hacktricks/windows-hardening/checklist-windows-privilege-escalation.md

137 lines
10 KiB
Markdown
Raw Permalink Normal View History

2022-05-01 13:25:53 +00:00
# Checklist - Local Windows Privilege Escalation
2022-04-28 16:01:33 +00:00
<details>
2024-02-10 17:52:19 +00:00
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
2022-04-28 16:01:33 +00:00
2024-01-12 07:53:44 +00:00
Other ways to support HackTricks:
2022-04-28 16:01:33 +00:00
2024-01-12 07:53:44 +00:00
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
2024-02-09 00:38:08 +00:00
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
2024-01-12 07:53:44 +00:00
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
2022-05-01 13:25:53 +00:00
### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)
2022-04-28 16:01:33 +00:00
2022-05-01 13:25:53 +00:00
### [System Info](windows-local-privilege-escalation/#system-info)
2022-06-15 12:40:20 +00:00
* [ ] Obtain [**System information**](windows-local-privilege-escalation/#system-info)
2022-03-27 23:48:53 +00:00
* [ ] Search for **kernel** [**exploits using scripts**](windows-local-privilege-escalation/#version-exploits)
* [ ] Use **Google to search** for kernel **exploits**
* [ ] Use **searchsploit to search** for kernel **exploits**
2020-08-18 15:38:51 +00:00
* [ ] Interesting info in [**env vars**](windows-local-privilege-escalation/#environment)?
* [ ] Passwords in [**PowerShell history**](windows-local-privilege-escalation/#powershell-history)?
* [ ] Interesting info in [**Internet settings**](windows-local-privilege-escalation/#internet-settings)?
* [ ] [**Drives**](windows-local-privilege-escalation/#drives)?
2022-03-27 23:48:53 +00:00
* [ ] [**WSUS exploit**](windows-local-privilege-escalation/#wsus)?
* [ ] [**AlwaysInstallElevated**](windows-local-privilege-escalation/#alwaysinstallelevated)?
2022-05-01 13:25:53 +00:00
### [Logging/AV enumeration](windows-local-privilege-escalation/#enumeration)
2021-11-30 16:46:07 +00:00
* [ ] Check [**Audit** ](windows-local-privilege-escalation/#audit-settings)and [**WEF** ](windows-local-privilege-escalation/#wef)settings
2022-03-27 23:48:53 +00:00
* [ ] Check [**LAPS**](windows-local-privilege-escalation/#laps)
2021-11-30 16:46:07 +00:00
* [ ] Check if [**WDigest** ](windows-local-privilege-escalation/#wdigest)is active
2020-08-18 15:38:51 +00:00
* [ ] [**LSA Protection**](windows-local-privilege-escalation/#lsa-protection)?
2022-03-27 23:48:53 +00:00
* [ ] [**Credentials Guard**](windows-local-privilege-escalation/#credentials-guard)[?](windows-local-privilege-escalation/#cached-credentials)
2020-08-18 15:38:51 +00:00
* [ ] [**Cached Credentials**](windows-local-privilege-escalation/#cached-credentials)?
2023-01-24 16:20:05 +00:00
* [ ] Check if any [**AV**](windows-av-bypass)
* [ ] [**AppLocker Policy**](authentication-credentials-uac-and-efs#applocker-policy)?
* [ ] [**UAC**](authentication-credentials-uac-and-efs/uac-user-account-control)
2022-08-08 22:59:21 +00:00
* [ ] [**User Privileges**](windows-local-privilege-escalation/#users-and-groups)
2022-03-27 23:48:53 +00:00
* [ ] Check [**current** user **privileges**](windows-local-privilege-escalation/#users-and-groups)
2020-08-18 15:38:51 +00:00
* [ ] Are you [**member of any privileged group**](windows-local-privilege-escalation/#privileged-groups)?
2022-02-28 09:13:08 +00:00
* [ ] Check if you have [any of these tokens enabled](windows-local-privilege-escalation/#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
2020-08-18 15:38:51 +00:00
* [ ] [**Users Sessions**](windows-local-privilege-escalation/#logged-users-sessions)?
* [ ] Check[ **users homes**](windows-local-privilege-escalation/#home-folders) (access?)
2022-03-27 23:48:53 +00:00
* [ ] Check [**Password Policy**](windows-local-privilege-escalation/#password-policy)
2020-08-18 15:38:51 +00:00
* [ ] What is[ **inside the Clipboard**](windows-local-privilege-escalation/#get-the-content-of-the-clipboard)?
2022-05-01 13:25:53 +00:00
### [Network](windows-local-privilege-escalation/#network)
2022-03-27 23:48:53 +00:00
* [ ] Check **current** [**network** **information**](windows-local-privilege-escalation/#network)
2021-11-30 16:46:07 +00:00
* [ ] Check **hidden local services** restricted to the outside
2022-05-01 13:25:53 +00:00
### [Running Processes](windows-local-privilege-escalation/#running-processes)
2022-03-27 23:48:53 +00:00
* [ ] Processes binaries [**file and folders permissions**](windows-local-privilege-escalation/#file-and-folder-permissions)
2022-02-28 09:13:08 +00:00
* [ ] [**Memory Password mining**](windows-local-privilege-escalation/#memory-password-mining)
* [ ] [**Insecure GUI apps**](windows-local-privilege-escalation/#insecure-gui-apps)
2022-05-01 13:25:53 +00:00
### [Services](windows-local-privilege-escalation/#services)
2023-01-24 16:20:05 +00:00
* [ ] [Can you **modify any service**?](windows-local-privilege-escalation#permissions)
2021-11-30 16:46:07 +00:00
* [ ] [Can you **modify** the **binary** that is **executed** by any **service**?](windows-local-privilege-escalation/#modify-service-binary-path)
2022-08-08 22:59:21 +00:00
* [ ] [Can you **modify** the **registry** of any **service**?](windows-local-privilege-escalation/#services-registry-modify-permissions)
2021-11-30 16:46:07 +00:00
* [ ] [Can you take advantage of any **unquoted service** binary **path**?](windows-local-privilege-escalation/#unquoted-service-paths)
2022-05-01 13:25:53 +00:00
### [**Applications**](windows-local-privilege-escalation/#applications)
2020-08-18 15:38:51 +00:00
2022-03-27 23:48:53 +00:00
* [ ] **Write** [**permissions on installed applications**](windows-local-privilege-escalation/#write-permissions)
2022-02-28 09:13:08 +00:00
* [ ] [**Startup Applications**](windows-local-privilege-escalation/#run-at-startup)
2022-03-27 23:48:53 +00:00
* [ ] **Vulnerable** [**Drivers**](windows-local-privilege-escalation/#drivers)
2020-08-18 15:38:51 +00:00
2022-05-01 13:25:53 +00:00
### [DLL Hijacking](windows-local-privilege-escalation/#path-dll-hijacking)
* [ ] Can you **write in any folder inside PATH**?
* [ ] Is there any known service binary that **tries to load any non-existant DLL**?
2021-11-30 16:46:07 +00:00
* [ ] Can you **write** in any **binaries folder**?
2022-05-01 13:25:53 +00:00
### [Network](windows-local-privilege-escalation/#network)
2020-08-19 09:14:23 +00:00
2022-08-08 22:59:21 +00:00
* [ ] Enumerate the network (shares, interfaces, routes, neighbours, ...)
* [ ] Take a special look at network services listening on localhost (127.0.0.1)
2020-08-19 09:14:23 +00:00
2022-05-01 13:25:53 +00:00
### [Windows Credentials](windows-local-privilege-escalation/#windows-credentials)
2022-03-27 23:48:53 +00:00
* [ ] [**Winlogon** ](windows-local-privilege-escalation/#winlogon-credentials)credentials
2022-08-08 22:59:21 +00:00
* [ ] [**Windows Vault**](windows-local-privilege-escalation/#credentials-manager-windows-vault) credentials that you could use?
* [ ] Interesting [**DPAPI credentials**](windows-local-privilege-escalation/#dpapi)?
2020-08-19 09:14:23 +00:00
* [ ] Passwords of saved [**Wifi networks**](windows-local-privilege-escalation/#wifi)?
2022-01-31 14:51:03 +00:00
* [ ] Interesting info in [**saved RDP Connections**](windows-local-privilege-escalation/#saved-rdp-connections)?
2020-08-19 09:14:23 +00:00
* [ ] Passwords in [**recently run commands**](windows-local-privilege-escalation/#recently-run-commands)?
2020-08-19 11:51:33 +00:00
* [ ] [**Remote Desktop Credentials Manager**](windows-local-privilege-escalation/#remote-desktop-credential-manager) passwords?
* [ ] [**AppCmd.exe** exists](windows-local-privilege-escalation/#appcmd-exe)? Credentials?
* [ ] [**SCClient.exe**](windows-local-privilege-escalation/#scclient-sccm)? DLL Side Loading?
2022-05-01 13:25:53 +00:00
### [Files and Registry (Credentials)](windows-local-privilege-escalation/#files-and-registry-credentials)
2022-03-27 23:48:53 +00:00
* [ ] **Putty:** [**Creds**](windows-local-privilege-escalation/#putty-creds) **and** [**SSH host keys**](windows-local-privilege-escalation/#putty-ssh-host-keys)
* [ ] [**SSH keys in registry**](windows-local-privilege-escalation/#ssh-keys-in-registry)?
2020-08-19 09:14:23 +00:00
* [ ] Passwords in [**unattended files**](windows-local-privilege-escalation/#unattended-files)?
* [ ] Any [**SAM & SYSTEM**](windows-local-privilege-escalation/#sam-and-system-backups) backup?
* [ ] [**Cloud credentials**](windows-local-privilege-escalation/#cloud-credentials)?
2022-08-08 22:59:21 +00:00
* [ ] [**McAfee SiteList.xml**](windows-local-privilege-escalation/#mcafee-sitelist.xml) file?
2022-03-27 23:48:53 +00:00
* [ ] [**Cached GPP Password**](windows-local-privilege-escalation/#cached-gpp-pasword)?
2020-08-19 09:14:23 +00:00
* [ ] Password in [**IIS Web config file**](windows-local-privilege-escalation/#iis-web-config)?
* [ ] Interesting info in [**web** **logs**](windows-local-privilege-escalation/#logs)?
* [ ] Do you want to [**ask for credentials**](windows-local-privilege-escalation/#ask-for-credentials) to the user?
* [ ] Interesting [**files inside the Recycle Bin**](windows-local-privilege-escalation/#credentials-in-the-recyclebin)?
* [ ] Other [**registry containing credentials**](windows-local-privilege-escalation/#inside-the-registry)?
2022-08-08 22:59:21 +00:00
* [ ] Inside [**Browser data**](windows-local-privilege-escalation/#browsers-history) (dbs, history, bookmarks, ...)?
2022-03-27 23:48:53 +00:00
* [ ] [**Generic password search**](windows-local-privilege-escalation/#generic-password-search-in-files-and-registry) in files and registry
* [ ] [**Tools**](windows-local-privilege-escalation/#tools-that-search-for-passwords) to automatically search for passwords
2022-05-01 13:25:53 +00:00
### [Leaked Handlers](windows-local-privilege-escalation/#leaked-handlers)
2020-08-19 09:14:23 +00:00
* [ ] Have you access to any handler of a process run by administrator?
2022-05-01 13:25:53 +00:00
### [Pipe Client Impersonation](windows-local-privilege-escalation/#named-pipe-client-impersonation)
2020-08-19 09:14:23 +00:00
* [ ] Check if you can abuse it
2022-04-28 16:01:33 +00:00
<details>
2024-01-12 07:53:44 +00:00
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
2022-04-28 16:01:33 +00:00
2024-01-12 07:53:44 +00:00
Other ways to support HackTricks:
2022-04-28 16:01:33 +00:00
2024-01-12 07:53:44 +00:00
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
2024-02-09 00:38:08 +00:00
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
2024-01-12 07:53:44 +00:00
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>