
Build Requirements

Visual Studio

Visual Studio 2015 Community Edition or later

.NET Framework

.NET Framework 3.5 (required)

Git

For cloning the repository

Windows OS

Windows build environment required

Compilation Steps

1. Clone Repository

git clone https://github.com/GhostPack/SharpUp
cd SharpUp

2. Open Solution

Open SharpUp.sln in Visual Studio 2015 or later

3. Select Build Configuration

  • Choose Release configuration (not Debug)
  • Target platform: Any CPU

4. Build Project

  • Build → Build Solution (or press Ctrl+Shift+B)
  • SharpUp.exe will be compiled

5. Locate Binary

Compiled binary will be in:
SharpUp/SharpUp/bin/Release/SharpUp.exe

SharpUp is built against .NET Framework 3.5 for maximum compatibility with Windows systems.

Binary Distribution

No pre-compiled binaries are provided for SharpUp. You must compile from source.
Why no binaries?
  • Encourages understanding of the code
  • Prevents signature-based detection
  • Allows for customization
  • Avoids potential legal issues

Running SharpUp

Direct Execution

# Run all checks
SharpUp.exe

# Run all checks in audit mode (bypasses privilege checks)
SharpUp.exe audit

# Run specific check
SharpUp.exe ModifiableServices

# Run multiple specific checks
SharpUp.exe UnquotedServicePath ModifiableServiceBinaries

# Run specific checks in audit mode
SharpUp.exe audit TokenPrivileges RegistryAutoruns

Command Line Syntax

SharpUp.exe [audit] [check1] [check2]...

Parameters

audit (flag)
Enables audit mode, which runs vulnerability checks regardless of process integrity level or local administrator group membership. If no specific checks are provided after audit, all checks will be executed.

check* (string)
Individual vulnerability check to run. Multiple checks can be specified. Available checks:
  • AlwaysInstallElevated
  • CachedGPPPassword
  • DomainGPPPassword
  • HijackablePaths
  • McAfeeSitelistFiles
  • ModifiableScheduledTask
  • ModifiableServiceBinaries
  • ModifiableServiceRegistryKeys
  • ModifiableServices
  • ProcessDLLHijack
  • RegistryAutoLogons
  • RegistryAutoruns
  • TokenPrivileges
  • UnattendedInstallFiles
  • UnquotedServicePath

Quick Start Examples

# Run all privilege escalation checks
SharpUp.exe

SharpUp will automatically detect if you’re already running in high integrity or are a local administrator, and will exit early unless audit mode is enabled.

# Run all checks regardless of current privileges
SharpUp.exe audit

Useful for comprehensive security auditing, even when running with elevated privileges.

# Check for service-related vulnerabilities only
SharpUp.exe ModifiableServices ModifiableServiceBinaries ModifiableServiceRegistryKeys UnquotedServicePath

Focus on service-related privilege escalation vectors.

# Check for registry-based vulnerabilities
SharpUp.exe audit RegistryAutoLogons RegistryAutoruns AlwaysInstallElevated

Search for credentials and privilege escalation opportunities in the registry.

# Look for stored credentials
SharpUp.exe audit CachedGPPPassword DomainGPPPassword RegistryAutoLogons UnattendedInstallFiles McAfeeSitelistFiles

Find plaintext credentials stored in various locations.

Understanding Audit Mode

Audit mode bypasses the default behavior where SharpUp exits early if you’re already running with elevated privileges.

When to Use Audit Mode

Without audit mode:
  • SharpUp checks if you’re in high integrity or a local administrator
  • If yes, it exits with a message suggesting UAC bypass or noting you’re already elevated
  • Only runs checks if you’re a non-privileged user
With audit mode:
  • Runs all checks regardless of current privilege level
  • Useful for security auditing
  • Helpful for finding additional escalation paths even when already elevated
  • Note: Running in high integrity may yield false positives

Troubleshooting

Problem: Solution won’t build
Solutions:
  • Ensure Visual Studio 2015+ is installed
  • Verify .NET Framework 3.5 is installed
  • Clean solution (Build → Clean Solution)
  • Rebuild solution (Build → Rebuild Solution)

Problem: Target system doesn’t have .NET Framework 3.5
Solutions:
  • Install .NET Framework 3.5:
    # Windows 10/11
    DISM /Online /Enable-Feature /FeatureName:NetFx3 /All
    
    # Or via PowerShell
    Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All
    
Problem: SharpUp reports no vulnerabilities
Solutions:
  • This may be accurate - the system may be properly hardened
  • Try running with the audit flag to force all checks
  • Verify you have the necessary permissions for the checks
  • Some checks require specific configurations to be present

Problem: Access denied when running certain checks
Solutions:
  • Some checks require local administrator privileges
  • Domain GPP checks require domain connectivity
  • File enumeration checks may fail in restricted environments
  • This is expected behavior for some checks in limited contexts

Operational Security

Consider these OPSEC factors when using SharpUp in operations:
Detection Vectors:
  • Process execution of SharpUp.exe
  • Service enumeration via WMI queries
  • Registry key enumeration
  • File system enumeration
  • Token privilege enumeration
  • Network SMB access for domain GPP checks
  • Reading sensitive file locations
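
A defender-side sketch of the first detection vector above, added here as an example (it is not part of SharpUp or its documentation): it flags process-creation command lines whose arguments follow the documented [audit] [check...] syntax, so a renamed binary is still caught. The event dictionaries, host names, paths and severity labels are assumptions, and check names are matched case-insensitively as a conservative detection choice.

```python
import shlex

# Check names as listed under "Parameters" on this page, lower-cased for matching.
SHARPUP_CHECKS = {c.lower() for c in (
    "AlwaysInstallElevated", "CachedGPPPassword", "DomainGPPPassword",
    "HijackablePaths", "McAfeeSitelistFiles", "ModifiableScheduledTask",
    "ModifiableServiceBinaries", "ModifiableServiceRegistryKeys",
    "ModifiableServices", "ProcessDLLHijack", "RegistryAutoLogons",
    "RegistryAutoruns", "TokenPrivileges", "UnattendedInstallFiles",
    "UnquotedServicePath")}

def classify(command_line):
    """Return (severity, reason) for one process-creation command line."""
    try:
        argv = shlex.split(command_line, posix=False)  # keeps backslashes intact
    except ValueError:                                 # unbalanced quote
        argv = command_line.split()
    if not argv:
        return ("none", "empty")
    image = argv[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = [a.strip('"').lower() for a in argv[1:]]
    audit = bool(args) and args[0] == "audit"
    checks = args[1:] if audit else args
    # Documented syntax: SharpUp.exe [audit] [check1] [check2]...
    if checks and all(c in SHARPUP_CHECKS for c in checks):
        return ("high", "arguments match SharpUp check names"
                + (" (audit mode)" if audit else ""))
    if image == "sharpup.exe":
        return ("medium", "image name is SharpUp.exe")
    return ("none", "no match")

# Constructed process-creation records (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    {"host": "WS01", "cmd": r"C:\Users\bob\SharpUp.exe audit"},
    {"host": "WS02", "cmd": r'"C:\Temp\upd.exe" audit TokenPrivileges RegistryAutoruns'},
    {"host": "WS03", "cmd": r"C:\Windows\System32\auditpol.exe /get /category:*"},
    {"host": "WS04", "cmd": r"C:\Temp\svc.exe unquotedservicepath ModifiableServiceBinaries"},
]

def triage(events):
    """Return (host, severity, reason) for every event that matched."""
    hits = []
    for event in events:
        severity, reason = classify(event["cmd"])
        if severity != "none":
            hits.append((event["host"], severity, reason))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(*hit, sep="\t")
```

A bare audit argument on an unrelated binary is deliberately not flagged, because the word alone is too generic to be a useful signal.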
