Convert user privilege check to vulnerability check
itm4n committed Aug 19, 2023
1 parent 718044a commit b529435
Showing 4 changed files with 21 additions and 22 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -17,6 +17,7 @@
- The Driver Co-installer check now returns something only if the configuration is vulnerable.
- The LSA protection check now returns something only if the configuration is vulnerable.
- The BIOS mode check now returns something only if the configuration is vulnerable.
- The user privilege check now returns only exploitable privileges.

## 2023-08-14

36 changes: 18 additions & 18 deletions PrivescCheck.ps1
2 changes: 1 addition & 1 deletion src/001_Main.ps1
Expand Up @@ -64,7 +64,7 @@ function Invoke-PrivescCheck {
"USER_USER", "Invoke-UserCheck", "TA0043 - Reconnaissance", "User identity", "Info", "List", "False", "True", "False", "Get the full name of the current user (domain + username) along with the associated Security Identifier (SID)."
"USER_GROUPS", "Invoke-UserGroupsCheck", "TA0043 - Reconnaissance", "User groups", "Info", "Table", "False", "True", "False", "List all the groups that are associated to the current user's token."
"USER_RESTRICTED_SIDS", "Invoke-UserRestrictedSidsCheck", "TA0043 - Reconnaissance", "User restricted SIDs", "Info", "Table", "True", "True", "False", "List the restricted SIDs that are associated to the current user's token, if it is WRITE RESTRICTED."
"USER_PRIVILEGES", "Invoke-UserPrivilegesCheck", "TA0004 - Privilege Escalation", "User privileges", "Info", "Table", "False", "False", "False", "List the current user's privileges and identify the ones that can be leveraged for local privilege escalation."
"USER_PRIVILEGES", "Invoke-UserPrivilegesCheck", "TA0004 - Privilege Escalation", "User privileges", "High", "List", "False", "False", "False", "List the current user's privileges and identify the ones that can be leveraged for local privilege escalation."
"USER_ENV", "Invoke-UserEnvCheck", "TA0006 - Credential Access", "User environment variables", "Info", "Table", "False", "True", "False", "List the environment variables of the current process and try to identify any potentially sensitive information such as passwords or API secrets. This check is simply based on keyword matching and might not be entirely reliable."
"SERVICE_INSTALLED", "Invoke-InstalledServicesCheck", "TA0004 - Privilege Escalation", "Non-default services", "Info", "List", "False", "True", "False", "List all registered services and filter out the ones that are built into Windows. It does so by parsing the target executable's metadata."
"SERVICE_THIRD_PARTY", "Invoke-ThirdPartyDriversCheck", "TA0004 - Privilege Escalation", "Third-party Kernel drivers", "Info", "List", "True", "True", "False", "List third-party drivers (i.e. drivers that do not originate from Microsoft)."
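Review bot: The description string on the USER_PRIVILEGES row still reads "List the current user's privileges and identify the ones that can be leveraged for local privilege escalation", but with this commit the check no longer lists all privileges — src/300_User.ps1 now emits only the ones matching the high-potential list — so the description no longer matches the output a reader will see. Suggest rewording it to `"List the current user's privileges that can be leveraged for local privilege escalation."` so the row text, the CHANGELOG entry and the new severity/format (High, List) tell the same story. The Invoke-PrivescCheck function enclosing this table begins before the hunk.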
4 changes: 1 addition & 3 deletions src/300_User.ps1
Expand Up @@ -135,9 +135,7 @@ function Invoke-UserPrivilegesCheck {

$HighPotentialPrivileges = "SeAssignPrimaryTokenPrivilege", "SeImpersonatePrivilege", "SeCreateTokenPrivilege", "SeDebugPrivilege", "SeLoadDriverPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeBackupPrivilege", "SeManageVolumePrivilege", "SeRelabelPrivilege"

Get-TokenInformationPrivileges | ForEach-Object {
$_ | Add-Member -MemberType "NoteProperty" -Name "Exploitable" -Value ($HighPotentialPrivileges -contains $_.Name) -PassThru
}
Get-TokenInformationPrivileges | Where-Object { $HighPotentialPrivileges -contains $_.Name }
}

function Invoke-UserEnvCheck {
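Review bot: The `$HighPotentialPrivileges` list that now decides whether the check reports anything at all has no comment explaining the selection criterion, so a maintainer cannot tell whether a privilege is absent because it was judged harmless or simply overlooked. Since the Where-Object filter makes this list the whole vulnerability definition, a short header such as `# Privileges that, when held by the token, are known to allow local privilege escalation; only these are reported.` above the assignment would make the intent explicit. The removed ForEach-Object branch attached an `Exploitable` property to every privilege, and that property is gone from the new output; if any formatter or caller still reads it, it would need updating, though nothing in this hunk shows such a consumer. Invoke-UserPrivilegesCheck begins before the hunk, so its comment-based help (if any) should also be checked against the narrower return value.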