f

Bump System.Text.RegularExpressions from 4.3.0 to 4.3.1 in /winPEAS/winPEASexe/Tests

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Rcommands_trust.sh

@@ -0,0 +1,139 @@
+# Title: Processes & Cron & Services & Timers - Legacy r-commands and host-based trust
+# ID: PR_Rcommands_trust
+# Author: HT Bot
+# Last Update: 27-08-2025
+# Description: Detect legacy r-services (rsh/rlogin/rexec) exposure and dangerous host-based trust (.rhosts/hosts.equiv),
+#              which can allow passwordless root via hostname/DNS manipulation.
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_3title, echo_not_found
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables: $rfile, $perms, $owner, $g, $o, $any_rhosts, $shown, $f, $p
+# Fat linpeas: 0
+# Small linpeas: 1
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "Legacy r-commands (rsh/rlogin/rexec) and host-based trust"
+
+  echo ""
+  print_3title "Listening r-services (TCP 512-514)"
+  if command -v ss >/dev/null 2>&1; then
+    ss -ltnp 2>/dev/null | awk '$1 ~ /^LISTEN$/ && $4 ~ /:(512|513|514)$/ {print}' || echo_not_found "ss"
+  elif command -v netstat >/dev/null 2>&1; then
+    netstat -ltnp 2>/dev/null | awk '$6 ~ /LISTEN/ && $4 ~ /:(512|513|514)$/ {print}' || echo_not_found "netstat"
+  else
+    echo_not_found "ss|netstat"
+  fi
+
+  echo ""
+  print_3title "systemd units exposing r-services"
+  if command -v systemctl >/dev/null 2>&1; then
+    systemctl list-unit-files 2>/dev/null | grep -E '^(rlogin|rsh|rexec)\.(socket|service)\b' || echo_not_found "rlogin|rsh|rexec units"
+    systemctl list-sockets 2>/dev/null | grep -E '\b(rlogin|rsh|rexec)\.socket\b' || true
+  else
+    echo_not_found "systemctl"
+  fi
+
+  echo ""
+  print_3title "inetd/xinetd configuration for r-services"
+  if [ -f /etc/inetd.conf ]; then
+    grep -vE '^\s*#|^\s*$' /etc/inetd.conf 2>/dev/null | grep -Ei '\b(shell|login|exec|rsh|rlogin|rexec)\b' 2>/dev/null || echo "  No r-services found in /etc/inetd.conf"
+  else
+    echo_not_found "/etc/inetd.conf"
+  fi
+  if [ -d /etc/xinetd.d ]; then
+    # Print enabled r-services in xinetd
+    for f in /etc/xinetd.d/*; do
+      [ -f "$f" ] || continue
+      if grep -qiE '\b(service|disable)\b' "$f" 2>/dev/null; then
+        if grep -qiE 'service\s+(rsh|rlogin|rexec|shell|login|exec)\b' "$f" 2>/dev/null; then
+          # Only warn if not disabled
+          if ! grep -qiE '^\s*disable\s*=\s*yes\b' "$f" 2>/dev/null; then
+            echo "  $(basename "$f") may enable r-services:"; grep -iE '^(\s*service|\s*disable)' "$f" 2>/dev/null | sed 's/^/    /'
+          fi
+        fi
+      fi
+    done
+  else
+    echo_not_found "/etc/xinetd.d"
+  fi
+
+  echo ""
+  print_3title "Installed r-service server packages"
+  if command -v dpkg >/dev/null 2>&1; then
+    dpkg -l 2>/dev/null | grep -E '\b(rsh-server|rsh-redone-server|krb5-rsh-server|inetutils-inetd|openbsd-inetd|xinetd|netkit-rsh)\b' || echo "  No related packages found via dpkg"
+  elif command -v rpm >/dev/null 2>&1; then
+    rpm -qa 2>/dev/null | grep -Ei '\b(rsh|rlogin|rexec|xinetd)\b' || echo "  No related packages found via rpm"
+  else
+    echo_not_found "dpkg|rpm"
+  fi
+
+  echo ""
+  print_3title "/etc/hosts.equiv and /etc/shosts.equiv"
+  for f in /etc/hosts.equiv /etc/shosts.equiv; do
+    if [ -f "$f" ]; then
+      perms=$(stat -c %a "$f" 2>/dev/null)
+      owner=$(stat -c %U "$f" 2>/dev/null)
+      echo "  $f (perm $perms, owner $owner)"
+      # Print non-comment lines
+      awk 'NF && $0 !~ /^\s*#/ {print "    " $0}' "$f" 2>/dev/null
+      if grep -qEv '^\s*#|^\s*$' "$f" 2>/dev/null; then
+        if grep -qE '(^|\s)\+' "$f" 2>/dev/null; then
+          echo "    [!] Wildcard '+' trust found"
+        fi
+      fi
+    fi
+  done
+
+  echo ""
+  print_3title "Per-user .rhosts files"
+  any_rhosts=false
+  for rfile in /root/.rhosts /home/*/.rhosts; do
+    if [ -f "$rfile" ]; then
+      any_rhosts=true
+      perms=$(stat -c %a "$rfile" 2>/dev/null)
+      owner=$(stat -c %U "$rfile" 2>/dev/null)
+      echo "  $rfile (perm $perms, owner $owner)"
+      awk 'NF && $0 !~ /^\s*#/ {print "    " $0}' "$rfile" 2>/dev/null
+      # Warn on insecure perms (group/other write)
+      g=$(printf "%s" "$perms" | cut -c2)
+      o=$(printf "%s" "$perms" | cut -c3)
+      if [ "${g:-0}" -ge 2 ] || [ "${o:-0}" -ge 2 ]; then
+        echo "    [!] Insecure permissions (group/other write)"
+      fi
+    fi
+  done
+  if ! $any_rhosts; then echo_not_found ".rhosts"; fi
+
+  echo ""
+  print_3title "PAM rhosts authentication"
+  shown=false
+  for p in /etc/pam.d/rlogin /etc/pam.d/rsh; do
+    if [ -f "$p" ]; then
+      shown=true
+      echo "  $p:"
+      (grep -nEi 'pam_rhosts|pam_rhosts_auth' "$p" 2>/dev/null || echo "    no pam_rhosts* lines") | sed 's/^/    /'
+    fi
+  done
+  if ! $shown; then echo_not_found "/etc/pam.d/rlogin|rsh"; fi
+
+  echo ""
+  print_3title "SSH HostbasedAuthentication"
+  if [ -f /etc/ssh/sshd_config ]; then
+    if grep -qiE '^[^#]*HostbasedAuthentication\s+yes' /etc/ssh/sshd_config 2>/dev/null; then
+      echo "  HostbasedAuthentication yes (check /etc/shosts.equiv or ~/.shosts)"
+    else
+      echo "  HostbasedAuthentication no or not set"
+    fi
+  else
+    echo_not_found "/etc/ssh/sshd_config"
+  fi
+
+  echo ""
+  print_3title "Potential DNS control indicators (local)"
+  (ps -eo comm,args 2>/dev/null | grep -Ei '(^|/)(pdns|pdns_server|pdns_recursor|powerdns-admin)( |$)' | grep -Ev 'grep|bash' || echo "  Not detected")
+
+  echo ""
+fi
+

winPEAS/winPEASexe/README.md

@@ -74,10 +74,23 @@ winpeas.exe -lolbas  #Execute also additional LOLBAS search check
 
 The goal of this project is to search for possible **Privilege Escalation Paths** in Windows environments.
 
+New in this version:
+- Detect potential GPO abuse by flagging writable SYSVOL paths for GPOs applied to the current host and by highlighting membership in the "Group Policy Creator Owners" group.
+
+
 It should take only a **few seconds** to execute almost all the checks and **some seconds/minutes during the lasts checks searching for known filenames** that could contain passwords (the time depened on the number of files in your home folder). By default only **some** filenames that could contain credentials are searched, you can use the **searchall** parameter to search all the list (this could will add some minutes).
 
 The tool is based on **[SeatBelt](https://github.com/GhostPack/Seatbelt)**.
 
+### New (AD-aware) checks
+
+- Active Directory quick checks now include:
+  - gMSA readable managed passwords: enumerate msDS-GroupManagedServiceAccount objects and report those where the current user/group is allowed to retrieve the managed password (PrincipalsAllowedToRetrieveManagedPassword).
+  - AD CS (ESC4) hygiene: enumerate published certificate templates and highlight templates where the current user/group has dangerous control rights (GenericAll/WriteDacl/WriteOwner/WriteProperty/ExtendedRight) that could allow template abuse (e.g., ESC4 -> ESC1).
+
+These checks are lightweight, read-only, and only run when the host is domain-joined.
+
+
 ## Where are my COLORS?!?!?!
 
 The **ouput will be colored** using **ansi** colors. If you are executing `winpeas.exe` **from a Windows console**, you need to set a registry value to see the colors (and open a new CMD):

winPEAS/winPEASexe/Tests/App.config

@@ -39,7 +39,7 @@
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="System.Text.RegularExpressions" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-4.1.1.0" newVersion="4.1.1.0" />
+        <bindingRedirect oldVersion="0.0.0.0-4.1.0.0" newVersion="4.1.0.0" />
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="System.Linq" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />

winPEAS/winPEASexe/Tests/packages.config

@@ -39,7 +39,7 @@
   <package id="System.Runtime.Numerics" version="4.3.0" targetFramework="net452" />
   <package id="System.Text.Encoding" version="4.3.0" targetFramework="net452" />
   <package id="System.Text.Encoding.Extensions" version="4.3.0" targetFramework="net452" />
-  <package id="System.Text.RegularExpressions" version="4.3.0" targetFramework="net452" requireReinstallation="true" />
+  <package id="System.Text.RegularExpressions" version="4.3.1" targetFramework="net48" />
   <package id="System.Threading" version="4.3.0" targetFramework="net452" />
   <package id="System.Threading.Tasks" version="4.3.0" targetFramework="net452" />
   <package id="System.Threading.Timer" version="4.3.0" targetFramework="net452" />

winPEAS/winPEASexe/Tests/winPEAS.Tests.csproj

@@ -83,6 +83,10 @@
     <Reference Include="System.Runtime.InteropServices.RuntimeInformation, Version=4.0.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
       <HintPath>..\packages\System.Runtime.InteropServices.RuntimeInformation.4.3.0\lib\net45\System.Runtime.InteropServices.RuntimeInformation.dll</HintPath>
     </Reference>
+    <Reference Include="System.Text.RegularExpressions, Version=4.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a">
+      <HintPath>..\packages\System.Text.RegularExpressions.4.3.1\lib\net463\System.Text.RegularExpressions.dll</HintPath>
+      <Private>True</Private>
+    </Reference>
     <Reference Include="System.Xml.Linq" />
     <Reference Include="System.Data.DataSetExtensions" />
     <Reference Include="Microsoft.CSharp" />

winPEAS/winPEASexe/winPEAS/App.config

@@ -32,7 +32,7 @@
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="Microsoft.Bcl.AsyncInterfaces" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-8.0.0.0" newVersion="8.0.0.0" />
+        <bindingRedirect oldVersion="0.0.0.0-9.0.0.1" newVersion="9.0.0.1" />
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="Microsoft.Win32.Primitives" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
@@ -156,7 +156,7 @@
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="System.Text.Encodings.Web" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-8.0.0.0" newVersion="8.0.0.0" />
+        <bindingRedirect oldVersion="0.0.0.0-9.0.0.1" newVersion="9.0.0.1" />
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="System.Text.RegularExpressions" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />

winPEAS/winPEASexe/winPEAS/Checks/ActiveDirectoryInfo.cs

@@ -0,0 +1,275 @@
+using System;
+using System.Collections.Generic;
+using System.DirectoryServices;
+using System.Security.AccessControl;
+using System.Security.Principal;
+using winPEAS.Helpers;
+
+namespace winPEAS.Checks
+{
+    // Lightweight AD-oriented checks for common escalation paths (gMSA readable password, AD CS template control)
+    internal class ActiveDirectoryInfo : ISystemCheck
+    {
+        public void PrintInfo(bool isDebug)
+        {
+            Beaprint.GreatPrint("Active Directory Quick Checks");
+
+            new List<Action>
+            {
+                PrintGmsaReadableByCurrentPrincipal,
+                PrintAdcsEsc4LikeTemplates
+            }.ForEach(action => CheckRunner.Run(action, isDebug));
+        }
+
+        private static HashSet<string> GetCurrentSidSet()
+        {
+            var sids = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+            try
+            {
+                var id = WindowsIdentity.GetCurrent();
+                sids.Add(id.User.Value);
+                foreach (var g in id.Groups)
+                {
+                    sids.Add(g.Value);
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.GrayPrint("    [!] Error obtaining current SIDs: " + ex.Message);
+            }
+            return sids;
+        }
+
+        private static string GetRootDseProp(string prop)
+        {
+            try
+            {
+                using (var root = new DirectoryEntry("LDAP://RootDSE"))
+                {
+                    return root.Properties[prop]?.Value as string;
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.GrayPrint($"    [!] Error accessing RootDSE ({prop}): {ex.Message}");
+                return null;
+            }
+        }
+
+        private static string GetProp(SearchResult r, string name)
+        {
+            return (r.Properties.Contains(name) && r.Properties[name].Count > 0)
+                ? r.Properties[name][0]?.ToString()
+                : null;
+        }
+
+        // Detect gMSA objects where the current principal (or one of its groups) can retrieve the managed password
+        private void PrintGmsaReadableByCurrentPrincipal()
+        {
+            try
+            {
+                Beaprint.MainPrint("gMSA readable managed passwords");
+                Beaprint.LinkPrint(
+                    "https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/gmsa.html",
+                    "Look for Group Managed Service Accounts you can read (msDS-ManagedPassword)");
+
+                if (!Checks.IsPartOfDomain)
+                {
+                    Beaprint.GrayPrint("  [-] Host is not domain-joined. Skipping.");
+                    return;
+                }
+
+                var defaultNC = GetRootDseProp("defaultNamingContext");
+                if (string.IsNullOrEmpty(defaultNC))
+                {
+                    Beaprint.GrayPrint("  [-] Could not resolve defaultNamingContext.");
+                    return;
+                }
+
+                var currentSidSet = GetCurrentSidSet();
+                int total = 0, readable = 0;
+
+                using (var baseDe = new DirectoryEntry("LDAP://" + defaultNC))
+                using (var ds = new DirectorySearcher(baseDe))
+                {
+                    ds.PageSize = 300;
+                    ds.Filter = "(&(objectClass=msDS-GroupManagedServiceAccount))";
+                    ds.PropertiesToLoad.Add("sAMAccountName");
+                    ds.PropertiesToLoad.Add("distinguishedName");
+                    // Who can read the managed password
+                    ds.PropertiesToLoad.Add("PrincipalsAllowedToRetrieveManagedPassword");
+
+                    foreach (SearchResult r in ds.FindAll())
+                    {
+                        total++;
+                        var name = GetProp(r, "sAMAccountName") ?? GetProp(r, "distinguishedName") ?? "<unknown>";
+                        var dn = GetProp(r, "distinguishedName") ?? "";
+
+                        bool canRead = false;
+                        // Attribute may be absent or empty
+                        var allowedDns = r.Properties["principalsallowedtoretrievemanagedpassword"];
+                        if (allowedDns != null)
+                        {
+                            foreach (var val in allowedDns)
+                            {
+                                try
+                                {
+                                    using (var de = new DirectoryEntry("LDAP://" + val.ToString()))
+                                    {
+                                        var sidObj = de.Properties["objectSid"]?.Value as byte[];
+                                        if (sidObj == null) continue;
+                                        var sid = new SecurityIdentifier(sidObj, 0).Value;
+                                        if (currentSidSet.Contains(sid))
+                                        {
+                                            canRead = true;
+                                        }
+                                    }
+                                }
+                                catch { /* ignore DN resolution issues */ }
+                            }
+                        }
+
+                        if (canRead)
+                        {
+                            readable++;
+                            Beaprint.BadPrint($"  You can retrieve managed password for gMSA: {name}  (DN: {dn})");
+                        }
+                    }
+                }
+
+                if (readable == 0)
+                {
+                    Beaprint.GrayPrint($"  [-] No gMSA with readable managed password found (checked {total}).");
+                }
+                else
+                {
+                    Beaprint.GrayPrint($"  [*] Hint: If such gMSA is member of Builtin\\Remote Management Users on a target, WinRM may be allowed.");
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+
+        // Detect AD CS certificate templates where current principal has dangerous control rights (ESC4-style)
+        private void PrintAdcsEsc4LikeTemplates()
+        {
+            try
+            {
+                Beaprint.MainPrint("AD CS templates with dangerous ACEs (ESC4)");
+                Beaprint.LinkPrint(
+                    "https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/ad-certificates.html#esc4",
+                    "If you can modify a template (WriteDacl/WriteOwner/GenericAll), you can abuse ESC4");
+
+                if (!Checks.IsPartOfDomain)
+                {
+                    Beaprint.GrayPrint("  [-] Host is not domain-joined. Skipping.");
+                    return;
+                }
+
+                var configNC = GetRootDseProp("configurationNamingContext");
+                if (string.IsNullOrEmpty(configNC))
+                {
+                    Beaprint.GrayPrint("  [-] Could not resolve configurationNamingContext.");
+                    return;
+                }
+
+                var currentSidSet = GetCurrentSidSet();
+                int checkedTemplates = 0;
+                int vulnerable = 0;
+
+                var templatesDn = $"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,{configNC}";
+
+                using (var deBase = new DirectoryEntry(templatesDn))
+                using (var ds = new DirectorySearcher(deBase))
+                {
+                    ds.PageSize = 300;
+                    ds.Filter = "(objectClass=pKICertificateTemplate)";
+                    ds.PropertiesToLoad.Add("cn");
+
+                    foreach (SearchResult r in ds.FindAll())
+                    {
+                        checkedTemplates++;
+                        string templateCn = GetProp(r, "cn") ?? "<unknown>";
+
+                        // Fetch security descriptor (DACL)
+                        DirectoryEntry de = null;
+                        try
+                        {
+                            de = r.GetDirectoryEntry();
+                            de.Options.SecurityMasks = SecurityMasks.Dacl;
+                            de.RefreshCache(new[] { "ntSecurityDescriptor" });
+                        }
+                        catch (Exception)
+                        {
+                            de?.Dispose();
+                            continue;
+                        }
+
+                        try
+                        {
+                            var sd = de.ObjectSecurity; // ActiveDirectorySecurity
+                            var rules = sd.GetAccessRules(true, true, typeof(SecurityIdentifier));
+                            bool hit = false;
+                            var hitRights = new HashSet<string>();
+
+                            foreach (ActiveDirectoryAccessRule rule in rules)
+                            {
+                                if (rule.AccessControlType != AccessControlType.Allow) continue;
+                                var sid = (rule.IdentityReference as SecurityIdentifier)?.Value;
+                                if (string.IsNullOrEmpty(sid)) continue;
+                                if (!currentSidSet.Contains(sid)) continue;
+
+                                var rights = rule.ActiveDirectoryRights;
+                                bool dangerous =
+                                    rights.HasFlag(ActiveDirectoryRights.GenericAll) ||
+                                    rights.HasFlag(ActiveDirectoryRights.WriteDacl) ||
+                                    rights.HasFlag(ActiveDirectoryRights.WriteOwner) ||
+                                    rights.HasFlag(ActiveDirectoryRights.WriteProperty) ||
+                                    rights.HasFlag(ActiveDirectoryRights.ExtendedRight);
+
+                                if (dangerous)
+                                {
+                                    hit = true;
+                                    if (rights.HasFlag(ActiveDirectoryRights.GenericAll)) hitRights.Add("GenericAll");
+                                    if (rights.HasFlag(ActiveDirectoryRights.WriteDacl)) hitRights.Add("WriteDacl");
+                                    if (rights.HasFlag(ActiveDirectoryRights.WriteOwner)) hitRights.Add("WriteOwner");
+                                    if (rights.HasFlag(ActiveDirectoryRights.WriteProperty)) hitRights.Add("WriteProperty");
+                                    if (rights.HasFlag(ActiveDirectoryRights.ExtendedRight)) hitRights.Add("ExtendedRight");
+                                }
+                            }
+
+                            if (hit)
+                            {
+                                vulnerable++;
+                                Beaprint.BadPrint($"  Dangerous rights over template: {templateCn}  (Rights: {string.Join(",", hitRights)})");
+                            }
+                        }
+                        catch (Exception)
+                        {
+                            // ignore templates we couldn't read
+                        }
+                        finally
+                        {
+                            de?.Dispose();
+                        }
+                    }
+                }
+
+                if (vulnerable == 0)
+                {
+                    Beaprint.GrayPrint($"  [-] No templates with dangerous rights found (checked {checkedTemplates}).");
+                }
+                else
+                {
+                    Beaprint.GrayPrint("  [*] Tip: Abuse with tools like Certipy (template write -> ESC1 -> enroll).");
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+    }
+}

winPEAS/winPEASexe/winPEAS/Checks/Checks.cs

@@ -90,6 +90,7 @@ namespace winPEAS.Checks
                 new SystemCheck("servicesinfo", new ServicesInfo()),
                 new SystemCheck("applicationsinfo", new ApplicationsInfo()),
                 new SystemCheck("networkinfo", new NetworkInfo()),
+                new SystemCheck("activedirectoryinfo", new ActiveDirectoryInfo()),
                 new SystemCheck("cloudinfo", new CloudInfo()),
                 new SystemCheck("windowscreds", new WindowsCreds()),
                 new SystemCheck("browserinfo", new BrowserInfo()),

winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs

@@ -84,6 +84,7 @@ namespace winPEAS.Checks
                 PrintLSAInfo,
                 PrintNtlmSettings,
                 PrintLocalGroupPolicy,
+                PrintPotentialGPOAbuse,
                 AppLockerHelper.PrintAppLockerPolicy,
                 PrintPrintersWMIInfo,
                 PrintNamedPipes,
@@ -1131,6 +1132,94 @@ namespace winPEAS.Checks
             }
         }
 
+        private static void PrintPotentialGPOAbuse()
+        {
+            try
+            {
+                Beaprint.MainPrint("Potential GPO abuse vectors (applied domain GPOs writable by current user)");
+
+                if (!Checks.IsPartOfDomain)
+                {
+                    Beaprint.NoColorPrint("    Host is not joined to a domain or domain info is unavailable.");
+                    return;
+                }
+
+                // Build a friendly group list for the current user to quickly spot interesting memberships
+                var currentGroups = winPEAS.Info.UserInfo.User.GetUserGroups(Checks.CurrentUserName, Checks.CurrentUserDomainName) ?? new System.Collections.Generic.List<string>();
+                var hasGPCO = currentGroups.Any(g => string.Equals(g, "Group Policy Creator Owners", System.StringComparison.InvariantCultureIgnoreCase));
+
+                if (hasGPCO)
+                {
+                    Beaprint.BadPrint("    [!] Current user is member of 'Group Policy Creator Owners' — can create/own new GPOs. If you can link a GPO to an OU that applies here, you can execute code as SYSTEM via scheduled task/startup script.");
+                }
+
+                var infos = GroupPolicy.GetLocalGroupPolicyInfos();
+
+                bool anyFinding = false;
+                foreach (var info in infos)
+                {
+                    var fileSysPath = info.FileSysPath?.ToString();
+                    if (string.IsNullOrEmpty(fileSysPath))
+                    {
+                        continue;
+                    }
+
+                    // Only look at domain GPOs stored in SYSVOL
+                    var isSysvolPath = fileSysPath.StartsWith(@"\", System.StringComparison.InvariantCultureIgnoreCase) &&
+                                       fileSysPath.IndexOf(@"\SysVol\", System.StringComparison.InvariantCultureIgnoreCase) >= 0 &&
+                                       fileSysPath.IndexOf(@"\Policies\", System.StringComparison.InvariantCultureIgnoreCase) >= 0;
+
+                    if (!isSysvolPath)
+                    {
+                        continue;
+                    }
+
+                    // Check write/equivalent permissions on common abuse locations inside the GPO
+                    var pathsToCheck = new System.Collections.Generic.List<string>
+                    {
+                        fileSysPath,
+                        System.IO.Path.Combine(fileSysPath, @"Machine\Scripts\Startup"),
+                        System.IO.Path.Combine(fileSysPath, @"User\Scripts\Logon"),
+                        System.IO.Path.Combine(fileSysPath, @"Machine\Preferences\ScheduledTasks")
+                    };
+
+                    foreach (var p in pathsToCheck)
+                    {
+                        var perms = PermissionsHelper.GetPermissionsFolder(p, Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
+                        if (perms != null && perms.Count > 0)
+                        {
+                            if (!anyFinding)
+                            {
+                                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/gpo-abuse.html", "Why it matters");
+                            }
+                            anyFinding = true;
+                            Beaprint.BadPrint($"    [!] Writable applied GPO detected");
+                            Beaprint.NoColorPrint($"        GPO Display Name : {info.DisplayName}");
+                            Beaprint.NoColorPrint($"        GPO Name         : {info.GPOName}");
+                            Beaprint.NoColorPrint($"        GPO Link         : {info.Link}");
+                            Beaprint.NoColorPrint($"        Path             : {p}");
+                            foreach (var entry in perms)
+                            {
+                                Beaprint.NoColorPrint($"          -> {entry}");
+                            }
+                            Beaprint.GrayPrint("        Hint: Abuse by adding an immediate Scheduled Task or Startup script to execute as SYSTEM on gpupdate.");
+                        }
+                    }
+                }
+
+                if (!anyFinding && !hasGPCO)
+                {
+                    Beaprint.NoColorPrint("    No obvious GPO abuse via writable SYSVOL paths or GPCO membership detected.");
+                }
+            }
+            catch (Exception ex)
+            {
+                // Avoid noisy stack traces in normal runs
+                Beaprint.GrayPrint($"    [!] Error while checking potential GPO abuse: {ex.Message}");
+            }
+        }
+
+
         private static void PrintPowerShellSessionSettings()
         {
             try

winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs

@@ -129,6 +129,7 @@ namespace winPEAS.Helpers
             Console.WriteLine(LCYAN + "        servicesinfo" + GRAY + "         Search services information" + NOCOLOR);
             Console.WriteLine(LCYAN + "        applicationsinfo" + GRAY + "     Search installed applications information" + NOCOLOR);
             Console.WriteLine(LCYAN + "        networkinfo" + GRAY + "          Search network information" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        activedirectoryinfo" + GRAY + "   Quick AD checks (gMSA readable passwords, AD CS template rights)" + NOCOLOR);
             Console.WriteLine(LCYAN + "        cloudinfo" + GRAY + "            Enumerate cloud information" + NOCOLOR);
             Console.WriteLine(LCYAN + "        windowscreds" + GRAY + "         Search windows credentials" + NOCOLOR);
             Console.WriteLine(LCYAN + "        browserinfo" + GRAY + "          Search browser information" + NOCOLOR);