PowerUp is a PowerShell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, DLL hijacking opportunities, and vulnerable registry settings. It is part of PowerTools and resides at https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp. Empire implements PowerUp’s escalation functionality in the privesc/powerup/* modules.

The privesc/powerup/allchecks module implements a variety of checks for common Windows misconfigurations useful for privilege escalation. It will check:

  • if you are an admin in a medium integrity process (exploitable with bypassuac)
  • for any unquoted service path issues
  • for any services with misconfigured ACLs (exploitable with service_*)
  • for any improper permissions on service executables (exploitable with service_exe_*)
  • for any leftover unattend.xml files
  • if the AlwaysInstallElevated registry key is set
  • if any Autologon credentials are left in the registry
  • for any encrypted web.config strings and application pool passwords
  • for any %PATH% .DLL hijacking opportunities (exploitable with write_dllhijacker)

For more information on these methods, check out FuzzySecurity’s “Windows Privilege Escalation Fundamentals” article.
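To make concrete what allchecks is looking for, the following script re-implements four of the checks above (medium-integrity admin, unquoted service paths, AlwaysInstallElevated, and Autologon credentials) in plain PowerShell. It is an added example written for this page, not PowerUp's own code or Empire's module; the function names are arbitrary, it is read-only, and it is meant to be run in a normal (non-elevated) PowerShell session on the host being assessed.

```powershell
# Added example: stand-alone versions of four checks that privesc/powerup/allchecks
# performs. Not PowerUp's own code. Read-only, run as the low-privileged user.

function Test-MediumIntegrityAdmin {
    # True when the current user is in BUILTIN\Administrators (S-1-5-32-544)
    # but the token is UAC-filtered, i.e. not actually running elevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $inAdmins = [bool]($id.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
    return ($inAdmins -and -not $elevated)
}

function Get-UnquotedServicePath {
    # The service control manager resolves an unquoted path with spaces by trying
    # "C:\Program.exe", "C:\Program Files\Vendor.exe", ... in order. If any
    # directory earlier in that chain is writable, a planted binary runs as the
    # service account (usually SYSTEM) on the next start.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $p = $_.PathName
        if (-not $p) { return }
        $p = $p.Trim()
        if ($p.StartsWith('"') -or $p.StartsWith("'")) { return }
        $idx = $p.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
        if ($idx -lt 0) { return }
        # Only the executable part matters; arguments after .exe may legitimately contain spaces.
        $exePart = $p.Substring(0, $idx + 4)
        if ($exePart -match '\s') {
            [PSCustomObject]@{
                Service   = $_.Name
                Path      = $p
                StartMode = $_.StartMode
                RunAs     = $_.StartName
            }
        }
    }
}

function Test-AlwaysInstallElevated {
    # Only exploitable when BOTH the machine and user policy values are 1;
    # then any .msi the user launches is installed with SYSTEM privileges.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        if ($v -ne 1) { return $false }
    }
    return $true
}

function Get-RegistryAutoLogon {
    # Autologon stores the cleartext password in Winlogon\DefaultPassword,
    # which is readable by any local user.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $w = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($w -and $w.DefaultPassword) {
        [PSCustomObject]@{
            Domain   = $w.DefaultDomainName
            User     = $w.DefaultUserName
            Password = $w.DefaultPassword
        }
    }
}

# Run everything and print what a follow-up module could abuse.
Write-Host "[*] Admin in medium-integrity process : $(Test-MediumIntegrityAdmin)"
Write-Host "[*] AlwaysInstallElevated (HKLM+HKCU)  : $(Test-AlwaysInstallElevated)"
$unquoted = @(Get-UnquotedServicePath)
Write-Host "[*] Unquoted service paths            : $($unquoted.Count)"
$unquoted | Format-Table -AutoSize
$autologon = Get-RegistryAutoLogon
if ($autologon) { Write-Host "[*] Autologon credentials found:"; $autologon | Format-List }
else { Write-Host "[*] Autologon credentials           : none" }
```

An unquoted path is only a finding if a directory along the chain is writable by the current user, so follow Get-UnquotedServicePath up with an ACL check on each candidate directory (PowerUp does this for you) before treating it as exploitable. Get-CimInstance needs PowerShell 3.0 or later; on older hosts substitute Get-WmiObject -Class Win32_Service.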