Merge pull request #499 from peass-ng/update_PEASS-linpeas-HTB_Environment__Laravel_env_overrid_20250907_013120

[LINPEAS] Add privilege escalation check: HTB Environment Laravel env override (CV...

build_lists/sensitive_files.yaml

@@ -895,6 +895,14 @@ search:
                 type: f
                 search_in: 
                   - common
+          
+          - name: "credentials.tfrc.json"
+            value: 
+                type: f
+                bad_regex: ".*"
+                search_in:
+                  - common
+                  
 
   - name: Racoon
     value:
@@ -1265,7 +1273,7 @@ search:
                 type: f
                 bad_regex: ".*"
                 search_in:
-                  - common 
+                  - common
   
   - name: Cloud Credentials
     value:
@@ -2059,6 +2067,11 @@ search:
                 type: f
                 search_in: 
                   - common
+          - name: "private-keys-v1.d/*.key"
+            value: 
+                type: f
+                search_in: 
+                  - common
 
           - name: "*.gnupg"
             value: 

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Rcommands_trust.sh

@@ -6,7 +6,7 @@
 #              which can allow passwordless root via hostname/DNS manipulation.
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: print_2title, print_3title, print_info, echo_not_found
+# Functions Used: print_2title, print_3title, echo_not_found
 # Global Variables:
 # Initial Functions:
 # Generated Global Variables: $rfile, $perms, $owner, $g, $o, $any_rhosts, $shown, $f, $p
@@ -15,7 +15,6 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Legacy r-commands (rsh/rlogin/rexec) and host-based trust"
-  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#r-commands-and-rhosts"
 
   echo ""
   print_3title "Listening r-services (TCP 512-514)"

linPEAS/builder/linpeas_parts/variables/sudoVB1.sh

@@ -13,5 +13,5 @@
 # Small linpeas: 1
 
 
-sudoVB1=" \*|env_keep\W*\+=.*LD_PRELOAD|env_keep\W*\+=.*LD_LIBRARY_PATH|peass{SUDOVB1_HERE}"
-sudoVB2="peass{SUDOVB2_HERE}"
+sudoVB1=" \*|env_keep\W*\+=.*LD_PRELOAD|env_keep\W*\+=.*LD_LIBRARY_PATH|env_keep\W*\+=.*BASH_ENV|env_keep\W*\+=.* ENV|peass{SUDOVB1_HERE}"
+sudoVB2="peass{SUDOVB2_HERE}"

linPEAS/builder/linpeas_parts/variables/sudovB.sh

@@ -1,7 +1,7 @@
 # Title: Variables - sudovB
 # ID: sudovB
 # Author: Carlos Polop
-# Last Update: 22-08-2023
+# Last Update: 04-10-2025
 # Description: Sudo version bad regex
 # License: GNU GPL
 # Version: 1.0
@@ -13,4 +13,4 @@
 # Small linpeas: 1
 
 
-sudovB="[01].[012345678].[0-9]+|1.9.[01234][^0-9]|1.9.[01234]$|1.9.5p1"
+sudovB="[01].[012345678].[0-9]+|1.9.[01234][^0-9]|1.9.[01234]$|1.9.5p1|1\.9\.[6-9]|1\.9\.1[0-7]"

winPEAS/winPEASexe/README.md

@@ -74,10 +74,23 @@ winpeas.exe -lolbas  #Execute also additional LOLBAS search check
 
 The goal of this project is to search for possible **Privilege Escalation Paths** in Windows environments.
 
+New in this version:
+- Detect potential GPO abuse by flagging writable SYSVOL paths for GPOs applied to the current host and by highlighting membership in the "Group Policy Creator Owners" group.
+
+
 It should take only a **few seconds** to execute almost all the checks and **some seconds/minutes during the lasts checks searching for known filenames** that could contain passwords (the time depened on the number of files in your home folder). By default only **some** filenames that could contain credentials are searched, you can use the **searchall** parameter to search all the list (this could will add some minutes).
 
 The tool is based on **[SeatBelt](https://github.com/GhostPack/Seatbelt)**.
 
+### New (AD-aware) checks
+
+- Active Directory quick checks now include:
+  - gMSA readable managed passwords: enumerate msDS-GroupManagedServiceAccount objects and report those where the current user/group is allowed to retrieve the managed password (PrincipalsAllowedToRetrieveManagedPassword).
+  - AD CS (ESC4) hygiene: enumerate published certificate templates and highlight templates where the current user/group has dangerous control rights (GenericAll/WriteDacl/WriteOwner/WriteProperty/ExtendedRight) that could allow template abuse (e.g., ESC4 -> ESC1).
+
+These checks are lightweight, read-only, and only run when the host is domain-joined.
+
+
 ## Where are my COLORS?!?!?!
 
 The **ouput will be colored** using **ansi** colors. If you are executing `winpeas.exe` **from a Windows console**, you need to set a registry value to see the colors (and open a new CMD):

winPEAS/winPEASexe/Tests/App.config

@@ -39,7 +39,7 @@
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="System.Text.RegularExpressions" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-4.1.1.0" newVersion="4.1.1.0" />
+        <bindingRedirect oldVersion="0.0.0.0-4.1.0.0" newVersion="4.1.0.0" />
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="System.Linq" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />

winPEAS/winPEASexe/Tests/packages.config

@@ -39,7 +39,7 @@
   <package id="System.Runtime.Numerics" version="4.3.0" targetFramework="net452" />
   <package id="System.Text.Encoding" version="4.3.0" targetFramework="net452" />
   <package id="System.Text.Encoding.Extensions" version="4.3.0" targetFramework="net452" />
-  <package id="System.Text.RegularExpressions" version="4.3.0" targetFramework="net452" requireReinstallation="true" />
+  <package id="System.Text.RegularExpressions" version="4.3.1" targetFramework="net48" />
   <package id="System.Threading" version="4.3.0" targetFramework="net452" />
   <package id="System.Threading.Tasks" version="4.3.0" targetFramework="net452" />
   <package id="System.Threading.Timer" version="4.3.0" targetFramework="net452" />

winPEAS/winPEASexe/Tests/winPEAS.Tests.csproj

@@ -83,6 +83,10 @@
     <Reference Include="System.Runtime.InteropServices.RuntimeInformation, Version=4.0.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
       <HintPath>..\packages\System.Runtime.InteropServices.RuntimeInformation.4.3.0\lib\net45\System.Runtime.InteropServices.RuntimeInformation.dll</HintPath>
     </Reference>
+    <Reference Include="System.Text.RegularExpressions, Version=4.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a">
+      <HintPath>..\packages\System.Text.RegularExpressions.4.3.1\lib\net463\System.Text.RegularExpressions.dll</HintPath>
+      <Private>True</Private>
+    </Reference>
     <Reference Include="System.Xml.Linq" />
     <Reference Include="System.Data.DataSetExtensions" />
     <Reference Include="Microsoft.CSharp" />

winPEAS/winPEASexe/winPEAS/App.config

@@ -32,7 +32,7 @@
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="Microsoft.Bcl.AsyncInterfaces" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-8.0.0.0" newVersion="8.0.0.0" />
+        <bindingRedirect oldVersion="0.0.0.0-9.0.0.1" newVersion="9.0.0.1" />
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="Microsoft.Win32.Primitives" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
@@ -156,7 +156,7 @@
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="System.Text.Encodings.Web" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-8.0.0.0" newVersion="8.0.0.0" />
+        <bindingRedirect oldVersion="0.0.0.0-9.0.0.1" newVersion="9.0.0.1" />
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="System.Text.RegularExpressions" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />

winPEAS/winPEASexe/winPEAS/Checks/ActiveDirectoryInfo.cs

@@ -0,0 +1,275 @@
+using System;
+using System.Collections.Generic;
+using System.DirectoryServices;
+using System.Security.AccessControl;
+using System.Security.Principal;
+using winPEAS.Helpers;
+
+namespace winPEAS.Checks
+{
+    // Lightweight AD-oriented checks for common escalation paths (gMSA readable password, AD CS template control)
+    internal class ActiveDirectoryInfo : ISystemCheck
+    {
+        public void PrintInfo(bool isDebug)
+        {
+            Beaprint.GreatPrint("Active Directory Quick Checks");
+
+            new List<Action>
+            {
+                PrintGmsaReadableByCurrentPrincipal,
+                PrintAdcsEsc4LikeTemplates
+            }.ForEach(action => CheckRunner.Run(action, isDebug));
+        }
+
+        private static HashSet<string> GetCurrentSidSet()
+        {
+            var sids = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+            try
+            {
+                var id = WindowsIdentity.GetCurrent();
+                sids.Add(id.User.Value);
+                foreach (var g in id.Groups)
+                {
+                    sids.Add(g.Value);
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.GrayPrint("    [!] Error obtaining current SIDs: " + ex.Message);
+            }
+            return sids;
+        }
+
+        private static string GetRootDseProp(string prop)
+        {
+            try
+            {
+                using (var root = new DirectoryEntry("LDAP://RootDSE"))
+                {
+                    return root.Properties[prop]?.Value as string;
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.GrayPrint($"    [!] Error accessing RootDSE ({prop}): {ex.Message}");
+                return null;
+            }
+        }
+
+        private static string GetProp(SearchResult r, string name)
+        {
+            return (r.Properties.Contains(name) && r.Properties[name].Count > 0)
+                ? r.Properties[name][0]?.ToString()
+                : null;
+        }
+
+        // Detect gMSA objects where the current principal (or one of its groups) can retrieve the managed password
+        private void PrintGmsaReadableByCurrentPrincipal()
+        {
+            try
+            {
+                Beaprint.MainPrint("gMSA readable managed passwords");
+                Beaprint.LinkPrint(
+                    "https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/gmsa.html",
+                    "Look for Group Managed Service Accounts you can read (msDS-ManagedPassword)");
+
+                if (!Checks.IsPartOfDomain)
+                {
+                    Beaprint.GrayPrint("  [-] Host is not domain-joined. Skipping.");
+                    return;
+                }
+
+                var defaultNC = GetRootDseProp("defaultNamingContext");
+                if (string.IsNullOrEmpty(defaultNC))
+                {
+                    Beaprint.GrayPrint("  [-] Could not resolve defaultNamingContext.");
+                    return;
+                }
+
+                var currentSidSet = GetCurrentSidSet();
+                int total = 0, readable = 0;
+
+                using (var baseDe = new DirectoryEntry("LDAP://" + defaultNC))
+                using (var ds = new DirectorySearcher(baseDe))
+                {
+                    ds.PageSize = 300;
+                    ds.Filter = "(&(objectClass=msDS-GroupManagedServiceAccount))";
+                    ds.PropertiesToLoad.Add("sAMAccountName");
+                    ds.PropertiesToLoad.Add("distinguishedName");
+                    // Who can read the managed password
+                    ds.PropertiesToLoad.Add("PrincipalsAllowedToRetrieveManagedPassword");
+
+                    foreach (SearchResult r in ds.FindAll())
+                    {
+                        total++;
+                        var name = GetProp(r, "sAMAccountName") ?? GetProp(r, "distinguishedName") ?? "<unknown>";
+                        var dn = GetProp(r, "distinguishedName") ?? "";
+
+                        bool canRead = false;
+                        // Attribute may be absent or empty
+                        var allowedDns = r.Properties["principalsallowedtoretrievemanagedpassword"];
+                        if (allowedDns != null)
+                        {
+                            foreach (var val in allowedDns)
+                            {
+                                try
+                                {
+                                    using (var de = new DirectoryEntry("LDAP://" + val.ToString()))
+                                    {
+                                        var sidObj = de.Properties["objectSid"]?.Value as byte[];
+                                        if (sidObj == null) continue;
+                                        var sid = new SecurityIdentifier(sidObj, 0).Value;
+                                        if (currentSidSet.Contains(sid))
+                                        {
+                                            canRead = true;
+                                        }
+                                    }
+                                }
+                                catch { /* ignore DN resolution issues */ }
+                            }
+                        }
+
+                        if (canRead)
+                        {
+                            readable++;
+                            Beaprint.BadPrint($"  You can retrieve managed password for gMSA: {name}  (DN: {dn})");
+                        }
+                    }
+                }
+
+                if (readable == 0)
+                {
+                    Beaprint.GrayPrint($"  [-] No gMSA with readable managed password found (checked {total}).");
+                }
+                else
+                {
+                    Beaprint.GrayPrint($"  [*] Hint: If such gMSA is member of Builtin\\Remote Management Users on a target, WinRM may be allowed.");
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+
+        // Detect AD CS certificate templates where current principal has dangerous control rights (ESC4-style)
+        private void PrintAdcsEsc4LikeTemplates()
+        {
+            try
+            {
+                Beaprint.MainPrint("AD CS templates with dangerous ACEs (ESC4)");
+                Beaprint.LinkPrint(
+                    "https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/ad-certificates.html#esc4",
+                    "If you can modify a template (WriteDacl/WriteOwner/GenericAll), you can abuse ESC4");
+
+                if (!Checks.IsPartOfDomain)
+                {
+                    Beaprint.GrayPrint("  [-] Host is not domain-joined. Skipping.");
+                    return;
+                }
+
+                var configNC = GetRootDseProp("configurationNamingContext");
+                if (string.IsNullOrEmpty(configNC))
+                {
+                    Beaprint.GrayPrint("  [-] Could not resolve configurationNamingContext.");
+                    return;
+                }
+
+                var currentSidSet = GetCurrentSidSet();
+                int checkedTemplates = 0;
+                int vulnerable = 0;
+
+                var templatesDn = $"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,{configNC}";
+
+                using (var deBase = new DirectoryEntry(templatesDn))
+                using (var ds = new DirectorySearcher(deBase))
+                {
+                    ds.PageSize = 300;
+                    ds.Filter = "(objectClass=pKICertificateTemplate)";
+                    ds.PropertiesToLoad.Add("cn");
+
+                    foreach (SearchResult r in ds.FindAll())
+                    {
+                        checkedTemplates++;
+                        string templateCn = GetProp(r, "cn") ?? "<unknown>";
+
+                        // Fetch security descriptor (DACL)
+                        DirectoryEntry de = null;
+                        try
+                        {
+                            de = r.GetDirectoryEntry();
+                            de.Options.SecurityMasks = SecurityMasks.Dacl;
+                            de.RefreshCache(new[] { "ntSecurityDescriptor" });
+                        }
+                        catch (Exception)
+                        {
+                            de?.Dispose();
+                            continue;
+                        }
+
+                        try
+                        {
+                            var sd = de.ObjectSecurity; // ActiveDirectorySecurity
+                            var rules = sd.GetAccessRules(true, true, typeof(SecurityIdentifier));
+                            bool hit = false;
+                            var hitRights = new HashSet<string>();
+
+                            foreach (ActiveDirectoryAccessRule rule in rules)
+                            {
+                                if (rule.AccessControlType != AccessControlType.Allow) continue;
+                                var sid = (rule.IdentityReference as SecurityIdentifier)?.Value;
+                                if (string.IsNullOrEmpty(sid)) continue;
+                                if (!currentSidSet.Contains(sid)) continue;
+
+                                var rights = rule.ActiveDirectoryRights;
+                                bool dangerous =
+                                    rights.HasFlag(ActiveDirectoryRights.GenericAll) ||
+                                    rights.HasFlag(ActiveDirectoryRights.WriteDacl) ||
+                                    rights.HasFlag(ActiveDirectoryRights.WriteOwner) ||
+                                    rights.HasFlag(ActiveDirectoryRights.WriteProperty) ||
+                                    rights.HasFlag(ActiveDirectoryRights.ExtendedRight);
+
+                                if (dangerous)
+                                {
+                                    hit = true;
+                                    if (rights.HasFlag(ActiveDirectoryRights.GenericAll)) hitRights.Add("GenericAll");
+                                    if (rights.HasFlag(ActiveDirectoryRights.WriteDacl)) hitRights.Add("WriteDacl");
+                                    if (rights.HasFlag(ActiveDirectoryRights.WriteOwner)) hitRights.Add("WriteOwner");
+                                    if (rights.HasFlag(ActiveDirectoryRights.WriteProperty)) hitRights.Add("WriteProperty");
+                                    if (rights.HasFlag(ActiveDirectoryRights.ExtendedRight)) hitRights.Add("ExtendedRight");
+                                }
+                            }
+
+                            if (hit)
+                            {
+                                vulnerable++;
+                                Beaprint.BadPrint($"  Dangerous rights over template: {templateCn}  (Rights: {string.Join(",", hitRights)})");
+                            }
+                        }
+                        catch (Exception)
+                        {
+                            // ignore templates we couldn't read
+                        }
+                        finally
+                        {
+                            de?.Dispose();
+                        }
+                    }
+                }
+
+                if (vulnerable == 0)
+                {
+                    Beaprint.GrayPrint($"  [-] No templates with dangerous rights found (checked {checkedTemplates}).");
+                }
+                else
+                {
+                    Beaprint.GrayPrint("  [*] Tip: Abuse with tools like Certipy (template write -> ESC1 -> enroll).");
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+    }
+}

winPEAS/winPEASexe/winPEAS/Checks/Checks.cs

@@ -90,6 +90,7 @@ namespace winPEAS.Checks
                 new SystemCheck("servicesinfo", new ServicesInfo()),
                 new SystemCheck("applicationsinfo", new ApplicationsInfo()),
                 new SystemCheck("networkinfo", new NetworkInfo()),
+                new SystemCheck("activedirectoryinfo", new ActiveDirectoryInfo()),
                 new SystemCheck("cloudinfo", new CloudInfo()),
                 new SystemCheck("windowscreds", new WindowsCreds()),
                 new SystemCheck("browserinfo", new BrowserInfo()),

winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs

@@ -84,6 +84,7 @@ namespace winPEAS.Checks
                 PrintLSAInfo,
                 PrintNtlmSettings,
                 PrintLocalGroupPolicy,
+                PrintPotentialGPOAbuse,
                 AppLockerHelper.PrintAppLockerPolicy,
                 PrintPrintersWMIInfo,
                 PrintNamedPipes,
@@ -1131,6 +1132,94 @@ namespace winPEAS.Checks
             }
         }
 
+        private static void PrintPotentialGPOAbuse()
+        {
+            try
+            {
+                Beaprint.MainPrint("Potential GPO abuse vectors (applied domain GPOs writable by current user)");
+
+                if (!Checks.IsPartOfDomain)
+                {
+                    Beaprint.NoColorPrint("    Host is not joined to a domain or domain info is unavailable.");
+                    return;
+                }
+
+                // Build a friendly group list for the current user to quickly spot interesting memberships
+                var currentGroups = winPEAS.Info.UserInfo.User.GetUserGroups(Checks.CurrentUserName, Checks.CurrentUserDomainName) ?? new System.Collections.Generic.List<string>();
+                var hasGPCO = currentGroups.Any(g => string.Equals(g, "Group Policy Creator Owners", System.StringComparison.InvariantCultureIgnoreCase));
+
+                if (hasGPCO)
+                {
+                    Beaprint.BadPrint("    [!] Current user is member of 'Group Policy Creator Owners' — can create/own new GPOs. If you can link a GPO to an OU that applies here, you can execute code as SYSTEM via scheduled task/startup script.");
+                }
+
+                var infos = GroupPolicy.GetLocalGroupPolicyInfos();
+
+                bool anyFinding = false;
+                foreach (var info in infos)
+                {
+                    var fileSysPath = info.FileSysPath?.ToString();
+                    if (string.IsNullOrEmpty(fileSysPath))
+                    {
+                        continue;
+                    }
+
+                    // Only look at domain GPOs stored in SYSVOL
+                    var isSysvolPath = fileSysPath.StartsWith(@"\", System.StringComparison.InvariantCultureIgnoreCase) &&
+                                       fileSysPath.IndexOf(@"\SysVol\", System.StringComparison.InvariantCultureIgnoreCase) >= 0 &&
+                                       fileSysPath.IndexOf(@"\Policies\", System.StringComparison.InvariantCultureIgnoreCase) >= 0;
+
+                    if (!isSysvolPath)
+                    {
+                        continue;
+                    }
+
+                    // Check write/equivalent permissions on common abuse locations inside the GPO
+                    var pathsToCheck = new System.Collections.Generic.List<string>
+                    {
+                        fileSysPath,
+                        System.IO.Path.Combine(fileSysPath, @"Machine\Scripts\Startup"),
+                        System.IO.Path.Combine(fileSysPath, @"User\Scripts\Logon"),
+                        System.IO.Path.Combine(fileSysPath, @"Machine\Preferences\ScheduledTasks")
+                    };
+
+                    foreach (var p in pathsToCheck)
+                    {
+                        var perms = PermissionsHelper.GetPermissionsFolder(p, Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
+                        if (perms != null && perms.Count > 0)
+                        {
+                            if (!anyFinding)
+                            {
+                                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/gpo-abuse.html", "Why it matters");
+                            }
+                            anyFinding = true;
+                            Beaprint.BadPrint($"    [!] Writable applied GPO detected");
+                            Beaprint.NoColorPrint($"        GPO Display Name : {info.DisplayName}");
+                            Beaprint.NoColorPrint($"        GPO Name         : {info.GPOName}");
+                            Beaprint.NoColorPrint($"        GPO Link         : {info.Link}");
+                            Beaprint.NoColorPrint($"        Path             : {p}");
+                            foreach (var entry in perms)
+                            {
+                                Beaprint.NoColorPrint($"          -> {entry}");
+                            }
+                            Beaprint.GrayPrint("        Hint: Abuse by adding an immediate Scheduled Task or Startup script to execute as SYSTEM on gpupdate.");
+                        }
+                    }
+                }
+
+                if (!anyFinding && !hasGPCO)
+                {
+                    Beaprint.NoColorPrint("    No obvious GPO abuse via writable SYSVOL paths or GPCO membership detected.");
+                }
+            }
+            catch (Exception ex)
+            {
+                // Avoid noisy stack traces in normal runs
+                Beaprint.GrayPrint($"    [!] Error while checking potential GPO abuse: {ex.Message}");
+            }
+        }
+
+
         private static void PrintPowerShellSessionSettings()
         {
             try

winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs

@@ -129,6 +129,7 @@ namespace winPEAS.Helpers
             Console.WriteLine(LCYAN + "        servicesinfo" + GRAY + "         Search services information" + NOCOLOR);
             Console.WriteLine(LCYAN + "        applicationsinfo" + GRAY + "     Search installed applications information" + NOCOLOR);
             Console.WriteLine(LCYAN + "        networkinfo" + GRAY + "          Search network information" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        activedirectoryinfo" + GRAY + "   Quick AD checks (gMSA readable passwords, AD CS template rights)" + NOCOLOR);
             Console.WriteLine(LCYAN + "        cloudinfo" + GRAY + "            Enumerate cloud information" + NOCOLOR);
             Console.WriteLine(LCYAN + "        windowscreds" + GRAY + "         Search windows credentials" + NOCOLOR);
             Console.WriteLine(LCYAN + "        browserinfo" + GRAY + "          Search browser information" + NOCOLOR);