offensive-tools/windows/watson/SKILL.md
Watson: Windows patch vulnerability analyzer that identifies missing KB patches and maps to known exploitable CVEs. Use when assessing local privilege escalation vectors via kernel exploits, determining patchability before attacking, or prioritizing which unpatched systems are vulnerable to public CVE exploits.
Windows patch vulnerability scanner — identifies missing KBs and maps to exploitable CVEs.
```bash
# Basic patch check. Watson takes no command-line switches: it reads the local
# OS build number and the installed KB list itself and prints the result to stdout.
Watson.exe

# Export to file. Note: from Windows PowerShell 5.1, ">" writes UTF-16LE; run it
# from cmd.exe (or pipe through Out-File -Encoding ascii) if another tool will parse the file.
Watson.exe > watson_output.txt
```
Watson automatically reads the OS build number and the installed hotfix list, compares them against its built-in database of patched vulnerabilities, and flags every entry whose fix is missing. Vulnerability classes it is used for:

| Category | Examples |
|---|---|
| Kernel exploits | win32k / kernel-mode elevation-of-privilege CVEs (e.g. CVE-2016-3309 below) |
| Privilege escalation | Potato-family token impersonation, PrintNightmare, PetitPotam |
| Credential dumping | LSASS dumping CVEs |
| Authentication bypass | Zero-click admin elevation bugs |
| Information disclosure | Kernel pointer leaks, memory disclosure |
Watson prints one entry per CVE whose fix it could not find. Example output (illustrative layout, not a verbatim dump):

```text
[!] CVE-2016-3309 — Windows Kernel Elevation of Privilege
Affected: Windows 7 SP1, Windows Server 2008 R2 SP1
Severity: Critical
Status: VULNERABLE (KB missing)
PoC: Available (github.com/abysssol/CVE-2016-3309)
```
```bash
# Run Watson on the target and capture the report
Watson.exe > patching_status.txt
# Review the output for entries that are both CRITICAL and VULNERABLE,
# then shortlist the ones with a public PoC
```

Focus on vulnerabilities whose prerequisite service is actually running; a missing patch for a stopped service is not a working escalation path:

```bash
# Check whether the prerequisite services are running
# (use sc.exe explicitly: inside Windows PowerShell, "sc" is an alias for Set-Content)
sc.exe query spooler   # Print Spooler (PrintNightmare)
sc.exe query WinRM     # Windows Remote Management
tasklist /svc          # Running processes with the services they host
```

Example: PrintNightmare (CVE-2021-34527)
1. Watson shows "VULNERABLE" and a public PoC exists.
2. Check that the Print Spooler is running: `sc.exe query spooler`.
3. If it is running and the host is unpatched, exploit.

Example: kernel elevation-of-privilege CVE with a public PoC
1. Watson shows the kernel CVE as exploitable.
2. Obtain or compile the PoC for the exact OS build; kernel PoCs are build-specific, and a mismatch typically crashes the host (BSOD) instead of returning a shell.
3. Run it → SYSTEM shell.
| Tool | Focus |
|---|---|
| Watson | Missing kernel/OS patches mapped to public CVEs |
| WinPEAS | Misconfigurations: service binaries and paths, scheduled tasks, file and registry permissions, stored credentials |
| Together | The full local privilege-escalation surface: patch gaps plus misconfiguration vectors |

Use Watson first (fast, specific), then WinPEAS for broader enumeration.
What to expect by host type:

```bash
# Legacy / end-of-life builds (e.g. Windows 7, Server 2008 R2)
Watson.exe
# Usually many CRITICAL vulnerabilities
# High likelihood of a working public PoC

# Current builds (Windows 10/11, Server 2016+)
Watson.exe
# Fewer vulnerabilities, but monthly patches often take time to roll out
# Check the monthly security update status

# Hosts without regular updates
Watson.exe
# May show many gaps; check the last Windows Update date
# Often an indicator of other misconfigurations worth enumerating
```
If Watson output is unclear, confirm the patch level and build by hand:

```powershell
# List all installed patches
Get-HotFix | Select-Object HotFixID, InstalledOn | Sort-Object InstalledOn

# Check for a specific KB (no result → patch NOT installed → still VULNERABLE)
Get-HotFix | Where-Object HotFixID -eq 'KB2999226'

# Windows version and build (the build number is what Watson keys off)
[System.Environment]::OSVersion.Version
# or, with the cumulative-update revision (UBR) that decides which KBs apply
Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object Caption, BuildNumber
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' | Select-Object DisplayVersion, ReleaseId, CurrentBuild, UBR
```
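The workflow above (keep only VULNERABLE entries with a public PoC, then check the prerequisite service) and the manual Get-HotFix cross-check in this section, combined into one triage script. This is an added example, not code from Watson or from this skill file. It assumes a report saved with the `[!] CVE-... / Status: ... / PoC: ...` layout illustrated earlier (Watson's real output may differ, so adjust the regexes), a report file name of `watson_output.txt`, and a hand-built `$ServiceGates` map that only contains the PrintNightmare/Spooler relationship the page itself describes.

```powershell
# Added example (not part of Watson or this skill file): triage a saved Watson report,
# re-check each KB it names against Get-HotFix, and confirm service prerequisites.
# Assumption (hypothetical): the report follows the "[!] CVE-... / Status: ... / PoC: ..."
# layout illustrated above; adjust the regexes if your Watson build prints differently.
param(
    [string]$ReportPath = '.\watson_output.txt'
)

# Service prerequisites for CVEs that are only exploitable while a service runs.
# Constructed from the PrintNightmare note above; extend it for your engagement.
$ServiceGates = @{
    'CVE-2021-34527' = 'Spooler'   # PrintNightmare needs the Print Spooler
}

# Installed hotfixes, fetched once (WMI is slow; do not query it per CVE)
$installedKbs = @((Get-HotFix).HotFixID)

# Split the report into one chunk per "[!] CVE-..." entry; the first chunk is the banner
$chunks = (Get-Content -Path $ReportPath -Raw) -split '(?m)^\[!\]\s*'

$findings = foreach ($chunk in $chunks) {
    if ($chunk -notmatch '^(?<cve>CVE-\d{4}-\d{4,})') { continue }
    $cve      = $Matches.cve
    $status   = if ($chunk -match 'Status:\s*(\w+)')   { $Matches[1] } else { 'UNKNOWN' }
    $severity = if ($chunk -match 'Severity:\s*(\w+)') { $Matches[1] } else { 'UNKNOWN' }
    $hasPoc   = [bool]($chunk -match 'PoC:\s*Available')

    # KB numbers Watson printed for this CVE, re-checked against the live hotfix list.
    # A KB Watson calls missing that Get-HotFix shows installed is a false positive to investigate.
    $kbs        = @([regex]::Matches($chunk, 'KB\d{6,7}') | ForEach-Object { $_.Value } | Select-Object -Unique)
    $kbsPresent = @($kbs | Where-Object { $installedKbs -contains $_ })

    # Service gate: a stopped or absent prerequisite service blocks the path
    $gate = 'none'
    if ($ServiceGates.ContainsKey($cve)) {
        $svc = Get-Service -Name $ServiceGates[$cve] -ErrorAction SilentlyContinue
        if (-not $svc)                     { $gate = "$($ServiceGates[$cve]) absent" }
        elseif ($svc.Status -eq 'Running') { $gate = "$($svc.Name) running" }
        else                               { $gate = "$($svc.Name) $($svc.Status)" }
    }

    [PSCustomObject]@{
        CVE        = $cve
        Severity   = $severity
        Status     = $status
        PoC        = $hasPoc
        KBsListed  = ($kbs -join ',')
        KBsPresent = ($kbsPresent -join ',')
        Gate       = $gate
        # Worth attempting only when Watson says VULNERABLE, a PoC exists, none of the
        # listed KBs is actually installed, and no prerequisite service is stopped or missing
        Actionable = ($status -eq 'VULNERABLE' -and $hasPoc -and $kbsPresent.Count -eq 0 -and
                      ($gate -eq 'none' -or $gate -like '* running'))
    }
}

# Actionable entries first, then by CVE id
$findings | Sort-Object -Property @{Expression = 'Actionable'; Descending = $true}, CVE |
    Format-Table -AutoSize
```

Run it on the target after `Watson.exe > watson_output.txt` (from cmd.exe, so the file is not UTF-16). The `Gate` column is the practical filter: an entry that is VULNERABLE with a PoC but whose prerequisite service is stopped still appears, so you can decide whether starting the service is in scope, but it is not marked `Actionable`.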
| Tool | Use |
|---|---|
| WinPEAS | Broad host enumeration (misconfigurations); run it after Watson to cover the non-patch vectors |
| Exploit frameworks | SearchSploit / Metasploit to find working exploits for the flagged CVEs |
| Custom exploit repos | GitHub has PoCs for most Watson-identified CVEs; verify the target build before running one |
| File | When to load |
|---|---|
| references/ | Kernel exploit compilation, CVE remediation, safe testing practices |