2022-05-01 13:25:53 +00:00
# Checklist - Local Windows Privilege Escalation
2022-04-28 16:01:33 +00:00
< details >
2024-01-12 07:53:44 +00:00
< summary > < strong > Learn AWS hacking from zero to hero with< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-01-12 07:53:44 +00:00
Other ways to support HackTricks:
2022-04-28 16:01:33 +00:00
2024-01-12 07:53:44 +00:00
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
* Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
* Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
2024-04-06 16:25:58 +00:00
* **Join the** 💬 [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** us on **Twitter** 🐦 [**@carlospolopm** ](https://twitter.com/hacktricks\_live )**.**
2024-01-12 07:53:44 +00:00
* **Share your hacking tricks by submitting PRs to the** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) and [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github repos.
2022-04-28 16:01:33 +00:00
< / details >
2024-03-14 23:01:13 +00:00
**Try Hard Security Group**
2024-04-06 16:25:58 +00:00
< figure > < img src = "../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt = "" > < figcaption > < / figcaption > < / figure >
2024-03-14 23:01:13 +00:00
{% embed url="https://discord.gg/tryhardsecurity" %}
***
2022-05-01 13:25:53 +00:00
### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)
2022-04-28 16:01:33 +00:00
2022-05-01 13:25:53 +00:00
### [System Info](windows-local-privilege-escalation/#system-info)
2020-07-15 15:43:14 +00:00
2022-06-15 12:40:20 +00:00
* [ ] Obtain [**System information** ](windows-local-privilege-escalation/#system-info )
2022-03-27 23:48:53 +00:00
* [ ] Search for **kernel** [**exploits using scripts** ](windows-local-privilege-escalation/#version-exploits )
2020-07-15 15:43:14 +00:00
* [ ] Use **Google to search** for kernel **exploits**
* [ ] Use **searchsploit to search** for kernel **exploits**
2020-08-18 15:38:51 +00:00
* [ ] Interesting info in [**env vars** ](windows-local-privilege-escalation/#environment )?
* [ ] Passwords in [**PowerShell history** ](windows-local-privilege-escalation/#powershell-history )?
* [ ] Interesting info in [**Internet settings** ](windows-local-privilege-escalation/#internet-settings )?
* [ ] [**Drives** ](windows-local-privilege-escalation/#drives )?
2022-03-27 23:48:53 +00:00
* [ ] [**WSUS exploit** ](windows-local-privilege-escalation/#wsus )?
* [ ] [**AlwaysInstallElevated** ](windows-local-privilege-escalation/#alwaysinstallelevated )?
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### [Logging/AV enumeration](windows-local-privilege-escalation/#enumeration)
2020-07-15 15:43:14 +00:00
2021-11-30 16:46:07 +00:00
* [ ] Check [**Audit** ](windows-local-privilege-escalation/#audit-settings )and [**WEF** ](windows-local-privilege-escalation/#wef )settings
2022-03-27 23:48:53 +00:00
* [ ] Check [**LAPS** ](windows-local-privilege-escalation/#laps )
2021-11-30 16:46:07 +00:00
* [ ] Check if [**WDigest** ](windows-local-privilege-escalation/#wdigest )is active
2020-08-18 15:38:51 +00:00
* [ ] [**LSA Protection** ](windows-local-privilege-escalation/#lsa-protection )?
2022-03-27 23:48:53 +00:00
* [ ] [**Credentials Guard** ](windows-local-privilege-escalation/#credentials-guard )[? ](windows-local-privilege-escalation/#cached-credentials )
2020-08-18 15:38:51 +00:00
* [ ] [**Cached Credentials** ](windows-local-privilege-escalation/#cached-credentials )?
2024-04-06 16:25:58 +00:00
* [ ] Check if any [**AV** ](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/windows-av-bypass/README.md )
* [ ] [**AppLocker Policy** ](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/README.md#applocker-policy )?
* [ ] [**UAC** ](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control/README.md )
2022-08-08 22:59:21 +00:00
* [ ] [**User Privileges** ](windows-local-privilege-escalation/#users-and-groups )
2022-03-27 23:48:53 +00:00
* [ ] Check [**current** user **privileges** ](windows-local-privilege-escalation/#users-and-groups )
2020-08-18 15:38:51 +00:00
* [ ] Are you [**member of any privileged group** ](windows-local-privilege-escalation/#privileged-groups )?
2022-02-28 09:13:08 +00:00
* [ ] Check if you have [any of these tokens enabled ](windows-local-privilege-escalation/#token-manipulation ): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
2020-08-18 15:38:51 +00:00
* [ ] [**Users Sessions** ](windows-local-privilege-escalation/#logged-users-sessions )?
2021-10-18 11:21:18 +00:00
* [ ] Check[ **users homes** ](windows-local-privilege-escalation/#home-folders) (access?)
2022-03-27 23:48:53 +00:00
* [ ] Check [**Password Policy** ](windows-local-privilege-escalation/#password-policy )
2020-08-18 15:38:51 +00:00
* [ ] What is[ **inside the Clipboard** ](windows-local-privilege-escalation/#get-the-content-of-the-clipboard)?
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### [Network](windows-local-privilege-escalation/#network)
2020-07-15 15:43:14 +00:00
2022-03-27 23:48:53 +00:00
* [ ] Check **current** [**network** **information** ](windows-local-privilege-escalation/#network )
2021-11-30 16:46:07 +00:00
* [ ] Check **hidden local services** restricted to the outside
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### [Running Processes](windows-local-privilege-escalation/#running-processes)
2020-07-15 15:43:14 +00:00
2022-03-27 23:48:53 +00:00
* [ ] Processes binaries [**file and folders permissions** ](windows-local-privilege-escalation/#file-and-folder-permissions )
2022-02-28 09:13:08 +00:00
* [ ] [**Memory Password mining** ](windows-local-privilege-escalation/#memory-password-mining )
* [ ] [**Insecure GUI apps** ](windows-local-privilege-escalation/#insecure-gui-apps )
2024-02-15 11:15:28 +00:00
* [ ] Steal credentials with **interesting processes** via `ProcDump.exe` ? (firefox, chrome, etc ...)
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### [Services](windows-local-privilege-escalation/#services)
2020-07-15 15:43:14 +00:00
2024-04-06 16:25:58 +00:00
* [ ] [Can you **modify any service**? ](windows-local-privilege-escalation/#permissions )
2021-11-30 16:46:07 +00:00
* [ ] [Can you **modify** the **binary** that is **executed** by any **service**? ](windows-local-privilege-escalation/#modify-service-binary-path )
2022-08-08 22:59:21 +00:00
* [ ] [Can you **modify** the **registry** of any **service**? ](windows-local-privilege-escalation/#services-registry-modify-permissions )
2021-11-30 16:46:07 +00:00
* [ ] [Can you take advantage of any **unquoted service** binary **path**? ](windows-local-privilege-escalation/#unquoted-service-paths )
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### [**Applications**](windows-local-privilege-escalation/#applications)
2020-08-18 15:38:51 +00:00
2022-03-27 23:48:53 +00:00
* [ ] **Write** [**permissions on installed applications** ](windows-local-privilege-escalation/#write-permissions )
2022-02-28 09:13:08 +00:00
* [ ] [**Startup Applications** ](windows-local-privilege-escalation/#run-at-startup )
2022-03-27 23:48:53 +00:00
* [ ] **Vulnerable** [**Drivers** ](windows-local-privilege-escalation/#drivers )
2020-08-18 15:38:51 +00:00
2022-05-01 13:25:53 +00:00
### [DLL Hijacking](windows-local-privilege-escalation/#path-dll-hijacking)
2020-07-15 15:43:14 +00:00
* [ ] Can you **write in any folder inside PATH** ?
* [ ] Is there any known service binary that **tries to load any non-existant DLL** ?
2021-11-30 16:46:07 +00:00
* [ ] Can you **write** in any **binaries folder** ?
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### [Network](windows-local-privilege-escalation/#network)
2020-08-19 09:14:23 +00:00
2022-08-08 22:59:21 +00:00
* [ ] Enumerate the network (shares, interfaces, routes, neighbours, ...)
* [ ] Take a special look at network services listening on localhost (127.0.0.1)
2020-08-19 09:14:23 +00:00
2022-05-01 13:25:53 +00:00
### [Windows Credentials](windows-local-privilege-escalation/#windows-credentials)
2020-07-15 15:43:14 +00:00
2022-03-27 23:48:53 +00:00
* [ ] [**Winlogon** ](windows-local-privilege-escalation/#winlogon-credentials )credentials
2022-08-08 22:59:21 +00:00
* [ ] [**Windows Vault** ](windows-local-privilege-escalation/#credentials-manager-windows-vault ) credentials that you could use?
2020-07-15 15:43:14 +00:00
* [ ] Interesting [**DPAPI credentials** ](windows-local-privilege-escalation/#dpapi )?
2020-08-19 09:14:23 +00:00
* [ ] Passwords of saved [**Wifi networks** ](windows-local-privilege-escalation/#wifi )?
2022-01-31 14:51:03 +00:00
* [ ] Interesting info in [**saved RDP Connections** ](windows-local-privilege-escalation/#saved-rdp-connections )?
2020-08-19 09:14:23 +00:00
* [ ] Passwords in [**recently run commands** ](windows-local-privilege-escalation/#recently-run-commands )?
2020-08-19 11:51:33 +00:00
* [ ] [**Remote Desktop Credentials Manager** ](windows-local-privilege-escalation/#remote-desktop-credential-manager ) passwords?
2020-07-15 15:43:14 +00:00
* [ ] [**AppCmd.exe** exists ](windows-local-privilege-escalation/#appcmd-exe )? Credentials?
* [ ] [**SCClient.exe** ](windows-local-privilege-escalation/#scclient-sccm )? DLL Side Loading?
2022-05-01 13:25:53 +00:00
### [Files and Registry (Credentials)](windows-local-privilege-escalation/#files-and-registry-credentials)
2020-07-15 15:43:14 +00:00
2022-03-27 23:48:53 +00:00
* [ ] **Putty:** [**Creds** ](windows-local-privilege-escalation/#putty-creds ) **and** [**SSH host keys** ](windows-local-privilege-escalation/#putty-ssh-host-keys )
* [ ] [**SSH keys in registry** ](windows-local-privilege-escalation/#ssh-keys-in-registry )?
2020-08-19 09:14:23 +00:00
* [ ] Passwords in [**unattended files** ](windows-local-privilege-escalation/#unattended-files )?
* [ ] Any [**SAM & SYSTEM** ](windows-local-privilege-escalation/#sam-and-system-backups ) backup?
* [ ] [**Cloud credentials** ](windows-local-privilege-escalation/#cloud-credentials )?
2022-08-08 22:59:21 +00:00
* [ ] [**McAfee SiteList.xml** ](windows-local-privilege-escalation/#mcafee-sitelist.xml ) file?
2022-03-27 23:48:53 +00:00
* [ ] [**Cached GPP Password** ](windows-local-privilege-escalation/#cached-gpp-pasword )?
2020-08-19 09:14:23 +00:00
* [ ] Password in [**IIS Web config file** ](windows-local-privilege-escalation/#iis-web-config )?
* [ ] Interesting info in [**web** **logs** ](windows-local-privilege-escalation/#logs )?
* [ ] Do you want to [**ask for credentials** ](windows-local-privilege-escalation/#ask-for-credentials ) to the user?
* [ ] Interesting [**files inside the Recycle Bin** ](windows-local-privilege-escalation/#credentials-in-the-recyclebin )?
* [ ] Other [**registry containing credentials** ](windows-local-privilege-escalation/#inside-the-registry )?
2022-08-08 22:59:21 +00:00
* [ ] Inside [**Browser data** ](windows-local-privilege-escalation/#browsers-history ) (dbs, history, bookmarks, ...)?
2022-03-27 23:48:53 +00:00
* [ ] [**Generic password search** ](windows-local-privilege-escalation/#generic-password-search-in-files-and-registry ) in files and registry
* [ ] [**Tools** ](windows-local-privilege-escalation/#tools-that-search-for-passwords ) to automatically search for passwords
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### [Leaked Handlers](windows-local-privilege-escalation/#leaked-handlers)
2020-07-15 15:43:14 +00:00
2020-08-19 09:14:23 +00:00
* [ ] Have you access to any handler of a process run by administrator?
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### [Pipe Client Impersonation](windows-local-privilege-escalation/#named-pipe-client-impersonation)
2020-07-15 15:43:14 +00:00
2020-08-19 09:14:23 +00:00
* [ ] Check if you can abuse it
2022-04-28 16:01:33 +00:00
2024-03-14 23:01:13 +00:00
**Try Hard Security Group**
2024-04-06 16:25:58 +00:00
< figure > < img src = "../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt = "" > < figcaption > < / figcaption > < / figure >
2024-03-14 23:01:13 +00:00
{% embed url="https://discord.gg/tryhardsecurity" %}
2022-04-28 16:01:33 +00:00
< details >
2024-01-12 07:53:44 +00:00
< summary > < strong > Learn AWS hacking from zero to hero with< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-01-12 07:53:44 +00:00
Other ways to support HackTricks:
2022-04-28 16:01:33 +00:00
2024-01-12 07:53:44 +00:00
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
* Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
* Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
2024-04-06 16:25:58 +00:00
* **Join the** 💬 [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** us on **Twitter** 🐦 [**@carlospolopm** ](https://twitter.com/hacktricks\_live )**.**
2024-01-12 07:53:44 +00:00
* **Share your hacking tricks by submitting PRs to the** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) and [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github repos.
2022-04-28 16:01:33 +00:00
< / details >