From bf652bcd261c2c74445c2aa1b4e283c4bf167109 Mon Sep 17 00:00:00 2001
From: Dave Hull
Date: Fri, 8 Sep 2017 16:30:06 -0500
Subject: Adds dlls from knowndll paths to knowndlls
---
 Privesc/PowerUp.ps1 | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Privesc/PowerUp.ps1 b/Privesc/PowerUp.ps1
index 072b03e..651751a 100644
--- a/Privesc/PowerUp.ps1
+++ b/Privesc/PowerUp.ps1
@@ -2368,6 +2368,8 @@ function Find-ProcessDLLHijack {
 # http://blogs.msdn.com/b/larryosterman/archive/2004/07/19/187752.aspx
 $Keys = (Get-Item "HKLM:\System\CurrentControlSet\Control\Session Manager\KnownDLLs")
 $KnownDLLs = $(ForEach ($KeyName in $Keys.GetValueNames()) { $Keys.GetValue($KeyName) }) | Where-Object { $_.EndsWith(".dll") }
+ $KnownDLLPaths = $(ForEach ($name in $Keys.GetValueNames()) { $Keys.GetValue($name).tolower() }) | Where-Object { -not $_.EndsWith(".dll") }
+ $KnownDLLs += ForEach ($path in $KnownDLLPaths) { ls -force $path\*.dll | Select-Object -ExpandProperty Name | ForEach-Object { $_.tolower() }}
 $CurrentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
 # get the owners for all processes
-- 
cgit v1.2.3
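Review bot: The second added line (`$KnownDLLs += ForEach ($path in $KnownDLLPaths) { ... }`) puts the name of every `*.dll` file found in the directories given by the non-`.dll` values into `$KnownDLLs`, which is much wider than the set the registry key actually lists; those values (normally `DllDirectory` and `DllDirectory32`) only say where the listed DLLs live. If `$KnownDLLs` is used further down as an exclusion list, which the hunk does not show because `Find-ProcessDLLHijack` continues outside it, the audit will under-report and give a false sense of coverage. The names taken from the context line above keep their registry case while the new ones are lowercased, and `ls -force $path\*.dll` has no handling for a directory that is missing or unreadable. If the enumeration is kept, `Get-ChildItem -Force -Path (Join-Path $path '*.dll') -ErrorAction SilentlyContinue` plus a comment explaining why directory contents are treated as known would make the intent reviewable.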