hacktricks/windows/checklist-windows-privilege-escalation.md

Checklist - Local Windows Privilege Escalation

Best tool to look for Windows local privilege escalation vectors: WinPEAS****

System Info

• Obtain System information****
• Search for kernel exploits using scripts****
• Use Google to search for kernel exploits
• Use searchsploit to search for kernel exploits
• Interesting info in env vars?
• Passwords in PowerShell history?
• Interesting info in Internet settings?
• Drives?
• ****WSUS exploit?
• ****AlwaysInstallElevated?

Logging/AV enumeration

• Check Audit and WEF settings
• Check LAPS****
• Check if WDigest is active
• LSA Protection?
• ****Credentials Guard?
• Cached Credentials?
• Check if any AV****
• ****AppLocker Policy?
• UAC?

****User Privileges

• Check current user privileges****
• Are you member of any privileged group?
• Check if you have any of these tokens enabled: SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege ?
• Users Sessions?
• Check users homes access?
• Check Password Policy****
• What is inside the Clipboard?

Network

• Check current network information****
• Check hidden local services restricted to the outside

Running Processes

• Processes binaries file and folders permissions****
• ****Memory Password mining****
• ****Insecure GUI apps****

Services

• Can you modify any service?
• Can you modify the binary that is executed by any service?
• Can you modify the registry of any service?
• Can you take advantage of any unquoted service binary path?

****Applications****

• Write permissions on installed applications****
• ****Startup Applications****
• Vulnerable Drivers****

DLL Hijacking

• Can you write in any folder inside PATH?
• Is there any known service binary that tries to load any non-existant DLL?
• Can you write in any binaries folder?

Credentials

• Windows Vault credentials that you could use?
• Interesting DPAPI credentials?
• Wifi netoworks?
• ****SSH keys in registry?
• Credentials inside "known files"? Inside the Recycle Bin? At home?
• Registry with credentials?
• Inside Browser data dbs, history, bookmarks....?
• AppCmd.exe exists? Credentials?
• SCClient.exe? DLL Side Loading?
• Cloud credentials?

AlwaysInstallElevated

• Is this enabled?

Is vulnerable WSUS?

• Is it vulnerable?

Write Permissions

• Are you able to write files that could grant you more privileges?

Any open handler of a privileged process or thread?

• Maybe the compromised process is vulnerable.

UAC Bypass

• There are several ways to bypass the UAC

If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the PEASS & HackTricks telegram group here.
If you want to share some tricks with the community you can also submit pull requests to ****https://github.com/carlospolop/hacktricks ****that will be reflected in this book.
Don't forget to give ⭐ on the github to motivate me to continue developing this book.

​Buy me a coffee here****