Merge pull request #543 from peass-ng/update_PEASS-linpeas-CVE-2025-38352___In-the-wild_Android_20251222_130932

[LINPEAS] Add privilege escalation check: CVE-2025-38352 – In-the-wild Android Ker...
Merge pull request #541 from peass-ng/update_PEASS-linpeas-From_Chrome_Renderer_Code_Execution__20251217_020557
2026-01-18 03:59:01 +00:00 · 2026-01-17 15:38:51 +01:00 · 2026-01-17 15:36:28 +01:00 · 2026-01-17 15:35:26 +01:00 · 2026-01-17 15:35:19 +01:00 · 2026-01-17 15:35:02 +01:00
50 changed files with 5886 additions and 1691 deletions
--- a/.github/workflows/CI-master_tests.yml
+++ b/.github/workflows/CI-master_tests.yml
@@ -212,15 +212,14 @@ jobs:

    steps:
      # Download repo
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v5
        with:
          ref: ${{ github.head_ref }}
      
      # Setup go
-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@v6
        with:
-          go-version: 1.17.0-rc1
-          stable: false
+          go-version: '1.23'
      - run: go version
      
      # Build linpeas
--- a/.github/workflows/PR-tests.yml
+++ b/.github/workflows/PR-tests.yml
@@ -0,0 +1,200 @@
+name: PR-tests
+
+on:
+  pull_request:
+    branches:
+      - master
+      - main
+    paths-ignore:
+      - '.github/**'
+
+jobs:
+  Build_and_test_winpeas_pr:
+    runs-on: windows-latest
+    
+    # environment variables
+    env:
+      Solution_Path: 'winPEAS\winPEASexe\winPEAS.sln'
+      Configuration: 'Release'
+
+    steps:
+      # checkout
+      - name: Checkout
+        uses: actions/checkout@master
+        with:
+          ref: ${{ github.head_ref }}
+      
+      - name: Download regexes
+        run: |
+          powershell.exe -ExecutionPolicy Bypass -File build_lists/download_regexes.ps1
+            
+      # Add MSBuild to the PATH
+      - name: Setup MSBuild.exe
+        uses: microsoft/setup-msbuild@v1.0.2
+       
+      # Setup NuGet
+      - name: Setup NuGet.exe
+        uses: nuget/setup-nuget@v1  
+        
+      # Restore the packages for testing
+      - name: Restore the application       
+        run: nuget restore $env:Solution_Path
+        
+      # build
+      - name: run MSBuild
+        run: msbuild $env:Solution_Path
+        
+      # Build all versions
+      - name: Build all versions
+        run: |
+            echo "build x64"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x64"
+            
+            echo "build x86"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x86"
+            
+            echo "build Any CPU"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="Any CPU"
+      
+      - name: Execute winPEAS -h
+        shell: pwsh
+        run: |
+          $Configuration = "Release"
+          $exePath = "winPEAS/winPEASexe/winPEAS/bin/$Configuration/winPEAS.exe"
+          if (Test-Path $exePath) {
+            & $exePath -h
+          } else {
+            Write-Error "winPEAS.exe not found at $exePath"
+          }
+
+      - name: Execute winPEAS cloudinfo
+        shell: pwsh
+        run: |
+          $Configuration = "Release"
+          $exePath = "winPEAS/winPEASexe/winPEAS/bin/$Configuration/winPEAS.exe"
+          if (Test-Path $exePath) {
+            & $exePath cloudinfo
+          } else {
+            Write-Error "winPEAS.exe not found at $exePath"
+          }
+
+      - name: Execute winPEAS systeminfo
+        shell: pwsh
+        run: |
+          $Configuration = "Release"
+          $exePath = "winPEAS/winPEASexe/winPEAS/bin/$Configuration/winPEAS.exe"
+          if (Test-Path $exePath) {
+            & $exePath systeminfo
+          } else {
+            Write-Error "winPEAS.exe not found at $exePath"
+          }
+      
+      - name: Execute winPEAS networkinfo
+        shell: pwsh
+        run: |
+          $Configuration = "Release"
+          $exePath = "winPEAS/winPEASexe/winPEAS/bin/$Configuration/winPEAS.exe"
+          if (Test-Path $exePath) {
+            & $exePath networkinfo
+          } else {
+            Write-Error "winPEAS.exe not found at $exePath"
+          }
+
+  Build_and_test_linpeas_pr:
+    runs-on: ubuntu-latest
+
+    steps:
+      # Download repo
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ github.head_ref }}
+      
+      # Setup go
+      - uses: actions/setup-go@v6
+        with:
+          go-version: '1.23'
+      - run: go version
+      
+      # Build linpeas
+      - name: Build linpeas
+        run: |
+          python3 -m pip install PyYAML
+          cd linPEAS
+          python3 -m builder.linpeas_builder --all --output linpeas_fat.sh
+          python3 -m builder.linpeas_builder --all-no-fat --output linpeas.sh
+          python3 -m builder.linpeas_builder --small --output linpeas_small.sh
+      
+      # Run linpeas help as quick test
+      - name: Run linpeas help
+        run: linPEAS/linpeas_fat.sh -h && linPEAS/linpeas.sh -h && linPEAS/linpeas_small.sh -h
+      
+      # Run linpeas as a test
+      - name: Run linpeas system_information
+        run: linPEAS/linpeas_fat.sh -o system_information -a
+      
+      - name: Run linpeas container
+        run: linPEAS/linpeas_fat.sh -o container -a
+      
+      - name: Run linpeas cloud
+        run: linPEAS/linpeas_fat.sh -o cloud -a
+      
+      - name: Run linpeas procs_crons_timers_srvcs_sockets
+        run: linPEAS/linpeas_fat.sh -o procs_crons_timers_srvcs_sockets -a
+      
+      - name: Run linpeas network_information
+        run: linPEAS/linpeas_fat.sh -o network_information -t -a
+      
+      - name: Run linpeas users_information
+        run: linPEAS/linpeas_fat.sh -o users_information -a
+      
+      - name: Run linpeas software_information
+        run: linPEAS/linpeas_fat.sh -o software_information -a
+      
+      - name: Run linpeas interesting_perms_files
+        run: linPEAS/linpeas_fat.sh -o interesting_perms_files -a
+      
+      - name: Run linpeas interesting_files
+        run: linPEAS/linpeas_fat.sh -o interesting_files -a
+
+  Build_and_test_macpeas_pr:
+    runs-on: macos-latest
+
+    steps:
+      # Download repo
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ github.head_ref }}
+      
+      # Build linpeas (macpeas)
+      - name: Build macpeas
+        run: |
+          python3 -m pip install PyYAML --break-system-packages
+          python3 -m pip install requests --break-system-packages
+          cd linPEAS
+          python3 -m builder.linpeas_builder --all --output linpeas_fat.sh
+      
+      # Run linpeas help as quick test
+      - name: Run macpeas help
+        run: linPEAS/linpeas_fat.sh -h
+      
+      # Run macpeas parts to test it
+      - name: Run macpeas system_information
+        run: linPEAS/linpeas_fat.sh -o system_information -a
+      
+      - name: Run macpeas container
+        run: linPEAS/linpeas_fat.sh -o container -a
+      
+      - name: Run macpeas cloud
+        run: linPEAS/linpeas_fat.sh -o cloud -a
+      
+      - name: Run macpeas procs_crons_timers_srvcs_sockets
+        run: linPEAS/linpeas_fat.sh -o procs_crons_timers_srvcs_sockets -a
+      
+      - name: Run macpeas network_information
+        run: linPEAS/linpeas_fat.sh -o network_information -t -a
+      
+      - name: Run macpeas users_information
+        run: linPEAS/linpeas_fat.sh -o users_information -a
+      
+      - name: Run macpeas software_information
+        run: linPEAS/linpeas_fat.sh -o software_information -a
--- a/build_lists/sensitive_files.yaml
+++ b/build_lists/sensitive_files.yaml
@@ -895,6 +895,14 @@ search:
                type: f
                search_in: 
                  - common
+          
+          - name: "credentials.tfrc.json"
+            value: 
+                type: f
+                bad_regex: ".*"
+                search_in:
+                  - common
+                  

  - name: Racoon
    value:
@@ -1265,7 +1273,7 @@ search:
                type: f
                bad_regex: ".*"
                search_in:
-                  - common 
+                  - common
  
  - name: Cloud Credentials
    value:
@@ -2059,6 +2067,11 @@ search:
                type: f
                search_in: 
                  - common
+          - name: "private-keys-v1.d/*.key"
+            value: 
+                type: f
+                search_in: 
+                  - common

          - name: "*.gnupg"
            value: 
@@ -3533,7 +3546,7 @@ search:

          - name: "RDCMan.settings"
            value:
-                just_list_file: True
+                bad_regex: "credentialsProfiles|password|encryptedPassword"
                type: f
                search_in:
                  - common
@@ -3941,3 +3954,24 @@ search:
                type: f
                search_in: 
                  - common
+
+  - name: Crontab-UI
+    value:
+        config:
+          auto_check: True
+
+        files:
+          - name: "crontab.db"
+            value:
+                bad_regex: "-P[[:space:]]+\\S+|--password[[:space:]]+\\S+|[Pp]ass(word)?|[Tt]oken|[Ss]ecret"
+                only_bad_lines: True
+                type: f
+                search_in:
+                  - common
+
+          - name: "crontab-ui.service"
+            value:
+                just_list_file: True
+                type: f
+                search_in:
+                  - common
--- a/linPEAS/README.md
+++ b/linPEAS/README.md
@@ -6,6 +6,8 @@

 Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html)**.

+> **Dec 2025 update:** linpeas now inspects Linux kernels for CVE-2025-38352 (POSIX CPU timers race) by combining CONFIG_POSIX_CPU_TIMERS_TASK_WORK state with kernel build information, so you immediately know if publicly available PoCs might succeed.
+
 [![asciicast](https://asciinema.org/a/250532.png)](https://asciinema.org/a/309566)

 ## MacPEAS
@@ -98,10 +100,17 @@ The goal of this script is to search for possible **Privilege Escalation Paths**

 This script doesn't have any dependency.

+### Recent updates
+
+- **Dec 2025**: Added detection for sudo configurations that expose restic's `--password-command` helper, a common privilege escalation vector observed in real environments.
+
 It uses **/bin/sh** syntax, so can run in anything supporting `sh` (and the binaries and parameters used).

 By default, **linpeas won't write anything to disk and won't try to login as any other user using `su`**.

+LinPEAS keeps expanding vendor-specific coverage; as of 29-Nov-2025 it warns when IGEL OS appliances still ship the SUID `setup`/`date` helpers that allow NetworkManager/systemd configuration hijacking (Metasploit module `linux/local/igel_network_priv_esc`).
+
+
 By default linpeas takes around **4 mins** to complete, but It could take from **5 to 10 minutes** to execute all the checks using **-a** parameter *(Recommended option for CTFs)*:
 - From less than 1 min to 2 mins to make almost all the checks
 - Almost 1 min to search for possible passwords inside all the accesible files of the system
@@ -170,7 +179,7 @@ LinPEAS uses colors to indicate where does each section begin. But **it also use

 - The ![](https://placehold.it/15/b32400/000000?text=+) **Red** color is used for identifing suspicious configurations that could lead to privilege escalation.

- The ![](https://placehold.it/15/66ff33/000000?text=+) **Green** color is used for known good configurations (based on the name not on the conten!)
+- The ![](https://placehold.it/15/66ff33/000000?text=+) **Green** color is used for known good configurations (based on the name not on the content!)

 - The ![](https://placehold.it/15/0066ff/000000?text=+) **Blue** color is used for: Users without shell & Mounted devices

--- a/linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh
@@ -30,7 +30,7 @@
 # Functions Used: echo_not_found, print_2title, print_list, warn_exec
 # Global Variables:
 # Initial Functions:
-# Generated Global Variables: $ASLR, $hypervisorflag, $detectedvirt
+# Generated Global Variables: $ASLR, $hypervisorflag, $detectedvirt, $unpriv_userns_clone, $perf_event_paranoid, $mmap_min_addr, $ptrace_scope, $dmesg_restrict, $kptr_restrict, $unpriv_bpf_disabled
 # Fat linpeas: 0
 # Small linpeas: 0

@@ -80,10 +80,86 @@ print_list "Seccomp enabled? ............... "$NC
 print_list "User namespace? ................ "$NC
 if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then echo "enabled" | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi

+#-- SY) Unprivileged user namespaces
+print_list "unpriv_userns_clone? ........... "$NC
+unpriv_userns_clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null)
+if [ -z "$unpriv_userns_clone" ]; then
+    echo_not_found "/proc/sys/kernel/unprivileged_userns_clone"
+else
+    if [ "$unpriv_userns_clone" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_GREEN},"; else echo "$unpriv_userns_clone" | sed -${E} "s,.*,${SED_RED},g"; fi
+fi
+
+#-- SY) Unprivileged eBPF
+print_list "unpriv_bpf_disabled? ........... "$NC
+unpriv_bpf_disabled=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null)
+if [ -z "$unpriv_bpf_disabled" ]; then
+    echo_not_found "/proc/sys/kernel/unprivileged_bpf_disabled"
+else
+    if [ "$unpriv_bpf_disabled" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$unpriv_bpf_disabled" | sed -${E} "s,.*,${SED_GREEN},g"; fi
+fi
+
 #-- SY) cgroup2
 print_list "Cgroup2 enabled? ............... "$NC
 ([ "$(grep cgroup2 /proc/filesystems 2>/dev/null)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"

+#-- SY) Kernel hardening sysctls
+print_list "kptr_restrict? ................. "$NC
+kptr_restrict=$(cat /proc/sys/kernel/kptr_restrict 2>/dev/null)
+if [ -z "$kptr_restrict" ]; then
+    echo_not_found "/proc/sys/kernel/kptr_restrict"
+else
+    if [ "$kptr_restrict" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$kptr_restrict" | sed -${E} "s,.*,${SED_GREEN},g"; fi
+fi
+
+print_list "dmesg_restrict? ................ "$NC
+dmesg_restrict=$(cat /proc/sys/kernel/dmesg_restrict 2>/dev/null)
+if [ -z "$dmesg_restrict" ]; then
+    echo_not_found "/proc/sys/kernel/dmesg_restrict"
+else
+    if [ "$dmesg_restrict" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$dmesg_restrict" | sed -${E} "s,.*,${SED_GREEN},g"; fi
+fi
+
+print_list "ptrace_scope? .................. "$NC
+ptrace_scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)
+if [ -z "$ptrace_scope" ]; then
+    echo_not_found "/proc/sys/kernel/yama/ptrace_scope"
+else
+    if [ "$ptrace_scope" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$ptrace_scope" | sed -${E} "s,.*,${SED_GREEN},g"; fi
+fi
+
+print_list "perf_event_paranoid? ........... "$NC
+perf_event_paranoid=$(cat /proc/sys/kernel/perf_event_paranoid 2>/dev/null)
+if [ -z "$perf_event_paranoid" ]; then
+    echo_not_found "/proc/sys/kernel/perf_event_paranoid"
+else
+    if [ "$perf_event_paranoid" -le 1 ]; then echo "$perf_event_paranoid" | sed -${E} "s,.*,${SED_RED},g"; else echo "$perf_event_paranoid" | sed -${E} "s,.*,${SED_GREEN},g"; fi
+fi
+
+print_list "mmap_min_addr? ................. "$NC
+mmap_min_addr=$(cat /proc/sys/vm/mmap_min_addr 2>/dev/null)
+if [ -z "$mmap_min_addr" ]; then
+    echo_not_found "/proc/sys/vm/mmap_min_addr"
+else
+    if [ "$mmap_min_addr" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$mmap_min_addr" | sed -${E} "s,.*,${SED_GREEN},g"; fi
+fi
+
+print_list "lockdown mode? ................. "$NC
+if [ -f "/sys/kernel/security/lockdown" ]; then
+    cat /sys/kernel/security/lockdown 2>/dev/null | sed -${E} "s,none,${SED_RED},g; s,integrity|confidentiality,${SED_GREEN},g"
+else
+    echo_not_found "/sys/kernel/security/lockdown"
+fi
+
+#-- SY) Kernel hardening config flags
+print_list "Kernel hardening flags? ........ "$NC
+if [ -f "/boot/config-$(uname -r)" ]; then
+    grep -E 'CONFIG_RANDOMIZE_BASE|CONFIG_STACKPROTECTOR|CONFIG_SLAB_FREELIST_|CONFIG_KASAN' /boot/config-$(uname -r) 2>/dev/null
+elif [ -f "/proc/config.gz" ]; then
+    zcat /proc/config.gz 2>/dev/null | grep -E 'CONFIG_RANDOMIZE_BASE|CONFIG_STACKPROTECTOR|CONFIG_SLAB_FREELIST_|CONFIG_KASAN'
+else
+    echo_not_found "kernel config"
+fi
+
 #-- SY) Gatekeeper
 if [ "$MACPEAS" ]; then
    print_list "Gatekeeper enabled? .......... "$NC
@@ -136,4 +212,4 @@ else
    if [ "$hypervisorflag" ]; then printf $RED"Yes"$NC; else printf $GREEN"No"$NC; fi
 fi

-echo ""
+echo ""
--- a/linPEAS/builder/linpeas_parts/1_system_information/17_Kernel_Modules.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/17_Kernel_Modules.sh
@@ -58,5 +58,23 @@ else
    echo_not_found "/proc/sys/kernel/modules_disabled"
 fi

+# Check for module signature enforcement
+print_3title "Module signature enforcement? "
+if [ -f "/proc/sys/kernel/module_sig_enforce" ]; then
+    if [ "$(cat /proc/sys/kernel/module_sig_enforce)" = "1" ]; then
+        echo "Enforced" | sed -${E} "s,.*,${SED_GREEN},g"
+    else
+        echo "Not enforced" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+elif [ -f "/sys/module/module/parameters/sig_enforce" ]; then
+    if [ "$(cat /sys/module/module/parameters/sig_enforce)" = "Y" ]; then
+        echo "Enforced" | sed -${E} "s,.*,${SED_GREEN},g"
+    else
+        echo "Not enforced" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+else
+    echo_not_found "module_sig_enforce"
+fi

-echo "" 
+
+echo "" 
--- a/linPEAS/builder/linpeas_parts/1_system_information/18_CVE_2025_38236.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/18_CVE_2025_38236.sh
@@ -0,0 +1,126 @@
+# Title: System Information - CVE_2025_38236
+# ID: SY_CVE_2025_38236
+# Author: HT Bot
+# Last Update: 17-12-2025
+# Description: Detect Linux kernels exposed to CVE-2025-38236 (AF_UNIX MSG_OOB UAF) that allow local privilege escalation:
+#   - Vulnerable scope:
+#     * Linux kernels 6.9+ before commit 32ca245464e1479bfea8592b9db227fdc1641705
+#     * AF_UNIX stream sockets with MSG_OOB enabled (CONFIG_AF_UNIX_OOB or implicit support)
+#   - Exploitation summary:
+#     * send/recv MSG_OOB pattern leaves zero-length SKBs in the receive queue
+#     * manage_oob() skips cleanup, freeing the OOB SKB while u->oob_skb still points to it
+#     * Subsequent recv(MSG_OOB) dereferences the dangling pointer → kernel UAF → LPE
+#   - Mitigations:
+#     * Update to a kernel that includes commit 32ca245464e1479bfea8592b9db227fdc1641705 (or newer)
+#     * Disable CONFIG_AF_UNIX_OOB or block MSG_OOB in sandboxed processes
+#     * Backport vendor fixes or follow Chrome's MSG_OOB filtering approach
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $MACPEAS, $SED_RED_YELLOW, $SED_GREEN, $E
+# Initial Functions:
+# Generated Global Variables: $cve38236_kernel_release, $cve38236_kernel_version, $cve38236_oob_line, $cve38236_unix_line, $cve38236_oob_status, $CVE38236_CONFIG_SOURCE, $cve38236_conf_file, $cve38236_config_key, $cve38236_release, $cve38236_cfg, $cve38236_config_line
+# Fat linpeas: 0
+# Small linpeas: 1
+
+_cve38236_version_to_number() {
+    if [ -z "$1" ]; then
+        printf '0\n'
+        return
+    fi
+    echo "$1" | awk -F. '{
+        major=$1+0
+        if (NF>=2) minor=$2+0; else minor=0
+        if (NF>=3) patch=$3+0; else patch=0
+        printf "%d\n", (major*1000000)+(minor*1000)+patch
+    }'
+}
+
+_cve38236_version_ge() {
+    local v1 v2
+    v1=$(_cve38236_version_to_number "$1")
+    v2=$(_cve38236_version_to_number "$2")
+    [ "$v1" -ge "$v2" ]
+}
+
+_cve38236_cat_config_file() {
+    local cve38236_conf_file="$1"
+    if [ -z "$cve38236_conf_file" ] || ! [ -r "$cve38236_conf_file" ]; then
+        return 1
+    fi
+    if printf '%s' "$cve38236_conf_file" | grep -q '\\.gz$'; then
+        if command -v zcat >/dev/null 2>&1; then
+            zcat "$cve38236_conf_file" 2>/dev/null
+        elif command -v gzip >/dev/null 2>&1; then
+            gzip -dc "$cve38236_conf_file" 2>/dev/null
+        else
+            cat "$cve38236_conf_file" 2>/dev/null
+        fi
+    else
+        cat "$cve38236_conf_file" 2>/dev/null
+    fi
+}
+
+_cve38236_read_config_line() {
+    local cve38236_config_key="$1"
+    local cve38236_release cve38236_config_line cve38236_cfg
+    cve38236_release="$(uname -r 2>/dev/null)"
+    for cve38236_cfg in /proc/config.gz \
+        "/boot/config-${cve38236_release}" \
+        "/usr/lib/modules/${cve38236_release}/build/.config" \
+        "/lib/modules/${cve38236_release}/build/.config"; do
+        if [ -r "$cve38236_cfg" ]; then
+            cve38236_config_line=$(_cve38236_cat_config_file "$cve38236_cfg" | grep -E "^(${cve38236_config_key}=|# ${cve38236_config_key} is not set)" | head -n1)
+            if [ -n "$cve38236_config_line" ]; then
+                CVE38236_CONFIG_SOURCE="$cve38236_cfg"
+                printf '%s\n' "$cve38236_config_line"
+                return 0
+            fi
+        fi
+    done
+    return 1
+}
+
+
+if [ ! "$MACPEAS" ]; then
+    cve38236_kernel_release="$(uname -r 2>/dev/null)"
+    cve38236_kernel_version="$(printf '%s' "$cve38236_kernel_release" | sed 's/[^0-9.].*//')"
+
+    if [ -n "$cve38236_kernel_version" ] && _cve38236_version_ge "$cve38236_kernel_version" "6.9.0"; then
+        print_2title "CVE-2025-38236 - AF_UNIX MSG_OOB UAF"
+    
+        cve38236_oob_line=$(_cve38236_read_config_line "CONFIG_AF_UNIX_OOB")
+        cve38236_oob_status="unknown"
+    
+        if printf '%s' "$cve38236_oob_line" | grep -q '=y\|=m'; then
+            cve38236_oob_status="enabled"
+        elif printf '%s' "$cve38236_oob_line" | grep -q 'not set'; then
+            cve38236_oob_status="disabled"
+        fi
+    
+        if [ "$cve38236_oob_status" = "unknown" ]; then
+            cve38236_unix_line=$(_cve38236_read_config_line "CONFIG_UNIX")
+            if printf '%s' "$cve38236_unix_line" | grep -q 'not set'; then
+                cve38236_oob_status="disabled"
+            elif printf '%s' "$cve38236_unix_line" | grep -q '=y\|=m'; then
+                cve38236_oob_status="enabled"
+            fi
+        fi
+    
+        if [ "$cve38236_oob_status" = "disabled" ]; then
+            printf 'Kernel %s >= 6.9 but MSG_OOB support is disabled (%s).\n' "$cve38236_kernel_release" "${cve38236_oob_line:-CONFIG_AF_UNIX disabled}" | sed -${E} "s,.*,${SED_GREEN},"
+            print_info "CVE-2025-38236 requires AF_UNIX MSG_OOB; disabling CONFIG_AF_UNIX_OOB/CONFIG_UNIX mitigates it."
+        else
+            printf 'Kernel %s (parsed %s) may be vulnerable to CVE-2025-38236 - AF_UNIX MSG_OOB UAF.\n' "$cve38236_kernel_release" "$cve38236_kernel_version" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+            [ -n "$cve38236_oob_line" ] && print_info "Config hint: $cve38236_oob_line"
+            if [ "$cve38236_oob_status" = "unknown" ]; then
+                print_info "Could not read CONFIG_AF_UNIX_OOB directly; AF_UNIX appears enabled, so assume MSG_OOB reachable."
+            fi
+            print_info "Exploit chain: crafted MSG_OOB send/recv frees the OOB SKB while u->oob_skb still points to it, enabling kernel UAF → arbitrary read/write primitives (Project Zero 2025/08)."
+            print_info "Mitigations: update to a kernel containing commit 32ca245464e1479bfea8592b9db227fdc1641705, disable CONFIG_AF_UNIX_OOB, or filter MSG_OOB in sandbox policies."
+            print_info "Heuristic detection: based solely on uname -r and kernel config; vendor kernels with backported fixes should be verified manually."
+        fi
+        echo ""
+    fi
+
+fi
--- a/linPEAS/builder/linpeas_parts/1_system_information/18_CVE_2025_38352.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/18_CVE_2025_38352.sh
@@ -0,0 +1,183 @@
+# Title: System Information - CVE_2025_38352
+# ID: SY_CVE_2025_38352
+# Author: HT Bot
+# Last Update: 22-12-2025
+# Description: Detect Linux kernels that may still be vulnerable to CVE-2025-38352 (race-condition UAF in POSIX CPU timers)
+#   - Highlights kernels built without CONFIG_POSIX_CPU_TIMERS_TASK_WORK
+#   - Flags 6.12.x builds older than the fix commit f90fff1e152dedf52b932240ebbd670d83330eca (first shipped in 6.12.34)
+#   - Provides quick risk scoring so operators can decide whether to attempt the publicly available PoC
+#   - Core requirements for exploitation:
+#       * CONFIG_POSIX_CPU_TIMERS_TASK_WORK disabled (common on 32-bit Android / custom kernels)
+#       * Lack of the upstream exit_state guard in run_posix_cpu_timers()
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_list
+# Global Variables: $E, $SED_GREEN, $SED_RED, $SED_RED_YELLOW, $SED_YELLOW
+# Initial Functions:
+# Generated Global Variables: $cve38352_kernel_release, $cve38352_kernel_version_cmp, $cve38352_symbol, $cve38352_task_work_state, $cve38352_config_status, $cve38352_config_source, $cve38352_config_candidates, $cve38352_cfg, $cve38352_line, $cve38352_patch_state, $cve38352_patch_label, $cve38352_fix_tag, $cve38352_last_vuln_tag, $cve38352_risk_msg, $cve38352_risk_color, $cve38352_task_line, $cve38352_patch_line, $cve38352_risk_line
+# Fat linpeas: 0
+# Small linpeas: 1
+
+cve38352_version_lt(){
+    awk -v v1="$1" -v v2="$2" '
+    function cleannum(val) {
+        gsub(/[^0-9].*/, "", val)
+        if (val == "") {
+            val = 0
+        }
+        return val + 0
+    }
+    BEGIN {
+        n = split(v1, a, ".")
+        m = split(v2, b, ".")
+        max = (n > m ? n : m)
+        for (i = 1; i <= max; i++) {
+            av = (i <= n ? cleannum(a[i]) : 0)
+            bv = (i <= m ? cleannum(b[i]) : 0)
+            if (av < bv) {
+                exit 0
+            }
+            if (av > bv) {
+                exit 1
+            }
+        }
+        exit 1
+    }'
+}
+
+cve38352_sanitize_version(){
+    printf "%s" "$1" | tr '-' '.' | sed 's/[^0-9.].*$//' | sed 's/\.\./\./g' | sed 's/^\.//' | sed 's/\.$//'
+}
+
+print_2title "CVE-2025-38352 - POSIX CPU timers race"
+
+cve38352_kernel_release=$(uname -r 2>/dev/null)
+if [ -z "$cve38352_kernel_release" ]; then
+    echo_not_found "uname -r"
+    echo ""
+else
+
+    cve38352_kernel_version_cmp=$(cve38352_sanitize_version "$cve38352_kernel_release")
+    if [ -z "$cve38352_kernel_version_cmp" ]; then
+        cve38352_kernel_version_cmp="unknown"
+    fi
+
+    cve38352_symbol="CONFIG_POSIX_CPU_TIMERS_TASK_WORK"
+    cve38352_task_work_state="unknown"
+    cve38352_config_status="Unknown ($cve38352_symbol not found)"
+    cve38352_config_source=""
+
+    cve38352_config_candidates="/boot/config-$cve38352_kernel_release /proc/config.gz /lib/modules/$cve38352_kernel_release/build/.config /usr/lib/modules/$cve38352_kernel_release/build/.config /usr/src/linux/.config"
+    for cve38352_cfg in $cve38352_config_candidates; do
+        [ -r "$cve38352_cfg" ] || continue
+        if printf "%s" "$cve38352_cfg" | grep -q '\\.gz$'; then
+            cve38352_line=$(gzip -dc "$cve38352_cfg" 2>/dev/null | grep -E "^(# )?$cve38352_symbol" | head -n1)
+        else
+            cve38352_line=$(grep -E "^(# )?$cve38352_symbol" "$cve38352_cfg" 2>/dev/null | head -n1)
+        fi
+        [ -z "$cve38352_line" ] && continue
+        cve38352_config_source="$cve38352_cfg"
+        case "$cve38352_line" in
+            "$cve38352_symbol=y")
+                cve38352_task_work_state="enabled"
+                cve38352_config_status="Enabled (y)"
+                ;;
+            "$cve38352_symbol=m")
+                cve38352_task_work_state="enabled"
+                cve38352_config_status="Built as module (m)"
+                ;;
+            "$cve38352_symbol=n")
+                cve38352_task_work_state="disabled"
+                cve38352_config_status="Disabled (n)"
+                ;;
+            "# $cve38352_symbol is not set")
+                cve38352_task_work_state="disabled"
+                cve38352_config_status="Not set"
+                ;;
+            *)
+                cve38352_config_status="Found: $cve38352_line"
+                ;;
+        esac
+        break
+    done
+
+    cve38352_patch_state="unknown_branch"
+    cve38352_patch_label="Unable to determine kernel train"
+    cve38352_fix_tag="6.12.34"
+    cve38352_last_vuln_tag="6.12.33"
+    case "$cve38352_kernel_version_cmp" in
+        6.12|6.12.*)
+            if cve38352_version_lt "$cve38352_kernel_version_cmp" "$cve38352_fix_tag"; then
+                cve38352_patch_state="pre_fix"
+                cve38352_patch_label="6.12.x build < $cve38352_fix_tag (last known vulnerable LTS: $cve38352_last_vuln_tag)"
+            else
+                cve38352_patch_state="post_fix"
+                cve38352_patch_label="6.12.x build >= $cve38352_fix_tag (should include fix f90fff1e152d)"
+            fi
+            ;;
+        unknown)
+            cve38352_patch_label="Kernel version string could not be parsed"
+            ;;
+        *)
+            cve38352_patch_label="Kernel train $cve38352_kernel_version_cmp (verify commit f90fff1e152dedf52b932240ebbd670d83330eca manually)"
+            ;;
+    esac
+
+    cve38352_risk_msg="Unknown - missing configuration data"
+    cve38352_risk_color=""
+    if [ "$cve38352_task_work_state" = "enabled" ]; then
+        cve38352_risk_msg="Low - CONFIG_POSIX_CPU_TIMERS_TASK_WORK is enabled"
+        cve38352_risk_color="green"
+    elif [ "$cve38352_task_work_state" = "disabled" ]; then
+        if [ "$cve38352_patch_state" = "pre_fix" ]; then
+            cve38352_risk_msg="High - task_work disabled & kernel predates fix f90fff1e152d"
+            cve38352_risk_color="red"
+        else
+            cve38352_risk_msg="Review - task_work disabled, ensure fix f90fff1e152d is backported"
+            cve38352_risk_color="yellow"
+        fi
+    fi
+
+    print_list "Kernel release ............... $cve38352_kernel_release\n"
+    print_list "Comparable version ........... $cve38352_kernel_version_cmp\n"
+
+    cve38352_task_line="Task_work config ............. $cve38352_config_status"
+    if [ -n "$cve38352_config_source" ]; then
+        cve38352_task_line="$cve38352_task_line (from $cve38352_config_source)"
+    fi
+    cve38352_task_line="$cve38352_task_line\n"
+    if [ "$cve38352_task_work_state" = "disabled" ]; then
+        print_list "$cve38352_task_line" | sed -${E} "s,.*,${SED_RED},"
+    elif [ "$cve38352_task_work_state" = "enabled" ]; then
+        print_list "$cve38352_task_line" | sed -${E} "s,.*,${SED_GREEN},"
+    else
+        print_list "$cve38352_task_line"
+    fi
+
+    cve38352_patch_line="Patch status ................. $cve38352_patch_label\n"
+    if [ "$cve38352_patch_state" = "pre_fix" ]; then
+        print_list "$cve38352_patch_line" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+    elif [ "$cve38352_patch_state" = "post_fix" ]; then
+        print_list "$cve38352_patch_line" | sed -${E} "s,.*,${SED_GREEN},"
+    else
+        print_list "$cve38352_patch_line" | sed -${E} "s,.*,${SED_YELLOW},"
+    fi
+
+    cve38352_risk_line="CVE-2025-38352 risk .......... $cve38352_risk_msg\n"
+    case "$cve38352_risk_color" in
+        red)
+            print_list "$cve38352_risk_line" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+            ;;
+        green)
+            print_list "$cve38352_risk_line" | sed -${E} "s,.*,${SED_GREEN},"
+            ;;
+        yellow)
+            print_list "$cve38352_risk_line" | sed -${E} "s,.*,${SED_YELLOW},"
+            ;;
+        *)
+            print_list "$cve38352_risk_line"
+            ;;
+    esac
+
+    echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/2_container/7_RW_bind_mounts_nosuid.sh
+++ b/linPEAS/builder/linpeas_parts/2_container/7_RW_bind_mounts_nosuid.sh
@@ -0,0 +1,46 @@
+# Title: Container - Writable bind mounts without nosuid (SUID risk)
+# ID: CT_RW_bind_mounts_nosuid
+# Author: HT Bot
+# Last Update: 17-09-2025
+# Description: Detect writable bind-mounted paths inside containers that are not mounted with nosuid.
+#   If the container user is root and the mount is a host bind mount without nosuid, an attacker may
+#   be able to drop a SUID binary on the shared path and execute it from the host to escalate to root
+#   (classic container-to-host breakout via writable bind mount).
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: containerCheck, print_2title, print_list, print_info
+# Global Variables: $inContainer
+# Initial Functions: containerCheck
+# Generated Global Variables: $CT_RW_bind_mounts_matches
+# Fat linpeas: 0
+# Small linpeas: 1
+
+containerCheck
+
+if [ "$inContainer" ]; then
+  echo ""
+  print_2title "Container - Writable bind mounts w/o nosuid (SUID persistence risk)"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#writable-bind-mounts"
+
+  if [ -r /proc/self/mountinfo ]; then
+    CT_RW_bind_mounts_matches=$(grep -E "(^| )bind( |$)" /proc/self/mountinfo 2>/dev/null | grep -E "(^|,)rw(,|$)" | grep -v "nosuid" || true)
+  else
+    CT_RW_bind_mounts_matches=$(mount -l 2>/dev/null | grep -E "bind" | grep -E "(^|,)rw(,|$)" | grep -v "nosuid" || true)
+  fi
+
+  if [ -z "$CT_RW_bind_mounts_matches" ]; then
+    print_list "Writable bind mounts without nosuid ............ No"
+  else
+    print_list "Writable bind mounts without nosuid ............ Yes" | sed -${E} "s,Yes,${SED_RED},"
+    echo "$CT_RW_bind_mounts_matches" | sed -${E} "s,/proc/self/mountinfo,${SED_GREEN},"
+    echo ""
+    if [ "$(id -u 2>/dev/null)" = "0" ]; then
+      print_list "Note"; echo ": You are root inside a container and there are writable bind mounts without nosuid." | sed -${E} "s,.*,${SED_RED},"
+      echo "  If the path is shared with the host and executable there, you may plant a SUID binary (e.g., copy /bin/bash and chmod 6777)"
+      echo "  and execute it from the host to obtain root. Ensure proper authorization before testing."
+    else
+      print_list "Note"; echo ": Current user is not root; if you obtain container root, these mounts may enable host escalation via SUID planting." | sed -${E} "s,.*,${SED_RED},"
+    fi
+  fi
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Rcommands_trust.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Rcommands_trust.sh
@@ -0,0 +1,139 @@
+# Title: Processes & Cron & Services & Timers - Legacy r-commands and host-based trust
+# ID: PR_Rcommands_trust
+# Author: HT Bot
+# Last Update: 27-08-2025
+# Description: Detect legacy r-services (rsh/rlogin/rexec) exposure and dangerous host-based trust (.rhosts/hosts.equiv),
+#              which can allow passwordless root via hostname/DNS manipulation.
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_3title, echo_not_found
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables: $rfile, $perms, $owner, $g, $o, $any_rhosts, $shown, $f, $p
+# Fat linpeas: 0
+# Small linpeas: 1
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "Legacy r-commands (rsh/rlogin/rexec) and host-based trust"
+
+  echo ""
+  print_3title "Listening r-services (TCP 512-514)"
+  if command -v ss >/dev/null 2>&1; then
+    ss -ltnp 2>/dev/null | awk '$1 ~ /^LISTEN$/ && $4 ~ /:(512|513|514)$/ {print}' || echo_not_found "ss"
+  elif command -v netstat >/dev/null 2>&1; then
+    netstat -ltnp 2>/dev/null | awk '$6 ~ /LISTEN/ && $4 ~ /:(512|513|514)$/ {print}' || echo_not_found "netstat"
+  else
+    echo_not_found "ss|netstat"
+  fi
+
+  echo ""
+  print_3title "systemd units exposing r-services"
+  if command -v systemctl >/dev/null 2>&1; then
+    systemctl list-unit-files 2>/dev/null | grep -E '^(rlogin|rsh|rexec)\.(socket|service)\b' || echo_not_found "rlogin|rsh|rexec units"
+    systemctl list-sockets 2>/dev/null | grep -E '\b(rlogin|rsh|rexec)\.socket\b' || true
+  else
+    echo_not_found "systemctl"
+  fi
+
+  echo ""
+  print_3title "inetd/xinetd configuration for r-services"
+  if [ -f /etc/inetd.conf ]; then
+    grep -vE '^\s*#|^\s*$' /etc/inetd.conf 2>/dev/null | grep -Ei '\b(shell|login|exec|rsh|rlogin|rexec)\b' 2>/dev/null || echo "  No r-services found in /etc/inetd.conf"
+  else
+    echo_not_found "/etc/inetd.conf"
+  fi
+  if [ -d /etc/xinetd.d ]; then
+    # Print enabled r-services in xinetd
+    for f in /etc/xinetd.d/*; do
+      [ -f "$f" ] || continue
+      if grep -qiE '\b(service|disable)\b' "$f" 2>/dev/null; then
+        if grep -qiE 'service\s+(rsh|rlogin|rexec|shell|login|exec)\b' "$f" 2>/dev/null; then
+          # Only warn if not disabled
+          if ! grep -qiE '^\s*disable\s*=\s*yes\b' "$f" 2>/dev/null; then
+            echo "  $(basename "$f") may enable r-services:"; grep -iE '^(\s*service|\s*disable)' "$f" 2>/dev/null | sed 's/^/    /'
+          fi
+        fi
+      fi
+    done
+  else
+    echo_not_found "/etc/xinetd.d"
+  fi
+
+  echo ""
+  print_3title "Installed r-service server packages"
+  if command -v dpkg >/dev/null 2>&1; then
+    dpkg -l 2>/dev/null | grep -E '\b(rsh-server|rsh-redone-server|krb5-rsh-server|inetutils-inetd|openbsd-inetd|xinetd|netkit-rsh)\b' || echo "  No related packages found via dpkg"
+  elif command -v rpm >/dev/null 2>&1; then
+    rpm -qa 2>/dev/null | grep -Ei '\b(rsh|rlogin|rexec|xinetd)\b' || echo "  No related packages found via rpm"
+  else
+    echo_not_found "dpkg|rpm"
+  fi
+
+  echo ""
+  print_3title "/etc/hosts.equiv and /etc/shosts.equiv"
+  for f in /etc/hosts.equiv /etc/shosts.equiv; do
+    if [ -f "$f" ]; then
+      perms=$(stat -c %a "$f" 2>/dev/null)
+      owner=$(stat -c %U "$f" 2>/dev/null)
+      echo "  $f (perm $perms, owner $owner)"
+      # Print non-comment lines
+      awk 'NF && $0 !~ /^\s*#/ {print "    " $0}' "$f" 2>/dev/null
+      if grep -qEv '^\s*#|^\s*$' "$f" 2>/dev/null; then
+        if grep -qE '(^|\s)\+' "$f" 2>/dev/null; then
+          echo "    [!] Wildcard '+' trust found"
+        fi
+      fi
+    fi
+  done
+
+  echo ""
+  print_3title "Per-user .rhosts files"
+  any_rhosts=false
+  for rfile in /root/.rhosts /home/*/.rhosts; do
+    if [ -f "$rfile" ]; then
+      any_rhosts=true
+      perms=$(stat -c %a "$rfile" 2>/dev/null)
+      owner=$(stat -c %U "$rfile" 2>/dev/null)
+      echo "  $rfile (perm $perms, owner $owner)"
+      awk 'NF && $0 !~ /^\s*#/ {print "    " $0}' "$rfile" 2>/dev/null
+      # Warn on insecure perms (group/other write)
+      g=$(printf "%s" "$perms" | cut -c2)
+      o=$(printf "%s" "$perms" | cut -c3)
+      if [ "${g:-0}" -ge 2 ] || [ "${o:-0}" -ge 2 ]; then
+        echo "    [!] Insecure permissions (group/other write)"
+      fi
+    fi
+  done
+  if ! $any_rhosts; then echo_not_found ".rhosts"; fi
+
+  echo ""
+  print_3title "PAM rhosts authentication"
+  shown=false
+  for p in /etc/pam.d/rlogin /etc/pam.d/rsh; do
+    if [ -f "$p" ]; then
+      shown=true
+      echo "  $p:"
+      (grep -nEi 'pam_rhosts|pam_rhosts_auth' "$p" 2>/dev/null || echo "    no pam_rhosts* lines") | sed 's/^/    /'
+    fi
+  done
+  if ! $shown; then echo_not_found "/etc/pam.d/rlogin|rsh"; fi
+
+  echo ""
+  print_3title "SSH HostbasedAuthentication"
+  if [ -f /etc/ssh/sshd_config ]; then
+    if grep -qiE '^[^#]*HostbasedAuthentication\s+yes' /etc/ssh/sshd_config 2>/dev/null; then
+      echo "  HostbasedAuthentication yes (check /etc/shosts.equiv or ~/.shosts)"
+    else
+      echo "  HostbasedAuthentication no or not set"
+    fi
+  else
+    echo_not_found "/etc/ssh/sshd_config"
+  fi
+
+  echo ""
+  print_3title "Potential DNS control indicators (local)"
+  (ps -eo comm,args 2>/dev/null | grep -Ei '(^|/)(pdns|pdns_server|pdns_recursor|powerdns-admin)( |$)' | grep -Ev 'grep|bash' || echo "  Not detected")
+
+  echo ""
+fi
+
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/16_Crontab_UI_misconfig.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/16_Crontab_UI_misconfig.sh
@@ -0,0 +1,126 @@
+# Title: Processes & Cron & Services & Timers - Crontab UI (root) Misconfiguration
+# ID: PR_Crontab_UI_misconfig
+# Author: HT Bot
+# Last Update: 2025-09-13
+# Description: Detect Crontab UI service and risky configurations that can lead to privesc:
+#   - Root-run Crontab UI exposed on localhost
+#   - Basic-Auth credentials in systemd Environment= (BASIC_AUTH_USER/PWD)
+#   - Cron DB path (CRON_DB_PATH) and weak permissions / embedded secrets in jobs
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info, print_list, echo_not_found
+# Global Variables: $SEARCH_IN_FOLDER, $SED_RED, $SED_RED_YELLOW, $NC
+# Initial Functions:
+# Generated Global Variables: $svc, $state, $user, $envvals, $port, $dbpath, $dbfile, $candidates, $procs, $perms, $basic_user, $basic_pwd, $uprint, $pprint, $dir, $found
+# Fat linpeas: 0
+# Small linpeas: 1
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "Crontab UI (root) misconfiguration checks"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
+
+  # Collect candidate services referencing crontab-ui
+  candidates=""
+  if command -v systemctl >/dev/null 2>&1; then
+    candidates=$(systemctl list-units --type=service --all 2>/dev/null | awk '{print $1}' | grep -Ei '^crontab-ui\.service$' 2>/dev/null)
+  fi
+
+  # Fallback: grep service files for ExecStart containing crontab-ui
+  if [ -z "$candidates" ]; then
+    for dir in /etc/systemd/system /lib/systemd/system; do
+      [ -d "$dir" ] || continue
+      found=$(grep -RIl "^Exec(Start|StartPre|StartPost)=.*crontab-ui" "$dir" 2>/dev/null | xargs -r -I{} basename {} 2>/dev/null)
+      if [ -n "$found" ]; then
+        candidates=$(printf "%s\n%s" "$candidates" "$found" | sort -u)
+      fi
+    done
+  fi
+
+  # Also flag if the binary exists or a process seems to be running
+  if command -v crontab-ui >/dev/null 2>&1; then
+    print_list "crontab-ui binary found at: $(command -v crontab-ui)"$NC
+  else
+    echo_not_found "crontab-ui"
+  fi
+
+  procs=$(ps aux 2>/dev/null | grep -E "(crontab-ui|node .*crontab-ui)" | grep -v grep)
+  if [ -n "$procs" ]; then
+    print_list "Processes matching crontab-ui? ..................... "$NC
+    printf "%s\n" "$procs"
+    echo ""
+  fi
+
+  # If no candidates detected, exit quietly
+  if [ "$candidates" ]; then
+
+    # Iterate candidates and extract interesting data
+    printf "%s\n" "$candidates" | while read -r svc; do
+      [ -n "$svc" ] || continue
+      # Ensure suffix .service if missing
+      case "$svc" in
+        *.service) : ;;
+        *) svc="$svc.service" ;;
+      esac
+
+      state=""
+      user=""
+      if command -v systemctl >/dev/null 2>&1; then
+        state=$(systemctl is-active "$svc" 2>/dev/null)
+        user=$(systemctl show "$svc" -p User 2>/dev/null | cut -d= -f2)
+      fi
+
+      [ -z "$state" ] && state="unknown"
+      [ -z "$user" ] && user="unknown"
+
+      echo "Service: $svc (state: $state, User: $user)" | sed -${E} "s,root,${SED_RED},g"
+
+      # Read Environment from systemd (works even if file unreadable in many setups)
+      envvals=$(systemctl show "$svc" -p Environment 2>/dev/null | cut -d= -f2-)
+      if [ -n "$envvals" ]; then
+        basic_user=$(printf "%s\n" "$envvals" | tr ' ' '\n' | grep -E '^BASIC_AUTH_USER=' | head -n1 | cut -d= -f2-)
+        basic_pwd=$(printf "%s\n" "$envvals" | tr ' ' '\n' | grep -E '^BASIC_AUTH_PWD=' | head -n1 | cut -d= -f2-)
+        dbpath=$(printf "%s\n" "$envvals" | tr ' ' '\n' | grep -E '^CRON_DB_PATH=' | head -n1 | cut -d= -f2-)
+        port=$(printf "%s\n" "$envvals" | tr ' ' '\n' | grep -E '^PORT=' | head -n1 | cut -d= -f2-)
+
+        if [ -n "$basic_user" ] || [ -n "$basic_pwd" ]; then
+          uprint="$basic_user"
+          pprint="$basic_pwd"
+          [ -n "$basic_pwd" ] && pprint="$basic_pwd"
+          echo "  └─ Basic-Auth credentials in Environment: user='${uprint}' pwd='${pprint}'" | sed -${E} "s,pwd='[^']*',${SED_RED_YELLOW},g"
+        fi
+
+        if [ -n "$dbpath" ]; then
+          echo "  └─ CRON_DB_PATH: $dbpath"
+        fi
+
+        # Check listener bound to localhost
+        [ -z "$port" ] && port=8000
+        if command -v ss >/dev/null 2>&1; then
+          if ss -ltn 2>/dev/null | grep -qE "127\.0\.0\.1:${port}[[:space:]]"; then
+            echo "  └─ Listener detected on 127.0.0.1:${port} (likely Crontab UI)."
+          fi
+        else
+          if netstat -tnl 2>/dev/null | grep -qE "127\.0\.0\.1:${port}[[:space:]]"; then
+            echo "  └─ Listener detected on 127.0.0.1:${port} (likely Crontab UI)."
+          fi
+        fi
+
+        # If we know DB path, try to read crontab.db for obvious secrets and check perms
+        if [ -n "$dbpath" ] && [ -d "$dbpath" ] && [ -r "$dbpath" ]; then
+          dbfile="$dbpath/crontab.db"
+          if [ -f "$dbfile" ]; then
+            perms=$(ls -ld "$dbpath" 2>/dev/null | awk '{print $1, $3, $4}')
+            echo "  └─ DB dir perms: $perms"
+            if [ -w "$dbpath" ] || [ -w "$dbfile" ]; then
+              echo "     └─ Writable by current user -> potential job injection!" | sed -${E} "s,.*,${SED_RED},g"
+            fi
+            echo "  └─ Inspecting $dbfile for embedded secrets in commands (zip -P / --password / pass/token/secret)..."
+            grep -E "-P[[:space:]]+\S+|--password[[:space:]]+\S+|[Pp]ass(word)?|[Tt]oken|[Ss]ecret" "$dbfile" 2>/dev/null | head -n 20 | sed -${E} "s,(${SED_RED_YELLOW}),\1,g"
+          fi
+        fi
+      fi
+      echo ""
+    done
+  fi
+fi
+
--- a/linPEAS/builder/linpeas_parts/7_software_information/Mysql.sh
+++ b/linPEAS/builder/linpeas_parts/7_software_information/Mysql.sh
@@ -8,7 +8,7 @@
 # Functions Used: print_2title
 # Global Variables: $DEBUG, $knw_usrs, $nosh_usrs, $sh_usrs, $DEBUG, $USER, $STRINGS
 # Initial Functions:
-# Generated Global Variables: $mysqluser, $mysqlexec, $mysqlconnect, $mysqlconnectnopass
+# Generated Global Variables: $mysqluser, $mysqlexec, $mysqlconnect, $mysqlconnectnopass, $mysqluser, $version_output, $major_version, $version, $process_info
 # Fat linpeas: 0
 # Small linpeas: 1

@@ -102,4 +102,42 @@ if [ "$(command -v mysql || echo -n '')" ] || [ "$(command -v mysqladmin || echo
  else echo_no
  fi
  echo ""
+fi
+
+### This section checks if MySQL (mysqld) is running as root and if its version is 4.x or 5.x to refer a known local privilege escalation exploit! ###
+
+# Find the mysqld process
+process_info=$(ps aux | grep '[m]ysqld' | head -n1)
+
+if [ -z "$process_info" ]; then
+  echo "MySQL process not found." | sed -${E} "s,.*,${SED_GREEN},"
+else
+
+  # Extract the process user
+  mysqluser=$(echo "$process_info" | awk '{print $1}')
+
+  # Get the MySQL version string
+  version_output=$(mysqld --version 2>&1)
+
+  # Extract the version number (expects format like X.Y.Z)
+  version=$(echo "$version_output" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
+
+  if [ -z "$version" ]; then
+    echo "Unable to determine MySQL version." | sed -${E} "s,.*,${SED_GREEN},"
+  else
+
+    # Extract the major version number (X from X.Y.Z)
+    major_version=$(echo "$version" | cut -d. -f1)
+
+    # Check if MySQL is running as root and if the version is either 4.x or 5.x
+    if [ "$mysqluser" = "root" ] && { [ "$major_version" -eq 4 ] || [ "$major_version" -eq 5 ]; }; then
+      echo "MySQL is running as root with version $version. This is a potential local privilege escalation vulnerability!" | sed -${E} "s,.*,${SED_RED},"
+      echo "\tRefer to: https://www.exploit-db.com/exploits/1518" | sed -${E} "s,.*,${SED_YELLOW},"
+      echo "\tRefer to: https://medium.com/r3d-buck3t/privilege-escalation-with-mysql-user-defined-functions-996ef7d5ceaf" | sed -${E} "s,.*,${SED_YELLOW},"
+    else
+      echo "MySQL is running as user '$mysqluser' with version $version." | sed -${E} "s,.*,${SED_GREEN},"
+    fi
+    ### ------------------------------------------------------------------------------------------------------------------------------------------------ ###
+  
+  fi
 fi
--- a/linPEAS/builder/linpeas_parts/7_software_information/Postgresql_Event_Triggers.sh
+++ b/linPEAS/builder/linpeas_parts/7_software_information/Postgresql_Event_Triggers.sh
@@ -0,0 +1,72 @@
+# Title: Software Information - PostgreSQL Event Triggers
+# ID: SI_Postgresql_Event_Triggers
+# Author: HT Bot
+# Last Update: 19-11-2025
+# Description: Detect unsafe PostgreSQL event triggers and postgres_fdw custom scripts that grant temporary SUPERUSER
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $DEBUG, $E, $SED_GREEN, $SED_RED, $SED_YELLOW, $TIMEOUT
+# Initial Functions:
+# Generated Global Variables: $psql_bin, $psql_evt_output, $psql_evt_status, $psql_evt_err_line, $postgres_fdw_dirs, $postgres_fdw_hits, $old_ifs, $evtname, $enabled, $owner, $owner_is_super, $func, $func_owner, $func_owner_is_super, $IFS
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$DEBUG" ] || { [ "$TIMEOUT" ] && [ "$(command -v psql 2>/dev/null || echo -n '')" ]; }; then
+  print_2title "PostgreSQL event trigger ownership & postgres_fdw hooks"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#postgresql-event-triggers"
+
+  psql_bin="$(command -v psql 2>/dev/null || echo -n '')"
+  if [ "$TIMEOUT" ] && [ "$psql_bin" ]; then
+    psql_evt_output="$($TIMEOUT 5 "$psql_bin" -w -X -q -A -t -d postgres -c "WITH evt AS ( SELECT e.evtname, e.evtenabled, pg_get_userbyid(e.evtowner) AS trig_owner, tr.rolsuper AS trig_owner_super, n.nspname || '.' || p.proname AS function_name, pg_get_userbyid(p.proowner) AS func_owner, fr.rolsuper AS func_owner_super FROM pg_event_trigger e JOIN pg_proc p ON e.evtfoid = p.oid JOIN pg_namespace n ON p.pronamespace = n.oid LEFT JOIN pg_roles tr ON tr.oid = e.evtowner LEFT JOIN pg_roles fr ON fr.oid = p.proowner ) SELECT evtname || '|' || evtenabled || '|' || COALESCE(trig_owner,'?') || '|' || COALESCE(CASE WHEN trig_owner_super THEN 'yes' ELSE 'no' END,'unknown') || '|' || function_name || '|' || COALESCE(func_owner,'?') || '|' || COALESCE(CASE WHEN func_owner_super THEN 'yes' ELSE 'no' END,'unknown') FROM evt WHERE COALESCE(trig_owner_super,false) = false OR COALESCE(func_owner_super,false) = false;" 2>&1)"
+    psql_evt_status=$?
+    if [ $psql_evt_status -eq 0 ]; then
+      if [ "$psql_evt_output" ]; then
+        echo "Non-superuser-owned event triggers were found (trigger|enabled?|owner|owner_is_super|function|function_owner|fn_owner_is_super):" | sed -${E} "s,.*,${SED_RED},"
+        printf "%s\n" "$psql_evt_output" | while IFS='|' read evtname enabled owner owner_is_super func func_owner func_owner_is_super; do
+          case "$enabled" in
+            O) enabled="enabled" ;;
+            D) enabled="disabled" ;;
+            *) enabled="status_$enabled" ;;
+          esac
+          echo "  - $evtname ($enabled) uses $func owned by $func_owner (superuser:$func_owner_is_super); trigger owner: $owner (superuser:$owner_is_super)" | sed -${E} "s,superuser:no,${SED_RED},g"
+        done
+      else
+        echo "No event triggers owned by non-superusers were returned." | sed -${E} "s,.*,${SED_GREEN},"
+      fi
+    else
+      psql_evt_err_line=$(printf '%s\n' "$psql_evt_output" | head -n1)
+      echo "Could not query pg_event_trigger (psql exit $psql_evt_status): $psql_evt_err_line" | sed -${E} "s,.*,${SED_YELLOW},"
+    fi
+  else
+    if ! [ "$TIMEOUT" ]; then
+      echo_not_found "timeout"
+    fi
+    if ! [ "$psql_bin" ]; then
+      echo_not_found "psql"
+    fi
+  fi
+
+  postgres_fdw_dirs="/etc/postgresql /var/lib/postgresql /var/lib/postgres /usr/lib/postgresql /usr/local/lib/postgresql /opt/supabase /opt/postgres /srv/postgres"
+  postgres_fdw_hits=""
+  for d in $postgres_fdw_dirs; do
+    if [ -d "$d" ]; then
+      old_ifs="$IFS"
+      IFS="\n"
+      for f in $(find "$d" -maxdepth 5 -type f \( -name '*postgres_fdw*.sql' -o -name '*postgres_fdw*.psql' -o -name 'after-create.sql' \) 2>/dev/null); do
+        if [ -f "$f" ] && grep -qiE "alter[[:space:]]+role[[:space:]]+postgres[[:space:]]+superuser" "$f" 2>/dev/null; then
+          postgres_fdw_hits="$postgres_fdw_hits\n$f"
+        fi
+      done
+      IFS="$old_ifs"
+    fi
+  done
+
+  if [ "$postgres_fdw_hits" ]; then
+    echo "Detected postgres_fdw custom scripts granting postgres SUPERUSER (check for SupaPwn-style window):" | sed -${E} "s,.*,${SED_RED},"
+    printf "%s\n" "$postgres_fdw_hits" | sed "s,^,  - ,"
+  fi
+fi
+
+echo ""
--- a/linPEAS/builder/linpeas_parts/7_software_information/Ssh.sh
+++ b/linPEAS/builder/linpeas_parts/7_software_information/Ssh.sh
@@ -29,21 +29,21 @@ fi

 peass{SSH}

-grep "PermitRootLogin \|ChallengeResponseAuthentication \|PasswordAuthentication \|UsePAM \|Port\|PermitEmptyPasswords\|PubkeyAuthentication\|ListenAddress\|ForwardAgent\|AllowAgentForwarding\|AuthorizedKeysFiles" /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | sed -${E} "s,PermitRootLogin.*es|PermitEmptyPasswords.*es|ChallengeResponseAuthentication.*es|FordwardAgent.*es,${SED_RED},"
+grep "PermitRootLogin \|ChallengeResponseAuthentication \|PasswordAuthentication \|UsePAM \|Port\|PermitEmptyPasswords\|PubkeyAuthentication\|ListenAddress\|ForwardAgent\|AllowAgentForwarding\|AuthorizedKeysFile" /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | sed -${E} "s,PermitRootLogin.*es|PermitEmptyPasswords.*es|ChallengeResponseAuthentication.*es|FordwardAgent.*es,${SED_RED},"

 if ! [ "$SEARCH_IN_FOLDER" ]; then
  if [ "$TIMEOUT" ]; then
-    privatekeyfilesetc=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null)
-    privatekeyfileshome=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOMESEARCH 2>/dev/null)
-    privatekeyfilesroot=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /root 2>/dev/null)
-    privatekeyfilesmnt=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /mnt 2>/dev/null)
+    privatekeyfilesetc=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY\-\-\-\-\-' /etc 2>/dev/null)
+    privatekeyfileshome=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY\-\-\-\-\-' $HOMESEARCH 2>/dev/null)
+    privatekeyfilesroot=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY\-\-\-\-\-' /root 2>/dev/null)
+    privatekeyfilesmnt=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY\-\-\-\-\-' /mnt 2>/dev/null)
  else
-    privatekeyfilesetc=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null) #If there is tons of files linpeas gets frozen here without a timeout
-    privatekeyfileshome=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOME/.ssh 2>/dev/null)
+    privatekeyfilesetc=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY\-\-\-\-\-' /etc 2>/dev/null) #If there is tons of files linpeas gets frozen here without a timeout
+    privatekeyfileshome=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY\-\-\-\-\-' $HOME/.ssh 2>/dev/null)
  fi
 else
  # If $SEARCH_IN_FOLDER lets just search for private keys in the whole firmware
-  privatekeyfilesetc=$(timeout 120 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' "$ROOT_FOLDER" 2>/dev/null)
+  privatekeyfilesetc=$(timeout 120 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY\-\-\-\-\-' "$ROOT_FOLDER" 2>/dev/null)
 fi

 if [ "$privatekeyfilesetc" ] || [ "$privatekeyfileshome" ] || [ "$privatekeyfilesroot" ] || [ "$privatekeyfilesmnt" ] ; then
--- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/14_Writable_files_owner_all.sh
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/14_Writable_files_owner_all.sh
@@ -17,7 +17,7 @@ if ! [ "$IAMROOT" ]; then
  print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 200)"
  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files"
  #In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all
-  obmowbe=$(find $ROOT_FOLDER '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n 200)
+  obmowbe=$(find $ROOT_FOLDER '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "/dev/*" ! -path "/snap/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n 200)
  printf "%s\n" "$obmowbe" | while read l; do
    if echo "$l" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$l\n"$NC;
    elif echo "$l" | grep -qE "$writeVB"; then
--- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/16_IGEL_OS_SUID.sh
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/16_IGEL_OS_SUID.sh
@@ -0,0 +1,80 @@
+# Title: Interesting Permissions Files - IGEL OS SUID setup/date abuse
+# ID: IP_IGEL_OS_SUID
+# Author: HT Bot
+# Last Update: 29-11-2025
+# Description: Detect IGEL OS environments that expose the SUID-root `setup`/`date` binaries and highlight writable NetworkManager/systemd configs that enable the documented privilege escalation chain (Metasploit linux/local/igel_network_priv_esc).
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $ITALIC, $NC, $SED_GREEN, $SED_RED, $SED_RED_YELLOW, $SUPERFAST
+# Initial Functions:
+# Generated Global Variables: $igel_markers, $igel_marker_sources, $marker, $igel_suid_hits, $candidate, $writable_nm, $writable_systemd, $unitdir, $tmp_units
+# Fat linpeas: 0
+# Small linpeas: 1
+
+igel_markers=""
+igel_marker_sources=""
+if [ -f /etc/os-release ] && grep -qi "igel" /etc/os-release 2>/dev/null; then
+  igel_markers="Yes"
+  igel_marker_sources="/etc/os-release"
+fi
+if [ -f /etc/issue ] && grep -qi "igel" /etc/issue 2>/dev/null; then
+  igel_markers="Yes"
+  igel_marker_sources="${igel_marker_sources} /etc/issue"
+fi
+for marker in /etc/igel /wfs/igel /userhome/.igel /config/sessions/igel; do
+  if [ -e "$marker" ]; then
+    igel_markers="Yes"
+    igel_marker_sources="${igel_marker_sources} $marker"
+  fi
+done
+
+igel_suid_hits=""
+for candidate in /usr/bin/setup /bin/setup /usr/sbin/setup /opt/igel/bin/setup /usr/bin/date /bin/date /usr/lib/igel/date; do
+  if [ -u "$candidate" ]; then
+    igel_suid_hits="${igel_suid_hits}$(ls -lah "$candidate" 2>/dev/null)\n"
+  fi
+done
+
+if [ -n "$igel_markers" ] || [ -n "$igel_suid_hits" ]; then
+  print_2title "IGEL OS SUID setup/date privilege escalation surface"
+  print_info "https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-11-28-2025"
+  if [ -n "$igel_markers" ]; then
+    echo "Potential IGEL OS detected via: $igel_marker_sources" | sed -${E} "s,.*,${SED_GREEN},"
+  else
+    echo "IGEL-specific SUID helpers found but IGEL markers were not detected" | sed -${E} "s,.*,${SED_RED},"
+  fi
+  if [ -n "$igel_suid_hits" ]; then
+    echo "SUID-root helpers exposing configuration primitives:" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+    printf "%b" "$igel_suid_hits"
+  else
+    echo "No SUID setup/date binaries were located (system may be patched)."
+  fi
+
+  writable_nm=""
+  writable_systemd=""
+  if ! [ "$SUPERFAST" ]; then
+    if [ -d /etc/NetworkManager ]; then
+      writable_nm=$(find /etc/NetworkManager -maxdepth 3 -type f -writable 2>/dev/null | head -n 25)
+    fi
+    for unitdir in /etc/systemd/system /lib/systemd/system /usr/lib/systemd/system; do
+      if [ -d "$unitdir" ]; then
+        tmp_units=$(find "$unitdir" -maxdepth 2 -type f -writable 2>/dev/null | head -n 15)
+        if [ -n "$tmp_units" ]; then
+          writable_systemd="${writable_systemd}${tmp_units}\n"
+        fi
+      fi
+    done
+  fi
+
+  if [ -n "$writable_nm" ]; then
+    echo "Writable NetworkManager profiles/hooks (swap Exec path to your payload):" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+    echo "$writable_nm"
+  fi
+  if [ -n "$writable_systemd" ]; then
+    echo "Writable systemd unit files (edit ExecStart, then restart via setup/date):" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+    printf "%b" "$writable_systemd"
+  fi
+  printf "$ITALIC  Known exploitation chain: Use the SUID setup/date binaries to edit NetworkManager or systemd configs so ExecStart points to your payload, then trigger a service restart via the same helper to run as root (Metasploit linux/local/igel_network_priv_esc).$NC\n"
+fi
+echo ""
--- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/16_Writable_root_execs.sh
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/16_Writable_root_execs.sh
@@ -0,0 +1,36 @@
+# Title: Interesting Permissions Files - Writable root-owned executables
+# ID: IP_Writable_root_execs
+# Author: HT Bot
+# Last Update: 29-11-2025
+# Description: Locate root-owned executables outside home folders that the current user can modify
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info, echo_not_found
+# Global Variables: $DEBUG, $IAMROOT, $ROOT_FOLDER, $HOME, $writeVB
+# Initial Functions:
+# Generated Global Variables: $writable_root_execs
+# Fat linpeas: 0
+# Small linpeas: 1
+
+if ! [ "$IAMROOT" ]; then
+  print_2title "Writable root-owned executables I can modify (max 200)"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files"
+
+  writable_root_execs=$(
+    find "$ROOT_FOLDER" -type f -user root -perm -u=x \
+      \( -perm -g=w -o -perm -o=w \) \
+      ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/snap/*" ! -path "$HOME/*" 2>/dev/null \
+      | while IFS= read -r f; do
+          if [ -w "$f" ]; then
+            ls -l "$f" 2>/dev/null
+          fi
+        done | head -n 200
+  )
+
+  if [ "$writable_root_execs" ] || [ "$DEBUG" ]; then
+    printf "%s\n" "$writable_root_execs" | sed -${E} "s,$writeVB,${SED_RED_YELLOW},"
+  else
+    echo_not_found "Writable root-owned executables"
+  fi
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/functions/su_try_pwd.sh
+++ b/linPEAS/builder/linpeas_parts/functions/su_try_pwd.sh
@@ -1,7 +1,7 @@
 # Title: LinPeasBase - su_try_pwd
 # ID: su_try_pwd
 # Author: Carlos Polop
-# Last Update: 22-08-2023
+# Last Update: 15-12-2025
 # Description: Try to login as user using a password
 # License: GNU GPL
 # Version: 1.0
@@ -17,7 +17,7 @@ su_try_pwd(){
  BFUSER=$1
  PASSWORDTRY=$2
  trysu=$(echo "$PASSWORDTRY" | timeout 1 su $BFUSER -c whoami 2>/dev/null)
-  if [ "$trysu" ]; then
+    if [ $? -eq 0 ]; then
    echo "  You can login as $BFUSER using password: $PASSWORDTRY" | sed -${E} "s,.*,${SED_RED_YELLOW},"
  fi
-}
+}
--- a/linPEAS/builder/linpeas_parts/linpeas_base/0_variables_base.sh
+++ b/linPEAS/builder/linpeas_parts/linpeas_base/0_variables_base.sh
@@ -371,7 +371,7 @@ echo ""
 printf ${BLUE}"Linux Privesc Checklist: ${YELLOW}https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html\n"$NC
 echo " LEGEND:" | sed "s,LEGEND,${C}[1;4m&${C}[0m,"
 echo "  RED/YELLOW: 95% a PE vector" | sed "s,RED/YELLOW,${SED_RED_YELLOW},"
-echo "  RED: You should take a look to it" | sed "s,RED,${SED_RED},"
+echo "  RED: You should take a look into it" | sed "s,RED,${SED_RED},"
 echo "  LightCyan: Users with console" | sed "s,LightCyan,${SED_LIGHT_CYAN},"
 echo "  Blue: Users without console & mounted devs" | sed "s,Blue,${SED_BLUE},"
 echo "  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) " | sed "s,Green,${SED_GREEN},"
@@ -514,4 +514,4 @@ else
    HOMESEARCH="$HOME $HOMESEARCH"
  fi
 fi
-GREPHOMESEARCH=$(echo "$HOMESEARCH" | sed 's/ *$//g' | tr " " "|") #Remove ending spaces before putting "|"
+GREPHOMESEARCH=$(echo "$HOMESEARCH" | sed 's/ *$//g' | tr " " "|") #Remove ending spaces before putting "|"
--- a/linPEAS/builder/linpeas_parts/variables/sudoB.sh
+++ b/linPEAS/builder/linpeas_parts/variables/sudoB.sh
@@ -12,5 +12,4 @@
 # Fat linpeas: 0
 # Small linpeas: 1

-
-sudoB="$(whoami)|ALL:ALL|ALL : ALL|ALL|env_keep|NOPASSWD|SETENV|/apache2|/cryptsetup|/mount"
+sudoB="$(whoami)|ALL:ALL|ALL : ALL|ALL|env_keep|NOPASSWD|SETENV|/apache2|/cryptsetup|/mount|/restic|--password-command|--password-file|-o ProxyCommand|-o PreferredAuthentications"
--- a/linPEAS/builder/linpeas_parts/variables/sudoVB1.sh
+++ b/linPEAS/builder/linpeas_parts/variables/sudoVB1.sh
@@ -13,5 +13,5 @@
 # Small linpeas: 1


-sudoVB1=" \*|env_keep\W*\+=.*LD_PRELOAD|env_keep\W*\+=.*LD_LIBRARY_PATH|peass{SUDOVB1_HERE}"
-sudoVB2="peass{SUDOVB2_HERE}"
+sudoVB1=" \*|env_keep\W*\+=.*LD_PRELOAD|env_keep\W*\+=.*LD_LIBRARY_PATH|env_keep\W*\+=.*BASH_ENV|env_keep\W*\+=.* ENV|peass{SUDOVB1_HERE}"
+sudoVB2="peass{SUDOVB2_HERE}"
--- a/linPEAS/builder/linpeas_parts/variables/sudovB.sh
+++ b/linPEAS/builder/linpeas_parts/variables/sudovB.sh
@@ -1,7 +1,7 @@
 # Title: Variables - sudovB
 # ID: sudovB
 # Author: Carlos Polop
-# Last Update: 22-08-2023
+# Last Update: 04-10-2025
 # Description: Sudo version bad regex
 # License: GNU GPL
 # Version: 1.0
@@ -13,4 +13,4 @@
 # Small linpeas: 1


-sudovB="[01].[012345678].[0-9]+|1.9.[01234][^0-9]|1.9.[01234]$|1.9.5p1"
+sudovB="[01].[012345678].[0-9]+|1.9.[01234][^0-9]|1.9.[01234]$|1.9.5p1|1\.9\.[6-9]|1\.9\.1[0-7]"
--- a/linPEAS/builder/src/linpeasBaseBuilder.py
+++ b/linPEAS/builder/src/linpeasBaseBuilder.py
@@ -292,9 +292,12 @@ class LinpeasBaseBuilder:
        all_module_paths += self.enumerate_directory(LINPEAS_PARTS["variables"])
        
        for module in LINPEAS_PARTS["modules"]:
+            exclude = False
            for ex_module in exclude_modules:
                if ex_module in module["folder_path"] or ex_module in [module["name"], module["name_check"]]:
-                    continue
+                    exclude = True
+                    break
+            if exclude: continue
            all_module_paths += self.enumerate_directory(module["folder_path"])
        
        for module in all_module_paths:
--- a/linPEAS/builder/src/linpeasBuilder.py
+++ b/linPEAS/builder/src/linpeasBuilder.py
@@ -97,7 +97,7 @@ class LinpeasBuilder:
        for orig_url in urls:
            tar_gz_bin_name = ""
            if ",,," in orig_url:
-                tar_gz_bin_name = url.split(",,,")[1]
+                tar_gz_bin_name = orig_url.split(",,,")[1]
                url = orig_url.split(",,,")[0]
            else:
                url = orig_url
@@ -115,7 +115,7 @@ class LinpeasBuilder:
            suidVB, sudoVB, capsVB = self.__get_gtfobins_lists()
            assert len(suidVB) > 185, f"Len suidVB is {len(suidVB)}"
            assert len(sudoVB) > 250, f"Len sudo is {len(sudoVB)}"
-            assert len(capsVB) > 10, f"Len suidVB is {len(capsVB)}"
+            assert len(capsVB) > 2, f"Len capsVB is {len(capsVB)}"

            self.__replace_mark(SUIDVB1_MARKUP, suidVB[:int(len(suidVB)/2)], "|")
            self.__replace_mark(SUIDVB2_MARKUP, suidVB[int(len(suidVB)/2):], "|")
@@ -348,8 +348,25 @@ class LinpeasBuilder:
        return bin_b64
    
    def __get_gtfobins_lists(self) -> tuple:
-        r = requests.get("https://github.com/GTFOBins/GTFOBins.github.io/tree/master/_gtfobins")
-        bins = re.findall(r'_gtfobins/([a-zA-Z0-9_ \-]+).md', r.text)
+        bins = []
+        api_url = "https://api.github.com/repos/GTFOBins/GTFOBins.github.io/contents/_gtfobins?per_page=100"
+        while api_url:
+            r = requests.get(api_url, timeout=10)
+            if not r.ok:
+                break
+            data = r.json()
+            for entry in data:
+                if entry.get("type") == "file" and entry.get("name"):
+                    bins.append(entry["name"])
+            api_url = None
+            link = r.headers.get("Link", "")
+            for part in link.split(","):
+                if 'rel="next"' in part:
+                    api_url = part.split(";")[0].strip().strip("<>")
+                    break
+        if not bins:
+            r = requests.get("https://github.com/GTFOBins/GTFOBins.github.io/tree/master/_gtfobins", timeout=10)
+            bins = re.findall(r'_gtfobins/([a-zA-Z0-9_ \-]+)(?:\\.md)?', r.text)

        sudoVB = []
        suidVB = []
@@ -357,12 +374,12 @@ class LinpeasBuilder:

        for b in bins:
            try:
-                rb = requests.get(f"https://raw.githubusercontent.com/GTFOBins/GTFOBins.github.io/master/_gtfobins/{b}.md", timeout=5)
+                rb = requests.get(f"https://raw.githubusercontent.com/GTFOBins/GTFOBins.github.io/master/_gtfobins/{b}", timeout=5)
            except:
                try:
-                    rb = requests.get(f"https://raw.githubusercontent.com/GTFOBins/GTFOBins.github.io/master/_gtfobins/{b}.md", timeout=5)
+                    rb = requests.get(f"https://raw.githubusercontent.com/GTFOBins/GTFOBins.github.io/master/_gtfobins/{b}", timeout=5)
                except:
-                    rb = requests.get(f"https://raw.githubusercontent.com/GTFOBins/GTFOBins.github.io/master/_gtfobins/{b}.md", timeout=5)
+                    rb = requests.get(f"https://raw.githubusercontent.com/GTFOBins/GTFOBins.github.io/master/_gtfobins/{b}", timeout=5)
            if "sudo:" in rb.text:
                if len(b) <= 3:
                    sudoVB.append("[^a-zA-Z0-9]"+b+"$") # Less false possitives applied to small names
@@ -402,9 +419,9 @@ class LinpeasBuilder:


    def __replace_mark(self, mark: str, find_calls: list, join_char: str):
-        """Substitude the markup with the actual code"""
-        
-        self.linpeas_sh = self.linpeas_sh.replace(mark, join_char.join(find_calls)) #New line char is't needed
+        """Substitute the markup with the actual code"""
+
+        self.linpeas_sh = self.linpeas_sh.replace(mark, join_char.join(find_calls)) #New line char isn't needed
    
    def write_linpeas(self, path):
        """Write on disk the final linpeas"""
--- a/metasploit/peass.rb
+++ b/metasploit/peass.rb
@@ -270,7 +270,7 @@ class MetasploitModule < Msf::Post
    if datastore['CUSTOM_URL'] != ""
      url_peass = datastore['CUSTOM_URL']
    else
-      url_peass = datastore['WINPEASS'] ? "https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe" : "https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh"
+      url_peass = datastore['WINPEASS'].to_s.strip.downcase == 'true' ? "https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe" : "https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh"
    end
    # If URL is set, check if it is a valid URL or local file
    if url_peass.include?("http://") || url_peass.include?("https://")
--- a/parsers/peas2json.py
+++ b/parsers/peas2json.py
@@ -106,8 +106,6 @@ def parse_line(line: str):

    global FINAL_JSON, C_SECTION, C_MAIN_SECTION, C_2_SECTION, C_3_SECTION

-    if "Cron jobs" in line:
-        a=1

    if is_section(line, TITLE1_PATTERN):
        title = parse_title(line)
@@ -145,17 +143,26 @@ def parse_line(line: str):


 def parse_peass(outputpath: str, jsonpath: str = ""):
-    global OUTPUT_PATH, JSON_PATH
+    global OUTPUT_PATH, JSON_PATH, FINAL_JSON, C_SECTION, C_MAIN_SECTION, C_2_SECTION, C_3_SECTION

    OUTPUT_PATH = outputpath
    JSON_PATH = jsonpath

-    for line in open(OUTPUT_PATH, 'r', encoding="utf8").readlines():
-        line = line.strip()
-        if not line or not clean_colors(line): #Remove empty lines or lines just with colors hex
-            continue
+    # Reset globals to avoid data leaking between executions
+    FINAL_JSON = {}
+    C_SECTION = FINAL_JSON
+    C_MAIN_SECTION = FINAL_JSON
+    C_2_SECTION = FINAL_JSON
+    C_3_SECTION = FINAL_JSON

-        parse_line(line)
+    with open(OUTPUT_PATH, 'r', encoding="utf8") as f:
+        for line in f.readlines():
+            line = line.strip()
+            # Remove empty lines or lines containing only color codes
+            if not line or not clean_colors(line):
+                continue
+
+            parse_line(line)

    if JSON_PATH:
        with open(JSON_PATH, "w") as f:
--- a/winPEAS/winPEASbat/winPEAS.bat
+++ b/winPEAS/winPEASbat/winPEAS.bat
@@ -69,57 +69,62 @@ ECHO.
 CALL :T_Progress 2

 :ListHotFixes
-wmic qfe get Caption,Description,HotFixID,InstalledOn | more
+where wmic >nul 2>&1
+if %errorlevel% equ 0 (
+    wmic qfe get Caption,Description,HotFixID,InstalledOn | more
+) else (
+    powershell -command "Get-HotFix | Format-Table -AutoSize"
+)
 set expl=no
 for /f "tokens=3-9" %%a in ('systeminfo') do (ECHO."%%a %%b %%c %%d %%e %%f %%g" | findstr /i "2000 XP 2003 2008 vista" && set expl=yes) & (ECHO."%%a %%b %%c %%d %%e %%f %%g" | findstr /i /C:"windows 7" && set expl=yes)
 IF "%expl%" == "yes" ECHO.   [i] Possible exploits (https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2592799" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2592799" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS11-080 patch is NOT installed! (Vulns: XP/SP3,2K3/SP3-afd.sys)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3143141" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB3143141" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS16-032 patch is NOT installed! (Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-secondary logon)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2393802" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2393802" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS11-011 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP1/2,7/SP0-WmiTraceMessageVa)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB982799" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB982799" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-59 patch is NOT installed! (Vulns: 2K8,Vista,7/SP0-Chimichurri)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB979683" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB979683" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-21 patch is NOT installed! (Vulns: 2K/SP4,XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP0/1/2,7/SP0-Win Kernel)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2305420" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2305420" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-092 patch is NOT installed! (Vulns: 2K8/SP0/1/2,Vista/SP1/2,7/SP0-Task Sched)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB981957" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB981957" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-073 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2/2K8/SP2,Vista/SP1/2,7/SP0-Keyboard Layout)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB4013081" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB4013081" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS17-017 patch is NOT installed! (Vulns: 2K8/SP2,Vista/SP2,7/SP1-Registry Hive Loading)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB977165" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB977165" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-015 patch is NOT installed! (Vulns: 2K,XP,2K3,2K8,Vista,7-User Mode to Ring)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB941693" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB941693" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS08-025 patch is NOT installed! (Vulns: 2K/SP4,XP/SP2,2K3/SP1/2,2K8/SP0,Vista/SP0/1-win32k.sys)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB920958" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB920958" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS06-049 patch is NOT installed! (Vulns: 2K/SP4-ZwQuerySysInfo)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB914389" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB914389" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS06-030 patch is NOT installed! (Vulns: 2K,XP/SP2-Mrxsmb.sys)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB908523" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB908523" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS05-055 patch is NOT installed! (Vulns: 2K/SP4-APC Data-Free)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB890859" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB890859" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS05-018 patch is NOT installed! (Vulns: 2K/SP3/4,XP/SP1/2-CSRSS)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB842526" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB842526" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS04-019 patch is NOT installed! (Vulns: 2K/SP2/3/4-Utility Manager)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB835732" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB835732" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS04-011 patch is NOT installed! (Vulns: 2K/SP2/3/4,XP/SP0/1-LSASS service BoF)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB841872" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB841872" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS04-020 patch is NOT installed! (Vulns: 2K/SP4-POSIX)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2975684" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2975684" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS14-040 patch is NOT installed! (Vulns: 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-afd.sys Dangling Pointer)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3136041" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB3136041" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS16-016 patch is NOT installed! (Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-WebDAV to Address)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3057191" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB3057191" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS15-051 patch is NOT installed! (Vulns: 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-win32k.sys)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2989935" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2989935" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS14-070 patch is NOT installed! (Vulns: 2K3/SP2-TCP/IP)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2778930" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2778930" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS13-005 patch is NOT installed! (Vulns: Vista,7,8,2008,2008R2,2012,RT-hwnd_broadcast)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2850851" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2850851" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS13-053 patch is NOT installed! (Vulns: 7SP0/SP1_x86-schlamperei)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2870008" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2870008" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS13-081 patch is NOT installed! (Vulns: 7SP0/SP1_x86-track_popup_menu)
 ECHO.
 CALL :T_Progress 2
@@ -197,7 +202,12 @@ CALL :T_Progress 1

 :AVSettings
 CALL :ColorLine " %E%33m[+]%E%97m Registered Anti-Virus(AV)"
-WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more 
+where wmic >nul 2>&1
+if %errorlevel% equ 0 (
+    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more
+) else (
+    powershell -command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Select-Object -ExpandProperty displayName"
+) 
 ECHO.Checking for defender whitelisted PATHS
 reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" 2>nul
 CALL :T_Progress 1
@@ -226,7 +236,12 @@ CALL :T_Progress 3
 :MountedDisks
 CALL :ColorLine " %E%33m[+]%E%97m MOUNTED DISKS"
 ECHO.   [i] Maybe you find something interesting
-(wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul)
+where wmic >nul 2>&1
+if %errorlevel% equ 0 (
+    wmic logicaldisk get caption | more
+) else (
+    fsutil fsinfo drives
+)
 ECHO.
 CALL :T_Progress 1

@@ -273,15 +288,29 @@ tasklist /SVC
 ECHO.
 CALL :T_Progress 2
 ECHO.   [i] Checking file permissions of running processes (File backdooring - maybe the same files start automatically when Administrator logs in)
-for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
-	for /f eol^=^"^ delims^=^" %%z in ('ECHO.%%x') do (
-		icacls "%%z" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
+where wmic >nul 2>&1
+if %errorlevel% equ 0 (
+	for /f "tokens=2 delims='='" %%x in ('wmic process list full ^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
+		for /f eol^=^"^ delims^=^" %%z in ('ECHO.%%x') do (
+			icacls "%%z" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
+		)
+	)
+) else (
+	for /f "tokens=*" %%x in ('powershell -command "Get-Process | Where-Object {$_.Path -and $_.Path -notlike '*system32*'} | Select-Object -ExpandProperty Path -Unique"') do (
+		icacls "%%x" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
 	)
 )
 ECHO.
 ECHO.   [i] Checking directory permissions of running processes (DLL injection)
-for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('ECHO.%%x') do (
-	icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
+where wmic >nul 2>&1
+if %errorlevel% equ 0 (
+	for /f "tokens=2 delims='='" %%x in ('wmic process list full ^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('ECHO.%%x') do (
+		icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
+	)
+) else (
+	for /f "tokens=*" %%x in ('powershell -command "Get-Process | Where-Object {$_.Path -and $_.Path -notlike '*system32*'} | Select-Object -ExpandProperty Path -Unique"') do (
+		for /f "delims=" %%d in ("%%~dpx") do icacls "%%d" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
+	)
 )
 ECHO.
 CALL :T_Progress 3
@@ -376,7 +405,7 @@ CALL :T_Progress 1

 :BasicUserInfo
 CALL :ColorLine "%E%32m[*]%E%97m BASIC USER INFO
-ECHO.   [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege
+ECHO.   [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege
 ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups
 ECHO.
 CALL :ColorLine " %E%33m[+]%E%97m CURRENT USER"
@@ -452,8 +481,19 @@ ECHO.
 :ServiceBinaryPermissions
 CALL :ColorLine " %E%33m[+]%E%97m SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS"
 ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
-for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do (
-    for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
+where wmic >nul 2>&1
+if %errorlevel% equ 0 (
+	for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do (
+		for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
+	)
+) else (
+	for /f "tokens=*" %%a in ('powershell -command "Get-CimInstance -ClassName Win32_Service | Where-Object {$_.PathName -and $_.PathName -notlike '*system32*'} | Select-Object -ExpandProperty PathName"') do (
+		for /f "tokens=1 delims= " %%b in ("%%a") do (
+			set "svcpath=%%b"
+			set "svcpath=!svcpath:~1,-1!"
+			if exist "!svcpath!" icacls "!svcpath!" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
+		)
+	)
 )
 ECHO.
 CALL :T_Progress 1
@@ -628,16 +668,29 @@ if "%long%" == "true" (
 	ECHO.
 	ECHO.   [i] Iterating through the drives
 	ECHO.
-	for /f %%x in ('wmic logicaldisk get name^| more') do (
-		set tdrive=%%x
-		if "!tdrive:~1,2!" == ":" (
-			%%x
-            CALL :ColorLine " %E%33m[+]%E%97m FILES THAT CONTAINS THE WORD PASSWORD WITH EXTENSION: .xml .ini .txt *.cfg *.config"
-	        findstr /s/n/m/i password *.xml *.ini *.txt *.cfg *.config 2>nul | findstr /v /i "\\AppData\\Local \\WinSxS ApnDatabase.xml \\UEV\\InboxTemplates \\Microsoft.Windows.Cloud \\Notepad\+\+\\ vmware cortana alphabet \\7-zip\\" 2>nul
-            ECHO.
-            CALL :ColorLine " %E%33m[+]%E%97m FILES WHOSE NAME CONTAINS THE WORD PASS CRED or .config not inside \Windows\"
-            dir /s/b *pass* == *cred* == *.config* == *.cfg 2>nul | findstr /v /i "\\windows\\"  
-            ECHO.
+	where wmic >nul 2>&1
+	if !errorlevel! equ 0 (
+		for /f %%x in ('wmic logicaldisk get name ^| more') do (
+			set tdrive=%%x
+			if "!tdrive:~1,2!" == ":" (
+				%%x
+				CALL :ColorLine " %E%33m[+]%E%97m FILES THAT CONTAINS THE WORD PASSWORD WITH EXTENSION: .xml .ini .txt *.cfg *.config"
+				findstr /s/n/m/i password *.xml *.ini *.txt *.cfg *.config 2>nul | findstr /v /i "\\AppData\\Local \\WinSxS ApnDatabase.xml \\UEV\\InboxTemplates \\Microsoft.Windows.Cloud \\Notepad\+\+\\ vmware cortana alphabet \\7-zip\\" 2>nul
+				ECHO.
+				CALL :ColorLine " %E%33m[+]%E%97m FILES WHOSE NAME CONTAINS THE WORD PASS CRED or .config not inside \Windows\"
+				dir /s/b *pass* == *cred* == *.config* == *.cfg 2>nul | findstr /v /i "\\windows\\"
+				ECHO.
+			)
+		)
+	) else (
+		for /f %%x in ('powershell -command "Get-PSDrive -PSProvider FileSystem | Where-Object {$_.Root -match ':'} | Select-Object -ExpandProperty Name"') do (
+			%%x:
+			CALL :ColorLine " %E%33m[+]%E%97m FILES THAT CONTAINS THE WORD PASSWORD WITH EXTENSION: .xml .ini .txt *.cfg *.config"
+			findstr /s/n/m/i password *.xml *.ini *.txt *.cfg *.config 2>nul | findstr /v /i "\\AppData\\Local \\WinSxS ApnDatabase.xml \\UEV\\InboxTemplates \\Microsoft.Windows.Cloud \\Notepad\+\+\\ vmware cortana alphabet \\7-zip\\" 2>nul
+			ECHO.
+			CALL :ColorLine " %E%33m[+]%E%97m FILES WHOSE NAME CONTAINS THE WORD PASS CRED or .config not inside \Windows\"
+			dir /s/b *pass* == *cred* == *.config* == *.cfg 2>nul | findstr /v /i "\\windows\\"
+			ECHO.
 		)
 	)
 	CALL :T_Progress 2
@@ -654,7 +707,8 @@ EXIT /B

 :SetOnce
 REM :: ANSI escape character is set once below - for ColorLine Subroutine
-SET "E=0x1B["
+for /F %%a in ('echo prompt $E ^| cmd') do set "ESC=%%a"
+SET "E=%ESC%["
 SET "PercentageTrack=0"
 EXIT /B

@@ -666,5 +720,5 @@ EXIT /B

 :ColorLine
 SET "CurrentLine=%~1"
-FOR /F "delims=" %%A IN ('FORFILES.EXE /P %~dp0 /M %~nx0 /C "CMD /C ECHO.!CurrentLine!"') DO ECHO.%%A
+ECHO.!CurrentLine!
 EXIT /B
--- a/winPEAS/winPEASexe/README.md
+++ b/winPEAS/winPEASexe/README.md
@@ -22,7 +22,7 @@ $url = "https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany
 # One liner to download and execute winPEASany from memory in a PS shell
 $wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "$url" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("")

-# The cprevios cmd in 2 lines
+# The previous cmd in 2 lines
 $wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "$url" -UseBasicParsing | Select-Object -ExpandProperty Content));
 [winPEAS.Program]::Main("") #Put inside the quotes the winpeas parameters you want to use

@@ -78,6 +78,16 @@ It should take only a **few seconds** to execute almost all the checks and **som

 The tool is based on **[SeatBelt](https://github.com/GhostPack/Seatbelt)**.

+### New (AD-aware) checks
+
+- Active Directory quick checks now include:
+  - gMSA readable managed passwords: enumerate msDS-GroupManagedServiceAccount objects and report those where the current user/group is allowed to retrieve the managed password (PrincipalsAllowedToRetrieveManagedPassword).
+  - AD object control surfaces: parse ACLs for high-value objects plus a sampled set of users/groups/computers and flag when the current security principal already has GenericAll/GenericWrite/WriteDacl/WriteOwner or attribute-specific rights (SPN, UAC, msDS-AllowedToActOnBehalfOfOtherIdentity, sidHistory, member, unicodePwd, replication) that can be abused for password resets, Kerberoasting, delegation/RBCD, DCSync, or stealth persistence.
+  - AD CS (ESC4) hygiene: enumerate published certificate templates and highlight templates where the current user/group has dangerous control rights (GenericAll/WriteDacl/WriteOwner/WriteProperty/ExtendedRight) that could allow template abuse (e.g., ESC4 -> ESC1).
+
+These checks are lightweight, read-only, and only run when the host is domain-joined.
+
+
 ## Where are my COLORS?!?!?!

 The **ouput will be colored** using **ansi** colors. If you are executing `winpeas.exe` **from a Windows console**, you need to set a registry value to see the colors (and open a new CMD):
@@ -140,6 +150,7 @@ Once you have installed and activated it you need to:
  - [x] Applocker Configuration & bypass suggestions
  - [x] Printers
  - [x] Named Pipes
+  - [x] Named Pipe ACL abuse candidates
  - [x] AMSI Providers
  - [x] SysMon
  - [x] .NET Versions
@@ -204,7 +215,7 @@ Once you have installed and activated it you need to:
  - [x] SCCM
  - [x] Security Package Credentials
  - [x] AlwaysInstallElevated
-  - [x] WSUS
+  - [x] WSUS (HTTP downgrade + CVE-2025-59287 exposure)

 - **Browser Information**
  - [x] Firefox DBs
--- a/winPEAS/winPEASexe/Tests/App.config
+++ b/winPEAS/winPEASexe/Tests/App.config
@@ -39,7 +39,7 @@
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Text.RegularExpressions" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-4.1.1.0" newVersion="4.1.1.0" />
+        <bindingRedirect oldVersion="0.0.0.0-4.1.0.0" newVersion="4.1.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Linq" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
--- a/winPEAS/winPEASexe/Tests/packages.config
+++ b/winPEAS/winPEASexe/Tests/packages.config
@@ -39,7 +39,7 @@
  <package id="System.Runtime.Numerics" version="4.3.0" targetFramework="net452" />
  <package id="System.Text.Encoding" version="4.3.0" targetFramework="net452" />
  <package id="System.Text.Encoding.Extensions" version="4.3.0" targetFramework="net452" />
-  <package id="System.Text.RegularExpressions" version="4.3.0" targetFramework="net452" requireReinstallation="true" />
+  <package id="System.Text.RegularExpressions" version="4.3.1" targetFramework="net48" />
  <package id="System.Threading" version="4.3.0" targetFramework="net452" />
  <package id="System.Threading.Tasks" version="4.3.0" targetFramework="net452" />
  <package id="System.Threading.Timer" version="4.3.0" targetFramework="net452" />
--- a/winPEAS/winPEASexe/Tests/winPEAS.Tests.csproj
+++ b/winPEAS/winPEASexe/Tests/winPEAS.Tests.csproj
@@ -83,6 +83,10 @@
    <Reference Include="System.Runtime.InteropServices.RuntimeInformation, Version=4.0.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
      <HintPath>..\packages\System.Runtime.InteropServices.RuntimeInformation.4.3.0\lib\net45\System.Runtime.InteropServices.RuntimeInformation.dll</HintPath>
    </Reference>
+    <Reference Include="System.Text.RegularExpressions, Version=4.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a">
+      <HintPath>..\packages\System.Text.RegularExpressions.4.3.1\lib\net463\System.Text.RegularExpressions.dll</HintPath>
+      <Private>True</Private>
+    </Reference>
    <Reference Include="System.Xml.Linq" />
    <Reference Include="System.Data.DataSetExtensions" />
    <Reference Include="Microsoft.CSharp" />
--- a/winPEAS/winPEASexe/winPEAS/App.config
+++ b/winPEAS/winPEASexe/winPEAS/App.config
@@ -32,7 +32,7 @@
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Bcl.AsyncInterfaces" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-8.0.0.0" newVersion="8.0.0.0" />
+        <bindingRedirect oldVersion="0.0.0.0-9.0.0.1" newVersion="9.0.0.1" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Win32.Primitives" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
@@ -156,7 +156,7 @@
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Text.Encodings.Web" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-8.0.0.0" newVersion="8.0.0.0" />
+        <bindingRedirect oldVersion="0.0.0.0-9.0.0.1" newVersion="9.0.0.1" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Text.RegularExpressions" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
--- a/winPEAS/winPEASexe/winPEAS/Checks/ActiveDirectoryInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/ActiveDirectoryInfo.cs
@@ -0,0 +1,943 @@
+using System;
+using System.Collections.Generic;
+using System.DirectoryServices;
+using System.Linq;
+using System.Security.AccessControl;
+using System.Security.Principal;
+using System.Text;
+using winPEAS.Helpers;
+using winPEAS.Helpers.Registry;
+
+namespace winPEAS.Checks
+{
+    // Lightweight AD-oriented checks for common escalation paths (gMSA readable password, AD CS template control)
+    internal class ActiveDirectoryInfo : ISystemCheck
+    {
+        public void PrintInfo(bool isDebug)
+        {
+            Beaprint.GreatPrint("Active Directory Quick Checks");
+
+            new List<Action>
+            {
+                PrintGmsaReadableByCurrentPrincipal,
+                PrintAdObjectControlPaths,
+                PrintAdcsMisconfigurations
+            }.ForEach(action => CheckRunner.Run(action, isDebug));
+        }
+
+        private const int SampleObjectLimit = 120;
+        private const int MaxFindingsToPrint = 40;
+        private static readonly Dictionary<Guid, string> GuidNameCache = new Dictionary<Guid, string>();
+        private static readonly object GuidCacheLock = new object();
+
+        private static HashSet<string> GetCurrentSidSet()
+        {
+            var sids = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+            try
+            {
+                var id = WindowsIdentity.GetCurrent();
+                sids.Add(id.User.Value);
+                foreach (var g in id.Groups)
+                {
+                    sids.Add(g.Value);
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.GrayPrint("    [!] Error obtaining current SIDs: " + ex.Message);
+            }
+            return sids;
+        }
+
+        private static string GetRootDseProp(string prop)
+        {
+            try
+            {
+                using (var root = new DirectoryEntry("LDAP://RootDSE"))
+                {
+                    return root.Properties[prop]?.Value as string;
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.GrayPrint($"    [!] Error accessing RootDSE ({prop}): {ex.Message}");
+                return null;
+            }
+        }
+
+        private static string GetProp(SearchResult r, string name)
+        {
+            return (r.Properties.Contains(name) && r.Properties[name].Count > 0)
+                ? r.Properties[name][0]?.ToString()
+                : null;
+        }
+
+        // Highlight objects where the current principal already has useful write/control rights
+        private void PrintAdObjectControlPaths()
+        {
+            try
+            {
+                Beaprint.MainPrint("AD object control surfaces");
+                Beaprint.LinkPrint(
+                    "https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/index.html#acl-abuse",
+                    "Look for objects where you have GenericAll/GenericWrite/attribute rights for ACL abuse (password reset, SPN/UAC/RBCD, sidHistory, delegation, DCSync).");
+
+                if (!Checks.IsPartOfDomain)
+                {
+                    Beaprint.GrayPrint("  [-] Host is not domain-joined. Skipping.");
+                    return;
+                }
+
+                var defaultNC = GetRootDseProp("defaultNamingContext");
+                var schemaNC = GetRootDseProp("schemaNamingContext");
+                var configNC = GetRootDseProp("configurationNamingContext");
+
+                if (string.IsNullOrEmpty(defaultNC))
+                {
+                    Beaprint.GrayPrint("  [-] Could not resolve defaultNamingContext.");
+                    return;
+                }
+
+                var sidSet = GetCurrentSidSet();
+                var processedDns = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+                var findings = new List<AdObjectFinding>();
+
+                foreach (var target in EnumerateHighValueTargets(defaultNC))
+                {
+                    var finding = AnalyzeDirectoryObject(target.DistinguishedName, target.Label, sidSet, schemaNC, configNC);
+                    if (finding == null)
+                    {
+                        continue;
+                    }
+
+                    if (processedDns.Add(finding.DistinguishedName))
+                    {
+                        findings.Add(finding);
+                    }
+                }
+
+                try
+                {
+                    using (var baseDe = new DirectoryEntry("LDAP://" + defaultNC))
+                    using (var ds = new DirectorySearcher(baseDe))
+                    {
+                        ds.PageSize = 200;
+                        ds.SizeLimit = SampleObjectLimit;
+                        ds.SearchScope = SearchScope.Subtree;
+                        ds.SecurityMasks = SecurityMasks.Dacl;
+                        ds.Filter = "(|(objectClass=user)(objectClass=group)(objectClass=computer))";
+                        ds.PropertiesToLoad.Add("distinguishedName");
+                        ds.PropertiesToLoad.Add("sAMAccountName");
+                        ds.PropertiesToLoad.Add("name");
+
+                        using (var results = ds.FindAll())
+                        {
+                            foreach (SearchResult r in results)
+                            {
+                                var dn = GetProp(r, "distinguishedName");
+                                if (string.IsNullOrEmpty(dn) || processedDns.Contains(dn))
+                                {
+                                    continue;
+                                }
+
+                                var label = GetProp(r, "sAMAccountName") ?? GetProp(r, "name") ?? dn;
+                                var finding = AnalyzeDirectoryObject(dn, label, sidSet, schemaNC, configNC);
+                                if (finding != null && processedDns.Add(finding.DistinguishedName))
+                                {
+                                    findings.Add(finding);
+                                }
+                            }
+                        }
+                    }
+                }
+                catch (Exception ex)
+                {
+                    Beaprint.GrayPrint("    [!] LDAP sampling failed: " + ex.Message);
+                }
+
+                if (findings.Count == 0)
+                {
+                    Beaprint.GrayPrint("  [-] No impactful ACLs detected for the current principal (sampled set).");
+                    return;
+                }
+
+                var ordered = findings
+                    .OrderByDescending(f => f.MaxScore)
+                    .ThenBy(f => f.DisplayName, StringComparer.OrdinalIgnoreCase)
+                    .ToList();
+
+                var truncated = ordered.Count > MaxFindingsToPrint;
+                if (truncated)
+                {
+                    ordered = ordered.Take(MaxFindingsToPrint).ToList();
+                }
+
+                Beaprint.GrayPrint($"  [+] Found {findings.Count} object(s) where your principal has abuse-friendly rights:");
+                foreach (var finding in ordered)
+                {
+                    Beaprint.BadPrint($"    -> {finding.DisplayName} ({finding.ClassName})");
+                    Beaprint.GrayPrint("       DN: " + finding.DistinguishedName);
+                    foreach (var impact in finding.Impacts.OrderByDescending(i => i.Score))
+                    {
+                        Beaprint.GrayPrint($"       * {impact.Impact}: {impact.Detail}");
+                    }
+                }
+
+                if (truncated)
+                {
+                    Beaprint.GrayPrint($"  [!] Additional {findings.Count - MaxFindingsToPrint} object(s) not shown (enable domain mode or run winPEAS with more time to enumerate all objects).");
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+
+        private static IEnumerable<(string Label, string DistinguishedName)> EnumerateHighValueTargets(string defaultNC)
+        {
+            return new List<(string, string)>
+            {
+                ("Domain Root", defaultNC),
+                ("AdminSDHolder", $"CN=AdminSDHolder,CN=System,{defaultNC}"),
+                ("Domain Controllers OU", $"OU=Domain Controllers,{defaultNC}"),
+                ("Domain Controllers group", $"CN=Domain Controllers,CN=Users,{defaultNC}"),
+                ("Domain Admins", $"CN=Domain Admins,CN=Users,{defaultNC}"),
+                ("Enterprise Admins", $"CN=Enterprise Admins,CN=Users,{defaultNC}"),
+                ("Schema Admins", $"CN=Schema Admins,CN=Users,{defaultNC}"),
+                ("Administrators", $"CN=Administrators,CN=Builtin,{defaultNC}"),
+                ("Account Operators", $"CN=Account Operators,CN=Builtin,{defaultNC}"),
+                ("Backup Operators", $"CN=Backup Operators,CN=Builtin,{defaultNC}"),
+                ("Group Policy Creator Owners", $"CN=Group Policy Creator Owners,CN=Users,{defaultNC}"),
+                ("krbtgt", $"CN=krbtgt,CN=Users,{defaultNC}")
+            };
+        }
+
+        private static AdObjectFinding AnalyzeDirectoryObject(string dn, string label, HashSet<string> sidSet, string schemaNC, string configNC)
+        {
+            if (string.IsNullOrEmpty(dn))
+            {
+                return null;
+            }
+
+            try
+            {
+                using (var entry = new DirectoryEntry("LDAP://" + dn))
+                {
+                    entry.Options.SecurityMasks = SecurityMasks.Owner | SecurityMasks.Dacl;
+                    entry.RefreshCache();
+                    return EvaluateSecurity(entry, label ?? dn, sidSet, schemaNC, configNC);
+                }
+            }
+            catch (Exception)
+            {
+                return null;
+            }
+        }
+
+        private static AdObjectFinding EvaluateSecurity(DirectoryEntry entry, string label, HashSet<string> sidSet, string schemaNC, string configNC)
+        {
+            ActiveDirectorySecurity security;
+            try
+            {
+                security = entry.ObjectSecurity;
+            }
+            catch
+            {
+                return null;
+            }
+
+            if (security == null)
+            {
+                return null;
+            }
+
+            var finding = new AdObjectFinding
+            {
+                DisplayName = label ?? entry.Name,
+                DistinguishedName = entry.Properties?["distinguishedName"]?.Value as string ?? entry.Path,
+                ClassName = entry.SchemaClassName ?? "object"
+            };
+
+            var seenImpacts = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+
+            try
+            {
+                var ownerSid = security.GetOwner(typeof(SecurityIdentifier)) as SecurityIdentifier;
+                if (ownerSid != null && sidSet.Contains(ownerSid.Value))
+                {
+                    var impact = new AdAccessImpact
+                    {
+                        Impact = "Object owner",
+                        Detail = "You own this object and can rewrite its ACL to grant full control.",
+                        Score = 3
+                    };
+                    finding.Impacts.Add(impact);
+                    seenImpacts.Add(impact.Impact);
+                }
+            }
+            catch
+            {
+                // ignore owner lookup issues
+            }
+
+            AuthorizationRuleCollection rules;
+            try
+            {
+                rules = security.GetAccessRules(true, true, typeof(SecurityIdentifier));
+            }
+            catch
+            {
+                return finding.Impacts.Count > 0 ? finding : null;
+            }
+
+            foreach (ActiveDirectoryAccessRule rule in rules)
+            {
+                if (rule == null || rule.AccessControlType != AccessControlType.Allow)
+                {
+                    continue;
+                }
+
+                if (!(rule.IdentityReference is SecurityIdentifier sid))
+                {
+                    continue;
+                }
+
+                if (!sidSet.Contains(sid.Value))
+                {
+                    continue;
+                }
+
+                foreach (var impact in MapRuleToImpacts(rule, schemaNC, configNC))
+                {
+                    if (impact == null)
+                    {
+                        continue;
+                    }
+
+                    var key = impact.Impact + "|" + impact.Detail;
+                    if (seenImpacts.Add(key))
+                    {
+                        finding.Impacts.Add(impact);
+                    }
+                }
+            }
+
+            return finding.Impacts.Count > 0 ? finding : null;
+        }
+
+        private static IEnumerable<AdAccessImpact> MapRuleToImpacts(ActiveDirectoryAccessRule rule, string schemaNC, string configNC)
+        {
+            var impacts = new List<AdAccessImpact>();
+            var rights = rule.ActiveDirectoryRights;
+
+            if ((rights & ActiveDirectoryRights.GenericAll) != 0)
+            {
+                impacts.Add(new AdAccessImpact
+                {
+                    Impact = "GenericAll",
+                    Detail = "Full control -> reset password, add group members, edit SPNs/UAC, change ACLs.",
+                    Score = 5
+                });
+                return impacts;
+            }
+
+            if ((rights & ActiveDirectoryRights.GenericWrite) != 0)
+            {
+                impacts.Add(new AdAccessImpact
+                {
+                    Impact = "GenericWrite",
+                    Detail = "Can modify most attributes (logon scripts, SPNs, UAC, etc.).",
+                    Score = 4
+                });
+            }
+
+            if ((rights & ActiveDirectoryRights.WriteDacl) != 0)
+            {
+                impacts.Add(new AdAccessImpact
+                {
+                    Impact = "WriteDACL",
+                    Detail = "Can edit the ACL to grant yourself additional rights/persistence.",
+                    Score = 4
+                });
+            }
+
+            if ((rights & ActiveDirectoryRights.WriteOwner) != 0)
+            {
+                impacts.Add(new AdAccessImpact
+                {
+                    Impact = "WriteOwner",
+                    Detail = "Can take ownership and then modify the DACL.",
+                    Score = 3
+                });
+            }
+
+            if ((rights & ActiveDirectoryRights.CreateChild) != 0)
+            {
+                impacts.Add(new AdAccessImpact
+                {
+                    Impact = "CreateChild",
+                    Detail = "Can create new users/computers/groups under this container (great for planting attack principals).",
+                    Score = 3
+                });
+            }
+
+            if ((rights & ActiveDirectoryRights.ExtendedRight) != 0)
+            {
+                var extImpact = MapExtendedRightImpact(rule.ObjectType, schemaNC, configNC);
+                if (extImpact != null)
+                {
+                    impacts.Add(extImpact);
+                }
+            }
+
+            if ((rights & ActiveDirectoryRights.WriteProperty) != 0)
+            {
+                var attrImpact = MapAttributeWriteImpact(rule.ObjectType, schemaNC, configNC, false);
+                if (attrImpact != null)
+                {
+                    impacts.Add(attrImpact);
+                }
+            }
+
+            if ((rights & ActiveDirectoryRights.Self) != 0)
+            {
+                var validatedImpact = MapAttributeWriteImpact(rule.ObjectType, schemaNC, configNC, true);
+                if (validatedImpact != null)
+                {
+                    impacts.Add(validatedImpact);
+                }
+            }
+
+            return impacts;
+        }
+
+        private static AdAccessImpact MapExtendedRightImpact(Guid objectType, string schemaNC, string configNC)
+        {
+            if (objectType == Guid.Empty)
+            {
+                return null;
+            }
+
+            var name = GetGuidFriendlyName(objectType, schemaNC, configNC)?.ToLowerInvariant();
+            if (string.IsNullOrEmpty(name))
+            {
+                return null;
+            }
+
+            if (name.Contains("reset password") || name.Contains("user-force-change-password"))
+            {
+                return new AdAccessImpact
+                {
+                    Impact = "ResetPassword right",
+                    Detail = "Can reset the target account password without knowing the current value.",
+                    Score = 5
+                };
+            }
+
+            if (name.Contains("replicating directory changes"))
+            {
+                return new AdAccessImpact
+                {
+                    Impact = "Replication (DCSync)",
+                    Detail = "Has replication rights (part of DCSync privilege to dump NTDS hashes).",
+                    Score = name.Contains("filtered") ? 5 : 4
+                };
+            }
+
+            return null;
+        }
+
+        private static AdAccessImpact MapAttributeWriteImpact(Guid objectType, string schemaNC, string configNC, bool validatedWrite)
+        {
+            if (objectType == Guid.Empty)
+            {
+                return new AdAccessImpact
+                {
+                    Impact = validatedWrite ? "Validated write (broad)" : "WriteProperty (broad)",
+                    Detail = "ACE applies to most attributes. Consider SPN/UAC/sidHistory abuse paths.",
+                    Score = 3
+                };
+            }
+
+            var attributeName = GetGuidFriendlyName(objectType, schemaNC, configNC);
+            if (string.IsNullOrEmpty(attributeName))
+            {
+                return null;
+            }
+
+            var lower = attributeName.ToLowerInvariant();
+
+            if (lower.Contains("member"))
+            {
+                return new AdAccessImpact
+                {
+                    Impact = "Group membership control",
+                    Detail = "Can edit the 'member' attribute -> add principals to this group.",
+                    Score = 5
+                };
+            }
+
+            if (lower.Contains("serviceprincipalname") || lower.Contains("validated-spn"))
+            {
+                return new AdAccessImpact
+                {
+                    Impact = "SPN control",
+                    Detail = "Can set servicePrincipalName -> Kerberoast or constrained delegation abuse.",
+                    Score = 4
+                };
+            }
+
+            if (lower.Contains("useraccountcontrol"))
+            {
+                return new AdAccessImpact
+                {
+                    Impact = "UAC control",
+                    Detail = "Can toggle UserAccountControl bits (AS-REP roastable, delegation, unconstrained).",
+                    Score = 4
+                };
+            }
+
+            if (lower.Contains("msds-allowedtoactonbehalfofotheridentity"))
+            {
+                return new AdAccessImpact
+                {
+                    Impact = "RBCD control",
+                    Detail = "Can edit msDS-AllowedToActOnBehalfOfOtherIdentity -> configure Resource-Based Constrained Delegation.",
+                    Score = 5
+                };
+            }
+
+            if (lower.Contains("msds-allowedtodelegateto"))
+            {
+                return new AdAccessImpact
+                {
+                    Impact = "Delegation target control",
+                    Detail = "Can edit msDS-AllowedToDelegateTo -> establish constrained delegation paths.",
+                    Score = 4
+                };
+            }
+
+            if (lower.Contains("sidhistory"))
+            {
+                return new AdAccessImpact
+                {
+                    Impact = "sidHistory control",
+                    Detail = "Can add privileged SIDs into sidHistory for stealth escalation/persistence.",
+                    Score = 4
+                };
+            }
+
+            if (lower.Contains("unicodepwd") || lower.Contains("userpassword"))
+            {
+                return new AdAccessImpact
+                {
+                    Impact = "Password write",
+                    Detail = "Can directly set unicodePwd/userPassword -> immediate account takeover.",
+                    Score = 5
+                };
+            }
+
+            return null;
+        }
+
+        private static string GetGuidFriendlyName(Guid guid, string schemaNC, string configNC)
+        {
+            if (guid == Guid.Empty)
+            {
+                return null;
+            }
+
+            lock (GuidCacheLock)
+            {
+                if (GuidNameCache.TryGetValue(guid, out var cached))
+                {
+                    return cached;
+                }
+            }
+
+            string resolved = null;
+
+            if (!string.IsNullOrEmpty(schemaNC))
+            {
+                resolved = LookupGuidInSchema(guid, schemaNC);
+            }
+
+            if (resolved == null && !string.IsNullOrEmpty(configNC))
+            {
+                resolved = LookupGuidInExtendedRights(guid, configNC);
+            }
+
+            if (string.IsNullOrEmpty(resolved))
+            {
+                resolved = guid.ToString();
+            }
+
+            lock (GuidCacheLock)
+            {
+                if (!GuidNameCache.ContainsKey(guid))
+                {
+                    GuidNameCache[guid] = resolved;
+                }
+                return GuidNameCache[guid];
+            }
+        }
+
+        private static string LookupGuidInSchema(Guid guid, string schemaNC)
+        {
+            try
+            {
+                using (var schema = new DirectoryEntry("LDAP://" + schemaNC))
+                using (var searcher = new DirectorySearcher(schema))
+                {
+                    searcher.Filter = $"(schemaIDGUID={GuidToLdapFilter(guid)})";
+                    searcher.PropertiesToLoad.Add("lDAPDisplayName");
+                    searcher.PropertiesToLoad.Add("name");
+                    var result = searcher.FindOne();
+                    if (result != null)
+                    {
+                        return GetProp(result, "lDAPDisplayName") ?? GetProp(result, "name");
+                    }
+                }
+            }
+            catch
+            {
+                // ignore schema lookup errors
+            }
+
+            return null;
+        }
+
+        private static string LookupGuidInExtendedRights(Guid guid, string configNC)
+        {
+            try
+            {
+                var extendedRightsDn = $"CN=Extended-Rights,{configNC}";
+                using (var rights = new DirectoryEntry("LDAP://" + extendedRightsDn))
+                using (var searcher = new DirectorySearcher(rights))
+                {
+                    searcher.Filter = $"(rightsGuid={guid})";
+                    searcher.PropertiesToLoad.Add("displayName");
+                    searcher.PropertiesToLoad.Add("name");
+                    var result = searcher.FindOne();
+                    if (result != null)
+                    {
+                        return GetProp(result, "displayName") ?? GetProp(result, "name");
+                    }
+                }
+            }
+            catch
+            {
+                // ignore extended rights lookup issues
+            }
+
+            return null;
+        }
+
+        private static string GuidToLdapFilter(Guid guid)
+        {
+            var bytes = guid.ToByteArray();
+            var sb = new StringBuilder();
+            foreach (var b in bytes)
+            {
+                sb.Append($"\\{b:X2}");
+            }
+
+            return sb.ToString();
+        }
+
+        private class AdObjectFinding
+        {
+            public string DisplayName { get; set; }
+            public string DistinguishedName { get; set; }
+            public string ClassName { get; set; }
+            public List<AdAccessImpact> Impacts { get; } = new List<AdAccessImpact>();
+            public int MaxScore => Impacts.Count == 0 ? 0 : Impacts.Max(i => i.Score);
+        }
+
+        private class AdAccessImpact
+        {
+            public string Impact { get; set; }
+            public string Detail { get; set; }
+            public int Score { get; set; }
+        }
+
+        // Detect gMSA objects where the current principal (or one of its groups) can retrieve the managed password
+        private void PrintGmsaReadableByCurrentPrincipal()
+        {
+            try
+            {
+                Beaprint.MainPrint("gMSA readable managed passwords");
+                Beaprint.LinkPrint(
+                    "https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/gmsa.html",
+                    "Look for Group Managed Service Accounts you can read (msDS-ManagedPassword)");
+
+                if (!Checks.IsPartOfDomain)
+                {
+                    Beaprint.GrayPrint("  [-] Host is not domain-joined. Skipping.");
+                    return;
+                }
+
+                var defaultNC = GetRootDseProp("defaultNamingContext");
+                if (string.IsNullOrEmpty(defaultNC))
+                {
+                    Beaprint.GrayPrint("  [-] Could not resolve defaultNamingContext.");
+                    return;
+                }
+
+                var currentSidSet = GetCurrentSidSet();
+                int total = 0, readable = 0;
+
+                using (var baseDe = new DirectoryEntry("LDAP://" + defaultNC))
+                using (var ds = new DirectorySearcher(baseDe))
+                {
+                    ds.PageSize = 300;
+                    ds.Filter = "(&(objectClass=msDS-GroupManagedServiceAccount))";
+                    ds.PropertiesToLoad.Add("sAMAccountName");
+                    ds.PropertiesToLoad.Add("distinguishedName");
+                    // Who can read the managed password
+                    ds.PropertiesToLoad.Add("PrincipalsAllowedToRetrieveManagedPassword");
+
+                    foreach (SearchResult r in ds.FindAll())
+                    {
+                        total++;
+                        var name = GetProp(r, "sAMAccountName") ?? GetProp(r, "distinguishedName") ?? "<unknown>";
+                        var dn = GetProp(r, "distinguishedName") ?? "";
+
+                        bool canRead = false;
+                        // Attribute may be absent or empty
+                        var allowedDns = r.Properties["principalsallowedtoretrievemanagedpassword"];
+                        if (allowedDns != null)
+                        {
+                            foreach (var val in allowedDns)
+                            {
+                                try
+                                {
+                                    using (var de = new DirectoryEntry("LDAP://" + val.ToString()))
+                                    {
+                                        var sidObj = de.Properties["objectSid"]?.Value as byte[];
+                                        if (sidObj == null) continue;
+                                        var sid = new SecurityIdentifier(sidObj, 0).Value;
+                                        if (currentSidSet.Contains(sid))
+                                        {
+                                            canRead = true;
+                                        }
+                                    }
+                                }
+                                catch { /* ignore DN resolution issues */ }
+                            }
+                        }
+
+                        if (canRead)
+                        {
+                            readable++;
+                            Beaprint.BadPrint($"  You can retrieve managed password for gMSA: {name}  (DN: {dn})");
+                        }
+                    }
+                }
+
+                if (readable == 0)
+                {
+                    Beaprint.GrayPrint($"  [-] No gMSA with readable managed password found (checked {total}).");
+                }
+                else
+                {
+                    Beaprint.GrayPrint($"  [*] Hint: If such gMSA is member of Builtin\\Remote Management Users on a target, WinRM may be allowed.");
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+
+        // Detect AD CS misconfigurations
+        private void PrintAdcsMisconfigurations()
+        {
+            try
+            {
+                Beaprint.MainPrint("AD CS misconfigurations for ESC");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/ad-certificates.html");
+    
+                if (!Checks.IsPartOfDomain)
+                {
+                    Beaprint.GrayPrint("  [-] Host is not domain-joined. Skipping.");
+                    return;
+                }
+
+                Beaprint.InfoPrint("Check for ADCS misconfigurations in the local DC registry");
+                bool IsDomainController = RegistryHelper.GetReg("HKLM", @"SYSTEM\CurrentControlSet\Services\NTDS")?.ValueCount > 0;
+                if (IsDomainController)
+                {
+                    // For StrongBinding and CertificateMapping, More details in KB014754 - Registry key information:
+                    // https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
+                    uint? strongBinding = RegistryHelper.GetDwordValue("HKLM", @"SYSTEM\CurrentControlSet\Services\Kdc", "StrongCertificateBindingEnforcement");
+                    switch (strongBinding)
+                    {
+                        case 0: 
+                            Beaprint.BadPrint("  StrongCertificateBindingEnforcement: 0 — Weak mapping allowed, vulnerable to ESC9.");
+                            break;
+                        case 2: 
+                            Beaprint.GoodPrint("  StrongCertificateBindingEnforcement: 2 — Prevents weak UPN/DNS mappings even if SID extension missing, not vulnerable to ESC9.");
+                            break;
+                        // 1 is default behavior now I think?
+                        case 1:
+                        default: 
+                            Beaprint.NoColorPrint($"  StrongCertificateBindingEnforcement: {strongBinding} — Allow weak mapping if SID extension missing, may be vulnerable to ESC9.");
+                            break;
+
+                    }  
+
+                    uint? certMapping = RegistryHelper.GetDwordValue("HKLM", @"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL", "CertificateMappingMethods");
+                    if (certMapping.HasValue && (certMapping & 0x4) != 0)
+                        Beaprint.BadPrint($"  CertificateMappingMethods: {certMapping} — Allow UPN-based mapping, vulnerable to ESC10.");
+                    else if(certMapping.HasValue && ((certMapping & 0x1) != 0 || (certMapping & 0x2) != 0))
+                        Beaprint.NoColorPrint($"  CertificateMappingMethods: {certMapping} — Allow weak Subject/Issuer certificate mapping.");
+                    // 0x18 (strong mapping) is default behavior if not the flags above I think?
+                    else
+                        Beaprint.GoodPrint($"  CertificateMappingMethods: {certMapping} — Strong Certificate mapping enabled.");
+
+                    // We take the Active CA, can they be several?
+                    string caName = RegistryHelper.GetRegValue("HKLM", $@"SYSTEM\CurrentControlSet\Services\CertSvc\Configuration", "Active");
+                    if (!string.IsNullOrWhiteSpace(caName))
+                    {
+                        // Obscure Source for InterfaceFlag Enum:
+                        // https://www.sysadmins.lv/apidocs/pki/html/T_PKI_CertificateServices_Flags_InterfaceFlagEnum.htm
+                        uint? interfaceFlags = RegistryHelper.GetDwordValue("HKLM", $@"SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{caName}", "InterfaceFlags");
+                        if (!interfaceFlags.HasValue || (interfaceFlags & 512) == 0)
+                            Beaprint.BadPrint("  IF_ENFORCEENCRYPTICERTREQUEST not set in InterfaceFlags — vulnerable to ESC11.");
+                        else
+                            Beaprint.GoodPrint("  IF_ENFORCEENCRYPTICERTREQUEST set in InterfaceFlags — not vulnerable to ESC11.");
+
+                        string policyModule = RegistryHelper.GetRegValue("HKLM", $@"SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{caName}\PolicyModules", "Active");
+                        if (!string.IsNullOrWhiteSpace(policyModule))
+                        {
+                            string disableExtensionList = RegistryHelper.GetRegValue("HKLM", $@"SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{caName}\PolicyModules\{policyModule}", "DisableExtensionList");
+                            // zOID_NTDS_CA_SECURITY_EXT (OID 1.3.6.1.4.1.311.25.2) 
+                            if (disableExtensionList?.Contains("1.3.6.1.4.1.311.25.2") == true)
+                                Beaprint.BadPrint("  szOID_NTDS_CA_SECURITY_EXT disabled for the entire CA — vulnerable to ESC16.");
+                            else
+                                Beaprint.GoodPrint("  szOID_NTDS_CA_SECURITY_EXT not disabled for the CA — not vulnerable to ESC16.");
+                        }
+                        else
+                        {
+                            Beaprint.GrayPrint("  [-] Policy Module not found. Skipping.");
+                        }
+                    }
+                    else
+                    {
+                        Beaprint.GrayPrint("  [-] Certificate Authority not found. Skipping.");
+                    }
+                }
+                else
+                {
+                    Beaprint.GrayPrint("  [-] Host is not a domain controller. Skipping ADCS Registry check");
+                }
+
+                // Detect AD CS certificate templates where current principal has dangerous control rights(ESC4 - style)
+                Beaprint.InfoPrint("\nIf you can modify a template (WriteDacl/WriteOwner/GenericAll), you can abuse ESC4");
+                var configNC = GetRootDseProp("configurationNamingContext");
+                if (string.IsNullOrEmpty(configNC))
+                {
+                    Beaprint.GrayPrint("  [-] Could not resolve configurationNamingContext.");
+                    return;
+                }
+
+                var currentSidSet = GetCurrentSidSet();
+                int checkedTemplates = 0;
+                int vulnerable = 0;
+
+                var templatesDn = $"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,{configNC}";
+
+                using (var deBase = new DirectoryEntry(templatesDn))
+                using (var ds = new DirectorySearcher(deBase))
+                {
+                    ds.PageSize = 300;
+                    ds.Filter = "(objectClass=pKICertificateTemplate)";
+                    ds.PropertiesToLoad.Add("cn");
+
+                    foreach (SearchResult r in ds.FindAll())
+                    {
+                        checkedTemplates++;
+                        string templateCn = GetProp(r, "cn") ?? "<unknown>";
+
+                        // Fetch security descriptor (DACL)
+                        DirectoryEntry de = null;
+                        try
+                        {
+                            de = r.GetDirectoryEntry();
+                            de.Options.SecurityMasks = SecurityMasks.Dacl;
+                            de.RefreshCache(new[] { "ntSecurityDescriptor" });
+                        }
+                        catch (Exception)
+                        {
+                            de?.Dispose();
+                            continue;
+                        }
+
+                        try
+                        {
+                            var sd = de.ObjectSecurity; // ActiveDirectorySecurity
+                            var rules = sd.GetAccessRules(true, true, typeof(SecurityIdentifier));
+                            bool hit = false;
+                            var hitRights = new HashSet<string>();
+
+                            foreach (ActiveDirectoryAccessRule rule in rules)
+                            {
+                                if (rule.AccessControlType != AccessControlType.Allow) continue;
+                                var sid = (rule.IdentityReference as SecurityIdentifier)?.Value;
+                                if (string.IsNullOrEmpty(sid)) continue;
+                                if (!currentSidSet.Contains(sid)) continue;
+
+                                var rights = rule.ActiveDirectoryRights;
+                                bool dangerous =
+                                    rights.HasFlag(ActiveDirectoryRights.GenericAll) ||
+                                    rights.HasFlag(ActiveDirectoryRights.WriteDacl) ||
+                                    rights.HasFlag(ActiveDirectoryRights.WriteOwner) ||
+                                    rights.HasFlag(ActiveDirectoryRights.WriteProperty) ||
+                                    rights.HasFlag(ActiveDirectoryRights.ExtendedRight);
+
+                                if (dangerous)
+                                {
+                                    hit = true;
+                                    if (rights.HasFlag(ActiveDirectoryRights.GenericAll)) hitRights.Add("GenericAll");
+                                    if (rights.HasFlag(ActiveDirectoryRights.WriteDacl)) hitRights.Add("WriteDacl");
+                                    if (rights.HasFlag(ActiveDirectoryRights.WriteOwner)) hitRights.Add("WriteOwner");
+                                    if (rights.HasFlag(ActiveDirectoryRights.WriteProperty)) hitRights.Add("WriteProperty");
+                                    if (rights.HasFlag(ActiveDirectoryRights.ExtendedRight)) hitRights.Add("ExtendedRight");
+                                }
+                            }
+
+                            if (hit)
+                            {
+                                vulnerable++;
+                                Beaprint.BadPrint($"  Dangerous rights over template: {templateCn}  (Rights: {string.Join(",", hitRights)})");
+                            }
+                        }
+                        catch (Exception)
+                        {
+                            // ignore templates we couldn't read
+                        }
+                        finally
+                        {
+                            de?.Dispose();
+                        }
+                    }
+                }
+
+                if (vulnerable == 0)
+                {
+                    Beaprint.GrayPrint($"  [-] No templates with dangerous rights found (checked {checkedTemplates}).");
+                }
+                else
+                {
+                    Beaprint.GrayPrint("  [*] Tip: Abuse with tools like Certipy (template write -> ESC1 -> enroll).");
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+    }
+}
--- a/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs
@@ -88,8 +88,10 @@ namespace winPEAS.Checks
                new SystemCheck("userinfo", new UserInfo()),
                new SystemCheck("processinfo", new ProcessInfo()),
                new SystemCheck("servicesinfo", new ServicesInfo()),
+                new SystemCheck("soapclientinfo", new SoapClientInfo()),
                new SystemCheck("applicationsinfo", new ApplicationsInfo()),
                new SystemCheck("networkinfo", new NetworkInfo()),
+                new SystemCheck("activedirectoryinfo", new ActiveDirectoryInfo()),
                new SystemCheck("cloudinfo", new CloudInfo()),
                new SystemCheck("windowscreds", new WindowsCreds()),
                new SystemCheck("browserinfo", new BrowserInfo()),
--- a/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs
@@ -102,17 +102,15 @@ namespace winPEAS.Checks
                {
                    vulnHandlers = ProcessesInfo.GetVulnHandlers(progress);
                }
+                Dictionary<string, string> colors = new Dictionary<string, string>();
+                colors[Checks.CurrentUserName] = Beaprint.ansi_color_bad;
+                colors[HandlesHelper.elevatedProcess] = Beaprint.ansi_color_bad;

                foreach (Dictionary<string, string> handler in vulnHandlers)
                {
-                    Dictionary<string, string> colors = new Dictionary<string, string>()
-                    {
-                        { Checks.CurrentUserName, Beaprint.ansi_color_bad },
-                        { handler["Reason"], Beaprint.ansi_color_bad },
-                    };
-
-                    Beaprint.DictPrint(vulnHandlers, colors, true);
+                    colors[handler["Reason"]] = Beaprint.ansi_color_bad;
                }
+                Beaprint.DictPrint(vulnHandlers, colors, true);
            }
            catch (Exception ex)
            {
--- a/winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs
@@ -1,7 +1,9 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Linq;
 using winPEAS.Helpers;
+using winPEAS.Helpers.Registry;
 using winPEAS.Info.ServicesInfo;

 namespace winPEAS.Checks
@@ -34,6 +36,8 @@ namespace winPEAS.Checks
                PrintModifiableServices,
                PrintWritableRegServices,
                PrintPathDllHijacking,
+                PrintLegacySignedKernelDrivers,
+                PrintKernelQuickIndicators,
            }.ForEach(action => CheckRunner.Run(action, isDebug));
        }

@@ -206,5 +210,146 @@ namespace winPEAS.Checks
            }
        }

+
+        void PrintLegacySignedKernelDrivers()
+        {
+            try
+            {
+                Beaprint.MainPrint("Kernel drivers with weak/legacy signatures");
+                Beaprint.LinkPrint("https://research.checkpoint.com/2025/cracking-valleyrat-from-builder-secrets-to-kernel-rootkits/",
+                    "Legacy cross-signed drivers (pre-July-2015) can still grant kernel execution on modern Windows");
+
+                List<ServicesInfoHelper.KernelDriverInfo> drivers = ServicesInfoHelper.GetKernelDriverInfos();
+                if (drivers.Count == 0)
+                {
+                    Beaprint.InfoPrint("  Unable to enumerate kernel services");
+                    return;
+                }
+
+                var suspiciousDrivers = drivers.Where(d => d.Signature != null && (!d.Signature.IsSigned || d.Signature.IsLegacyExpired))
+                                               .OrderBy(d => d.Name)
+                                               .ToList();
+
+                if (suspiciousDrivers.Count == 0)
+                {
+                    Beaprint.InfoPrint("  No unsigned or legacy-signed kernel drivers detected");
+                    return;
+                }
+
+                foreach (var driver in suspiciousDrivers)
+                {
+                    var signature = driver.Signature ?? new ServicesInfoHelper.KernelDriverSignatureInfo();
+                    List<string> reasons = new List<string>();
+
+                    if (!signature.IsSigned)
+                    {
+                        reasons.Add("unsigned or signature missing");
+                    }
+                    else if (signature.IsLegacyExpired)
+                    {
+                        reasons.Add("signed with certificate that expired before 29-Jul-2015 (legacy exception)");
+                    }
+
+                    if (!string.IsNullOrEmpty(driver.StartMode) &&
+                        (driver.StartMode.Equals("System", StringComparison.OrdinalIgnoreCase) ||
+                         driver.StartMode.Equals("Boot", StringComparison.OrdinalIgnoreCase)))
+                    {
+                        reasons.Add($"loads at early boot (Start={driver.StartMode})");
+                    }
+
+                    if (string.Equals(driver.Name, "kernelquick", StringComparison.OrdinalIgnoreCase))
+                    {
+                        reasons.Add("service name matches ValleyRAT rootkit loader");
+                    }
+
+                    string reason = reasons.Count > 0 ? string.Join("; ", reasons) : "Potentially risky driver";
+                    string signatureLine = signature.IsSigned
+                        ? $"Subject: {signature.Subject}; Issuer: {signature.Issuer}; Valid: {FormatDate(signature.NotBefore)} - {FormatDate(signature.NotAfter)}"
+                        : $"Signature issue: {signature.Error ?? "Unsigned"}";
+
+                    Beaprint.BadPrint($"  {driver.Name} ({driver.DisplayName})");
+                    Beaprint.NoColorPrint($"      Path       : {driver.PathName}");
+                    Beaprint.NoColorPrint($"      Start/State: {driver.StartMode}/{driver.State}");
+                    Beaprint.NoColorPrint($"      Reason     : {reason}");
+                    Beaprint.NoColorPrint($"      Signature  : {signatureLine}");
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+
+        void PrintKernelQuickIndicators()
+        {
+            try
+            {
+                Beaprint.MainPrint("KernelQuick / ValleyRAT rootkit indicators");
+
+                bool found = false;
+
+                Dictionary<string, object> serviceValues = RegistryHelper.GetRegValues("HKLM", @"SYSTEM\\CurrentControlSet\\Services\\kernelquick");
+                if (serviceValues != null)
+                {
+                    found = true;
+                    string imagePath = serviceValues.ContainsKey("ImagePath") ? serviceValues["ImagePath"].ToString() : "Unknown";
+                    string start = serviceValues.ContainsKey("Start") ? serviceValues["Start"].ToString() : "Unknown";
+                    Beaprint.BadPrint("  Service HKLM\\SYSTEM\\CurrentControlSet\\Services\\kernelquick present");
+                    Beaprint.NoColorPrint($"      ImagePath : {imagePath}");
+                    Beaprint.NoColorPrint($"      Start     : {start}");
+                }
+
+                foreach (var path in new[] { @"SOFTWARE\\KernelQuick", @"SOFTWARE\\WOW6432Node\\KernelQuick", @"SYSTEM\\CurrentControlSet\\Services\\kernelquick" })
+                {
+                    Dictionary<string, object> values = RegistryHelper.GetRegValues("HKLM", path);
+                    if (values == null)
+                        continue;
+
+                    var kernelQuickValues = values.Where(k => k.Key.StartsWith("KernelQuick_", StringComparison.OrdinalIgnoreCase)).ToList();
+                    if (kernelQuickValues.Count == 0)
+                        continue;
+
+                    found = true;
+                    Beaprint.BadPrint($"  Registry values under HKLM\\{path}");
+                    foreach (var kv in kernelQuickValues)
+                    {
+                        string displayValue = kv.Value is byte[] bytes ? $"(binary) {bytes.Length} bytes" : string.Format("{0}", kv.Value);
+                        Beaprint.NoColorPrint($"      {kv.Key} = {displayValue}");
+                    }
+                }
+
+                Dictionary<string, object> ipdatesValues = RegistryHelper.GetRegValues("HKLM", @"SOFTWARE\\IpDates");
+                if (ipdatesValues != null)
+                {
+                    found = true;
+                    Beaprint.BadPrint("  Possible kernel shellcode staging key HKLM\\SOFTWARE\\IpDates");
+                    foreach (var kv in ipdatesValues)
+                    {
+                        string displayValue = kv.Value is byte[] bytes ? $"(binary) {bytes.Length} bytes" : string.Format("{0}", kv.Value);
+                        Beaprint.NoColorPrint($"      {kv.Key} = {displayValue}");
+                    }
+                }
+
+                if (!found)
+                {
+                    Beaprint.InfoPrint("  No KernelQuick-specific registry indicators were found");
+                }
+                else
+                {
+                    Beaprint.LinkPrint("https://research.checkpoint.com/2025/cracking-valleyrat-from-builder-secrets-to-kernel-rootkits/",
+                        "KernelQuick_* values and HKLM\\SOFTWARE\\IpDates are used by the ValleyRAT rootkit to hide files and stage APC payloads");
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+
+        private string FormatDate(DateTime? dateTime)
+        {
+            return dateTime.HasValue ? dateTime.Value.ToString("yyyy-MM-dd HH:mm") : "n/a";
+        }
    }
 }
+
--- a/winPEAS/winPEASexe/winPEAS/Checks/SoapClientInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/SoapClientInfo.cs
@@ -0,0 +1,88 @@
+using System;
+using System.Collections.Generic;
+using winPEAS.Helpers;
+using winPEAS.Info.ApplicationInfo;
+
+namespace winPEAS.Checks
+{
+    internal class SoapClientInfo : ISystemCheck
+    {
+        public void PrintInfo(bool isDebug)
+        {
+            Beaprint.GreatPrint(".NET SOAP Client Proxies (SOAPwn)");
+
+            CheckRunner.Run(PrintSoapClientFindings, isDebug);
+        }
+
+        private static void PrintSoapClientFindings()
+        {
+            try
+            {
+                Beaprint.MainPrint("Potential SOAPwn / HttpWebClientProtocol abuse surfaces");
+                Beaprint.LinkPrint(
+                    "https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/",
+                    "Look for .NET services that let attackers control SoapHttpClientProtocol URLs or WSDL imports to coerce NTLM or drop files.");
+
+                List<SoapClientProxyFinding> findings = SoapClientProxyAnalyzer.CollectFindings();
+                if (findings.Count == 0)
+                {
+                    Beaprint.NotFoundPrint();
+                    return;
+                }
+
+                foreach (SoapClientProxyFinding finding in findings)
+                {
+                    string severity = finding.BinaryIndicators.Contains("ServiceDescriptionImporter")
+                        ? "Dynamic WSDL import"
+                        : "SOAP proxy usage";
+
+                    Beaprint.BadPrint($"    [{severity}] {finding.BinaryPath}");
+
+                    foreach (SoapClientProxyInstance instance in finding.Instances)
+                    {
+                        string instanceInfo = $"        -> {instance.SourceType}: {instance.Name}";
+                        if (!string.IsNullOrEmpty(instance.Account))
+                        {
+                            instanceInfo += $" ({instance.Account})";
+                        }
+                        if (!string.IsNullOrEmpty(instance.Extra))
+                        {
+                            instanceInfo += $" | {instance.Extra}";
+                        }
+
+                        Beaprint.GrayPrint(instanceInfo);
+                    }
+
+                    if (finding.BinaryIndicators.Count > 0)
+                    {
+                        Beaprint.BadPrint("        Binary indicators: " + string.Join(", ", finding.BinaryIndicators));
+                    }
+
+                    if (finding.ConfigIndicators.Count > 0)
+                    {
+                        string configLabel = string.IsNullOrEmpty(finding.ConfigPath)
+                            ? "Config indicators"
+                            : $"Config indicators ({finding.ConfigPath})";
+                        Beaprint.BadPrint("        " + configLabel + ": " + string.Join(", ", finding.ConfigIndicators));
+                    }
+
+                    if (finding.BinaryScanFailed)
+                    {
+                        Beaprint.GrayPrint("        (Binary scan skipped due to access/size limits)");
+                    }
+
+                    if (finding.ConfigScanFailed)
+                    {
+                        Beaprint.GrayPrint("        (Unable to read config file)");
+                    }
+
+                    Beaprint.PrintLineSeparator();
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+    }
+}
--- a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
@@ -2,6 +2,7 @@
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
+using System.Management;
 using System.Reflection;
 using System.Runtime.InteropServices;
 using System.Text.RegularExpressions;
@@ -81,12 +82,15 @@ namespace winPEAS.Checks
                PrintKrbRelayUp,
                PrintInsideContainer,
                PrintAlwaysInstallElevated,
+                PrintObjectManagerRaceAmplification,
                PrintLSAInfo,
                PrintNtlmSettings,
                PrintLocalGroupPolicy,
+                PrintPotentialGPOAbuse,
                AppLockerHelper.PrintAppLockerPolicy,
                PrintPrintersWMIInfo,
                PrintNamedPipes,
+                PrintNamedPipeAbuseCandidates,
                PrintAMSIProviders,
                PrintSysmon,
                PrintDotNetVersions
@@ -560,27 +564,66 @@ namespace winPEAS.Checks
            {
                Beaprint.MainPrint("Checking WSUS");
                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wsus");
-                string path = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate";
-                string path2 = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU";
-                string HKLM_WSUS = RegistryHelper.GetRegValue("HKLM", path, "WUServer");
-                string using_HKLM_WSUS = RegistryHelper.GetRegValue("HKLM", path2, "UseWUServer");
-                if (HKLM_WSUS.Contains("http://"))
+                string policyPath = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate";
+                string policyAUPath = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU";
+                string wsusPolicyValue = RegistryHelper.GetRegValue("HKLM", policyPath, "WUServer");
+                string useWUServerValue = RegistryHelper.GetRegValue("HKLM", policyAUPath, "UseWUServer");
+
+                if (!string.IsNullOrEmpty(wsusPolicyValue) && wsusPolicyValue.StartsWith("http://", StringComparison.OrdinalIgnoreCase))
                {
-                    Beaprint.BadPrint("    WSUS is using http: " + HKLM_WSUS);
+                    Beaprint.BadPrint("    WSUS is using http: " + wsusPolicyValue);
                    Beaprint.InfoPrint("You can test https://github.com/pimps/wsuxploit to escalate privileges");
-                    if (using_HKLM_WSUS == "1")
+                    if (useWUServerValue == "1")
                        Beaprint.BadPrint("    And UseWUServer is equals to 1, so it is vulnerable!");
-                    else if (using_HKLM_WSUS == "0")
+                    else if (useWUServerValue == "0")
                        Beaprint.GoodPrint("    But UseWUServer is equals to 0, so it is not vulnerable!");
                    else
-                        Console.WriteLine("    But UseWUServer is equals to " + using_HKLM_WSUS + ", so it may work or not");
+                        Console.WriteLine("    But UseWUServer is equals to " + useWUServerValue + ", so it may work or not");
                }
                else
                {
-                    if (string.IsNullOrEmpty(HKLM_WSUS))
+                    if (string.IsNullOrEmpty(wsusPolicyValue))
                        Beaprint.NotFoundPrint();
                    else
-                        Beaprint.GoodPrint("    WSUS value: " + HKLM_WSUS);
+                        Beaprint.GoodPrint("    WSUS value: " + wsusPolicyValue);
+                }
+
+                if (!string.IsNullOrEmpty(wsusPolicyValue))
+                {
+                    bool clientsForced = useWUServerValue == "1";
+                    if (clientsForced)
+                    {
+                        Beaprint.BadPrint("    CVE-2025-59287: Clients talk to WSUS at " + wsusPolicyValue + " (UseWUServer=1). Unpatched WSUS allows unauthenticated deserialization to SYSTEM.");
+                    }
+                    else
+                    {
+                        Beaprint.InfoPrint("    CVE-2025-59287: WSUS endpoint discovered at " + wsusPolicyValue + ". Confirm patch level before attempting exploitation.");
+                        if (!string.IsNullOrEmpty(useWUServerValue))
+                            Beaprint.InfoPrint("    UseWUServer is set to " + useWUServerValue + ", clients may still reach Microsoft Update.");
+                    }
+                }
+
+                string wsusSetupPath = @"SOFTWARE\Microsoft\Update Services\Server\Setup";
+                string wsusVersion = RegistryHelper.GetRegValue("HKLM", wsusSetupPath, "VersionString");
+                string wsusInstallPath = RegistryHelper.GetRegValue("HKLM", wsusSetupPath, "InstallPath");
+                bool wsusRoleDetected = !string.IsNullOrEmpty(wsusVersion) || !string.IsNullOrEmpty(wsusInstallPath);
+
+                if (TryGetServiceStateAndAccount("WSUSService", out string wsusServiceState, out string wsusServiceAccount))
+                {
+                    wsusRoleDetected = true;
+                    string serviceMsg = "    WSUSService status: " + wsusServiceState;
+                    if (!string.IsNullOrEmpty(wsusServiceAccount))
+                        serviceMsg += " (runs as " + wsusServiceAccount + ")";
+                    Beaprint.BadPrint(serviceMsg);
+                }
+
+                if (wsusRoleDetected)
+                {
+                    if (!string.IsNullOrEmpty(wsusVersion))
+                        Beaprint.BadPrint("    WSUS Server version: " + wsusVersion + " (verify patch level for CVE-2025-59287).");
+                    if (!string.IsNullOrEmpty(wsusInstallPath))
+                        Beaprint.InfoPrint("    WSUS install path: " + wsusInstallPath);
+                    Beaprint.BadPrint("    CVE-2025-59287: Local WSUS server exposes an unauthenticated deserialization surface reachable over HTTP(S). Patch or restrict access.");
                }
            }
            catch (Exception ex)
@@ -589,6 +632,32 @@ namespace winPEAS.Checks
            }
        }

+        private static bool TryGetServiceStateAndAccount(string serviceName, out string state, out string account)
+        {
+            state = string.Empty;
+            account = string.Empty;
+
+            try
+            {
+                string query = $"SELECT Name, State, StartName FROM Win32_Service WHERE Name='{serviceName.Replace("'", "''")}'";
+                using (var searcher = new ManagementObjectSearcher(@"root\cimv2", query))
+                {
+                    foreach (ManagementObject service in searcher.Get())
+                    {
+                        state = service["State"]?.ToString() ?? string.Empty;
+                        account = service["StartName"]?.ToString() ?? string.Empty;
+                        return true;
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+
+            return false;
+        }
+
        static void PrintKrbRelayUp()
        {
            try
@@ -666,6 +735,31 @@ namespace winPEAS.Checks
            }
        }

+        static void PrintObjectManagerRaceAmplification()
+        {
+            try
+            {
+                Beaprint.MainPrint("Object Manager race-window amplification primitives");
+                Beaprint.LinkPrint("https://projectzero.google/2025/12/windows-exploitation-techniques.html", "Project Zero write-up:");
+
+                if (ObjectManagerHelper.TryCreateSessionEvent(out var objectName, out var error))
+                {
+                    Beaprint.BadPrint($"    Created a test named event ({objectName}) under \\BaseNamedObjects.");
+                    Beaprint.InfoPrint("    -> Low-privileged users can slow NtOpen*/NtCreate* lookups using ~32k-character names or ~16k-level directory chains.");
+                    Beaprint.InfoPrint("    -> Point attacker-controlled symbolic links to the slow path to stretch kernel race windows.");
+                    Beaprint.InfoPrint("    -> Use this whenever a bug follows check -> NtOpenX -> privileged action patterns.");
+                }
+                else
+                {
+                    Beaprint.InfoPrint($"    Could not create a test event under \\BaseNamedObjects ({error}). The namespace might be locked down.");
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+
        private static void PrintNtlmSettings()
        {
            Beaprint.MainPrint($"Enumerating NTLM Settings");
@@ -790,6 +884,48 @@ namespace winPEAS.Checks
            }
        }

+
+        private static void PrintNamedPipeAbuseCandidates()
+        {
+            Beaprint.MainPrint("Named Pipes with Low-Priv Write Access to Privileged Servers");
+
+            try
+            {
+                var candidates = NamedPipeSecurityAnalyzer.GetNamedPipeAbuseCandidates().ToList();
+
+                if (!candidates.Any())
+                {
+                    Beaprint.NoColorPrint("      No risky named pipe ACLs were found.\n");
+                    return;
+                }
+
+                foreach (var candidate in candidates)
+                {
+                    var aclSummary = candidate.LowPrivilegeAces.Any()
+                        ? string.Join("; ", candidate.LowPrivilegeAces.Select(ace =>
+                            $"{ace.Principal} [{ace.RightsDescription}]").Where(s => !string.IsNullOrEmpty(s)))
+                        : "Unknown";
+
+                    var serverSummary = candidate.Processes.Any()
+                        ? string.Join("; ", candidate.Processes.Select(proc =>
+                            $"{proc.ProcessName} (PID {proc.Pid}, {proc.UserName ?? proc.UserSid})"))
+                        : "No privileged handles observed (service idle or access denied)";
+
+                    var color = candidate.HasPrivilegedServer ? Beaprint.ansi_color_bad : Beaprint.ansi_color_yellow;
+
+                    Beaprint.ColorPrint($"    \\\\.\\pipe\\{candidate.Name}", color);
+                    Beaprint.NoColorPrint($"      Low-priv ACLs  : {aclSummary}");
+                    Beaprint.NoColorPrint($"      Observed owners: {serverSummary}");
+                    Beaprint.NoColorPrint($"      SDDL           : {candidate.Sddl}");
+                    Beaprint.PrintLineSeparator();
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+
        private void PrintAMSIProviders()
        {
            Beaprint.MainPrint("Enumerating AMSI registered providers");
@@ -1131,6 +1267,94 @@ namespace winPEAS.Checks
            }
        }

+        private static void PrintPotentialGPOAbuse()
+        {
+            try
+            {
+                Beaprint.MainPrint("Potential GPO abuse vectors (applied domain GPOs writable by current user)");
+
+                if (!Checks.IsPartOfDomain)
+                {
+                    Beaprint.NoColorPrint("    Host is not joined to a domain or domain info is unavailable.");
+                    return;
+                }
+
+                // Build a friendly group list for the current user to quickly spot interesting memberships
+                var currentGroups = winPEAS.Info.UserInfo.User.GetUserGroups(Checks.CurrentUserName, Checks.CurrentUserDomainName) ?? new System.Collections.Generic.List<string>();
+                var hasGPCO = currentGroups.Any(g => string.Equals(g, "Group Policy Creator Owners", System.StringComparison.InvariantCultureIgnoreCase));
+
+                if (hasGPCO)
+                {
+                    Beaprint.BadPrint("    [!] Current user is member of 'Group Policy Creator Owners' — can create/own new GPOs. If you can link a GPO to an OU that applies here, you can execute code as SYSTEM via scheduled task/startup script.");
+                }
+
+                var infos = GroupPolicy.GetLocalGroupPolicyInfos();
+
+                bool anyFinding = false;
+                foreach (var info in infos)
+                {
+                    var fileSysPath = info.FileSysPath?.ToString();
+                    if (string.IsNullOrEmpty(fileSysPath))
+                    {
+                        continue;
+                    }
+
+                    // Only look at domain GPOs stored in SYSVOL
+                    var isSysvolPath = fileSysPath.StartsWith(@"\", System.StringComparison.InvariantCultureIgnoreCase) &&
+                                       fileSysPath.IndexOf(@"\SysVol\", System.StringComparison.InvariantCultureIgnoreCase) >= 0 &&
+                                       fileSysPath.IndexOf(@"\Policies\", System.StringComparison.InvariantCultureIgnoreCase) >= 0;
+
+                    if (!isSysvolPath)
+                    {
+                        continue;
+                    }
+
+                    // Check write/equivalent permissions on common abuse locations inside the GPO
+                    var pathsToCheck = new System.Collections.Generic.List<string>
+                    {
+                        fileSysPath,
+                        System.IO.Path.Combine(fileSysPath, @"Machine\Scripts\Startup"),
+                        System.IO.Path.Combine(fileSysPath, @"User\Scripts\Logon"),
+                        System.IO.Path.Combine(fileSysPath, @"Machine\Preferences\ScheduledTasks")
+                    };
+
+                    foreach (var p in pathsToCheck)
+                    {
+                        var perms = PermissionsHelper.GetPermissionsFolder(p, Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
+                        if (perms != null && perms.Count > 0)
+                        {
+                            if (!anyFinding)
+                            {
+                                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/gpo-abuse.html", "Why it matters");
+                            }
+                            anyFinding = true;
+                            Beaprint.BadPrint($"    [!] Writable applied GPO detected");
+                            Beaprint.NoColorPrint($"        GPO Display Name : {info.DisplayName}");
+                            Beaprint.NoColorPrint($"        GPO Name         : {info.GPOName}");
+                            Beaprint.NoColorPrint($"        GPO Link         : {info.Link}");
+                            Beaprint.NoColorPrint($"        Path             : {p}");
+                            foreach (var entry in perms)
+                            {
+                                Beaprint.NoColorPrint($"          -> {entry}");
+                            }
+                            Beaprint.GrayPrint("        Hint: Abuse by adding an immediate Scheduled Task or Startup script to execute as SYSTEM on gpupdate.");
+                        }
+                    }
+                }
+
+                if (!anyFinding && !hasGPCO)
+                {
+                    Beaprint.NoColorPrint("    No obvious GPO abuse via writable SYSVOL paths or GPCO membership detected.");
+                }
+            }
+            catch (Exception ex)
+            {
+                // Avoid noisy stack traces in normal runs
+                Beaprint.GrayPrint($"    [!] Error while checking potential GPO abuse: {ex.Message}");
+            }
+        }
+
+
        private static void PrintPowerShellSessionSettings()
        {
            try
--- a/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs
@@ -156,15 +156,63 @@ namespace winPEAS.Checks
            try
            {
                Beaprint.MainPrint("RDP Sessions");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/credentials-mgmt/rdp-sessions", "Disconnected high-privilege RDP sessions keep reusable tokens inside LSASS.");
                List<Dictionary<string, string>> rdp_sessions = UserInfoHelper.GetRDPSessions();
                if (rdp_sessions.Count > 0)
                {
-                    string format = "    {0,-10}{1,-15}{2,-15}{3,-25}{4,-10}{5}";
-                    string header = string.Format(format, "SessID", "pSessionName", "pUserName", "pDomainName", "State", "SourceIP");
+                    string format = "    {0,-8}{1,-15}{2,-20}{3,-22}{4,-15}{5,-18}{6,-10}";
+                    string header = string.Format(format, "SessID", "Session", "User", "Domain", "State", "SourceIP", "HighPriv");
                    Beaprint.GrayPrint(header);
+                    var colors = ColorsU();
+                    List<Dictionary<string, string>> flaggedSessions = new List<Dictionary<string, string>>();
                    foreach (Dictionary<string, string> rdpSes in rdp_sessions)
                    {
-                        Beaprint.AnsiPrint(string.Format(format, rdpSes["SessionID"], rdpSes["pSessionName"], rdpSes["pUserName"], rdpSes["pDomainName"], rdpSes["State"], rdpSes["SourceIP"]), ColorsU());
+                        rdpSes.TryGetValue("SessionID", out string sessionId);
+                        rdpSes.TryGetValue("pSessionName", out string sessionName);
+                        rdpSes.TryGetValue("pUserName", out string userName);
+                        rdpSes.TryGetValue("pDomainName", out string domainName);
+                        rdpSes.TryGetValue("State", out string state);
+                        rdpSes.TryGetValue("SourceIP", out string sourceIp);
+
+                        sessionId = sessionId ?? string.Empty;
+                        sessionName = sessionName ?? string.Empty;
+                        userName = userName ?? string.Empty;
+                        domainName = domainName ?? string.Empty;
+                        state = state ?? string.Empty;
+                        sourceIp = sourceIp ?? string.Empty;
+
+                        bool isHighPriv = UserInfoHelper.IsHighPrivilegeAccount(userName, domainName);
+                        string highPrivLabel = isHighPriv ? "Yes" : "No";
+                        rdpSes["HighPriv"] = highPrivLabel;
+
+                        if (isHighPriv && string.Equals(state, "Disconnected", StringComparison.OrdinalIgnoreCase))
+                        {
+                            flaggedSessions.Add(rdpSes);
+                        }
+
+                        Beaprint.AnsiPrint(string.Format(format, sessionId, sessionName, userName, domainName, state, sourceIp, highPrivLabel), colors);
+                    }
+
+                    if (flaggedSessions.Count > 0)
+                    {
+                        Beaprint.BadPrint("    [!] Disconnected high-privilege RDP sessions detected. Their credentials/tokens stay in LSASS until the user signs out.");
+                        foreach (Dictionary<string, string> session in flaggedSessions)
+                        {
+                            session.TryGetValue("pDomainName", out string flaggedDomain);
+                            session.TryGetValue("pUserName", out string flaggedUser);
+                            session.TryGetValue("SessionID", out string flaggedSessionId);
+                            session.TryGetValue("SourceIP", out string flaggedIp);
+
+                            flaggedDomain = flaggedDomain ?? string.Empty;
+                            flaggedUser = flaggedUser ?? string.Empty;
+                            flaggedSessionId = flaggedSessionId ?? string.Empty;
+                            flaggedIp = flaggedIp ?? string.Empty;
+
+                            string userDisplay = string.Format("{0}\\{1}", flaggedDomain, flaggedUser).Trim('\\');
+                            string source = string.IsNullOrEmpty(flaggedIp) ? "local" : flaggedIp;
+                            Beaprint.BadPrint(string.Format("        -> Session {0} ({1}) from {2}", flaggedSessionId, userDisplay, source));
+                        }
+                        Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/credentials-mgmt/rdp-sessions", "Dump LSASS / steal tokens (e.g., comsvcs.dll, LsaLogonSessions, custom SSPs) to reuse those privileges.");
                    }
                }
                else
--- a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs
+++ b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs
@@ -31,7 +31,7 @@ namespace winPEAS.Helpers
        public static string ansi_current_user = MAGENTA;

        private static string Advisory =
-            "winpeas should be used for authorized penetration testing and/or educational purposes only." +
+            "winpeas should be used for authorized penetration testing and/or educational purposes only. " +
            "Any misuse of this software will not be the responsibility of the author or of any other collaborator. " +
            "Use it at your own devices and/or with the device owner's permission.";

@@ -129,6 +129,7 @@ namespace winPEAS.Helpers
            Console.WriteLine(LCYAN + "        servicesinfo" + GRAY + "         Search services information" + NOCOLOR);
            Console.WriteLine(LCYAN + "        applicationsinfo" + GRAY + "     Search installed applications information" + NOCOLOR);
            Console.WriteLine(LCYAN + "        networkinfo" + GRAY + "          Search network information" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        activedirectoryinfo" + GRAY + "   Quick AD checks (gMSA readable passwords, AD CS template rights)" + NOCOLOR);
            Console.WriteLine(LCYAN + "        cloudinfo" + GRAY + "            Enumerate cloud information" + NOCOLOR);
            Console.WriteLine(LCYAN + "        windowscreds" + GRAY + "         Search windows credentials" + NOCOLOR);
            Console.WriteLine(LCYAN + "        browserinfo" + GRAY + "          Search browser information" + NOCOLOR);
--- a/winPEAS/winPEASexe/winPEAS/Helpers/HandlesHelper.cs
+++ b/winPEAS/winPEASexe/winPEAS/Helpers/HandlesHelper.cs
@@ -12,6 +12,7 @@ namespace winPEAS.Helpers
        private const int CNST_SYSTEM_EXTENDED_HANDLE_INFORMATION = 64;
        public const uint STATUS_INFO_LENGTH_MISMATCH = 0xC0000004;
        public const int DUPLICATE_SAME_ACCESS = 0x2;
+        public const string elevatedProcess = "Access denied, process is probably elevated";

        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        public struct FILE_NAME_INFO
@@ -171,7 +172,7 @@ namespace winPEAS.Helpers
                // Hex perms from https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights and https://github.com/buffer/maltracer/blob/master/defines.py

                //PROCESS_ALL_ACCESS
-                if ((h.GrantedAccess & 0x001F0FFF) == h.GrantedAccess)
+                if ((h.GrantedAccess & 0x001F0FFF) == h.GrantedAccess || (h.GrantedAccess & 0x1FFFFF) == h.GrantedAccess)
                {
                    vulnHandler.isVuln = true;
                    vulnHandler.reason = "PROCESS_ALL_ACCESS";
@@ -454,6 +455,8 @@ namespace winPEAS.Helpers
            }
            catch
            {
+                data["name"] = elevatedProcess;
+                data["sid"] = elevatedProcess;
                return data;
            }
            finally
@@ -469,12 +472,32 @@ namespace winPEAS.Helpers
        public static PT_RELEVANT_INFO getProcInfoById(int pid)
        {
            PT_RELEVANT_INFO pri = new PT_RELEVANT_INFO();
+            Process proc;

-            Process proc = Process.GetProcessById(pid);
+            try
+            {
+                proc = Process.GetProcessById(pid);
+            }
+            catch
+            {
+                pri.pid = pid;
+                pri.name = "Error, process may not exist";
+                pri.userName = "Error, process may not exist";
+                pri.userSid = "Error, process may not exist";
+                pri.imagePath = "Error, process may not exist";
+                return pri;
+            }
            Dictionary<string, string> user = GetProcU(proc);
-
            StringBuilder fileName = new StringBuilder(2000);
-            Native.Psapi.GetProcessImageFileName(proc.Handle, fileName, 2000);
+
+            try
+            {
+                Native.Psapi.GetProcessImageFileName(proc.Handle, fileName, 2000);
+            }
+            catch
+            {
+                fileName = new StringBuilder(elevatedProcess);
+            }

            pri.pid = pid;
            pri.name = proc.ProcessName;
--- a/winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs
+++ b/winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs
@@ -24,36 +24,51 @@ namespace winPEAS.Helpers
        ////////////////////////////////////
        /////// MISC - Files & Paths ///////
        ////////////////////////////////////
-        public static bool CheckIfDotNet(string path)
+        public static bool CheckIfDotNet(string path, bool ignoreCompanyName = false)
        {
            bool isDotNet = false;
-            FileVersionInfo myFileVersionInfo = FileVersionInfo.GetVersionInfo(path);
-            string companyName = myFileVersionInfo.CompanyName;
-            if ((string.IsNullOrEmpty(companyName)) ||
-                (!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase)))
+            string companyName = string.Empty;
+
+            try
            {
-                try
+                FileVersionInfo myFileVersionInfo = FileVersionInfo.GetVersionInfo(path);
+                companyName = myFileVersionInfo.CompanyName;
+            }
+            catch
+            {
+                // Unable to read version information, continue with assembly inspection
+            }
+
+            bool shouldInspectAssembly = ignoreCompanyName ||
+                (string.IsNullOrEmpty(companyName)) ||
+                (!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase));
+
+            if (!shouldInspectAssembly)
+            {
+                return false;
+            }
+
+            try
+            {
+                AssemblyName.GetAssemblyName(path);
+                isDotNet = true;
+            }
+            catch (System.IO.FileNotFoundException)
+            {
+                // System.Console.WriteLine("The file cannot be found.");
+            }
+            catch (System.BadImageFormatException exception)
+            {
+                if (Regex.IsMatch(exception.Message,
+                    ".*This assembly is built by a runtime newer than the currently loaded runtime and cannot be loaded.*",
+                    RegexOptions.IgnoreCase))
                {
-                    AssemblyName myAssemblyName = AssemblyName.GetAssemblyName(path);
                    isDotNet = true;
                }
-                catch (System.IO.FileNotFoundException)
-                {
-                    // System.Console.WriteLine("The file cannot be found.");
-                }
-                catch (System.BadImageFormatException exception)
-                {
-                    if (Regex.IsMatch(exception.Message,
-                        ".*This assembly is built by a runtime newer than the currently loaded runtime and cannot be loaded.*",
-                        RegexOptions.IgnoreCase))
-                    {
-                        isDotNet = true;
-                    }
-                }
-                catch
-                {
-                    // System.Console.WriteLine("The assembly has already been loaded.");
-                }
+            }
+            catch
+            {
+                // System.Console.WriteLine("The assembly has already been loaded.");
            }

            return isDotNet;
--- a/winPEAS/winPEASexe/winPEAS/Helpers/ObjectManagerHelper.cs
+++ b/winPEAS/winPEASexe/winPEAS/Helpers/ObjectManagerHelper.cs
@@ -0,0 +1,34 @@
+using System;
+using System.Diagnostics;
+using System.Threading;
+
+namespace winPEAS.Helpers
+{
+    internal static class ObjectManagerHelper
+    {
+        public static bool TryCreateSessionEvent(out string objectName, out string error)
+        {
+            objectName = $"PEAS_OMNS_{Process.GetCurrentProcess().Id}_{Guid.NewGuid():N}";
+            error = string.Empty;
+
+            try
+            {
+                using (var handle = new EventWaitHandle(initialState: false, EventResetMode.ManualReset, objectName, out var createdNew))
+                {
+                    if (!createdNew)
+                    {
+                        error = "A test event with the generated name already existed.";
+                        return false;
+                    }
+                }
+
+                return true;
+            }
+            catch (Exception ex)
+            {
+                error = ex.Message;
+                return false;
+            }
+        }
+    }
+}
--- a/winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/SoapClientProxyAnalyzer.cs
+++ b/winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/SoapClientProxyAnalyzer.cs
@@ -0,0 +1,369 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Management;
+using System.Text;
+using winPEAS.Helpers;
+using winPEAS.Info.ProcessInfo;
+
+namespace winPEAS.Info.ApplicationInfo
+{
+    internal class SoapClientProxyInstance
+    {
+        public string SourceType { get; set; }
+        public string Name { get; set; }
+        public string Account { get; set; }
+        public string Extra { get; set; }
+    }
+
+    internal class SoapClientProxyFinding
+    {
+        public string BinaryPath { get; set; }
+        public List<SoapClientProxyInstance> Instances { get; } = new List<SoapClientProxyInstance>();
+        public HashSet<string> BinaryIndicators { get; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+        public HashSet<string> ConfigIndicators { get; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+        public string ConfigPath { get; set; }
+        public bool BinaryScanFailed { get; set; }
+        public bool ConfigScanFailed { get; set; }
+    }
+
+    internal static class SoapClientProxyAnalyzer
+    {
+        private class SoapClientProxyCandidate
+        {
+            public string BinaryPath { get; set; }
+            public string SourceType { get; set; }
+            public string Name { get; set; }
+            public string Account { get; set; }
+            public string Extra { get; set; }
+        }
+
+        private static readonly string[] BinaryIndicatorStrings = new[]
+        {
+            "SoapHttpClientProtocol",
+            "HttpWebClientProtocol",
+            "DiscoveryClientProtocol",
+            "HttpSimpleClientProtocol",
+            "HttpGetClientProtocol",
+            "HttpPostClientProtocol",
+            "ServiceDescriptionImporter",
+            "System.Web.Services.Description.ServiceDescriptionImporter",
+        };
+
+        private static readonly Dictionary<string, string> ConfigIndicatorMap = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
+        {
+            { "soap:address", "soap:address element present" },
+            { "soap12:address", "soap12:address element present" },
+            { "?wsdl", "?wsdl reference" },
+            { "<wsdl:", "WSDL schema embedded in config" },
+            { "servicedescriptionimporter", "ServiceDescriptionImporter referenced in config" },
+            { "system.web.services.description", "System.Web.Services.Description namespace referenced" },
+            { "new-webserviceproxy", "PowerShell New-WebServiceProxy referenced" },
+            { "file://", "file:// scheme referenced" },
+        };
+
+        private const long MaxBinaryScanSize = 200 * 1024 * 1024; // 200MB
+        private static readonly object DotNetCacheLock = new object();
+        private static readonly Dictionary<string, bool> DotNetCache = new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase);
+
+        public static List<SoapClientProxyFinding> CollectFindings()
+        {
+            var findings = new Dictionary<string, SoapClientProxyFinding>(StringComparer.OrdinalIgnoreCase);
+
+            foreach (var candidate in EnumerateServiceCandidates().Concat(EnumerateProcessCandidates()))
+            {
+                if (string.IsNullOrEmpty(candidate.BinaryPath) || !File.Exists(candidate.BinaryPath))
+                {
+                    continue;
+                }
+
+                if (!findings.TryGetValue(candidate.BinaryPath, out var finding))
+                {
+                    finding = new SoapClientProxyFinding
+                    {
+                        BinaryPath = candidate.BinaryPath,
+                    };
+
+                    findings.Add(candidate.BinaryPath, finding);
+                }
+
+                finding.Instances.Add(new SoapClientProxyInstance
+                {
+                    SourceType = candidate.SourceType,
+                    Name = candidate.Name,
+                    Account = string.IsNullOrEmpty(candidate.Account) ? "Unknown" : candidate.Account,
+                    Extra = candidate.Extra ?? string.Empty,
+                });
+            }
+
+            foreach (var finding in findings.Values)
+            {
+                ScanBinaryIndicators(finding);
+                ScanConfigIndicators(finding);
+            }
+
+            return findings.Values
+                .Where(f => f.BinaryIndicators.Count > 0 || f.ConfigIndicators.Count > 0)
+                .OrderByDescending(f => f.BinaryIndicators.Contains("ServiceDescriptionImporter"))
+                .ThenBy(f => f.BinaryPath, StringComparer.OrdinalIgnoreCase)
+                .ToList();
+        }
+
+        private static IEnumerable<SoapClientProxyCandidate> EnumerateServiceCandidates()
+        {
+            var results = new List<SoapClientProxyCandidate>();
+            try
+            {
+                using (var searcher = new ManagementObjectSearcher(@"root\\cimv2", "SELECT Name, DisplayName, PathName, StartName FROM Win32_Service"))
+                using (var services = searcher.Get())
+                {
+                    foreach (ManagementObject service in services)
+                    {
+                        string pathName = service["PathName"]?.ToString();
+                        string binaryPath = MyUtils.GetExecutableFromPath(pathName ?? string.Empty);
+                        if (string.IsNullOrEmpty(binaryPath) || !File.Exists(binaryPath))
+                            continue;
+
+                        if (!IsDotNetBinary(binaryPath))
+                            continue;
+
+                        results.Add(new SoapClientProxyCandidate
+                        {
+                            BinaryPath = binaryPath,
+                            SourceType = "Service",
+                            Name = service["Name"]?.ToString() ?? string.Empty,
+                            Account = service["StartName"]?.ToString() ?? string.Empty,
+                            Extra = service["DisplayName"]?.ToString() ?? string.Empty,
+                        });
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.GrayPrint("Error while enumerating services for SOAP client analysis: " + ex.Message);
+            }
+
+            return results;
+        }
+
+        private static IEnumerable<SoapClientProxyCandidate> EnumerateProcessCandidates()
+        {
+            var results = new List<SoapClientProxyCandidate>();
+            try
+            {
+                List<Dictionary<string, string>> processes = ProcessesInfo.GetProcInfo();
+                foreach (var proc in processes)
+                {
+                    string path = proc.ContainsKey("ExecutablePath") ? proc["ExecutablePath"] : string.Empty;
+                    if (string.IsNullOrEmpty(path) || !File.Exists(path))
+                        continue;
+
+                    if (!IsDotNetBinary(path))
+                        continue;
+
+                    string owner = proc.ContainsKey("Owner") ? proc["Owner"] : string.Empty;
+                    if (!IsInterestingProcessOwner(owner))
+                        continue;
+
+                    results.Add(new SoapClientProxyCandidate
+                    {
+                        BinaryPath = path,
+                        SourceType = "Process",
+                        Name = proc.ContainsKey("Name") ? proc["Name"] : string.Empty,
+                        Account = owner,
+                        Extra = proc.ContainsKey("ProcessID") ? $"PID {proc["ProcessID"]}" : string.Empty,
+                    });
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.GrayPrint("Error while enumerating processes for SOAP client analysis: " + ex.Message);
+            }
+
+            return results;
+        }
+
+        private static bool IsInterestingProcessOwner(string owner)
+        {
+            if (string.IsNullOrEmpty(owner))
+                return true;
+
+            string normalizedOwner = owner;
+            if (owner.Contains("\\"))
+            {
+                normalizedOwner = owner.Split('\\').Last();
+            }
+
+            return !normalizedOwner.Equals(Environment.UserName, StringComparison.OrdinalIgnoreCase);
+        }
+
+        private static bool IsDotNetBinary(string path)
+        {
+            lock (DotNetCacheLock)
+            {
+                if (DotNetCache.TryGetValue(path, out bool cached))
+                {
+                    return cached;
+                }
+
+                bool result = false;
+                try
+                {
+                    result = MyUtils.CheckIfDotNet(path, true);
+                }
+                catch
+                {
+                }
+
+                DotNetCache[path] = result;
+                return result;
+            }
+        }
+
+        private static void ScanBinaryIndicators(SoapClientProxyFinding finding)
+        {
+            try
+            {
+                FileInfo fi = new FileInfo(finding.BinaryPath);
+                if (!fi.Exists || fi.Length == 0)
+                    return;
+
+                if (fi.Length > MaxBinaryScanSize)
+                {
+                    finding.BinaryScanFailed = true;
+                    return;
+                }
+
+                foreach (var indicator in BinaryIndicatorStrings)
+                {
+                    if (FileContainsString(finding.BinaryPath, indicator))
+                    {
+                        finding.BinaryIndicators.Add(indicator);
+                    }
+                }
+            }
+            catch
+            {
+                finding.BinaryScanFailed = true;
+            }
+        }
+
+        private static void ScanConfigIndicators(SoapClientProxyFinding finding)
+        {
+            string configPath = GetConfigPath(finding.BinaryPath);
+            if (!string.IsNullOrEmpty(configPath) && File.Exists(configPath))
+            {
+                finding.ConfigPath = configPath;
+                try
+                {
+                    string content = File.ReadAllText(configPath);
+                    foreach (var kvp in ConfigIndicatorMap)
+                    {
+                        if (content.IndexOf(kvp.Key, StringComparison.OrdinalIgnoreCase) >= 0)
+                        {
+                            finding.ConfigIndicators.Add(kvp.Value);
+                        }
+                    }
+                }
+                catch
+                {
+                    finding.ConfigScanFailed = true;
+                }
+            }
+
+            string directory = Path.GetDirectoryName(finding.BinaryPath);
+            if (!string.IsNullOrEmpty(directory))
+            {
+                try
+                {
+                    var wsdlFiles = Directory.GetFiles(directory, "*.wsdl", SearchOption.TopDirectoryOnly);
+                    if (wsdlFiles.Length > 0)
+                    {
+                        finding.ConfigIndicators.Add($"Found {wsdlFiles.Length} WSDL file(s) next to binary");
+                    }
+                }
+                catch
+                {
+                    // ignore
+                }
+            }
+        }
+
+        private static string GetConfigPath(string binaryPath)
+        {
+            if (string.IsNullOrEmpty(binaryPath))
+                return string.Empty;
+
+            string candidate = binaryPath + ".config";
+            return File.Exists(candidate) ? candidate : string.Empty;
+        }
+
+        private static bool FileContainsString(string path, string value)
+        {
+            const int bufferSize = 64 * 1024;
+            byte[] pattern = Encoding.UTF8.GetBytes(value);
+            if (pattern.Length == 0)
+                return false;
+
+            try
+            {
+                using (var fs = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.ReadWrite | FileShare.Delete))
+                {
+                    byte[] buffer = new byte[bufferSize + pattern.Length];
+                    int bufferLen = 0;
+                    int bytesRead;
+                    while ((bytesRead = fs.Read(buffer, bufferLen, bufferSize)) > 0)
+                    {
+                        int total = bufferLen + bytesRead;
+                        if (IndexOf(buffer, total, pattern) >= 0)
+                        {
+                            return true;
+                        }
+
+                        if (pattern.Length > 1)
+                        {
+                            bufferLen = Math.Min(pattern.Length - 1, total);
+                            Buffer.BlockCopy(buffer, total - bufferLen, buffer, 0, bufferLen);
+                        }
+                        else
+                        {
+                            bufferLen = 0;
+                        }
+                    }
+                }
+            }
+            catch
+            {
+                return false;
+            }
+
+            return false;
+        }
+
+        private static int IndexOf(byte[] buffer, int bufferLength, byte[] pattern)
+        {
+            int limit = bufferLength - pattern.Length;
+            if (limit < 0)
+                return -1;
+
+            for (int i = 0; i <= limit; i++)
+            {
+                bool match = true;
+                for (int j = 0; j < pattern.Length; j++)
+                {
+                    if (buffer[i + j] != pattern[j])
+                    {
+                        match = false;
+                        break;
+                    }
+                }
+
+                if (match)
+                    return i;
+            }
+
+            return -1;
+        }
+    }
+}
--- a/winPEAS/winPEASexe/winPEAS/Info/ServicesInfo/ServicesInfoHelper.cs
+++ b/winPEAS/winPEASexe/winPEAS/Info/ServicesInfo/ServicesInfoHelper.cs
@@ -2,11 +2,14 @@
 using System;
 using System.Collections.Generic;
 using System.Diagnostics;
+using System.IO;
 using System.Linq;
 using System.Management;
 using System.Reflection;
 using System.Runtime.InteropServices;
 using System.Security.AccessControl;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
 using System.ServiceProcess;
 using System.Text.RegularExpressions;
 using winPEAS.Helpers;
@@ -276,6 +279,109 @@ namespace winPEAS.Info.ServicesInfo
        }


+        private static readonly DateTime LegacyDriverCutoff = new DateTime(2015, 7, 29);
+
+        public static List<KernelDriverInfo> GetKernelDriverInfos()
+        {
+            List<KernelDriverInfo> drivers = new List<KernelDriverInfo>();
+
+            try
+            {
+                using (ManagementObjectSearcher wmiData = new ManagementObjectSearcher(@"root\cimv2", "SELECT Name,DisplayName,PathName,StartMode,State,ServiceType FROM win32_service"))
+                {
+                    using (ManagementObjectCollection data = wmiData.Get())
+                    {
+                        foreach (ManagementObject result in data)
+                        {
+                            string serviceType = GetStringOrEmpty(result["ServiceType"]);
+                            if (string.IsNullOrEmpty(serviceType) || !serviceType.ToLowerInvariant().Contains("kernel driver"))
+                                continue;
+
+                            string binaryPath = MyUtils.ReconstructExecPath(GetStringOrEmpty(result["PathName"]));
+
+                            drivers.Add(new KernelDriverInfo
+                            {
+                                Name = GetStringOrEmpty(result["Name"]),
+                                DisplayName = GetStringOrEmpty(result["DisplayName"]),
+                                StartMode = GetStringOrEmpty(result["StartMode"]),
+                                State = GetStringOrEmpty(result["State"]),
+                                PathName = binaryPath,
+                                Signature = GetDriverSignatureInfo(binaryPath)
+                            });
+                        }
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+
+            return drivers;
+        }
+
+        private static KernelDriverSignatureInfo GetDriverSignatureInfo(string binaryPath)
+        {
+            KernelDriverSignatureInfo info = new KernelDriverSignatureInfo
+            {
+                FilePath = binaryPath,
+                IsSigned = false
+            };
+
+            if (string.IsNullOrEmpty(binaryPath) || !File.Exists(binaryPath))
+            {
+                info.Error = "Binary not found";
+                return info;
+            }
+
+            try
+            {
+                using (var baseCertificate = X509Certificate.CreateFromSignedFile(binaryPath))
+                using (var certificate = new X509Certificate2(baseCertificate))
+                {
+                    info.IsSigned = true;
+                    info.Subject = certificate.Subject;
+                    info.Issuer = certificate.Issuer;
+                    info.NotBefore = certificate.NotBefore;
+                    info.NotAfter = certificate.NotAfter;
+                    info.IsLegacyExpired = certificate.NotAfter < LegacyDriverCutoff;
+                }
+            }
+            catch (CryptographicException cryptoEx)
+            {
+                info.Error = cryptoEx.Message;
+            }
+            catch (Exception ex)
+            {
+                info.Error = ex.Message;
+            }
+
+            return info;
+        }
+
+        internal class KernelDriverInfo
+        {
+            public string Name { get; set; }
+            public string DisplayName { get; set; }
+            public string PathName { get; set; }
+            public string StartMode { get; set; }
+            public string State { get; set; }
+            public KernelDriverSignatureInfo Signature { get; set; }
+        }
+
+        internal class KernelDriverSignatureInfo
+        {
+            public string FilePath { get; set; }
+            public bool IsSigned { get; set; }
+            public string Subject { get; set; }
+            public string Issuer { get; set; }
+            public DateTime? NotBefore { get; set; }
+            public DateTime? NotAfter { get; set; }
+            public bool IsLegacyExpired { get; set; }
+            public string Error { get; set; }
+        }
+
+
        //////////////////////////////////////
        ////////  PATH DLL Hijacking /////////
        //////////////////////////////////////
--- a/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/NamedPipes/NamedPipeSecurityAnalyzer.cs
+++ b/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/NamedPipes/NamedPipeSecurityAnalyzer.cs
@@ -0,0 +1,508 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.AccessControl;
+using System.Security.Principal;
+using winPEAS.Helpers;
+using winPEAS.Native;
+
+namespace winPEAS.Info.SystemInfo.NamedPipes
+{
+    internal static class NamedPipeSecurityAnalyzer
+    {
+        private const string DeviceNamedPipePrefix = @"\Device\NamedPipe\";
+        private static readonly char[] CandidateSeparators = { '\\', '/', '-', ':', '(' };
+
+        private static readonly HashSet<string> LowPrivSidSet = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
+        {
+            "S-1-1-0",      // Everyone
+            "S-1-5-11",     // Authenticated Users
+            "S-1-5-32-545", // Users
+            "S-1-5-32-546", // Guests
+            "S-1-5-32-547", // Power Users
+            "S-1-5-32-554", // Pre-Windows 2000 Compatible Access
+            "S-1-5-32-555", // Remote Desktop Users
+            "S-1-5-32-558", // Performance Log Users
+            "S-1-5-32-559", // Performance Monitor Users
+            "S-1-5-32-562", // Distributed COM Users
+            "S-1-5-32-569", // Remote Management Users
+            "S-1-5-4",      // Interactive
+            "S-1-5-2",      // Network
+            "S-1-5-1",      // Dialup
+            "S-1-5-7"       // Anonymous Logon
+        };
+
+        private static readonly HashSet<string> LowPrivPrincipalKeywords = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
+        {
+            "everyone",
+            "authenticated users",
+            "users",
+            "guests",
+            "power users",
+            "remote desktop users",
+            "remote management users",
+            "distributed com users",
+            "anonymous logon",
+            "interactive",
+            "network",
+            "local",
+            "batch",
+            "iis_iusrs"
+        };
+
+        private static readonly HashSet<string> PrivilegedSidSet = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
+        {
+            "S-1-5-18",      // SYSTEM
+            "S-1-5-19",      // LOCAL SERVICE
+            "S-1-5-20",      // NETWORK SERVICE
+            "S-1-5-32-544"   // Administrators
+        };
+
+        private static readonly (string Label, FileSystemRights Right)[] DangerousRightsMap = new[]
+        {
+            ("FullControl", FileSystemRights.FullControl),
+            ("Modify", FileSystemRights.Modify),
+            ("Write", FileSystemRights.Write),
+            ("WriteData", FileSystemRights.WriteData),
+            ("AppendData", FileSystemRights.AppendData),
+            ("CreateFiles", FileSystemRights.CreateFiles),
+            ("CreateDirectories", FileSystemRights.CreateDirectories),
+            ("WriteAttributes", FileSystemRights.WriteAttributes),
+            ("WriteExtendedAttributes", FileSystemRights.WriteExtendedAttributes),
+            ("Delete", FileSystemRights.Delete),
+            ("ChangePermissions", FileSystemRights.ChangePermissions),
+            ("TakeOwnership", FileSystemRights.TakeOwnership)
+        };
+
+        public static IEnumerable<NamedPipeSecurityIssue> GetNamedPipeAbuseCandidates()
+        {
+            var insecurePipes = DiscoverInsecurePipes();
+            if (!insecurePipes.Any())
+            {
+                return Enumerable.Empty<NamedPipeSecurityIssue>();
+            }
+
+            AttachProcesses(insecurePipes);
+
+            return insecurePipes.Values
+                                .Where(issue => issue.LowPrivilegeAces.Any())
+                                .OrderByDescending(issue => issue.HasPrivilegedServer)
+                                .ThenBy(issue => issue.Name)
+                                .ToList();
+        }
+
+        private static Dictionary<string, NamedPipeSecurityIssue> DiscoverInsecurePipes()
+        {
+            var result = new Dictionary<string, NamedPipeSecurityIssue>(StringComparer.OrdinalIgnoreCase);
+
+            foreach (var pipe in NamedPipes.GetNamedPipeInfos())
+            {
+                if (string.IsNullOrWhiteSpace(pipe.Sddl) || pipe.Sddl.Equals("ERROR", StringComparison.OrdinalIgnoreCase))
+                    continue;
+
+                try
+                {
+                    var descriptor = new RawSecurityDescriptor(pipe.Sddl);
+                    if (descriptor.DiscretionaryAcl == null)
+                        continue;
+
+                    foreach (GenericAce ace in descriptor.DiscretionaryAcl)
+                    {
+                        if (!(ace is CommonAce commonAce))
+                            continue;
+
+                        var sid = commonAce.SecurityIdentifier;
+                        if (sid == null || !IsLowPrivilegePrincipal(sid))
+                            continue;
+
+                        if (!HasDangerousWriteRights(commonAce.AccessMask))
+                            continue;
+
+                        var rights = DescribeRights(commonAce.AccessMask).ToList();
+                        if (!rights.Any())
+                            continue;
+
+                        if (!result.TryGetValue(pipe.Name, out var issue))
+                        {
+                            issue = new NamedPipeSecurityIssue(pipe.Name, pipe.Sddl, NormalizePipeName(pipe.Name));
+                            result[pipe.Name] = issue;
+                        }
+
+                        var account = ResolveSidToName(sid);
+                        issue.AddLowPrivPrincipal(account, sid.Value, rights);
+                    }
+                }
+                catch
+                {
+                    // Ignore malformed SDDL strings
+                }
+            }
+
+            return result;
+        }
+
+        private static void AttachProcesses(Dictionary<string, NamedPipeSecurityIssue> insecurePipes)
+        {
+            if (!insecurePipes.Any())
+                return;
+
+            var lookup = BuildLookup(insecurePipes.Values);
+            if (!lookup.Any())
+                return;
+
+            List<HandlesHelper.SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX> handles;
+            try
+            {
+                handles = HandlesHelper.GetAllHandlers();
+            }
+            catch
+            {
+                return;
+            }
+
+            var currentProcess = Kernel32.GetCurrentProcess();
+            var processCache = new Dictionary<int, NamedPipeProcessInfo>();
+
+            foreach (var handle in handles)
+            {
+                IntPtr processHandle = IntPtr.Zero;
+                IntPtr duplicatedHandle = IntPtr.Zero;
+
+                try
+                {
+                    int pid = GetPid(handle);
+                    if (pid <= 0)
+                        continue;
+
+                    processHandle = Kernel32.OpenProcess(
+                        HandlesHelper.ProcessAccessFlags.DupHandle | HandlesHelper.ProcessAccessFlags.QueryLimitedInformation,
+                        false,
+                        pid);
+
+                    if (processHandle == IntPtr.Zero)
+                        continue;
+
+                    if (!Kernel32.DuplicateHandle(processHandle, handle.HandleValue, currentProcess, out duplicatedHandle, 0, false, HandlesHelper.DUPLICATE_SAME_ACCESS))
+                        continue;
+
+                    var typeName = HandlesHelper.GetObjectType(duplicatedHandle);
+                    if (!string.Equals(typeName, "File", StringComparison.OrdinalIgnoreCase))
+                        continue;
+
+                    var objectName = HandlesHelper.GetObjectName(duplicatedHandle);
+                    if (string.IsNullOrEmpty(objectName) || !objectName.StartsWith(DeviceNamedPipePrefix, StringComparison.OrdinalIgnoreCase))
+                        continue;
+
+                    var normalizedHandleName = NormalizePipeName(objectName.Substring(DeviceNamedPipePrefix.Length));
+                    var candidates = GetCandidateKeys(normalizedHandleName);
+
+                    bool matched = false;
+
+                    foreach (var candidate in candidates)
+                    {
+                        if (!lookup.TryGetValue(candidate, out var matchedIssues))
+                            continue;
+
+                        if (!processCache.TryGetValue(pid, out var processInfo))
+                        {
+                            var raw = HandlesHelper.getProcInfoById(pid);
+                            processInfo = new NamedPipeProcessInfo(raw.pid, raw.name, raw.userName, raw.userSid, IsHighPrivilegeAccount(raw.userSid, raw.userName));
+                            processCache[pid] = processInfo;
+                        }
+
+                        foreach (var issue in matchedIssues)
+                        {
+                            issue.AddProcess(processInfo);
+                        }
+
+                        matched = true;
+                        break;
+                    }
+
+                    if (!matched)
+                        continue;
+                }
+                catch
+                {
+                    // Ignore per-handle failures
+                }
+                finally
+                {
+                    if (duplicatedHandle != IntPtr.Zero)
+                    {
+                        Kernel32.CloseHandle(duplicatedHandle);
+                    }
+                    if (processHandle != IntPtr.Zero)
+                    {
+                        Kernel32.CloseHandle(processHandle);
+                    }
+                }
+            }
+        }
+
+        private static Dictionary<string, List<NamedPipeSecurityIssue>> BuildLookup(IEnumerable<NamedPipeSecurityIssue> issues)
+        {
+            var lookup = new Dictionary<string, List<NamedPipeSecurityIssue>>(StringComparer.OrdinalIgnoreCase);
+
+            foreach (var issue in issues)
+            {
+                foreach (var key in GetCandidateKeys(issue.NormalizedName))
+                {
+                    if (!lookup.TryGetValue(key, out var list))
+                    {
+                        list = new List<NamedPipeSecurityIssue>();
+                        lookup[key] = list;
+                    }
+
+                    if (!list.Contains(issue))
+                    {
+                        list.Add(issue);
+                    }
+                }
+            }
+
+            return lookup;
+        }
+
+        private static IEnumerable<string> GetCandidateKeys(string normalizedName)
+        {
+            if (string.IsNullOrEmpty(normalizedName))
+                return Array.Empty<string>();
+
+            var candidates = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
+            {
+                normalizedName
+            };
+
+            foreach (var separator in CandidateSeparators)
+            {
+                var idx = normalizedName.IndexOf(separator);
+                if (idx > 0)
+                {
+                    candidates.Add(normalizedName.Substring(0, idx));
+                }
+            }
+
+            return candidates;
+        }
+
+        private static string NormalizePipeName(string rawName)
+        {
+            if (string.IsNullOrWhiteSpace(rawName))
+                return string.Empty;
+
+            var normalized = rawName.Replace('/', '\\').Trim();
+            while (normalized.StartsWith("\\", StringComparison.Ordinal))
+            {
+                normalized = normalized.Substring(1);
+            }
+
+            return normalized.ToLowerInvariant();
+        }
+
+        private static bool HasDangerousWriteRights(int accessMask)
+        {
+            var rights = (FileSystemRights)accessMask;
+            foreach (var entry in DangerousRightsMap)
+            {
+                if ((rights & entry.Right) == entry.Right)
+                    return true;
+            }
+
+            return false;
+        }
+
+        private static IEnumerable<string> DescribeRights(int accessMask)
+        {
+            var rights = (FileSystemRights)accessMask;
+            var descriptions = new List<string>();
+
+            foreach (var entry in DangerousRightsMap)
+            {
+                if ((rights & entry.Right) == entry.Right)
+                {
+                    descriptions.Add(entry.Label);
+                    if (entry.Right == FileSystemRights.FullControl)
+                        break;
+                }
+            }
+
+            if (!descriptions.Any())
+            {
+                descriptions.Add($"0x{accessMask:x}");
+            }
+
+            return descriptions;
+        }
+
+        private static bool IsLowPrivilegePrincipal(SecurityIdentifier sid)
+        {
+            if (sid == null)
+                return false;
+
+            if (LowPrivSidSet.Contains(sid.Value))
+                return true;
+
+            var accountName = ResolveSidToName(sid);
+            if (string.IsNullOrEmpty(accountName))
+                return false;
+
+            return LowPrivPrincipalKeywords.Any(keyword => accountName.IndexOf(keyword, StringComparison.OrdinalIgnoreCase) >= 0);
+        }
+
+        private static string ResolveSidToName(SecurityIdentifier sid)
+        {
+            if (sid == null)
+                return string.Empty;
+
+            try
+            {
+                return sid.Translate(typeof(NTAccount)).Value;
+            }
+            catch
+            {
+                return sid.Value;
+            }
+        }
+
+        private static bool IsHighPrivilegeAccount(string sid, string userName)
+        {
+            if (!string.IsNullOrEmpty(sid))
+            {
+                if (PrivilegedSidSet.Contains(sid))
+                    return true;
+
+                if (sid.StartsWith("S-1-5-80-", StringComparison.OrdinalIgnoreCase)) // Service SID
+                    return true;
+
+                if (sid.StartsWith("S-1-5-82-", StringComparison.OrdinalIgnoreCase)) // AppPool / service-like SIDs
+                    return true;
+            }
+
+            if (!string.IsNullOrEmpty(userName))
+            {
+                if (string.Equals(userName, HandlesHelper.elevatedProcess, StringComparison.OrdinalIgnoreCase))
+                    return true;
+
+                var normalized = userName.ToUpperInvariant();
+                if (normalized.Contains("SYSTEM") || normalized.Contains("LOCAL SERVICE") || normalized.Contains("NETWORK SERVICE"))
+                    return true;
+
+                if (normalized.StartsWith("NT SERVICE\\", StringComparison.Ordinal))
+                    return true;
+
+                if (normalized.EndsWith("$", StringComparison.Ordinal) && normalized.Contains("\\"))
+                    return true;
+            }
+
+            return false;
+        }
+
+        private static int GetPid(HandlesHelper.SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle)
+        {
+            unchecked
+            {
+                if (IntPtr.Size == 4)
+                {
+                    return (int)handle.UniqueProcessId.ToUInt32();
+                }
+
+                return (int)handle.UniqueProcessId.ToUInt64();
+            }
+        }
+    }
+
+    internal class NamedPipeSecurityIssue
+    {
+        private readonly Dictionary<string, NamedPipePrincipalAccess> _principalAccess = new Dictionary<string, NamedPipePrincipalAccess>(StringComparer.OrdinalIgnoreCase);
+        private readonly Dictionary<int, NamedPipeProcessInfo> _processes = new Dictionary<int, NamedPipeProcessInfo>();
+
+        public NamedPipeSecurityIssue(string name, string sddl, string normalizedName)
+        {
+            Name = name;
+            Sddl = sddl;
+            NormalizedName = normalizedName;
+        }
+
+        public string Name { get; }
+        public string Sddl { get; }
+        public string NormalizedName { get; }
+
+        public IReadOnlyCollection<NamedPipePrincipalAccess> LowPrivilegeAces => _principalAccess.Values;
+        public IReadOnlyCollection<NamedPipeProcessInfo> Processes => _processes.Values;
+        public bool HasPrivilegedServer => _processes.Values.Any(process => process.IsHighPrivilege);
+
+        public void AddLowPrivPrincipal(string principal, string sid, IEnumerable<string> rights)
+        {
+            if (string.IsNullOrEmpty(sid))
+                return;
+
+            if (!_principalAccess.TryGetValue(sid, out var access))
+            {
+                access = new NamedPipePrincipalAccess(principal, sid);
+                _principalAccess[sid] = access;
+            }
+
+            access.AddRights(rights);
+        }
+
+        public void AddProcess(NamedPipeProcessInfo process)
+        {
+            if (process == null)
+                return;
+
+            if (!_processes.ContainsKey(process.Pid))
+            {
+                _processes[process.Pid] = process;
+            }
+        }
+    }
+
+    internal class NamedPipePrincipalAccess
+    {
+        private readonly HashSet<string> _rights = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+
+        public NamedPipePrincipalAccess(string principal, string sid)
+        {
+            Principal = principal;
+            Sid = sid;
+        }
+
+        public string Principal { get; }
+        public string Sid { get; }
+        public string RightsDescription => _rights.Count == 0 ? string.Empty : string.Join("|", _rights.OrderBy(r => r));
+        public IEnumerable<string> Rights => _rights;
+
+        public void AddRights(IEnumerable<string> rights)
+        {
+            if (rights == null)
+                return;
+
+            foreach (var right in rights)
+            {
+                if (!string.IsNullOrWhiteSpace(right))
+                {
+                    _rights.Add(right.Trim());
+                }
+            }
+        }
+    }
+
+    internal class NamedPipeProcessInfo
+    {
+        public NamedPipeProcessInfo(int pid, string processName, string userName, string userSid, bool isHighPrivilege)
+        {
+            Pid = pid;
+            ProcessName = processName;
+            UserName = userName;
+            UserSid = userSid;
+            IsHighPrivilege = isHighPrivilege;
+        }
+
+        public int Pid { get; }
+        public string ProcessName { get; }
+        public string UserName { get; }
+        public string UserSid { get; }
+        public bool IsHighPrivilege { get; }
+    }
+}
--- a/winPEAS/winPEASexe/winPEAS/Info/UserInfo/UserInfoHelper.cs
+++ b/winPEAS/winPEASexe/winPEAS/Info/UserInfo/UserInfoHelper.cs
@@ -16,6 +16,20 @@ namespace winPEAS.Info.UserInfo
 {
    class UserInfoHelper
    {
+        private static readonly Dictionary<string, bool> _highPrivAccountCache = new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase);
+        private static readonly string[] _highPrivGroupIndicators = new string[]
+        {
+            "administrators",
+            "domain admins",
+            "enterprise admins",
+            "schema admins",
+            "server operators",
+            "account operators",
+            "backup operators",
+            "dnsadmins",
+            "hyper-v administrators"
+        };
+
        // https://stackoverflow.com/questions/5247798/get-list-of-local-computer-usernames-in-windows


@@ -91,6 +105,65 @@ namespace winPEAS.Info.UserInfo
            return oPrincipalContext;
        }

+        public static bool IsHighPrivilegeAccount(string userName, string domain)
+        {
+            if (string.IsNullOrWhiteSpace(userName))
+            {
+                return false;
+            }
+
+            string cacheKey = ($"{domain}\\{userName}").Trim('\\');
+            if (_highPrivAccountCache.TryGetValue(cacheKey, out bool cached))
+            {
+                return cached;
+            }
+
+            bool isHighPriv = false;
+            try
+            {
+                string resolvedDomain = string.IsNullOrWhiteSpace(domain) ? Checks.Checks.CurrentUserDomainName : domain;
+                List<string> groups = User.GetUserGroups(userName, resolvedDomain);
+                foreach (string group in groups)
+                {
+                    if (IsHighPrivilegeGroup(group))
+                    {
+                        isHighPriv = true;
+                        break;
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.GrayPrint(string.Format("  [-] Unable to resolve groups for {0}\\{1}: {2}", domain, userName, ex.Message));
+            }
+
+            if (!isHighPriv)
+            {
+                isHighPriv = string.Equals(userName, "administrator", StringComparison.OrdinalIgnoreCase) || userName.StartsWith("admin", StringComparison.OrdinalIgnoreCase);
+            }
+
+            _highPrivAccountCache[cacheKey] = isHighPriv;
+            return isHighPriv;
+        }
+
+        private static bool IsHighPrivilegeGroup(string groupName)
+        {
+            if (string.IsNullOrWhiteSpace(groupName))
+            {
+                return false;
+            }
+
+            foreach (string indicator in _highPrivGroupIndicators)
+            {
+                if (groupName.IndexOf(indicator, StringComparison.OrdinalIgnoreCase) >= 0)
+                {
+                    return true;
+                }
+            }
+
+            return false;
+        }
+
        //From Seatbelt
        public enum WTS_CONNECTSTATE_CLASS
        {
--- a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj
+++ b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj
--- a/winPEAS/winPEASps1/README.md
+++ b/winPEAS/winPEASps1/README.md
@@ -19,6 +19,14 @@ Download the **[latest releas from here](https://github.com/peass-ng/PEASS-ng/re
 powershell "IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')"
 ```

+
+## Recent Updates
+
+- Added Active Directory awareness checks to highlight Kerberos-only environments (NTLM restrictions) and time skew issues before attempting ticket-based attacks.
+- winPEAS.ps1 now reviews AD-integrated DNS ACLs to flag zones where low-privileged users can register/modify records (dynamic DNS hijack risk).
+- Enumerates high-value SPN accounts and weak gMSA password readers so you can immediately target Kerberoastable admins or abused service accounts.
+- Surfaces Schannel certificate mapping settings to warn about ESC10-style certificate abuse opportunities when UPN mapping is enabled.
+
 ## Advisory

 All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
--- a/winPEAS/winPEASps1/winPEAS.ps1
+++ b/winPEAS/winPEASps1/winPEAS.ps1
@@ -148,6 +148,244 @@ function Get-ClipBoardText {
  }
 }

+function Get-DomainContext {
+  try {
+    return [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
+  }
+  catch {
+    return $null
+  }
+}
+
+function Convert-SidToName {
+  param(
+    $SidInput
+  )
+  if ($null -eq $SidInput) { return $null }
+  try {
+    if ($SidInput -is [System.Security.Principal.SecurityIdentifier]) {
+      $sidObject = $SidInput
+    }
+    else {
+      $sidObject = New-Object System.Security.Principal.SecurityIdentifier($SidInput)
+    }
+    return $sidObject.Translate([System.Security.Principal.NTAccount]).Value
+  }
+  catch {
+    try { return $sidObject.Value }
+    catch { return [string]$SidInput }
+  }
+}
+
+function Get-WeakDnsUpdateFindings {
+  param(
+    [System.DirectoryServices.ActiveDirectory.Domain]$DomainContext
+  )
+  if (-not $DomainContext) { return @() }
+  $domainDN = $DomainContext.GetDirectoryEntry().distinguishedName
+  $forestDN = $DomainContext.Forest.RootDomain.GetDirectoryEntry().distinguishedName
+  $paths = @(
+    "LDAP://CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN",
+    "LDAP://CN=MicrosoftDNS,DC=ForestDnsZones,$forestDN",
+    "LDAP://CN=MicrosoftDNS,$domainDN"
+  )
+  $weakPatterns = @(
+    "authenticated users",
+    "everyone",
+    "domain users"
+  )
+  $dangerousRights = @("GenericAll", "GenericWrite", "CreateChild", "WriteProperty", "WriteDacl", "WriteOwner")
+  $findings = @()
+  foreach ($path in $paths) {
+    try {
+      $container = New-Object System.DirectoryServices.DirectoryEntry($path)
+      $null = $container.NativeGuid
+    }
+    catch { continue }
+    $searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
+    $searcher.Filter = "(objectClass=dnsZone)"
+    $searcher.PageSize = 500
+    $results = $searcher.FindAll()
+    foreach ($result in $results) {
+      try {
+        $zoneEntry = $result.GetDirectoryEntry()
+        $zoneEntry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
+        $sd = $zoneEntry.ObjectSecurity
+        foreach ($ace in $sd.Access) {
+          if ($ace.AccessControlType -ne 'Allow') { continue }
+          $principal = Convert-SidToName $ace.IdentityReference
+          if (-not $principal) { continue }
+          $principalLower = $principal.ToLower()
+          if (-not ($weakPatterns | Where-Object { $principalLower -like "*${_}*" })) { continue }
+          $rights = $ace.ActiveDirectoryRights.ToString()
+          if (-not ($dangerousRights | Where-Object { $rights -like "*${_}*" })) { continue }
+          $findings += [pscustomobject]@{
+            Zone      = $zoneEntry.Properties["name"].Value
+            Partition = $path.Split(',')[1]
+            Principal = $principal
+            Rights    = $rights
+          }
+        }
+      }
+      catch { continue }
+    }
+  }
+  return ($findings | Sort-Object Zone, Principal -Unique)
+}
+
+function Get-GmsaReadersReport {
+  param(
+    [System.DirectoryServices.ActiveDirectory.Domain]$DomainContext
+  )
+  if (-not $DomainContext) { return @() }
+  $domainDN = $DomainContext.GetDirectoryEntry().distinguishedName
+  try {
+    $searcher = New-Object System.DirectoryServices.DirectorySearcher
+    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainDN")
+    $searcher.Filter = "(&(objectClass=msDS-GroupManagedServiceAccount))"
+    $searcher.PageSize = 500
+    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
+    [void]$searcher.PropertiesToLoad.Add("msDS-GroupMSAMembership")
+    $results = $searcher.FindAll()
+  }
+  catch { return @() }
+  $report = @()
+  foreach ($result in $results) {
+    $name = $result.Properties["samaccountname"]
+    $blobs = $result.Properties["msds-groupmsamembership"]
+    if (-not $blobs) { continue }
+    $principals = @()
+    foreach ($blob in $blobs) {
+      try {
+        $raw = New-Object System.Security.AccessControl.RawSecurityDescriptor (, $blob)
+        foreach ($ace in $raw.DiscretionaryAcl) {
+          $sid = Convert-SidToName $ace.SecurityIdentifier
+          if ($sid) { $principals += $sid }
+        }
+      }
+      catch { continue }
+    }
+    if ($principals.Count -eq 0) { continue }
+    $principals = $principals | Sort-Object -Unique
+    $weak = $principals | Where-Object { $_ -match 'Domain Users|Authenticated Users|Everyone' }
+    $report += [pscustomobject]@{
+      Account        = ($name | Select-Object -First 1)
+      Allowed        = ($principals -join ", ")
+      WeakPrincipals = if ($weak) { $weak -join ", " } else { "" }
+    }
+  }
+  return $report
+}
+
+function Get-PrivilegedSpnTargets {
+  param(
+    [System.DirectoryServices.ActiveDirectory.Domain]$DomainContext
+  )
+  if (-not $DomainContext) { return @() }
+  $domainDN = $DomainContext.GetDirectoryEntry().distinguishedName
+  $keywords = @(
+    "Domain Admin",
+    "Enterprise Admin",
+    "Administrators",
+    "Exchange",
+    "IT_",
+    "Schema Admin",
+    "Account Operator",
+    "Server Operator",
+    "Backup Operator",
+    "DnsAdmin"
+  )
+  try {
+    $searcher = New-Object System.DirectoryServices.DirectorySearcher
+    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainDN")
+    $searcher.Filter = "(&(objectClass=user)(servicePrincipalName=*))"
+    $searcher.PageSize = 500
+    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
+    [void]$searcher.PropertiesToLoad.Add("memberOf")
+    $results = $searcher.FindAll()
+  }
+  catch { return @() }
+  $findings = @()
+  foreach ($res in $results) {
+    $groups = $res.Properties["memberof"]
+    if (-not $groups) { continue }
+    $matchedGroups = @()
+    foreach ($group in $groups) {
+      $cn = ($group -split ',')[0] -replace '^CN=',''
+      if ($keywords | Where-Object { $cn -like "*${_}*" }) {
+        $matchedGroups += $cn
+      }
+    }
+    if ($matchedGroups.Count -gt 0) {
+      $findings += [pscustomobject]@{
+        User   = ($res.Properties["samaccountname"] | Select-Object -First 1)
+        Groups = ($matchedGroups | Sort-Object -Unique) -join ', '
+      }
+    }
+  }
+  return ($findings | Sort-Object User | Select-Object -First 12)
+}
+
+function Get-NtlmPolicySummary {
+  try {
+    $msv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction Stop
+  }
+  catch { return $null }
+  $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
+  return [pscustomobject]@{
+    RestrictReceiving = $msv.RestrictReceivingNTLMTraffic
+    RestrictSending   = $msv.RestrictSendingNTLMTraffic
+    LmCompatibility   = if ($lsa) { $lsa.LmCompatibilityLevel } else { $null }
+  }
+}
+
+function Get-TimeSkewInfo {
+  param(
+    [System.DirectoryServices.ActiveDirectory.Domain]$DomainContext
+  )
+  if (-not $DomainContext) { return $null }
+  try {
+    $pdc = $DomainContext.PdcRoleOwner.Name
+  }
+  catch { return $null }
+  try {
+    $stripchart = w32tm /stripchart /computer:$pdc /dataonly /samples:3 2>$null
+    $sample = $stripchart | Where-Object { $_ -match ',' } | Select-Object -Last 1
+    if (-not $sample) { return $null }
+    $parts = $sample.Split(',')
+    if ($parts.Count -lt 2) { return $null }
+    $offsetString = $parts[1].Trim().TrimEnd('s')
+    [double]$offsetSeconds = 0
+    if (-not [double]::TryParse($offsetString, [ref]$offsetSeconds)) { return $null }
+    return [pscustomobject]@{
+      Source        = $pdc
+      OffsetSeconds = $offsetSeconds
+      RawSample     = $sample
+    }
+  }
+  catch {
+    return $null
+  }
+}
+
+function Get-AdcsSchannelInfo {
+  $info = [ordered]@{
+    MappingValue = $null
+    UpnMapping   = $false
+    ServiceState = $null
+  }
+  try {
+    $schannel = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' -Name 'CertificateMappingMethods' -ErrorAction Stop
+    $info.MappingValue = $schannel.CertificateMappingMethods
+    if (($schannel.CertificateMappingMethods -band 0x4) -eq 0x4) { $info.UpnMapping = $true }
+  }
+  catch { }
+  $svc = Get-Service -Name certsrv -ErrorAction SilentlyContinue
+  if ($svc) { $info.ServiceState = $svc.Status }
+  return [pscustomobject]$info
+}
+
+
 function Search-Excel {
  [cmdletbinding()]
  Param (
@@ -1226,6 +1464,95 @@ Write-Host -ForegroundColor Blue "=========|| LISTENING PORTS"
 Start-Process NETSTAT.EXE -ArgumentList "-ano" -Wait -NoNewWindow


+######################## ACTIVE DIRECTORY / IDENTITY MISCONFIG CHECKS ########################
+Write-Host ""
+if ($TimeStamp) { TimeElapsed }
+Write-Host -ForegroundColor Blue "=========|| ACTIVE DIRECTORY / IDENTITY MISCONFIG CHECKS"
+
+$domainContext = Get-DomainContext
+if (-not $domainContext) {
+  Write-Host "Host appears to be in a workgroup or the AD context could not be resolved. Skipping domain-specific checks." -ForegroundColor DarkGray
+}
+else {
+  $ntlmStatus = Get-NtlmPolicySummary
+  if ($ntlmStatus) {
+    $recvValue = if ($ntlmStatus.RestrictReceiving -ne $null) { [int]$ntlmStatus.RestrictReceiving } else { -1 }
+    $sendValue = if ($ntlmStatus.RestrictSending -ne $null) { [int]$ntlmStatus.RestrictSending } else { -1 }
+    $lmValue = if ($ntlmStatus.LmCompatibility -ne $null) { [int]$ntlmStatus.LmCompatibility } else { -1 }
+    $ntlmMsg = "Receiving:{0} Sending:{1} LMCompat:{2}" -f $recvValue, $sendValue, $lmValue
+    if ($recvValue -ge 1 -or $sendValue -ge 1 -or $lmValue -ge 5) {
+      Write-Host "[!] NTLM is restricted/disabled ($ntlmMsg). Expect Kerberos-only auth paths (sync time before Kerberoasting)." -ForegroundColor Yellow
+    }
+    else {
+      Write-Host "[i] NTLM restrictions appear relaxed ($ntlmMsg)."
+    }
+  }
+
+  $timeSkew = Get-TimeSkewInfo -DomainContext $domainContext
+  if ($timeSkew) {
+    $offsetAbs = [math]::Abs($timeSkew.OffsetSeconds)
+    $timeMsg = "Offset vs {0}: {1:N3}s (sample: {2})" -f $timeSkew.Source, $timeSkew.OffsetSeconds, $timeSkew.RawSample.Trim()
+    if ($offsetAbs -gt 5) {
+      Write-Host "[!] Significant Kerberos time skew detected - $timeMsg" -ForegroundColor Yellow
+    }
+    else {
+      Write-Host "[i] Kerberos time offset looks OK - $timeMsg"
+    }
+  }
+
+  $dnsFindings = @(Get-WeakDnsUpdateFindings -DomainContext $domainContext)
+  if ($dnsFindings.Count -gt 0) {
+    Write-Host "[!] AD-integrated DNS zones allow low-priv principals to write records (dynamic DNS hijack / service MITM risk)." -ForegroundColor Yellow
+    $dnsFindings | Format-Table Zone,Partition,Principal,Rights -AutoSize | Out-String | Write-Host
+  }
+  else {
+    Write-Host "[i] No obvious insecure dynamic DNS ACLs found with current privileges."
+  }
+
+  $spnFindings = @(Get-PrivilegedSpnTargets -DomainContext $domainContext)
+  if ($spnFindings.Count -gt 0) {
+    Write-Host "[!] High-value SPN accounts identified (prime Kerberoast targets):" -ForegroundColor Yellow
+    $spnFindings | Format-Table User,Groups -AutoSize | Out-String | Write-Host
+  }
+  else {
+    Write-Host "[i] No privileged SPN users detected via quick LDAP search."
+  }
+
+  $gmsaReport = @(Get-GmsaReadersReport -DomainContext $domainContext)
+  if ($gmsaReport.Count -gt 0) {
+    $weakGmsa = $gmsaReport | Where-Object { $_.WeakPrincipals -ne "" }
+    if ($weakGmsa) {
+      Write-Host "[!] gMSA passwords readable by low-priv groups/principals: " -ForegroundColor Yellow
+      $weakGmsa | Select-Object Account, WeakPrincipals | Format-Table -AutoSize | Out-String | Write-Host
+    }
+    else {
+      Write-Host "[i] gMSA accounts discovered (review allowed readers below)."
+      $gmsaReport | Select-Object Account, Allowed | Sort-Object Account | Select-Object -First 5 | Format-Table -Wrap | Out-String | Write-Host
+    }
+  }
+  else {
+    Write-Host "[i] No gMSA objects found via LDAP."
+  }
+
+  $adcsInfo = Get-AdcsSchannelInfo
+  if ($adcsInfo.MappingValue -ne $null) {
+    $hex = ('0x{0:X}' -f [int]$adcsInfo.MappingValue)
+    if ($adcsInfo.UpnMapping) {
+      Write-Host ("[!] Schannel CertificateMappingMethods={0} (UPN mapping allowed) - ESC10 certificate abuse possible if you can edit another user's UPN." -f $hex) -ForegroundColor Yellow
+    }
+    else {
+      Write-Host ("[i] Schannel CertificateMappingMethods={0} (UPN mapping flag not set)." -f $hex)
+    }
+    if ($adcsInfo.ServiceState) {
+      Write-Host ("[i] AD CS service state: {0}" -f $adcsInfo.ServiceState)
+    }
+  }
+  else {
+    Write-Host "[i] Could not read Schannel certificate mapping configuration." -ForegroundColor DarkGray
+  }
+}
+
+
 Write-Host ""
 if ($TimeStamp) { TimeElapsed }
 Write-Host -ForegroundColor Blue "=========|| ARP Table"
@@ -1323,7 +1650,7 @@ Write-Host -ForegroundColor Blue "=========|| WHOAMI INFO"
 Write-Host ""
 if ($TimeStamp) { TimeElapsed }
 Write-Host -ForegroundColor Blue "=========|| Check Token access here: https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#abusing-tokens" -ForegroundColor yellow
-Write-Host -ForegroundColor Blue "=========|| Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege"
+Write-Host -ForegroundColor Blue "=========|| Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege"
 Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups" -ForegroundColor Yellow
 Start-Process whoami.exe -ArgumentList "/all" -Wait -NoNewWindow