Overview: Understanding the Two Attack Layers

When assessing a Windows environment, you typically work with two distinct layers:
- Local Machine / Host
  - Scenario: “I have a shell on one Windows box. How do I escalate to admin/System here?”
  - Tools: WinPEAS, Watson, Seatbelt, PowerUp, SharpUp, manual commands
- Domain / Active Directory
  - Scenario: “I have domain creds somewhere. How do I find paths to Domain Admin or other juicy targets?”
  - Tools: BloodHound (with SharpHound), PowerView, ADRecon
Tool Focus Summary:
- Watson → local Windows, focuses on missing patches / kernel priv-esc
- WinPEAS → local Windows, broad priv-esc enumeration
- BloodHound → AD/domain-wide, graph-based attack path mapping
- Seatbelt, PowerUp, PowerView → additional context and specialized checks
Mental Model:
- WinPEAS & Watson = “what can I do on THIS Windows machine?”
- BloodHound & PowerView = “what can I do in THIS Windows DOMAIN?”
1. WinPEAS – The Comprehensive Local Enumeration Tool
What is WinPEAS?
WinPEAS (Windows Privilege Escalation Awesome Script) is a host enumeration tool you run on compromised Windows machines where you already have code execution.

Key Focus Areas:
- Weak service permissions
- Unquoted service paths
- Services running as SYSTEM with modifiable binaries/paths
- Weak file/folder ACLs
- Interesting registry keys (auto-runs, credentials, AlwaysInstallElevated)
- Stored credentials in files, registry, cached config
- Token privileges and integrity levels
- Scheduled tasks
- Installed exploitable software
Input / Output:
- Input: Executable on victim machine
- Output: Comprehensive text dump with color-coded potential issues
Strengths vs Weaknesses:
| Strengths | Weaknesses |
|---|---|
| Broad coverage | Very noisy output |
| Quick identification of multiple vectors | May trigger EDR/AV |
| Excellent for CTF/OSCP practice | Requires manual result interpretation |
2. Watson – Windows Patch Vulnerability Specialist

What is Watson?
Watson is a focused tool that checks for missing patches and known kernel vulnerabilities on compromised Windows systems.
Primary Focus:
- Windows OS version/build analysis
- Installed patches assessment
- Known kernel/privilege-escalation vulnerabilities
- CVE/MS bulletin correlation
Mental Model Comparison:
- WinPEAS = Full body medical check-up
- Watson = Specialist doctor checking for critical vaccination gaps
When to Use Which:
- Old Windows (7/2008) → Run Watson early
- Modern Windows (10/11) → Start with WinPEAS/Seatbelt
- No misconfigs found → Fall back to Watson for patch analysis
3. BloodHound – Active Directory Attack Path Visualization

What is BloodHound?
BloodHound uses graph theory to reveal hidden attack paths in Active Directory environments.
Architecture:
- Ingestors (SharpHound) – Collect AD data from environment
- GUI/Neo4j Database – Analyze and visualize attack paths
AD Object Modeling:
- Nodes: Users, computers, groups, domains, GPOs, OUs
- Edges: “Member of”, “Local admin on”, “Has session on”, “Can RDP to”
Key Capabilities:
- Find paths from low-privilege users to Domain Admin
- Identify machines with shortest paths to high-value groups
- Locate risky ACLs (GenericAll, WriteDacl)
- Discover users with local admin on multiple machines
Mental Model:
BloodHound = Google Maps for Active Directory
- Input: Current user position
- Output: Shortest route to destination (Domain Admin)
4. Seatbelt – Focused .NET-Based Enumeration

What is Seatbelt?
Seatbelt is a C#/.NET-based enumeration tool for security-focused Windows checks.
Key Checks:
- Interesting processes and services
- Installed software inventory
- Security product detection
- Credential storage locations
- PowerShell history and settings
- RDP/firewall configuration
- Domain/AD information
WinPEAS vs Seatbelt:
| WinPEAS | Seatbelt |
|---|---|
| All-in-one bash-style script | Modular .NET-based tool |
| Comprehensive coverage | Specific check execution |
| CTF-oriented | Red team OPSEC-friendly |
5. PowerUp – Privilege Escalation Automation

What is PowerUp?
PowerUp is a PowerShell script focused on finding and exploiting local privilege escalation vectors.
Primary Functions:
- Misconfigured service identification
- Unquoted service path detection
- Weak ACL discovery on files/folders
- Automated exploitation capabilities
PowerUp vs WinPEAS:
- PowerUp: PowerShell-based, can auto-exploit findings
- WinPEAS: Compiled binary, focuses on discovery over exploitation
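As an added example (not WinPEAS or PowerUp code), here is a defender-side PowerShell audit for three of the conditions both tools flag in the sections above: unquoted service paths, service binaries writable by broad groups, and the AlwaysInstallElevated policy. It assumes an elevated PowerShell session on the host under review; the function names are this example's own.

```powershell
# Added example (not WinPEAS/PowerUp code). Assumes an elevated PowerShell session
# on the host under review; the function names are this example's own.
function Get-UnquotedServicePath {
    # Windows resolves an unquoted path with spaces by trying each prefix in turn,
    # so a writable directory early in that path is the exposure to fix.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' } |
        ForEach-Object {
            $exe = $_.PathName -replace '(?i)^(.*?\.exe).*$', '$1'   # strip arguments
            if ($exe -match '\s') {
                [pscustomobject]@{ Service = $_.Name; RunsAs = $_.StartName; Path = $_.PathName }
            }
        }
}
function Get-WritableServiceBinary {
    # A binary that broad groups can modify runs as the service account on next start.
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }
        $exe = $_.PathName -replace '(?i)^\s*"?(.*?\.exe).*$', '$1'
        if (-not (Test-Path -LiteralPath $exe)) { return }
        foreach ($ace in (Get-Acl -LiteralPath $exe).Access) {
            # String match on the rights enum: generic-only ACEs print as numbers and
            # are missed, so treat this as a first pass rather than a full ACL review.
            if ($ace.AccessControlType -eq 'Allow' -and
                $broad -contains $ace.IdentityReference.Value -and
                $ace.FileSystemRights -match 'Write|Modify|FullControl') {
                [pscustomobject]@{ Service = $_.Name; RunsAs = $_.StartName
                                   Binary  = $exe;    Grantee = $ace.IdentityReference.Value }
            }
        }
    }
}
function Test-AlwaysInstallElevated {
    # Only a finding when BOTH the machine and the user policy value are 1.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $set = 0
    foreach ($k in $keys) {
        $v = Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        if ($v -and $v.AlwaysInstallElevated -eq 1) { $set++ }
    }
    return ($set -eq 2)
}
Get-UnquotedServicePath   | Format-Table -AutoSize
Get-WritableServiceBinary | Format-Table -AutoSize
"AlwaysInstallElevated enabled on both hives: $(Test-AlwaysInstallElevated)"
```

Each row the first two functions print is a service whose path or binary should be quoted or re-ACLed before a host enumeration tool reports it.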
6. PowerView – AD Reconnaissance Workhorse

What is PowerView?
PowerView is a PowerShell tool for manual Active Directory enumeration and misconfiguration discovery.
Key Features:
- Domain user/group/computer enumeration
- Local admin position identification
- Session and logon tracking
- ACL and permission analysis
- Unconstrained delegation discovery
- Kerberoastable user identification
BloodHound vs PowerView:
| BloodHound | PowerView |
|---|---|
| Visual graph-based analysis | CLI text-based output |
| Automated path discovery | Manual query execution |
| Big picture overview | Detailed specific information |
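As an added example (not PowerView code), the same two checks PowerView lists above, unconstrained delegation and Kerberoastable accounts, done from the defender's side with the RSAT ActiveDirectory module. It assumes a domain-joined host with RSAT installed and ordinary read access to the directory; the function names are this example's own.

```powershell
# Added example, not PowerView code. Assumes the RSAT ActiveDirectory module on a
# domain-joined host with ordinary read access; function names are this example's own.
Import-Module ActiveDirectory

function Get-UnconstrainedDelegationAccount {
    # TrustedForDelegation maps to TRUSTED_FOR_DELEGATION in userAccountControl.
    # Domain controllers legitimately have it; any other account is a finding to review.
    $dcs = (Get-ADDomainController -Filter *).Name
    Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Computer'; Name = $_.Name; ExpectedDC = ($dcs -contains $_.Name) }
        }
    Get-ADUser -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation |
        ForEach-Object {
            [pscustomobject]@{ Type = 'User'; Name = $_.SamAccountName; ExpectedDC = $false }
        }
}

function Get-KerberoastableAccount {
    # Any user account holding an SPN can have a service ticket issued for it, and that
    # ticket is protected only by the account's password. Report the factors that make
    # offline guessing practical: old passwords, RC4 still allowed, admin rights.
    Get-ADUser -Filter { ServicePrincipalName -like '*' } -Properties ServicePrincipalName, PasswordLastSet, AdminCount, 'msDS-SupportedEncryptionTypes' |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object {
            $enc = [int]$_.'msDS-SupportedEncryptionTypes'   # 0x4 = RC4, 0x8/0x10 = AES128/AES256
            $age = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
            [pscustomobject]@{
                Account         = $_.SamAccountName
                SPNs            = ($_.ServicePrincipalName -join ';')
                PasswordAgeDays = $age
                Rc4Allowed      = ($enc -eq 0) -or (($enc -band 0x4) -ne 0)   # unset means RC4 defaults apply
                Privileged      = ($_.AdminCount -eq 1)
            }
        }
}

Get-UnconstrainedDelegationAccount | Format-Table -AutoSize
Get-KerberoastableAccount | Sort-Object Privileged, PasswordAgeDays -Descending | Format-Table -AutoSize
```

Privileged SPN accounts with old passwords and RC4 still enabled are the rows to fix first: rotate to a long password or a group managed service account and restrict the account to AES.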
7. Comprehensive Tool Comparison Table
| Tool | Scope | Execution Location | Primary Focus |
|---|---|---|---|
| WinPEAS | Local Host | Victim Windows Machine | Broad privilege escalation enumeration |
| Watson | Local Host | Victim Windows Machine | Patch/OS-based vulnerability assessment |
| Seatbelt | Local Host | Victim Windows Machine | Modular security checks, .NET-based |
| PowerUp | Local Host | Victim Windows Machine | Local privilege escalation discovery/exploitation |
| BloodHound | Domain/AD | Ingestor in domain, GUI on attacker | AD graph attack path visualization |
| PowerView | Domain/AD | Domain-joined machine | AD enumeration via PowerShell |
8. Practical Usage Methodology
Local Privilege Escalation Workflow:
- Initial Assessment: Run WinPEAS for broad enumeration
- Quick Patch Check: Execute Watson for kernel vulnerabilities
- Focused Analysis: Use Seatbelt for specific security checks
- Exploitation: Leverage PowerUp for automated exploitation
Domain Enumeration Strategy:
- Initial Recon: Use PowerView for manual AD enumeration
- Data Collection: Execute SharpHound for BloodHound data
- Path Analysis: Import data into BloodHound for visualization
- Target Selection: Identify shortest paths to high-value targets
Key Takeaways
Tool Selection Guidelines:
- Standalone Windows: Focus on WinPEAS, Watson, PowerUp
- Domain Environment: Combine BloodHound with PowerView
- OPSEC Concerns: Prefer Seatbelt over WinPEAS
- Old Systems: Prioritize Watson for kernel exploits
Operational Security Considerations:
- WinPEAS is noisy but comprehensive
- Seatbelt offers better OPSEC for red team operations
- BloodHound ingestion can trigger detection mechanisms
- Always consider tool detection profiles in monitored environments
Learning Path Recommendation:
- Start with WinPEAS for local enumeration
- Practice with BloodHound for AD concepts
- Advance to Seatbelt and PowerView for professional operations
- Understand manual techniques underlying all automated tools
Together, these tools cover Windows privilege escalation and Active Directory enumeration from initial foothold to domain compromise.

