Watson
Watson is a .NET tool for Windows privilege escalation enumeration. It identifies missing KB patches, detects CVE vulnerabilities on Windows systems, enumerates installed software and drivers, and assists in finding local privilege escalation vectors.
Installation
Download Binary
# Download latest release
wget https://github.com/rasta-mouse/Watson/releases/download/v0.1/watson.exe
# Or clone repository
git clone https://github.com/rasta-mouse/Watson.git
cd Watson
# Build in Visual Studio or with MSBuild
msbuild Watson.sln
PowerShell Download
# Download with PowerShell
(New-Object Net.WebClient).DownloadFile('https://github.com/rasta-mouse/Watson/releases/download/v0.1/watson.exe', 'C:\Users\Public\watson.exe')
# Or via IEX (execution only)
iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/rasta-mouse/Watson/master/Watson.ps1')
Basic Usage
# Show help
watson.exe --help
watson.exe -h
# List Windows version
watson.exe -version
# Full enumeration
watson.exe
# Enumerate installed patches (KB)
watson.exe -patched
# Find missing patches
watson.exe -notpatched
Patch Enumeration
Find Missing KBs
# Find missing patches
watson.exe -missing
# Get detailed KB information
watson.exe -kb
# List all installed patches
Get-Hotfix
# Filter by KB number
Get-Hotfix | Where-Object {$_.HotFixID -like "KB*"}
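A hotfix listing is only useful for patch prioritization when it is compared against the KBs that remediate each CVE, and a later cumulative update can stand in for the original fix. The block below is an added example, not part of Watson or of the original page, showing that comparison offline. The function name `Get-PatchGap`, the baseline table, and every KB ID in it are constructed placeholders; only the CVE IDs come from this page.

```powershell
# Added example. KB IDs are constructed placeholders, not real Microsoft KB numbers.
function Get-PatchGap {
    [CmdletBinding()]
    param(
        # Installed hotfix IDs, e.g. (Get-HotFix).HotFixID on a live host
        [AllowEmptyCollection()][string[]]$InstalledKb = @(),
        # CVE -> every KB that remediates it (original fix plus superseding rollups)
        [Parameter(Mandatory)][hashtable]$Baseline
    )
    # Drop empty entries and stray whitespace from the inventory
    $installed = @($InstalledKb | Where-Object { $_ } | ForEach-Object { $_.Trim() })
    foreach ($cve in ($Baseline.Keys | Sort-Object)) {
        $accepted = @($Baseline[$cve])
        # -contains is case-insensitive, so 'kb0000005' matches 'KB0000005'
        $present  = @($accepted | Where-Object { $installed -contains $_ })
        [pscustomobject]@{
            CVE        = $cve
            Status     = if ($present.Count -gt 0) { 'Patched' } else { 'Missing' }
            FoundKb    = $present -join ', '
            AcceptedKb = $accepted -join ', '
        }
    }
}

# Constructed sample data (placeholders): original fix first, superseding rollup second
$baseline = @{
    'CVE-2018-8120' = @('KB0000001', 'KB0000002')
    'CVE-2018-8440' = @('KB0000003')
    'CVE-2019-1458' = @('KB0000004', 'KB0000005')
}
# Constructed inventory: mixed case and trailing whitespace, as seen in exported lists
$installedSample = @('KB0000002', 'kb0000005 ', 'KB0000099')

$report = Get-PatchGap -InstalledKb $installedSample -Baseline $baseline
$report | Format-Table -AutoSize

# Remediation list: CVEs with none of their accepted KBs installed
$report | Where-Object Status -eq 'Missing' | Select-Object CVE, AcceptedKb
```

On a live host, pass `(Get-HotFix).HotFixID` as `-InstalledKb` and build the baseline from the vendor's update guidance for the OS build in question.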
CVE Detection
# Scan for known CVEs
watson.exe -cve
# Enumerate specific CVEs
watson.exe -enumerate-cves
# Find vulnerable patches
watson.exe -vulnerable
# List all detected CVEs
watson.exe -list-cves
Operating System Analysis
OS Detection
# Detect Windows version
watson.exe -osversion
# Get detailed OS information
Get-WmiObject -Class Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber
# Check architecture (32-bit/64-bit)
[System.Environment]::Is64BitOperatingSystem
# Get Windows installation date
Get-WmiObject -Class Win32_OperatingSystem | Select-Object InstallDate
Build Number Analysis
# Get build number
Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion' -Name 'CurrentBuildNumber'
# Get release ID
Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion' -Name 'ReleaseId'
# Get service pack level
[System.Environment]::OSVersion.ServicePack
Software and Driver Enumeration
Installed Software
# List all installed programs
watson.exe -software
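# Get detailed software list (MSI-installed products only; querying Win32_Product triggers an MSI consistency check on every package, so prefer the registry queries below)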
Get-WmiObject -Class Win32_Product | Select-Object Name, Version, Vendor
# Enumerate from registry (HKLM, 32-bit applications on 64-bit Windows)
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion
# Enumerate from registry (HKCU)
Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion
Driver Analysis
# List all drivers
watson.exe -drivers
# Get driver information
Get-WmiObject -Class Win32_SystemDriver | Select-Object Name, DisplayName, PathName
# Find vulnerable drivers
watson.exe -vulnerable-drivers
# Check driver signing status (Win32_SystemDriver has no Signed property; Win32_PnPSignedDriver exposes IsSigned)
Get-WmiObject -Class Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, IsSigned, Signer
Vulnerability Assessment
Quick Assessment
# Full vulnerability scan
watson.exe -scan
# Fast enumeration
watson.exe -quick
# Detailed report
watson.exe -verbose
CVE-Specific Checks
# Check for CVE-2019-0604
watson.exe -cve CVE-2019-0604
# Check for Windows 10 privilege escalation CVEs
watson.exe -win10
# Check for Kernel privilege escalation CVEs
watson.exe -kernel
# Check for .NET Framework vulnerabilities
watson.exe -dotnet
Common CVEs
Notable Privilege Escalation CVEs
# CVE-2019-0604 - RPC Elevation of Privilege
watson.exe -cve CVE-2019-0604
# CVE-2018-8120 - Win32k Elevation of Privilege
watson.exe -cve CVE-2018-8120
# CVE-2018-8440 - Kernel Elevation of Privilege
watson.exe -cve CVE-2018-8440
# CVE-2018-0886 - Credential Guard Bypass
watson.exe -cve CVE-2018-0886
# CVE-2019-1458 - Windows 10 Local Privilege Escalation
watson.exe -cve CVE-2019-1458
Complete Enumeration Workflow
#!/usr/bin/env powershell
# Complete Windows privilege escalation enumeration
Write-Host "[*] Starting Watson Enumeration"
$OutputDir = "watson_results_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
New-Item -Type Directory -Path $OutputDir -Force | Out-Null
# 1. Get OS information
Write-Host "[*] Enumerating OS Information..."
watson.exe > "$OutputDir/watson_full_scan.txt"
Get-WmiObject -Class Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber | Out-File -FilePath "$OutputDir/os_info.txt"
# 2. Find missing patches
Write-Host "[*] Finding missing patches..."
watson.exe -missing > "$OutputDir/missing_patches.txt"
Get-Hotfix | Select-Object HotFixID, InstalledOn | Out-File -FilePath "$OutputDir/installed_hotfixes.txt"
# 3. Enumerate installed software
Write-Host "[*] Enumerating installed software..."
Get-WmiObject -Class Win32_Product | Select-Object Name, Version, Vendor | Out-File -FilePath "$OutputDir/installed_software.txt"
# 4. List drivers
Write-Host "[*] Enumerating drivers..."
Get-WmiObject -Class Win32_SystemDriver | Select-Object Name, DisplayName | Out-File -FilePath "$OutputDir/drivers.txt"
# 5. Check for specific CVEs
Write-Host "[*] Checking for known CVEs..."
watson.exe -cve > "$OutputDir/detected_cves.txt"
# 6. Generate summary report
Write-Host "[*] Generating report..."
$Summary = @"
WATSON PRIVILEGE ESCALATION ASSESSMENT
Generated: $(Get-Date)
Computer: $env:COMPUTERNAME
Username: $env:USERNAME
OS Information:
$(Get-Content "$OutputDir/os_info.txt" -Raw)
Missing Patches: $(Get-Content "$OutputDir/missing_patches.txt" | Measure-Object -Line | Select-Object -ExpandProperty Lines)
Installed Software: $(Get-Content "$OutputDir/installed_software.txt" | Measure-Object -Line | Select-Object -ExpandProperty Lines)
Detected Vulnerabilities:
$(Get-Content "$OutputDir/detected_cves.txt" -Raw)
"@
$Summary | Out-File -FilePath "$OutputDir/assessment_report.txt"
Write-Host "[+] Enumeration complete!"
Write-Host "[*] Results saved to: $OutputDir"
PowerShell Methods
Native PowerShell (No Watson Binary)
# Get all installed KB patches
Get-HotFix | Select-Object HotFixID, InstalledOn | Sort-Object InstalledOn -Descending
# Enumerate all system drivers
Get-WmiObject -Class Win32_SystemDriver | Where-Object {$_.State -eq 'Running'} | Select-Object Name
# List all installed programs
Get-WmiObject -Class Win32_Product | Select-Object Name, Version
# Get system information
Get-WmiObject -Class Win32_ComputerSystemProduct | Select-Object Name, UUID, Vendor
# Check UAC consent prompt configuration for administrators
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin
# List scheduled tasks (privilege escalation vectors)
Get-ScheduledTask | Where-Object {$_.Principal.RunLevel -eq 'HighestAvailable'}
Custom PowerShell Scanner
# Detect privilege escalation vectors
function Test-PrivEscVectors {
param(
[string]$OutputFile = "privesc_vectors.txt"
)
Write-Host "[*] Scanning for privilege escalation vectors..."
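# Check for unquoted service paths (path not quoted and containing a space before the .exe)
$Services = @(Get-WmiObject -Class Win32_Service | Where-Object {$_.PathName -and $_.PathName -notlike '"*' -and ($_.PathName -replace '\.exe.*$', '') -match '\s'} | Select-Object Name, PathName)
Write-Host "[*] Services with unquoted paths: $($Services.Count)"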
# Check for weak folder permissions
$Paths = @("C:\Program Files", "C:\Program Files (x86)", "C:\ProgramData")
foreach ($Path in $Paths) {
$ACL = Get-Acl -Path $Path
$ACL.Access | Where-Object {$_.IdentityReference -like '*Everyone*'} | Select-Object IdentityReference, FileSystemRights
}
# Check for DLL hijacking opportunities
$DLLPaths = Get-ChildItem -Path 'C:\Windows\System32' -Filter '*.dll' | Select-Object -First 20
Write-Host "[*] Found $($DLLPaths.Count) DLL files"
}
Test-PrivEscVectors
Troubleshooting
Issue: Watson.exe blocked by Windows Defender
# Add exception to Windows Defender
Add-MpPreference -ExclusionPath "C:\Users\Public\watson.exe"
# Or run from PowerShell directly
powershell -ExecutionPolicy Bypass -File watson.ps1
Issue: Missing .NET Framework
# Check installed .NET versions
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -Name Version
# Install .NET Framework
# Download from Microsoft official site and install
Issue: Access Denied errors
# Run as Administrator
Start-Process powershell.exe -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File watson.ps1" -Verb RunAs
# Or use UAC bypass (for testing purposes)
# Note: Use only on authorized systems
Integration with Other Tools
Combine with Exploit Suggestions
# Run Watson to enumerate vulnerabilities
watson.exe -cve > cves.txt
# Cross-reference with exploit-db
# Use CVE numbers to find exploits on exploit-db.com
Integrate with Post-Exploitation
# After gaining initial access
watson.exe > initial_assessment.txt
# Find quick wins for privilege escalation
watson.exe -vulnerable > potential_exploits.txt
# Use output to guide exploitation framework choices
Best Practices
- Run Watson as Administrator for full system access
- Use output to prioritize patch installation
- Cross-reference CVEs with exploit availability
- Document all findings for remediation
- Run regularly to track new vulnerabilities
- Combine with manual review for complete assessment
- Test exploitation in lab environment first
- Use results to improve system hardening
Related Tools
- Sherlock - PowerShell privilege escalation vulnerability scanner
- Privesc - Windows privilege escalation enumeration
- JAWS - Just Another Windows Enumeration Script
- WinPEAS - Windows Privilege Escalation Awesome Script
- BeRoot - Privilege escalation tool
Last updated: 2026-03-30 | Watson v0.1