What is SharpUp?

SharpUp is a C# port of PowerUp functionality for enumerating common Windows privilege escalation vectors. It performs automated checks to identify potential privilege escalation opportunities on Windows systems without requiring weaponization or exploitation.
SharpUp is a port of @mattifestation’s PowerUp from PowerSploit. Only enumeration checks have been ported - no exploitation functions are included.

Key Features

Privilege Escalation Checks

15 different vulnerability checks for common Windows privesc vectors

No Weaponization

Enumeration only - no exploitation or modification of systems

Audit Mode

Run checks regardless of current privilege level

Selective Checks

Run all checks or specify individual checks to execute

Available Checks

SharpUp includes 15 privilege escalation enumeration checks:

Service-Based Checks

Identifies services where the current user can modify the service configuration
Finds service binaries that the current user can modify
Locates service registry keys that can be modified by the current user
Identifies services with unquoted paths containing spaces (DLL hijacking opportunity)

Registry-Based Checks

Searches for plaintext credentials in registry AutoLogon configuration
Finds modifiable registry autoruns (HKLM and HKCU Run keys)
Checks if AlwaysInstallElevated policy is enabled (MSI privilege escalation)

File-Based Checks

Searches for unattended installation files that may contain credentials
Locates McAfee SiteList.xml files containing encrypted passwords
Searches local cache for Group Policy Preference passwords
Searches domain SYSVOL for Group Policy Preference passwords

Scheduled Task Checks

Identifies scheduled tasks with modifiable binaries or scripts

PATH & DLL Checks

Finds modifiable directories in the system %PATH% variable
Identifies running processes with missing DLLs (DLL hijacking opportunity)

Token & Privileges

Enumerates current user token privileges

Basic Usage

# Run all checks (default behavior for non-admin users)
SharpUp.exe

# Run all checks in audit mode (regardless of privilege level)
SharpUp.exe audit

# Run specific check
SharpUp.exe ModifiableServices

# Run multiple specific checks
SharpUp.exe ModifiableServices UnquotedServicePath

# Audit mode with specific checks
SharpUp.exe audit HijackablePaths RegistryAutoLogons

Audit Mode

By default, SharpUp will not run checks if you’re already a local administrator or in high integrity. Use audit mode to force all checks to run anyway.

Default Behavior:
  • High Integrity: SharpUp detects this and skips checks (already privileged)
  • Medium Integrity + Local Admin: SharpUp suggests UAC bypass instead
  • Standard User: All checks run normally

Audit Mode Behavior:
  • Runs all specified checks regardless of current privilege level
  • Useful for security auditing and compliance checking
  • Will produce false positives when run in high integrity

# Force all checks to run
SharpUp.exe audit

# Run specific checks in audit mode
SharpUp.exe audit AlwaysInstallElevated RegistryAutoLogons

Typical Workflow

1. Initial Enumeration

Run all checks to identify potential privilege escalation vectors

SharpUp.exe

2. Review Results

Analyze the output to identify the most promising vulnerabilities

3. Targeted Checks

Re-run specific checks for verification or detailed information

SharpUp.exe ModifiableServices

4. Exploitation

Use the information to manually exploit identified vulnerabilities (SharpUp doesn’t include weaponization)

Example Output

=== SharpUp: Running Privilege Escalation Checks ===

[*] Already in high integrity, no need to privesc!

[*] Quitting now, re-run with "audit" argument to run checks anyway (audit mode).


[*] Completed Privesc Checks in 0 seconds

With Vulnerabilities Found:

=== ModifiableServices ===
	Service 'VulnService' (C:\Services\service.exe)
	Start Permission: Everyone [AllAccess]

=== UnquotedServicePath ===
	Service 'Unquoted Service' has unquoted path: C:\Program Files\My Service\service.exe
	ModifiablePath: C:\Program Files\My Service

Detection Considerations

SharpUp performs enumeration activities that can be detected by EDR and security monitoring tools.

Host-Based Detection

  • Registry Enumeration: Reading service configurations and Run keys
  • File System Enumeration: Searching for unattended install files and GPP passwords
  • Service Queries: Enumerating service ACLs and configurations
  • Scheduled Task Queries: Enumerating task configurations
  • Token Queries: Reading current process token privileges

Behavioral Indicators

  • Process making numerous registry queries to service keys
  • Rapid enumeration of file system for specific file patterns
  • Querying service security descriptors
  • SYSVOL/netlogon share access (for Domain GPP checks)
  • Sequential execution of multiple privilege checks

Defensive Measures

  • Monitor for rapid service configuration enumeration
  • Alert on SYSVOL access from non-DC systems
  • Track unusual registry key access patterns
  • Monitor for SharpUp.exe execution
  • Detect sequential privilege escalation check patterns
  • Remove unattended install files from systems
  • Disable AlwaysInstallElevated policy
  • Properly configure service ACLs
  • Quote all service paths
  • Remove cached GPP passwords
  • Implement least privilege for service accounts
  • Audit and restrict PATH directory permissions
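
The "Quote all service paths" item above can be audited offline. This is an added example, not SharpUp or PowerUp code: it assumes the ImagePath values have already been exported from HKLM\SYSTEM\CurrentControlSet\Services, and the function names and most sample entries are hypothetical.

```python
import re

# End of the binary: first executable extension followed by whitespace or end.
# Heuristic: a directory literally named "x.exe" would end the match early.
_BINARY_END = re.compile(r"\.(?:exe|com|bat|cmd|sys)(?=\s|$)", re.IGNORECASE)


def audit_image_path(image_path):
    """Classify one ImagePath value; return (status, suggested_value)."""
    value = image_path.strip()
    if value.startswith('"'):
        return "ok", None                      # already quoted
    match = _BINARY_END.search(value)
    if match is None:
        # No recognisable binary: cannot split path from arguments safely.
        return ("review" if " " in value else "ok"), None
    binary, args = value[:match.end()], value[match.end():]
    if " " not in binary:
        return "ok", None                      # spaces only in the arguments
    return "unquoted", '"{}"{}'.format(binary, args)


def audit_services(image_paths):
    """Return {service: (status, suggestion)} for every entry that is not ok."""
    findings = {}
    for name, path in image_paths.items():
        status, suggestion = audit_image_path(path)
        if status != "ok":
            findings[name] = (status, suggestion)
    return findings


# Constructed sample data; the first two entries reuse the names and paths
# from the example output above, the rest are made up for illustration.
SAMPLE_IMAGE_PATHS = {
    "Unquoted Service": r"C:\Program Files\My Service\service.exe",
    "VulnService": r"C:\Services\service.exe",
    "HostedSvc": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
    "QuotedAgent": r'"C:\Program Files\Vendor\agent.exe" --run',
    "AgentWithArgs": r"C:\Program Files\Vendor App\agent.exe --config C:\data\a.cfg",
    "NoExtension": r"C:\Program Files\Legacy Tool\run",
}

if __name__ == "__main__":
    for service, (status, fix) in audit_services(SAMPLE_IMAGE_PATHS).items():
        print("{:<18} {:<9} {}".format(service, status, fix or "(inspect manually)"))
```

Entries reported as "review" have spaces but no recognisable binary extension, so the quoted value has to be written by hand.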

Prerequisites

Build:
  • Visual Studio 2015 Community Edition or later
  • .NET Framework 3.5 (default target)

Runtime:
  • Windows operating system
  • .NET Framework 3.5 or later
  • Standard user privileges (no elevation required)

Standard User:
  • Can run all enumeration checks
  • Identifies privilege escalation opportunities

Administrator:
  • SharpUp will detect and skip checks (use audit mode to force)
  • May produce false positives in high integrity
Comparison with PowerUp

Feature        PowerUp                          SharpUp
Language       PowerShell                       C#
Checks         15+ enumeration + exploitation   15 enumeration only
Weaponization  Included                         Not included
Execution      PowerShell.exe                   Native .exe
AMSI/CLM       Affected                         Bypasses
Footprint      Script loaded in memory          Binary execution

SharpUp focuses purely on enumeration. For exploitation, you’ll need to manually leverage the identified vulnerabilities or use other tools.

Use Cases

Penetration Testing

Quickly identify privilege escalation vectors during assessments

Red Team Operations

Enumerate local privilege escalation opportunities post-compromise

Security Auditing

Identify and remediate privilege escalation vulnerabilities

Compliance Checking

Verify proper security configurations are in place

License

SharpUp is licensed under the BSD 3-Clause license.
SharpUp is developed by @harmj0y and is a port of PowerUp by @mattifestation.