search

Windows Privilege Escalation

hashtag
Overview

Privilege escalation in Windows involves techniques to gain higher-level access, typically from a normal user to SYSTEM or Domain Admin privileges.

hashtag
Kernel Exploits

1. System Information

# OS Version
systeminfo
Get-WmiObject -Class Win32_OperatingSystem

# Hotfixes
wmic qfe list
Get-HotFix

# Architecture
wmic os get osarchitecture
[Environment]::Is64BitOperatingSystem

2. Exploit Search

# Manual Search
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
systeminfo | findstr /B /C:"Hotfix(s)"

# Automated Tools
.\windows-exploit-suggester.py --database 2021-03-23-mssb.xls --systeminfo systeminfo.txt
.\Sherlock.ps1 -Command "Find-AllVulns"

3. Exploit Execution

hashtag
Service Exploitation

1. Service Enumeration

2. Service Misconfiguration

3. Service Manipulation

hashtag
DLL Hijacking

1. DLL Search Order

2. DLL Injection

hashtag
Scheduled Tasks

1. Task Enumeration

2. Task Creation

hashtag
Registry Exploitation

1. Registry Enumeration

2. Registry Modification

hashtag
Tools

1. Primary Tools

  • PowerUp

  • WinPEAS

  • Sherlock

  • Windows-Exploit-Suggester

  • Seatbelt

2. Additional Tools

  • PowerSploit

  • Empire

  • Covenant

  • Cobalt Strike

  • Sliver

hashtag
Best Practices

1. Escalation Strategy

  • Start with low-risk techniques

  • Use multiple methods

  • Document findings

  • Test safely

  • Follow engagement scope

2. OPSEC Considerations

  • Use stealth techniques

  • Avoid detection

  • Monitor for alerts

  • Use legitimate tools

  • Follow engagement scope

hashtag
Resources

PreviousActive Directory Certificate Services (ADCS)NextSeBackupPrivilege

Last updated