3 wes.py sysinfo.txt
[E] MS17-010: EternalBlue (KB4013389)
[E] CVE-2019-1458: WizardOpium (KB4530684)
[E] CVE-2021-36934: HiveNightmare
[M] MS16-032: Secondary Logon (KB3143141)