Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-22 20:53:37 +00:00
Code Issues Projects Releases Packages Wiki Activity

Translated ['windows-hardening/checklist-windows-privilege-escalation.md

Browse source
This commit is contained in:
Translator 2024-02-15 12:03:50 +00:00
parent 9ce925dedc
commit a332e35a8c
1 changed files with 51 additions and 50 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

101
windows-hardening/checklist-windows-privilege-escalation.md
View file

@ -2,14 +2,14 @@
<details>
<summary><strong>从零开始学习AWS黑客技术成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTEHackTricks AWS红队专家</strong></a><strong></strong></summary>
<summary><strong>从零开始学习AWS黑客技术成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTEHackTricks AWS Red Team Expert</strong></a><strong></strong></summary>
支持HackTricks的其他方式
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASSHackTricks周边产品**](https://peass.creator-spring.com)
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[NFT](https://opensea.io/collection/the-peass-family)收藏品
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter**上关注我们 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[NFTs](https://opensea.io/collection/the-peass-family)收藏品
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或 **关注**我们的**Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
</details>
@ -22,9 +22,9 @@
* [ ] 使用脚本搜索**内核**[**漏洞**](windows-local-privilege-escalation/#version-exploits)
* [ ] 使用**Google搜索**内核**漏洞**
* [ ] 使用**searchsploit搜索**内核**漏洞**
* [ ] [**环境变量**](windows-local-privilege-escalation/#environment)中有趣的信息
* [ ] [**PowerShell历史记录**](windows-local-privilege-escalation/#powershell-history)中有密码吗
* [ ] [**Internet设置**](windows-local-privilege-escalation/#internet-settings)中有趣的信息
* [ ] [**环境变量**](windows-local-privilege-escalation/#environment)中有趣的信息?
* [ ] [**PowerShell历史记录**](windows-local-privilege-escalation/#powershell-history)中的密码
* [ ] [**Internet设置**](windows-local-privilege-escalation/#internet-settings)中有趣的信息?
* [ ] [**驱动器**](windows-local-privilege-escalation/#drives)
* [ ] [**WSUS漏洞**](windows-local-privilege-escalation/#wsus)
* [**AlwaysInstallElevated**](windows-local-privilege-escalation/#alwaysinstallelevated)
@ -33,19 +33,19 @@
* [ ] 检查[**审计**](windows-local-privilege-escalation/#audit-settings)和[**WEF**](windows-local-privilege-escalation/#wef)设置
* [ ] 检查[**LAPS**](windows-local-privilege-escalation/#laps)
* [ ] 检查[**WDigest**](windows-local-privilege-escalation/#wdigest)是否激活
* [ ] [**LSA保护**](windows-local-privilege-escalation/#lsa-protection)
* [ ] [**凭据保护**](windows-local-privilege-escalation/#credentials-guard)[?](windows-local-privilege-escalation/#cached-credentials)
* [ ] [**缓存凭据**](windows-local-privilege-escalation/#cached-credentials)
* [ ] 检查是否有任何[**AV**](windows-av-bypass)
* [ ] [**AppLocker策略**](authentication-credentials-uac-and-efs#applocker-policy)
* 检查[**WDigest**](windows-local-privilege-escalation/#wdigest)是否激活
* [**LSA保护**](windows-local-privilege-escalation/#lsa-protection)?
* [**凭据保护**](windows-local-privilege-escalation/#credentials-guard)[?](windows-local-privilege-escalation/#cached-credentials)
* [**缓存凭据**](windows-local-privilege-escalation/#cached-credentials)
* 检查是否有任何[**AV**](windows-av-bypass)
* [**AppLocker策略**](authentication-credentials-uac-and-efs#applocker-policy)
* [**UAC**](authentication-credentials-uac-and-efs/uac-user-account-control)
* [**用户权限**](windows-local-privilege-escalation/#users-and-groups)
* 检查[**当前**用户**权限**](windows-local-privilege-escalation/#users-and-groups)
* 您是[**任何特权组的成员**](windows-local-privilege-escalation/#privileged-groups)
* 检查是否启用了以下任何一个令牌:**SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege**
* 检查[**当前用户**权限](windows-local-privilege-escalation/#users-and-groups)
* 您是否是[**任何特权组的成员**](windows-local-privilege-escalation/#privileged-groups)
* 检查是否启用了以下任何令牌](windows-local-privilege-escalation/#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
* [**用户会话**](windows-local-privilege-escalation/#logged-users-sessions)
* 检查[**用户主目录**](windows-local-privilege-escalation/#home-folders)(访问权限)
* 检查[**用户主目录**](windows-local-privilege-escalation/#home-folders)(访问?
* 检查[**密码策略**](windows-local-privilege-escalation/#password-policy)
* [**剪贴板**](windows-local-privilege-escalation/#get-the-content-of-the-clipboard)中有什么?
@ -56,20 +56,21 @@
### [运行进程](windows-local-privilege-escalation/#running-processes)
* 进程二进制文件和文件夹权限[**文件和文件夹权限**](windows-local-privilege-escalation/#file-and-folder-permissions)
* 进程二进制文件和文件夹权限](windows-local-privilege-escalation/#file-and-folder-permissions)
* [**内存密码挖掘**](windows-local-privilege-escalation/#memory-password-mining)
* [**不安全的GUI应用程序**](windows-local-privilege-escalation/#insecure-gui-apps)
* 通过`ProcDump.exe`窃取**有趣进程**的凭据firefoxchrome等...
### [服务](windows-local-privilege-escalation/#services)
* [您能否**修改任何服务**](windows-local-privilege-escalation#permissions)
* [您能否**修改**任何**服务**执行的**二进制文件**](windows-local-privilege-escalation/#modify-service-binary-path)
* [您能否**修改**任何**服务**的**注册表**](windows-local-privilege-escalation/#services-registry-modify-permissions)
* 您能否利用任何**未加引号的服务**二进制**路径**](windows-local-privilege-escalation/#unquoted-service-paths)
* [您能否利用任何**未加引号的服务**二进制**路径**](windows-local-privilege-escalation/#unquoted-service-paths)
### [**应用程序**](windows-local-privilege-escalation/#applications)
* 安装应用程序的[**写入权限**](windows-local-privilege-escalation/#write-permissions)
* **写入**[**已安装应用程序的权限**](windows-local-privilege-escalation/#write-permissions)
* [**启动应用程序**](windows-local-privilege-escalation/#run-at-startup)
* **易受攻击的**[**驱动程序**](windows-local-privilege-escalation/#drivers)
@ -78,45 +79,45 @@
* 您能否**写入PATH中的任何文件夹**
* 是否有任何已知的服务二进制文件**尝试加载任何不存在的DLL**
* 您能否在任何**二进制文件夹**中**写入**
### [网络](windows-local-privilege-escalation/#network)
* 枚举网络(共享、接口、路由、邻居,...
* 特别关注监听在本地主机127.0.0.1)上的网络服务
* [ ] 枚举网络(共享、接口、路由、邻居,...
* [ ] 特别关注监听在本地主机127.0.0.1)上的网络服务
### [Windows凭](windows-local-privilege-escalation/#windows-credentials)
### [Windows凭](windows-local-privilege-escalation/#windows-credentials)
* [**Winlogon**](windows-local-privilege-escalation/#winlogon-credentials)凭
* [**Windows Vault**](windows-local-privilege-escalation/#credentials-manager-windows-vault)中您可以使用的凭据
* 有趣的[**DPAPI凭据**](windows-local-privilege-escalation/#dpapi)
* 已保存的[**Wifi网络**](windows-local-privilege-escalation/#wifi)密码?
* 已保存的[**RDP连接**](windows-local-privilege-escalation/#saved-rdp-connections)中有有趣的信息吗
* 最近运行命令中的密码[**密码**](windows-local-privilege-escalation/#recently-run-commands)
* [**远程桌面凭据管理器**](windows-local-privilege-escalation/#remote-desktop-credential-manager)密码?
* [**AppCmd.exe**存在](windows-local-privilege-escalation/#appcmd-exe)?凭
* [**SCClient.exe**](windows-local-privilege-escalation/#scclient-sccm)DLL侧加载
* [ ] [**Winlogon** ](windows-local-privilege-escalation/#winlogon-credentials)凭
* [ ] [**Windows Vault**](windows-local-privilege-escalation/#credentials-manager-windows-vault) 可以使用的凭证
* [ ] 有趣的[**DPAPI凭证**](windows-local-privilege-escalation/#dpapi)
* [ ] 已保存的[**Wifi网络**](windows-local-privilege-escalation/#wifi)密码?
* [ ] 已保存的RDP连接中的有趣信息[**saved RDP Connections**](windows-local-privilege-escalation/#saved-rdp-connections)
* [ ] 最近运行命令中的密码[**recently run commands**](windows-local-privilege-escalation/#recently-run-commands)
* [ ] [**远程桌面凭据管理器**](windows-local-privilege-escalation/#remote-desktop-credential-manager)密码?
* [ ] [**AppCmd.exe** 是否存在](windows-local-privilege-escalation/#appcmd-exe)?凭
* [ ] [**SCClient.exe**](windows-local-privilege-escalation/#scclient-sccm)DLL侧加载
### [文件和注册表(凭](windows-local-privilege-escalation/#files-and-registry-credentials)
### [文件和注册表(凭](windows-local-privilege-escalation/#files-and-registry-credentials)
* **Putty**[**凭据**](windows-local-privilege-escalation/#putty-creds)**和**[**SSH主机密钥**](windows-local-privilege-escalation/#putty-ssh-host-keys)
* 注册表中的[**SSH密钥**](windows-local-privilege-escalation/#ssh-keys-in-registry)
* 未经人工干预的文件中的密码[**密码**](windows-local-privilege-escalation/#unattended-files)
* 任何[**SAM和SYSTEM**](windows-local-privilege-escalation/#sam-and-system-backups)备份?
* [**云凭据**](windows-local-privilege-escalation/#cloud-credentials)
* [**McAfee SiteList.xml**](windows-local-privilege-escalation/#mcafee-sitelist.xml)文件?
* [**缓存的GPP密码**](windows-local-privilege-escalation/#cached-gpp-pasword)
* [**IIS Web配置文件**](windows-local-privilege-escalation/#iis-web-config)中的密码?
* [**Web日志**](windows-local-privilege-escalation/#logs)中有有趣的信息吗?
* 您想向用户[**请求凭据**](windows-local-privilege-escalation/#ask-for-credentials)吗?
* 回收站中的有趣[**文件**](windows-local-privilege-escalation/#credentials-in-the-recyclebin)
* 其他包含凭据的[**注册表**](windows-local-privilege-escalation/#inside-the-registry)
* 浏览器数据中的[**通用密码搜索**](windows-local-privilege-escalation/#browsers-history)(数据库、历史记录、书签,...
* 在文件和注册表中进行[**通用密码搜索**](windows-local-privilege-escalation/#generic-password-search-in-files-and-registry)的[**工具**](windows-local-privilege-escalation/#tools-that-search-for-passwords)
* [ ] **Putty:** [**凭证**](windows-local-privilege-escalation/#putty-creds) **和** [**SSH主机密钥**](windows-local-privilege-escalation/#putty-ssh-host-keys)
* [ ] 注册表中的[**SSH密钥**](windows-local-privilege-escalation/#ssh-keys-in-registry)
* [ ] 无人值守文件中的密码[**unattended files**](windows-local-privilege-escalation/#unattended-files)
* [ ] 任何[**SAM & SYSTEM**](windows-local-privilege-escalation/#sam-and-system-backups)备份?
* [ ] [**云凭证**](windows-local-privilege-escalation/#cloud-credentials)
* [ ] [**McAfee SiteList.xml**](windows-local-privilege-escalation/#mcafee-sitelist.xml) 文件?
* [ ] [**缓存的GPP密码**](windows-local-privilege-escalation/#cached-gpp-pasword)
* [ ] [**IIS Web配置文件**](windows-local-privilege-escalation/#iis-web-config)中的密码?
* [ ] 日志中的有趣信息[**web** **logs**](windows-local-privilege-escalation/#logs)
* [ ] 想要向用户[**请求凭证**](windows-local-privilege-escalation/#ask-for-credentials)吗?
* [ ] 回收站中的有趣[**文件**](windows-local-privilege-escalation/#credentials-in-the-recyclebin)
* [ ] 其他包含凭证的[**注册表**](windows-local-privilege-escalation/#inside-the-registry)
* [ ] 浏览器数据中的[**内容**](windows-local-privilege-escalation/#browsers-history)(数据库、历史记录、书签,...
* [**在文件和注册表中进行通用密码搜索**](windows-local-privilege-escalation/#generic-password-search-in-files-and-registry)
* [**工具**](windows-local-privilege-escalation/#tools-that-search-for-passwords)自动搜索密码
### [泄漏的处理程序](windows-local-privilege-escalation/#leaked-handlers)
* 是否可以访问由管理员运行的进程的任何处理程序?
* [ ] 是否可以访问由管理员运行的进程的任何处理程序?
### [管道客户端冒充](windows-local-privilege-escalation/#named-pipe-client-impersonation)
* 检查是否可以滥用它
* [ ] 检查是否可以滥用它