Winpeas

winPEAS/winPEASbat/winPEAS.bat

@@ -146,6 +146,10 @@ echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] Registered Anti-Virus(AV) ^<_-_-_-_-_-
 WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more 
 echo.
 echo.
+echo Checking for defender whitelisted PATHS
+reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
+echo.
+echo.
 echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] PS settings ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
 echo PowerShell v2 Version:
 REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine /v PowerShellVersion
@@ -158,6 +162,9 @@ REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Modu
 echo Scriptblog logging settings:
 REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
 echo.
+echo PS default transcript history
+dir %SystemDrive%\transcripts\
+echo.
 echo.
 echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] MOUNTED DISKS ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
 echo [i] Maybe you find something interesting
@@ -445,7 +452,7 @@ IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO %systemroot%\system32\ine
 echo.
 echo.
 echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] Files an registry that may contain credentials ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
-echo [i] Searching specific files that may contains credentias.
+echo [i] Searching specific files that may contains credentials.
 echo   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
 echo Looking inside HKCU\Software\ORL\WinVNC3\Password
 reg query HKCU\Software\ORL\WinVNC3\Password 2>nul

winPEAS/winPEASexe/README.md

@@ -27,6 +27,9 @@ It should take only a **few seconds** to execute almost all the checks and **som
 
 By default, the progam **sleeps 100ms** before start searching files in each directory. This is made to consume less resources (**stealthier**). You can **avoid this sleep using `searchfast` parameter**.
 
+
+## Where are my COLORS?!?!?!
+
 The **ouput will be colored** using **ansi** colors. If you are executing `winpeas.exe` **from a Windows console**, you need to set a registry value to see the colors (and open a new CMD):
 ```
 REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1
@@ -79,7 +82,7 @@ Once you have installed and activated it you need to:
   - [x] Environment Variables
   - [x] Internet Settings
   - [x] Current drives information
-  - [x] AV?
+  - [x] AV? whitelisted defender paths?
   - [x] UAC configuration
 
 - **Users Information**
@@ -120,6 +123,7 @@ Once you have installed and activated it you need to:
   - [x] Credential Manager
   - [x] Saved RDP connections
   - [x] Recently run commands
+  - [x] Default PS transcripts files
   - [x] DPAPI Masterkeys
   - [x] DPAPI Credential files
   - [x] Remote Desktop Connection Manager credentials

winPEAS/winPEASexe/winPEAS/Program.cs

@@ -410,7 +410,7 @@ namespace winPEAS
                     else
                         Beaprint.BadPrint("    No AV was detected!!");
 
-                    Beaprint.DictPrint(AVInfo, false);
+                    Beaprint.DictPrint(AVInfo, true);
                 }
                 catch (Exception ex)
                 {
@@ -1403,6 +1403,36 @@ namespace winPEAS
                 }
             }
 
+            void PrintTranscriptPS()
+            {
+                try
+                {
+                    Beaprint.MainPrint("PS default transcripts history", "");
+                    Beaprint.InfoPrint("Read the PS histpry inside these files (if any)");
+                    string drive = Path.GetPathRoot(Environment.SystemDirectory);
+                    string path = drive + @"transcripts\";
+                    if (Directory.Exists(path))
+                    {
+                        string[] fileEntries = Directory.GetFiles(path);
+                        List<string> fileEntriesl = new List<string>(fileEntries);
+                        if (fileEntries.Length > 0) 
+                        {
+                            Dictionary<string, string> colors = new Dictionary<string, string>()
+                            {
+                                { "^.*", Beaprint.ansi_color_bad },
+                            };
+                            Beaprint.ListPrint(fileEntriesl, colors);
+                        }
+                    }
+
+                        
+                }
+                catch (Exception ex)
+                {
+                    Beaprint.GrayPrint(String.Format("{0}", ex));
+                }
+            }
+
             void PrintDPAPIMasterKeys()
             {
                 try
@@ -1611,6 +1641,7 @@ namespace winPEAS
             PrintCredManag();
             PrintSavedRDPInfo();
             PrintRecentRunCommands();
+            PrintTranscriptPS();
             PrintDPAPIMasterKeys();
             PrintDpapiCredFiles();
             PrintRCManFiles();

winPEAS/winPEASexe/winPEAS/SystemInfo.cs

@@ -145,8 +145,10 @@ namespace winPEAS
         public static Dictionary<string, string> GetAVInfo()
         {
             Dictionary<string, string> results = new Dictionary<string, string>();
+            string whitelistpaths = "";
             try
             {
+                whitelistpaths = String.Join("\n    ", MyUtils.GetRegValues("HKLM", @"SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths").Keys);
                 ManagementObjectSearcher wmiData = new ManagementObjectSearcher(@"root\SecurityCenter2", "SELECT * FROM AntiVirusProduct");
                 ManagementObjectCollection data = wmiData.Get();
 
@@ -161,6 +163,9 @@ namespace winPEAS
             {
                 Beaprint.GrayPrint(String.Format("  [X] Exception: {0}", ex.Message));
             }
+            if (!String.IsNullOrEmpty(whitelistpaths))
+                results["whitelistpaths"] = "    " + whitelistpaths; //Add this info the last
+            
             return results;
         }
 

winPEAS/winPEASexe/winPEAS/bin/Release/Dotfuscator1.xml

@@ -8,19 +8,19 @@
   <input>
     <loadpaths />
     <asmlist>
-      <inputassembly refid="ab1132df-ee7b-445f-92fd-fb405cce20f6">
+      <inputassembly refid="fafb1980-194e-4899-b247-340974634794">
         <option>honoroas</option>
         <option>stripoa</option>
         <option>library</option>
         <option>transformxaml</option>
-        <file dir="D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x86\Release" name="Microsoft.Win32.TaskScheduler.dll" />
+        <file dir="D:\Users\cpolo\Downloads\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x86\Release" name="winPEAS.exe" />
       </inputassembly>
-      <inputassembly refid="f33839ff-b6f0-4afa-921f-50f70c620cb7">
+      <inputassembly refid="78325bae-9b77-4590-be9d-4339a6d843ea">
         <option>honoroas</option>
         <option>stripoa</option>
         <option>library</option>
         <option>transformxaml</option>
-        <file dir="D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x86\Release" name="winPEAS.exe" />
+        <file dir="D:\Users\cpolo\Downloads\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x86\Release" name="Microsoft.Win32.TaskScheduler.dll" />
       </inputassembly>
     </asmlist>
   </input>