PayloadsAllTheThings/Methodology and Resources/Windows - Privilege Escalation.md

# Windows - Privilege Escalation

:warning: Content of this page has been moved to [InternalAllTheThings/redteam/escalation/windows-privilege-escalation](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/)

- [Tools](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#tools)
- [Windows Version and Configuration](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#windows-version-and-configuration)
- [User Enumeration](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#user-enumeration)
- [Network Enumeration](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#network-enumeration)
- [Antivirus Enumeration](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#antivirus-enumeration)
- [Default Writeable Folders](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#default-writeable-folders)
- [EoP - Looting for passwords](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---looting-for-passwords)
    - [SAM and SYSTEM files](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#sam-and-system-files)
    - [HiveNightmare](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#hivenightmare)
    - [LAPS Settings](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#laps-settings)
    - [Search for file contents](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#search-for-file-contents)
    - [Search for a file with a certain filename](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#search-for-a-file-with-a-certain-filename)
    - [Search the registry for key names and passwords](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#search-the-registry-for-key-names-and-passwords)
    - [Passwords in unattend.xml](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#passwords-in-unattendxml)
    - [Wifi passwords](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#wifi-passwords)
    - [Sticky Notes passwords](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#sticky-notes-passwords)
    - [Passwords stored in services](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#passwords-stored-in-services)
    - [Passwords stored in Key Manager](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#passwords-stored-in-key-manager)
    - [Powershell History](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#powershell-history)
    - [Powershell Transcript](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#powershell-transcript)
    - [Password in Alternate Data Stream](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#password-in-alternate-data-stream)
- [EoP - Processes Enumeration and Tasks](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---processes-enumeration-and-tasks)
- [EoP - Incorrect permissions in services](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---incorrect-permissions-in-services)
- [EoP - Windows Subsystem for Linux (WSL)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---windows-subsystem-for-linux-wsl)
- [EoP - Unquoted Service Paths](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---unquoted-service-paths)
- [EoP - $PATH Interception](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---path-interception)
- [EoP - Named Pipes](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---named-pipes)
- [EoP - Kernel Exploitation](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---kernel-exploitation)
- [EoP - Microsoft Windows Installer](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---microsoft-windows-installer)
    - [AlwaysInstallElevated](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#alwaysinstallelevated)
    - [CustomActions](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#customactions)
- [EoP - Insecure GUI apps](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---insecure-gui-apps)
- [EoP - Evaluating Vulnerable Drivers](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---evaluating-vulnerable-drivers)
- [EoP - Printers](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---printers)
    - [Universal Printer](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#universal-printer)
    - [Bring Your Own Vulnerability](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#bring-your-own-vulnerability)
- [EoP - Runas](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---runas)
- [EoP - Abusing Shadow Copies](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---abusing-shadow-copies)
- [EoP - From local administrator to NT SYSTEM](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---from-local-administrator-to-nt-system)
- [EoP - Living Off The Land Binaries and Scripts](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---living-off-the-land-binaries-and-scripts)
- [EoP - Impersonation Privileges](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---impersonation-privileges)
    - [Restore A Service Account's Privileges](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#restore-a-service-accounts-privileges)
    - [Meterpreter getsystem and alternatives](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#meterpreter-getsystem-and-alternatives)
    - [RottenPotato (Token Impersonation)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#rottenpotato-token-impersonation)
    - [Juicy Potato (Abusing the golden privileges)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#juicy-potato-abusing-the-golden-privileges)
    - [Rogue Potato (Fake OXID Resolver)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#rogue-potato-fake-oxid-resolver))
    - [EFSPotato (MS-EFSR EfsRpcOpenFileRaw)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#efspotato-ms-efsr-efsrpcopenfileraw))
    - [PrintSpoofer (Printer Bug)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#PrintSpoofer-Printer-Bug)))
- [EoP - Privileged File Write](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---privileged-file-write)
    - [DiagHub](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#diaghub)
    - [UsoDLLLoader](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#usodllloader)
    - [WerTrigger](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#wertrigger)
    - [WerMgr](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#wermgr)
- [EoP - Privileged File Delete](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---privileged-file-delete)
- [EoP - Common Vulnerabilities and Exposures](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---common-vulnerabilities-and-exposure)
    - [MS08-067 (NetAPI)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#ms08-067-netapi)
    - [MS10-015 (KiTrap0D)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#ms10-015-kitrap0d---microsoft-windows-nt2000--2003--2008--xp--vista--7)
    - [MS11-080 (adf.sys)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#ms11-080-afd.sys---microsoft-windows-xp-2003)
    - [MS15-051 (Client Copy Image)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#ms15-051---microsoft-windows-2003--2008--7--8--2012)
    - [MS16-032](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64)
    - [MS17-010 (Eternal Blue)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#ms17-010-eternal-blue)
    - [CVE-2019-1388](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#cve-2019-1388)
- [EoP - $PATH Interception](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---path-interception)
- [References](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#references)
Windows PrivEsc + SQLi second order + AD DiskShadow 2018-05-20 20:10:33 +00:00			`# Windows - Privilege Escalation`

README - Update links to Internal All The Things 2024-01-12 15:18:36 +00:00			`:warning: Content of this page has been moved to [InternalAllTheThings/redteam/escalation/windows-privilege-escalation](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/)`

References updated for JWT, RMI, LDAP, LaTeX 2024-11-07 13:50:52 +00:00			`- [Tools](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#tools)`
			`- [Windows Version and Configuration](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#windows-version-and-configuration)`
			`- [User Enumeration](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#user-enumeration)`
			`- [Network Enumeration](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#network-enumeration)`
			`- [Antivirus Enumeration](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#antivirus-enumeration)`
			`- [Default Writeable Folders](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#default-writeable-folders)`
			`- [EoP - Looting for passwords](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---looting-for-passwords)`
			`- [SAM and SYSTEM files](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#sam-and-system-files)`
			`- [HiveNightmare](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#hivenightmare)`
			`- [LAPS Settings](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#laps-settings)`
			`- [Search for file contents](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#search-for-file-contents)`
			`- [Search for a file with a certain filename](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#search-for-a-file-with-a-certain-filename)`
			`- [Search the registry for key names and passwords](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#search-the-registry-for-key-names-and-passwords)`
			`- [Passwords in unattend.xml](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#passwords-in-unattendxml)`
			`- [Wifi passwords](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#wifi-passwords)`
			`- [Sticky Notes passwords](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#sticky-notes-passwords)`
			`- [Passwords stored in services](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#passwords-stored-in-services)`
			`- [Passwords stored in Key Manager](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#passwords-stored-in-key-manager)`
			`- [Powershell History](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#powershell-history)`
			`- [Powershell Transcript](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#powershell-transcript)`
			`- [Password in Alternate Data Stream](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#password-in-alternate-data-stream)`
			`- [EoP - Processes Enumeration and Tasks](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---processes-enumeration-and-tasks)`
			`- [EoP - Incorrect permissions in services](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---incorrect-permissions-in-services)`
			`- [EoP - Windows Subsystem for Linux (WSL)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---windows-subsystem-for-linux-wsl)`
			`- [EoP - Unquoted Service Paths](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---unquoted-service-paths)`
			`- [EoP - $PATH Interception](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---path-interception)`
			`- [EoP - Named Pipes](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---named-pipes)`
			`- [EoP - Kernel Exploitation](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---kernel-exploitation)`
			`- [EoP - Microsoft Windows Installer](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---microsoft-windows-installer)`
			`- [AlwaysInstallElevated](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#alwaysinstallelevated)`
			`- [CustomActions](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#customactions)`
			`- [EoP - Insecure GUI apps](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---insecure-gui-apps)`
			`- [EoP - Evaluating Vulnerable Drivers](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---evaluating-vulnerable-drivers)`
			`- [EoP - Printers](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---printers)`
			`- [Universal Printer](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#universal-printer)`
			`- [Bring Your Own Vulnerability](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#bring-your-own-vulnerability)`
			`- [EoP - Runas](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---runas)`
			`- [EoP - Abusing Shadow Copies](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---abusing-shadow-copies)`
			`- [EoP - From local administrator to NT SYSTEM](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---from-local-administrator-to-nt-system)`
			`- [EoP - Living Off The Land Binaries and Scripts](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---living-off-the-land-binaries-and-scripts)`
			`- [EoP - Impersonation Privileges](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---impersonation-privileges)`
			`- [Restore A Service Account's Privileges](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#restore-a-service-accounts-privileges)`
			`- [Meterpreter getsystem and alternatives](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#meterpreter-getsystem-and-alternatives)`
			`- [RottenPotato (Token Impersonation)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#rottenpotato-token-impersonation)`
			`- [Juicy Potato (Abusing the golden privileges)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#juicy-potato-abusing-the-golden-privileges)`
			`- [Rogue Potato (Fake OXID Resolver)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#rogue-potato-fake-oxid-resolver))`
			`- [EFSPotato (MS-EFSR EfsRpcOpenFileRaw)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#efspotato-ms-efsr-efsrpcopenfileraw))`
			`- [PrintSpoofer (Printer Bug)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#PrintSpoofer-Printer-Bug)))`
			`- [EoP - Privileged File Write](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---privileged-file-write)`
			`- [DiagHub](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#diaghub)`
			`- [UsoDLLLoader](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#usodllloader)`
			`- [WerTrigger](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#wertrigger)`
			`- [WerMgr](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#wermgr)`
			`- [EoP - Privileged File Delete](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---privileged-file-delete)`
			`- [EoP - Common Vulnerabilities and Exposures](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---common-vulnerabilities-and-exposure)`
			`- [MS08-067 (NetAPI)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#ms08-067-netapi)`
			`- [MS10-015 (KiTrap0D)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#ms10-015-kitrap0d---microsoft-windows-nt2000--2003--2008--xp--vista--7)`
			`- [MS11-080 (adf.sys)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#ms11-080-afd.sys---microsoft-windows-xp-2003)`
			`- [MS15-051 (Client Copy Image)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#ms15-051---microsoft-windows-2003--2008--7--8--2012)`
			`- [MS16-032](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64)`
			`- [MS17-010 (Eternal Blue)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#ms17-010-eternal-blue)`
			`- [CVE-2019-1388](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#cve-2019-1388)`
			`- [EoP - $PATH Interception](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---path-interception)`
			`- [References](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#references)`