Add linpeas privilege escalation checks from: Critical: Remote Code Execution via Malicious Obfuscated Malware in Imunify360 A

.github/workflows/CI-master_tests.yml

@@ -212,14 +212,15 @@ jobs:
 
     steps:
       # Download repo
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v2
         with:
           ref: ${{ github.head_ref }}
       
       # Setup go
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@v2
         with:
-          go-version: '1.23'
+          go-version: 1.17.0-rc1
+          stable: false
       - run: go version
       
       # Build linpeas

linPEAS/builder/linpeas_parts/7_software_information/Imunify360_AiBolit.sh

@@ -0,0 +1,129 @@
+# Title: Software Information - Imunify360/Ai-Bolit RCE (<=32.7.4.0)
+# ID: SI_Imunify360_AiBolit
+# Author: HT Bot
+# Last Update: 13-11-2025
+# Description: Detect Imunify360/Ai-Bolit presence, version and risky execution flags related to the deobfuscation RCE fixed in v32.7.4.0
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_3title, print_info
+# Global Variables: $DEBUG, $HOME
+# Initial Functions:
+# Generated Global Variables: $ai_bolit_version, $ai_bolit_vuln, $imunify_pkgs, $ai_bolit_installed, $ps_matches, $units, $writable_webroot, $risk, $vmin, $deobf_refs
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+# Quick detector for Imunify360 / Ai-Bolit installation
+ai_bolit_installed=""
+for p in \
+  /opt/ai-bolit \
+  /opt/ai-bolit/wrapper \
+  /usr/bin/imunify-antivirus \
+  /usr/bin/imunify360-agent \
+  /opt/imunify* \
+  /usr/share/imunify*; do
+  [ -e "$p" ] && ai_bolit_installed=1 && break
+done
+
+# Also consider it present if any package is installed
+imunify_pkgs=$( (rpm -qa 2>/dev/null | grep -Ei '^(imunify|imunify360|imunify-antivirus)'; dpkg -l 2>/dev/null | grep -Ei 'imunify|imunify360') 2>/dev/null )
+if [ "$imunify_pkgs" ] && [ -z "$ai_bolit_installed" ]; then ai_bolit_installed=1; fi
+
+if [ "$ai_bolit_installed" ] || [ "$DEBUG" ]; then
+  print_2title "Imunify360/Ai-Bolit RCE (<=32.7.4.0) exposure check"
+
+  # Show installed packages
+  if [ "$imunify_pkgs" ]; then
+    print_info "Installed Imunify packages (package manager):"
+    printf "%s\n" "$imunify_pkgs"
+    echo ""
+  fi
+
+  # Try to obtain Ai-Bolit version from common locations (do not execute third-party binaries)
+  ai_bolit_version=""
+  if [ -r "/opt/ai-bolit/VERSION" ]; then
+    ai_bolit_version=$(head -n1 /opt/ai-bolit/VERSION 2>/dev/null | tr -d ' \t\r')
+  elif [ -r "/opt/ai-bolit/version" ]; then
+    ai_bolit_version=$(head -n1 /opt/ai-bolit/version 2>/dev/null | tr -d ' \t\r')
+  fi
+
+  if [ "$ai_bolit_version" ]; then
+    printf "Ai-Bolit version: %s\n" "$ai_bolit_version"
+  else
+    printf "Ai-Bolit version: unknown (could not read /opt/ai-bolit/VERSION)\n"
+  fi
+
+  # Determine if version is vulnerable (< 32.7.4.0)
+  ai_bolit_vuln=""
+  if [ "$ai_bolit_version" ]; then
+    vmin=$(printf '%s\n' "$ai_bolit_version" "32.7.4.0" | sort -V | head -n1)
+    if [ "$vmin" = "$ai_bolit_version" ] && [ "$ai_bolit_version" != "32.7.4.0" ]; then
+      ai_bolit_vuln=1
+    fi
+  else
+    # If we cannot read the version but the product is present, assume unknown/possibly vulnerable
+    ai_bolit_vuln="unknown"
+  fi
+
+  # Look for running processes that may invoke Ai-Bolit or Imunify and check for --deobfuscate and privileges
+  ps_matches=$(ps -eo user:12,pid,cmd 2>/dev/null | grep -Ei '(ai-bolit|imunify|scanner\.py)' | grep -v grep)
+  if [ "$ps_matches" ]; then
+    print_info "Running Imunify/Ai-Bolit related processes:"
+    # Highlight --deobfuscate and root user
+    printf "%s\n" "$ps_matches" \
+      | sed -${E} "s, --deobfuscate, ${SED_RED}," \
+      | sed -${E} "s,^root,${SED_RED},"
+    echo ""
+  fi
+
+  # Check systemd units and whether --deobfuscate is in ExecStart
+  if command -v systemctl >/dev/null 2>&1; then
+    units=$(systemctl list-units --type=service --all --no-pager 2>/dev/null | grep -Ei '(imunify|ai-bolit)' | awk '{print $1}' | sort -u)
+    if [ "$units" ]; then
+      print_info "Systemd service definitions (grep ExecStart/User):"
+      for u in $units; do
+        echo "[Unit] $u"
+        systemctl cat "$u" 2>/dev/null | grep -E '^(User=|Group=|ExecStart=)' \
+          | sed -${E} "s, --deobfuscate, ${SED_RED}," \
+          | sed -${E} "s,^User=\s*root,${SED_RED},"
+      done
+      echo ""
+    fi
+  fi
+
+  # Wrapper/orchestrator hint: check common source paths for the --deobfuscate flag (bounded search)
+  deobf_refs=$(grep -RIl --max-depth=4 --binary-files=without-match -E "--deobfuscate" \
+    /opt/imunify* /usr/share/imunify* /opt/ai-bolit* 2>/dev/null | head -n 5)
+  if [ "$deobf_refs" ]; then
+    print_info "Files referencing --deobfuscate (first hits):"
+    printf "%s\n" "$deobf_refs"
+    echo ""
+  fi
+
+  # Simple heuristic: can the current user write to common website roots?
+  writable_webroot=""
+  for w in "$HOME/public_html" "$HOME/www" "$HOME/html" "$HOME/htdocs" "$HOME/public_www"; do
+    if [ -d "$w" ] && [ -w "$w" ]; then writable_webroot=1; echo "Writable webroot detected: $w" | sed -${E} "s,.*,${SED_YELLOW},"; fi
+  done
+  [ "$writable_webroot" ] && echo ""
+
+  # Final risk summary
+  risk="LOW"
+  if [ "$ai_bolit_vuln" = "1" ]; then
+    risk="MEDIUM"
+  elif [ "$ai_bolit_vuln" = "unknown" ]; then
+    risk="MEDIUM (version unknown)"
+  fi
+  if [ "$ps_matches" ] && echo "$ps_matches" | grep -q -- "--deobfuscate" && echo "$ps_matches" | awk '{print $1}' | grep -q '^root$'; then
+    if [ "$ai_bolit_vuln" ]; then risk="HIGH"; fi
+  fi
+
+  print_3title "Ai-Bolit deobfuscation RCE exposure: RISK = $risk"
+  if [ "$ai_bolit_vuln" = "1" ]; then
+    echo "Detected Ai-Bolit < 32.7.4.0. Update to >= 32.7.4.0 or later." | sed -${E} "s,.*,${SED_RED},"
+  elif [ "$ai_bolit_vuln" = "unknown" ]; then
+    echo "Ai-Bolit present but version unknown. Verify patch level (>= 32.7.4.0)." | sed -${E} "s,.*,${SED_YELLOW},"
+  fi
+  echo "If wrapper/services run with --deobfuscate as root, a low-privileged user who can place PHP files in scanned paths may achieve code execution via the scanner." | sed -${E} "s,.*,${SED_YELLOW},"
+  echo ""
+fi

linPEAS/builder/linpeas_parts/7_software_information/Postgresql_Event_Triggers.sh

@@ -1,72 +0,0 @@
-# Title: Software Information - PostgreSQL Event Triggers
-# ID: SI_Postgresql_Event_Triggers
-# Author: HT Bot
-# Last Update: 19-11-2025
-# Description: Detect unsafe PostgreSQL event triggers and postgres_fdw custom scripts that grant temporary SUPERUSER
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: echo_not_found, print_2title, print_info
-# Global Variables: $DEBUG, $E, $SED_GREEN, $SED_RED, $SED_YELLOW, $TIMEOUT
-# Initial Functions:
-# Generated Global Variables: $psql_bin, $psql_evt_output, $psql_evt_status, $psql_evt_err_line, $postgres_fdw_dirs, $postgres_fdw_hits, $old_ifs, $evtname, $enabled, $owner, $owner_is_super, $func, $func_owner, $func_owner_is_super, $IFS
-# Fat linpeas: 0
-# Small linpeas: 1
-
-
-if [ "$DEBUG" ] || { [ "$TIMEOUT" ] && [ "$(command -v psql 2>/dev/null || echo -n '')" ]; }; then
-  print_2title "PostgreSQL event trigger ownership & postgres_fdw hooks"
-  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#postgresql-event-triggers"
-
-  psql_bin="$(command -v psql 2>/dev/null || echo -n '')"
-  if [ "$TIMEOUT" ] && [ "$psql_bin" ]; then
-    psql_evt_output="$($TIMEOUT 5 "$psql_bin" -w -X -q -A -t -d postgres -c "WITH evt AS ( SELECT e.evtname, e.evtenabled, pg_get_userbyid(e.evtowner) AS trig_owner, tr.rolsuper AS trig_owner_super, n.nspname || '.' || p.proname AS function_name, pg_get_userbyid(p.proowner) AS func_owner, fr.rolsuper AS func_owner_super FROM pg_event_trigger e JOIN pg_proc p ON e.evtfoid = p.oid JOIN pg_namespace n ON p.pronamespace = n.oid LEFT JOIN pg_roles tr ON tr.oid = e.evtowner LEFT JOIN pg_roles fr ON fr.oid = p.proowner ) SELECT evtname || '|' || evtenabled || '|' || COALESCE(trig_owner,'?') || '|' || COALESCE(CASE WHEN trig_owner_super THEN 'yes' ELSE 'no' END,'unknown') || '|' || function_name || '|' || COALESCE(func_owner,'?') || '|' || COALESCE(CASE WHEN func_owner_super THEN 'yes' ELSE 'no' END,'unknown') FROM evt WHERE COALESCE(trig_owner_super,false) = false OR COALESCE(func_owner_super,false) = false;" 2>&1)"
-    psql_evt_status=$?
-    if [ $psql_evt_status -eq 0 ]; then
-      if [ "$psql_evt_output" ]; then
-        echo "Non-superuser-owned event triggers were found (trigger|enabled?|owner|owner_is_super|function|function_owner|fn_owner_is_super):" | sed -${E} "s,.*,${SED_RED},"
-        printf "%s\n" "$psql_evt_output" | while IFS='|' read evtname enabled owner owner_is_super func func_owner func_owner_is_super; do
-          case "$enabled" in
-            O) enabled="enabled" ;;
-            D) enabled="disabled" ;;
-            *) enabled="status_$enabled" ;;
-          esac
-          echo "  - $evtname ($enabled) uses $func owned by $func_owner (superuser:$func_owner_is_super); trigger owner: $owner (superuser:$owner_is_super)" | sed -${E} "s,superuser:no,${SED_RED},g"
-        done
-      else
-        echo "No event triggers owned by non-superusers were returned." | sed -${E} "s,.*,${SED_GREEN},"
-      fi
-    else
-      psql_evt_err_line=$(printf '%s\n' "$psql_evt_output" | head -n1)
-      echo "Could not query pg_event_trigger (psql exit $psql_evt_status): $psql_evt_err_line" | sed -${E} "s,.*,${SED_YELLOW},"
-    fi
-  else
-    if ! [ "$TIMEOUT" ]; then
-      echo_not_found "timeout"
-    fi
-    if ! [ "$psql_bin" ]; then
-      echo_not_found "psql"
-    fi
-  fi
-
-  postgres_fdw_dirs="/etc/postgresql /var/lib/postgresql /var/lib/postgres /usr/lib/postgresql /usr/local/lib/postgresql /opt/supabase /opt/postgres /srv/postgres"
-  postgres_fdw_hits=""
-  for d in $postgres_fdw_dirs; do
-    if [ -d "$d" ]; then
-      old_ifs="$IFS"
-      IFS="\n"
-      for f in $(find "$d" -maxdepth 5 -type f \( -name '*postgres_fdw*.sql' -o -name '*postgres_fdw*.psql' -o -name 'after-create.sql' \) 2>/dev/null); do
-        if [ -f "$f" ] && grep -qiE "alter[[:space:]]+role[[:space:]]+postgres[[:space:]]+superuser" "$f" 2>/dev/null; then
-          postgres_fdw_hits="$postgres_fdw_hits\n$f"
-        fi
-      done
-      IFS="$old_ifs"
-    fi
-  done
-
-  if [ "$postgres_fdw_hits" ]; then
-    echo "Detected postgres_fdw custom scripts granting postgres SUPERUSER (check for SupaPwn-style window):" | sed -${E} "s,.*,${SED_RED},"
-    printf "%s\n" "$postgres_fdw_hits" | sed "s,^,  - ,"
-  fi
-fi
-
-echo ""

linPEAS/builder/linpeas_parts/7_software_information/Ssh.sh

@@ -29,7 +29,7 @@ fi
 
 peass{SSH}
 
-grep "PermitRootLogin \|ChallengeResponseAuthentication \|PasswordAuthentication \|UsePAM \|Port\|PermitEmptyPasswords\|PubkeyAuthentication\|ListenAddress\|ForwardAgent\|AllowAgentForwarding\|AuthorizedKeysFile" /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | sed -${E} "s,PermitRootLogin.*es|PermitEmptyPasswords.*es|ChallengeResponseAuthentication.*es|FordwardAgent.*es,${SED_RED},"
+grep "PermitRootLogin \|ChallengeResponseAuthentication \|PasswordAuthentication \|UsePAM \|Port\|PermitEmptyPasswords\|PubkeyAuthentication\|ListenAddress\|ForwardAgent\|AllowAgentForwarding\|AuthorizedKeysFiles" /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | sed -${E} "s,PermitRootLogin.*es|PermitEmptyPasswords.*es|ChallengeResponseAuthentication.*es|FordwardAgent.*es,${SED_RED},"
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   if [ "$TIMEOUT" ]; then

linPEAS/builder/linpeas_parts/linpeas_base/0_variables_base.sh

@@ -371,7 +371,7 @@ echo ""
 printf ${BLUE}"Linux Privesc Checklist: ${YELLOW}https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html\n"$NC
 echo " LEGEND:" | sed "s,LEGEND,${C}[1;4m&${C}[0m,"
 echo "  RED/YELLOW: 95% a PE vector" | sed "s,RED/YELLOW,${SED_RED_YELLOW},"
-echo "  RED: You should take a look into it" | sed "s,RED,${SED_RED},"
+echo "  RED: You should take a look to it" | sed "s,RED,${SED_RED},"
 echo "  LightCyan: Users with console" | sed "s,LightCyan,${SED_LIGHT_CYAN},"
 echo "  Blue: Users without console & mounted devs" | sed "s,Blue,${SED_BLUE},"
 echo "  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) " | sed "s,Green,${SED_GREEN},"
@@ -514,4 +514,4 @@ else
     HOMESEARCH="$HOME $HOMESEARCH"
   fi
 fi
-GREPHOMESEARCH=$(echo "$HOMESEARCH" | sed 's/ *$//g' | tr " " "|") #Remove ending spaces before putting "|"
+GREPHOMESEARCH=$(echo "$HOMESEARCH" | sed 's/ *$//g' | tr " " "|") #Remove ending spaces before putting "|"

metasploit/peass.rb

@@ -270,7 +270,7 @@ class MetasploitModule < Msf::Post
     if datastore['CUSTOM_URL'] != ""
       url_peass = datastore['CUSTOM_URL']
     else
-      url_peass = datastore['WINPEASS'].to_s.strip.downcase == 'true' ? "https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe" : "https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh"
+      url_peass = datastore['WINPEASS'] ? "https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe" : "https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh"
     end
     # If URL is set, check if it is a valid URL or local file
     if url_peass.include?("http://") || url_peass.include?("https://")

winPEAS/winPEASbat/winPEAS.bat

@@ -405,7 +405,7 @@ CALL :T_Progress 1
 
 :BasicUserInfo
 CALL :ColorLine "%E%32m[*]%E%97m BASIC USER INFO
-ECHO.   [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege
+ECHO.   [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege
 ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups
 ECHO.
 CALL :ColorLine " %E%33m[+]%E%97m CURRENT USER"
@@ -707,8 +707,7 @@ EXIT /B
 
 :SetOnce
 REM :: ANSI escape character is set once below - for ColorLine Subroutine
-for /F %%a in ('echo prompt $E ^| cmd') do set "ESC=%%a"
-SET "E=%ESC%["
+SET "E=0x1B["
 SET "PercentageTrack=0"
 EXIT /B
 

winPEAS/winPEASps1/README.md

@@ -19,14 +19,6 @@ Download the **[latest releas from here](https://github.com/peass-ng/PEASS-ng/re
 powershell "IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')"
 ```
 
-
-## Recent Updates
-
-- Added Active Directory awareness checks to highlight Kerberos-only environments (NTLM restrictions) and time skew issues before attempting ticket-based attacks.
-- winPEAS.ps1 now reviews AD-integrated DNS ACLs to flag zones where low-privileged users can register/modify records (dynamic DNS hijack risk).
-- Enumerates high-value SPN accounts and weak gMSA password readers so you can immediately target Kerberoastable admins or abused service accounts.
-- Surfaces Schannel certificate mapping settings to warn about ESC10-style certificate abuse opportunities when UPN mapping is enabled.
-
 ## Advisory
 
 All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.

winPEAS/winPEASps1/winPEAS.ps1

@@ -148,244 +148,6 @@ function Get-ClipBoardText {
   }
 }
 
-function Get-DomainContext {
-  try {
-    return [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
-  }
-  catch {
-    return $null
-  }
-}
-
-function Convert-SidToName {
-  param(
-    $SidInput
-  )
-  if ($null -eq $SidInput) { return $null }
-  try {
-    if ($SidInput -is [System.Security.Principal.SecurityIdentifier]) {
-      $sidObject = $SidInput
-    }
-    else {
-      $sidObject = New-Object System.Security.Principal.SecurityIdentifier($SidInput)
-    }
-    return $sidObject.Translate([System.Security.Principal.NTAccount]).Value
-  }
-  catch {
-    try { return $sidObject.Value }
-    catch { return [string]$SidInput }
-  }
-}
-
-function Get-WeakDnsUpdateFindings {
-  param(
-    [System.DirectoryServices.ActiveDirectory.Domain]$DomainContext
-  )
-  if (-not $DomainContext) { return @() }
-  $domainDN = $DomainContext.GetDirectoryEntry().distinguishedName
-  $forestDN = $DomainContext.Forest.RootDomain.GetDirectoryEntry().distinguishedName
-  $paths = @(
-    "LDAP://CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN",
-    "LDAP://CN=MicrosoftDNS,DC=ForestDnsZones,$forestDN",
-    "LDAP://CN=MicrosoftDNS,$domainDN"
-  )
-  $weakPatterns = @(
-    "authenticated users",
-    "everyone",
-    "domain users"
-  )
-  $dangerousRights = @("GenericAll", "GenericWrite", "CreateChild", "WriteProperty", "WriteDacl", "WriteOwner")
-  $findings = @()
-  foreach ($path in $paths) {
-    try {
-      $container = New-Object System.DirectoryServices.DirectoryEntry($path)
-      $null = $container.NativeGuid
-    }
-    catch { continue }
-    $searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
-    $searcher.Filter = "(objectClass=dnsZone)"
-    $searcher.PageSize = 500
-    $results = $searcher.FindAll()
-    foreach ($result in $results) {
-      try {
-        $zoneEntry = $result.GetDirectoryEntry()
-        $zoneEntry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
-        $sd = $zoneEntry.ObjectSecurity
-        foreach ($ace in $sd.Access) {
-          if ($ace.AccessControlType -ne 'Allow') { continue }
-          $principal = Convert-SidToName $ace.IdentityReference
-          if (-not $principal) { continue }
-          $principalLower = $principal.ToLower()
-          if (-not ($weakPatterns | Where-Object { $principalLower -like "*${_}*" })) { continue }
-          $rights = $ace.ActiveDirectoryRights.ToString()
-          if (-not ($dangerousRights | Where-Object { $rights -like "*${_}*" })) { continue }
-          $findings += [pscustomobject]@{
-            Zone      = $zoneEntry.Properties["name"].Value
-            Partition = $path.Split(',')[1]
-            Principal = $principal
-            Rights    = $rights
-          }
-        }
-      }
-      catch { continue }
-    }
-  }
-  return ($findings | Sort-Object Zone, Principal -Unique)
-}
-
-function Get-GmsaReadersReport {
-  param(
-    [System.DirectoryServices.ActiveDirectory.Domain]$DomainContext
-  )
-  if (-not $DomainContext) { return @() }
-  $domainDN = $DomainContext.GetDirectoryEntry().distinguishedName
-  try {
-    $searcher = New-Object System.DirectoryServices.DirectorySearcher
-    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainDN")
-    $searcher.Filter = "(&(objectClass=msDS-GroupManagedServiceAccount))"
-    $searcher.PageSize = 500
-    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
-    [void]$searcher.PropertiesToLoad.Add("msDS-GroupMSAMembership")
-    $results = $searcher.FindAll()
-  }
-  catch { return @() }
-  $report = @()
-  foreach ($result in $results) {
-    $name = $result.Properties["samaccountname"]
-    $blobs = $result.Properties["msds-groupmsamembership"]
-    if (-not $blobs) { continue }
-    $principals = @()
-    foreach ($blob in $blobs) {
-      try {
-        $raw = New-Object System.Security.AccessControl.RawSecurityDescriptor (, $blob)
-        foreach ($ace in $raw.DiscretionaryAcl) {
-          $sid = Convert-SidToName $ace.SecurityIdentifier
-          if ($sid) { $principals += $sid }
-        }
-      }
-      catch { continue }
-    }
-    if ($principals.Count -eq 0) { continue }
-    $principals = $principals | Sort-Object -Unique
-    $weak = $principals | Where-Object { $_ -match 'Domain Users|Authenticated Users|Everyone' }
-    $report += [pscustomobject]@{
-      Account        = ($name | Select-Object -First 1)
-      Allowed        = ($principals -join ", ")
-      WeakPrincipals = if ($weak) { $weak -join ", " } else { "" }
-    }
-  }
-  return $report
-}
-
-function Get-PrivilegedSpnTargets {
-  param(
-    [System.DirectoryServices.ActiveDirectory.Domain]$DomainContext
-  )
-  if (-not $DomainContext) { return @() }
-  $domainDN = $DomainContext.GetDirectoryEntry().distinguishedName
-  $keywords = @(
-    "Domain Admin",
-    "Enterprise Admin",
-    "Administrators",
-    "Exchange",
-    "IT_",
-    "Schema Admin",
-    "Account Operator",
-    "Server Operator",
-    "Backup Operator",
-    "DnsAdmin"
-  )
-  try {
-    $searcher = New-Object System.DirectoryServices.DirectorySearcher
-    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainDN")
-    $searcher.Filter = "(&(objectClass=user)(servicePrincipalName=*))"
-    $searcher.PageSize = 500
-    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
-    [void]$searcher.PropertiesToLoad.Add("memberOf")
-    $results = $searcher.FindAll()
-  }
-  catch { return @() }
-  $findings = @()
-  foreach ($res in $results) {
-    $groups = $res.Properties["memberof"]
-    if (-not $groups) { continue }
-    $matchedGroups = @()
-    foreach ($group in $groups) {
-      $cn = ($group -split ',')[0] -replace '^CN=',''
-      if ($keywords | Where-Object { $cn -like "*${_}*" }) {
-        $matchedGroups += $cn
-      }
-    }
-    if ($matchedGroups.Count -gt 0) {
-      $findings += [pscustomobject]@{
-        User   = ($res.Properties["samaccountname"] | Select-Object -First 1)
-        Groups = ($matchedGroups | Sort-Object -Unique) -join ', '
-      }
-    }
-  }
-  return ($findings | Sort-Object User | Select-Object -First 12)
-}
-
-function Get-NtlmPolicySummary {
-  try {
-    $msv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction Stop
-  }
-  catch { return $null }
-  $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
-  return [pscustomobject]@{
-    RestrictReceiving = $msv.RestrictReceivingNTLMTraffic
-    RestrictSending   = $msv.RestrictSendingNTLMTraffic
-    LmCompatibility   = if ($lsa) { $lsa.LmCompatibilityLevel } else { $null }
-  }
-}
-
-function Get-TimeSkewInfo {
-  param(
-    [System.DirectoryServices.ActiveDirectory.Domain]$DomainContext
-  )
-  if (-not $DomainContext) { return $null }
-  try {
-    $pdc = $DomainContext.PdcRoleOwner.Name
-  }
-  catch { return $null }
-  try {
-    $stripchart = w32tm /stripchart /computer:$pdc /dataonly /samples:3 2>$null
-    $sample = $stripchart | Where-Object { $_ -match ',' } | Select-Object -Last 1
-    if (-not $sample) { return $null }
-    $parts = $sample.Split(',')
-    if ($parts.Count -lt 2) { return $null }
-    $offsetString = $parts[1].Trim().TrimEnd('s')
-    [double]$offsetSeconds = 0
-    if (-not [double]::TryParse($offsetString, [ref]$offsetSeconds)) { return $null }
-    return [pscustomobject]@{
-      Source        = $pdc
-      OffsetSeconds = $offsetSeconds
-      RawSample     = $sample
-    }
-  }
-  catch {
-    return $null
-  }
-}
-
-function Get-AdcsSchannelInfo {
-  $info = [ordered]@{
-    MappingValue = $null
-    UpnMapping   = $false
-    ServiceState = $null
-  }
-  try {
-    $schannel = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' -Name 'CertificateMappingMethods' -ErrorAction Stop
-    $info.MappingValue = $schannel.CertificateMappingMethods
-    if (($schannel.CertificateMappingMethods -band 0x4) -eq 0x4) { $info.UpnMapping = $true }
-  }
-  catch { }
-  $svc = Get-Service -Name certsrv -ErrorAction SilentlyContinue
-  if ($svc) { $info.ServiceState = $svc.Status }
-  return [pscustomobject]$info
-}
-
-
 function Search-Excel {
   [cmdletbinding()]
   Param (
@@ -1464,95 +1226,6 @@ Write-Host -ForegroundColor Blue "=========|| LISTENING PORTS"
 Start-Process NETSTAT.EXE -ArgumentList "-ano" -Wait -NoNewWindow
 
 
-######################## ACTIVE DIRECTORY / IDENTITY MISCONFIG CHECKS ########################
-Write-Host ""
-if ($TimeStamp) { TimeElapsed }
-Write-Host -ForegroundColor Blue "=========|| ACTIVE DIRECTORY / IDENTITY MISCONFIG CHECKS"
-
-$domainContext = Get-DomainContext
-if (-not $domainContext) {
-  Write-Host "Host appears to be in a workgroup or the AD context could not be resolved. Skipping domain-specific checks." -ForegroundColor DarkGray
-}
-else {
-  $ntlmStatus = Get-NtlmPolicySummary
-  if ($ntlmStatus) {
-    $recvValue = if ($ntlmStatus.RestrictReceiving -ne $null) { [int]$ntlmStatus.RestrictReceiving } else { -1 }
-    $sendValue = if ($ntlmStatus.RestrictSending -ne $null) { [int]$ntlmStatus.RestrictSending } else { -1 }
-    $lmValue = if ($ntlmStatus.LmCompatibility -ne $null) { [int]$ntlmStatus.LmCompatibility } else { -1 }
-    $ntlmMsg = "Receiving:{0} Sending:{1} LMCompat:{2}" -f $recvValue, $sendValue, $lmValue
-    if ($recvValue -ge 1 -or $sendValue -ge 1 -or $lmValue -ge 5) {
-      Write-Host "[!] NTLM is restricted/disabled ($ntlmMsg). Expect Kerberos-only auth paths (sync time before Kerberoasting)." -ForegroundColor Yellow
-    }
-    else {
-      Write-Host "[i] NTLM restrictions appear relaxed ($ntlmMsg)."
-    }
-  }
-
-  $timeSkew = Get-TimeSkewInfo -DomainContext $domainContext
-  if ($timeSkew) {
-    $offsetAbs = [math]::Abs($timeSkew.OffsetSeconds)
-    $timeMsg = "Offset vs {0}: {1:N3}s (sample: {2})" -f $timeSkew.Source, $timeSkew.OffsetSeconds, $timeSkew.RawSample.Trim()
-    if ($offsetAbs -gt 5) {
-      Write-Host "[!] Significant Kerberos time skew detected - $timeMsg" -ForegroundColor Yellow
-    }
-    else {
-      Write-Host "[i] Kerberos time offset looks OK - $timeMsg"
-    }
-  }
-
-  $dnsFindings = @(Get-WeakDnsUpdateFindings -DomainContext $domainContext)
-  if ($dnsFindings.Count -gt 0) {
-    Write-Host "[!] AD-integrated DNS zones allow low-priv principals to write records (dynamic DNS hijack / service MITM risk)." -ForegroundColor Yellow
-    $dnsFindings | Format-Table Zone,Partition,Principal,Rights -AutoSize | Out-String | Write-Host
-  }
-  else {
-    Write-Host "[i] No obvious insecure dynamic DNS ACLs found with current privileges."
-  }
-
-  $spnFindings = @(Get-PrivilegedSpnTargets -DomainContext $domainContext)
-  if ($spnFindings.Count -gt 0) {
-    Write-Host "[!] High-value SPN accounts identified (prime Kerberoast targets):" -ForegroundColor Yellow
-    $spnFindings | Format-Table User,Groups -AutoSize | Out-String | Write-Host
-  }
-  else {
-    Write-Host "[i] No privileged SPN users detected via quick LDAP search."
-  }
-
-  $gmsaReport = @(Get-GmsaReadersReport -DomainContext $domainContext)
-  if ($gmsaReport.Count -gt 0) {
-    $weakGmsa = $gmsaReport | Where-Object { $_.WeakPrincipals -ne "" }
-    if ($weakGmsa) {
-      Write-Host "[!] gMSA passwords readable by low-priv groups/principals: " -ForegroundColor Yellow
-      $weakGmsa | Select-Object Account, WeakPrincipals | Format-Table -AutoSize | Out-String | Write-Host
-    }
-    else {
-      Write-Host "[i] gMSA accounts discovered (review allowed readers below)."
-      $gmsaReport | Select-Object Account, Allowed | Sort-Object Account | Select-Object -First 5 | Format-Table -Wrap | Out-String | Write-Host
-    }
-  }
-  else {
-    Write-Host "[i] No gMSA objects found via LDAP."
-  }
-
-  $adcsInfo = Get-AdcsSchannelInfo
-  if ($adcsInfo.MappingValue -ne $null) {
-    $hex = ('0x{0:X}' -f [int]$adcsInfo.MappingValue)
-    if ($adcsInfo.UpnMapping) {
-      Write-Host ("[!] Schannel CertificateMappingMethods={0} (UPN mapping allowed) - ESC10 certificate abuse possible if you can edit another user's UPN." -f $hex) -ForegroundColor Yellow
-    }
-    else {
-      Write-Host ("[i] Schannel CertificateMappingMethods={0} (UPN mapping flag not set)." -f $hex)
-    }
-    if ($adcsInfo.ServiceState) {
-      Write-Host ("[i] AD CS service state: {0}" -f $adcsInfo.ServiceState)
-    }
-  }
-  else {
-    Write-Host "[i] Could not read Schannel certificate mapping configuration." -ForegroundColor DarkGray
-  }
-}
-
-
 Write-Host ""
 if ($TimeStamp) { TimeElapsed }
 Write-Host -ForegroundColor Blue "=========|| ARP Table"
@@ -1650,7 +1323,7 @@ Write-Host -ForegroundColor Blue "=========|| WHOAMI INFO"
 Write-Host ""
 if ($TimeStamp) { TimeElapsed }
 Write-Host -ForegroundColor Blue "=========|| Check Token access here: https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#abusing-tokens" -ForegroundColor yellow
-Write-Host -ForegroundColor Blue "=========|| Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege"
+Write-Host -ForegroundColor Blue "=========|| Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege"
 Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups" -ForegroundColor Yellow
 Start-Process whoami.exe -ArgumentList "/all" -Wait -NoNewWindow