Identifying Windows domain system privileges is a vital task for any penetration tester, but making sure you've captured every data point is time-consuming and difficult for even the most experienced professional. To help solve this problem we've developed Sir Vicerator, a PowerShell tool that automates the entire process for you.
As a cyber security community it is important that we share and collaborate wherever possible to ensure that we collectively build the cyber resilience of business and improve our industry as a community.
Our latest example of this is a new tool written by our Head of Assurance, Tom Beeney. This tool is aimed at penetration testers and IT Security admins.
Tom said “The inspiration for this project came from the laborious task of evidence collection during penetration tests. After compromising vulnerable services and achieving privilege escalation on hosts, I would always be concerned that my team and I weren’t reporting all instances of vulnerable services to the client. Manually obtaining all instances across a domain is rarely possible due to the time constraints of testing – to deliver the best outcome for clients I had to find a way to automate the process and thus “Sir Vicerator” was born”.
Tool Overview
'Sir Vicerator' is a tool written in PowerShell to automate the task of identifying services within a Windows domain network which are running with SYSTEM privileges. The tool takes a host input file, queries each host to extract its configured services, identifies those running as SYSTEM, and then displays on screen the ones that are commonly used within penetration testing engagements to elevate privilege.
The tool writes all SYSTEM services outside of the WINDOWS directory to raw data files, displays problematic services on screen, and saves them to a separate CSV file to make reporting easier for penetration testers and sysadmins alike.
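The audit described above can be sketched in a few lines of PowerShell. This is an added example for administrators reviewing their own hosts, not Sir Vicerator's source code; the file names `hosts.txt` and `system-services.csv` and both function names are assumptions.

```powershell
# Added example, not Sir Vicerator's code. Assumed: hosts.txt holds one
# hostname per line and the caller has rights to query each host over CIM.

function Get-ServiceExecutable {
    # Win32_Service.PathName may be quoted ("C:\Dir\app.exe" -k x) or unquoted.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return ($PathName.Trim() -split '\s+')[0]
}

function Get-SystemServiceOutsideWindows {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Ask the remote host where its Windows directory is rather than assuming C:\Windows.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
    $winDir = $os.WindowsDirectory.TrimEnd('\') + '\'
    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName -ErrorAction Stop |
        Where-Object { $_.StartName -in 'LocalSystem', 'NT AUTHORITY\SYSTEM' } |
        ForEach-Object {
            $exe = Get-ServiceExecutable $_.PathName
            # Keep only SYSTEM services whose binary lives outside the Windows directory.
            if ($exe -and -not $exe.StartsWith($winDir, [StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{
                    ComputerName = $ComputerName
                    Service      = $_.Name
                    State        = $_.State
                    StartMode    = $_.StartMode
                    Executable   = $exe
                    PathName     = $_.PathName
                }
            }
        }
}

$results = @(foreach ($line in Get-Content -Path .\hosts.txt | Where-Object { $_.Trim() }) {
    # An unreachable host is reported and skipped so one failure does not stop the run.
    try { Get-SystemServiceOutsideWindows -ComputerName $line.Trim() }
    catch { Write-Warning "$($line.Trim()): $($_.Exception.Message)" }
})

if ($results.Count) {
    $results | Export-Csv -Path .\system-services.csv -NoTypeInformation
    $results | Format-Table -AutoSize
}
```

Each row in the CSV is a service to review: confirm it needs to run as SYSTEM and that its install directory is writable only by administrators.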
Sir Vicerator is available on the Reliance acsn GitHub (https://github.com/reliance-acsn/SirVicerator).