Add winpeas privilege escalation checks from: HTB Sendai: From password spray to gMSA dump, then ADCS ESC4 or SQL+Silver Ticke

HackTricks News Bot
2025-08-28 18:51:59 +00:00
parent bbb932d6d3
commit 54d861ab04
2 changed files with 10 additions and 0 deletions


@@ -78,6 +78,15 @@ It should take only a **few seconds** to execute almost all the checks and **som
The tool is based on **[SeatBelt](https://github.com/GhostPack/Seatbelt)**. The tool is based on **[SeatBelt](https://github.com/GhostPack/Seatbelt)**.
### New (AD-aware) checks
- Active Directory quick checks now include:
- gMSA readable managed passwords: enumerate msDS-GroupManagedServiceAccount objects and report those where the current user/group is allowed to retrieve the managed password (PrincipalsAllowedToRetrieveManagedPassword).
- AD CS (ESC4) hygiene: enumerate published certificate templates and highlight templates where the current user/group has dangerous control rights (GenericAll/WriteDacl/WriteOwner/WriteProperty/ExtendedRight) that could allow template abuse (e.g., ESC4 -> ESC1).
These checks are lightweight, read-only, and only run when the host is domain-joined.
## Where are my COLORS?!?!?! ## Where are my COLORS?!?!?!
The **ouput will be colored** using **ansi** colors. If you are executing `winpeas.exe` **from a Windows console**, you need to set a registry value to see the colors (and open a new CMD): The **ouput will be colored** using **ansi** colors. If you are executing `winpeas.exe` **from a Windows console**, you need to set a registry value to see the colors (and open a new CMD):
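Review bot: In the AD CS bullet, `ExtendedRight` is listed alongside `GenericAll/WriteDacl/WriteOwner/WriteProperty` as a dangerous control right, but ESC4 is about write-level control over the template object, and certificate enrollment is itself granted as an extended right. As documented, the check would highlight every template the current user is merely allowed to enroll in. Either drop `ExtendedRight` from the list or state which extended rights are meant. Two smaller documentation points: the heading "New (AD-aware) checks" will go stale, so something like "Active Directory checks" would age better, and the section never names the check (`activedirectoryinfo`, as registered in the second file), so a reader cannot tell how to select or skip it.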


@@ -90,6 +90,7 @@ namespace winPEAS.Checks
new SystemCheck("servicesinfo", new ServicesInfo()), new SystemCheck("servicesinfo", new ServicesInfo()),
new SystemCheck("applicationsinfo", new ApplicationsInfo()), new SystemCheck("applicationsinfo", new ApplicationsInfo()),
new SystemCheck("networkinfo", new NetworkInfo()), new SystemCheck("networkinfo", new NetworkInfo()),
new SystemCheck("activedirectoryinfo", new ActiveDirectoryInfo()),
new SystemCheck("cloudinfo", new CloudInfo()), new SystemCheck("cloudinfo", new CloudInfo()),
new SystemCheck("windowscreds", new WindowsCreds()), new SystemCheck("windowscreds", new WindowsCreds()),
new SystemCheck("browserinfo", new BrowserInfo()), new SystemCheck("browserinfo", new BrowserInfo()),
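Review bot: The added line `new SystemCheck("activedirectoryinfo", new ActiveDirectoryInfo()),` references a class that this commit does not add. The commit touches two files with 10 additions, and the two hunks account for all of them (9 lines in the README, 1 line here), so unless `ActiveDirectoryInfo` already exists in the `winPEAS.Checks` tree the build fails at this line. Please include the class in the same commit or point to the commit that introduced it. The registration is also unconditional, while the README text says the checks only run when the host is domain-joined. Confirm that this guard lives inside `ActiveDirectoryInfo` and that the check exits cleanly, without LDAP timeouts, on a non-domain host.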