PowerUp

项目地址：https://github.com/HarmJ0y/PowerUp/blob/master/README.md
用来在Windows系统中进行提权。包含几个模块来识别/利用含有漏洞的服务，例如dll劫持，脆弱的注册表设置，和发现提权可能。

Service Enumeration:

引用

Get-ServiceUnquoted             -   returns services with unquoted paths that also have a space in the name
Get-ServiceEXEPerms             -   returns services where the current user can write to the service binary path
Get-ServicePerms                -   returns services the current user can modify

Service Abuse:

引用

Invoke-ServiceUserAdd           -   modifies a modifiable service to create a user and add it to the local administrators
Write-UserAddServiceBinary      -   writes out a patched C# service binary that adds a local administrative user
Write-ServiceEXE                -   replaces a service binary with one that adds a local administrator user
Restore-ServiceEXE              -   restores a replaced service binary with the original executable

DLL Hijacking:

引用

Invoke-FindDLLHijack            -   finds DLL hijacking opportunities for currently running processes
Invoke-FindPathDLLHijack        -   finds service %PATH% .DLL hijacking opportunities

Registry Checks:

引用

Get-RegAlwaysInstallElevated    -   checks if the AlwaysInstallElevated registry key is set
Get-RegAutoLogon                -   checks for Autologon credentials in the registry

Misc. Checks:

引用

Get-UnattendedInstallFiles      -   finds remaining unattended installation files

Helpers:

引用

Invoke-AllChecks                -   runs all current escalation checks and returns a report
Write-UserAddMSI                -   write out a MSI installer that prompts for a user to be added
Invoke-ServiceStart             -   starts a given service
Invoke-ServiceStop              -   stops a given service
Invoke-ServiceEnable            -   enables a given service
Invoke-ServiceDisable           -   disables a given service
Get-ServiceDetails              -   returns detailed information about a service