killchain-compendium/post_exploitation/priv_esc/docs/windows/windows_priv_esc.md

Windows Privilege Escalation

Account Types

  • Administrator local & domain
  • Standard local & domain
  • Guest
  • System

Enumeration

Users & Groups

whoami /priv
net users
net users <username>
net localgroup
net localgroup <groupname>
query session
qwinsta

Files

System

hostname
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
  • Installed software
wmic product get name,version,vendor
  • Services
wmic service list brief | findstr "Running"

Exploit

DLL Hijacking

Unquoted Service Path

Token Impersonation

  • SeImpersonatePrivilege is required; check with whoami /priv
  • Hot Potato works best before Server 2019 and Windows 10 (version 1809)
  • Potatoes
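The two checks above (which token privileges the account holds, and whether the OS build predates 1809) are what an administrator reviewing service accounts also wants to know, so that accounts holding SeImpersonatePrivilege without needing it can be moved to a less privileged identity. The following Python is an added example, not part of the compendium: it parses captured `whoami /priv` and `systeminfo` output offline and rates the exposure. The sample outputs are constructed, the privilege set and the build number 17763 (Windows 10 1809 / Server 2019) are the author's assumptions for this illustration.

```python
import re

# Constructed sample of `whoami /priv` output (not captured from a real host).
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Constructed sample of the systeminfo line kept by the findstr filter above.
SAMPLE_OS_VERSION = "OS Version:                10.0.17134 N/A Build 17134"

# Privileges that allow a process to impersonate or assign another token.
# A service account should hold them only when it genuinely needs to.
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Assumption: Windows 10 1809 and Server 2019 share build 17763; builds below
# that are the ones the page describes as the sweet spot for Hot Potato.
BUILD_1809 = 17763


def parse_privileges(text):
    """Return {privilege_name: state} from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def parse_build(os_version_line):
    """Extract the numeric build from an `OS Version:` line, or None."""
    m = re.search(r"Build (\d+)", os_version_line)
    return int(m.group(1)) if m else None


def assess_token(priv_text, os_version_line):
    """Rate an account: held impersonation privileges plus OS build.

    Note that a privilege listed as Disabled is still held by the token and can
    be enabled by the process itself, so 'held' drives the rating, not 'enabled'.
    """
    privs = parse_privileges(priv_text)
    held = sorted(p for p in IMPERSONATION_PRIVS if p in privs)
    enabled = sorted(p for p in held if privs[p] == "Enabled")
    build = parse_build(os_version_line)
    pre_1809 = build is not None and build < BUILD_1809
    if held and pre_1809:
        risk = "high"
    elif held:
        risk = "medium"
    else:
        risk = "low"
    return {
        "impersonation_privs_held": held,
        "impersonation_privs_enabled": enabled,
        "build": build,
        "pre_1809": pre_1809,
        "risk": risk,
    }


if __name__ == "__main__":
    print(assess_token(SAMPLE_WHOAMI_PRIV, SAMPLE_OS_VERSION))
```

Run it against the output of `whoami /priv` and `systeminfo` collected from each service account; a "high" or "medium" result is a candidate for running under a virtual or managed service account that does not carry SeImpersonatePrivilege.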

Scheduled Tasks

  • schtasks
  • Autoruns64.exe
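What matters when reviewing `schtasks` output is which tasks run as a privileged principal and whether the program they launch lives somewhere a standard user could modify. The Python below is an added audit example, not code from the compendium or from schtasks: it reads rows in the column layout of `schtasks /query /fo CSV /v` (only a subset of the real columns is kept, and every row is constructed) and reports enabled tasks running as SYSTEM whose executable is outside the protected system directories. The protected prefixes, the environment-variable table and the principal list are this example's assumptions.

```python
import csv
import io
import re

# Constructed rows in the column layout of `schtasks /query /fo CSV /v`
# (subset of the real columns; hosts, task names and paths are invented).
SAMPLE_SCHTASKS_CSV = (
    '"HostName","TaskName","Status","Task To Run","Run As User","Scheduled Task State"\n'
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM","Enabled"\n'
    '"WS01","\\Vendor\\AgentUpdate","Ready","""C:\\Program Files\\Vendor\\update.exe"" /silent","SYSTEM","Enabled"\n'
    '"WS01","\\Backup\\NightlyBackup","Ready","C:\\Scripts\\backup.bat","SYSTEM","Enabled"\n'
    '"WS01","\\Users\\CleanTemp","Ready","C:\\Users\\alice\\cleanup.ps1","WS01\\alice","Enabled"\n'
    '"WS01","\\Legacy\\OldTool","Ready","C:\\Tools\\Old Tool\\run.exe","SYSTEM","Enabled"\n'
)

# Assumption: principals whose tasks deserve scrutiny (compared upper-cased).
PRIVILEGED_PRINCIPALS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCALSERVICE",
                         "NETWORKSERVICE", "ADMINISTRATORS", "BUILTIN\\ADMINISTRATORS"}
# Assumption: directories whose default ACLs keep standard users from writing.
PROTECTED_PREFIXES = ("C:\\WINDOWS", "C:\\PROGRAM FILES")
# Assumption: minimal environment table for expanding common task paths.
ENV = {"%windir%": "C:\\Windows", "%systemroot%": "C:\\Windows",
       "%programfiles%": "C:\\Program Files"}


def expand_env(path):
    """Expand the few %VAR% forms in ENV, case-insensitively."""
    out = path
    for var, val in ENV.items():
        out = re.sub(re.escape(var), lambda m, v=val: v, out, flags=re.IGNORECASE)
    return out


def executable_of(task_to_run):
    """Return (executable, quoted) from a 'Task To Run' string.

    A quoted command yields the text inside the quotes. An unquoted command
    yields the first space-separated token, which for an unquoted path that
    itself contains spaces is only a prefix; that case is reported as
    quoted=False so the reviewer can quote the path.
    """
    s = task_to_run.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end > 0 else s[1:]), True
    return s.split(" ")[0], False


def audit_tasks(csv_text):
    """List enabled privileged tasks whose executable is outside protected dirs."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Run As User"].strip().upper() not in PRIVILEGED_PRINCIPALS:
            continue
        if row["Scheduled Task State"].strip().lower() != "enabled":
            continue
        exe, quoted = executable_of(expand_env(row["Task To Run"]))
        if not exe.upper().startswith(PROTECTED_PREFIXES):
            findings.append({"task": row["TaskName"], "runs_as": row["Run As User"],
                             "exe": exe, "quoted": quoted})
    return findings


if __name__ == "__main__":
    for f in audit_tasks(SAMPLE_SCHTASKS_CSV):
        print(f)
```

Each finding is a task to fix rather than a proof of exploitability: move the binary under Program Files, tighten the ACL on its directory, quote the path if it contains spaces, or run the task under a less privileged account. Verify the directory ACL with `icacls` before closing a finding, since the prefix check only encodes default permissions.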

MSI Elevated Installer

Search for Credentials

cmdkey /list
  • Use found credentials
runas /savecred /user:<user> reverse_shell.exe
  • Keys containing passwords
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s