hacktricks/windows/checklist-windows-privilege-escalation.md
2021-03-15 22:35:58 +00:00

124 lines
9.1 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Checklist - Local Windows Privilege Escalation
### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)\*\*\*\*
### [System Info](windows-local-privilege-escalation/#system-info)
* [ ] Obtain [**System information**](windows-local-privilege-escalation/#system-info)\*\*\*\*
* [ ] Search for **kernel** [**exploits using scripts**](windows-local-privilege-escalation/#version-exploits)\*\*\*\*
* [ ] Use **Google to search** for kernel **exploits**
* [ ] Use **searchsploit to search** for kernel **exploits**
* [ ] Interesting info in [**env vars**](windows-local-privilege-escalation/#environment)?
* [ ] Passwords in [**PowerShell history**](windows-local-privilege-escalation/#powershell-history)?
* [ ] Interesting info in [**Internet settings**](windows-local-privilege-escalation/#internet-settings)?
* [ ] [**Drives**](windows-local-privilege-escalation/#drives)?
* [ ] \*\*\*\*[**WSUS exploit**](windows-local-privilege-escalation/#wsus)?
* [ ] \*\*\*\*[**AlwaysInstallElevated**](windows-local-privilege-escalation/#alwaysinstallelevated)?
### [Logging/AV enumeration](windows-local-privilege-escalation/#enumeration)
* [ ] Check [**Audit** ](windows-local-privilege-escalation/#audit-settings)and [**WEF** ](windows-local-privilege-escalation/#wef)settings
* [ ] Check [**LAPS**](windows-local-privilege-escalation/#laps)\*\*\*\*
* [ ] Check if [**WDigest** ](windows-local-privilege-escalation/#wdigest)is active
* [ ] [**LSA Protection**](windows-local-privilege-escalation/#lsa-protection)?
* [ ] \*\*\*\*[**Credentials Guard**](windows-local-privilege-escalation/#credentials-guard)[?](windows-local-privilege-escalation/#cached-credentials)
* [ ] [**Cached Credentials**](windows-local-privilege-escalation/#cached-credentials)?
* [ ] Check if any [**AV**](windows-local-privilege-escalation/#av)\*\*\*\*
* [ ] \*\*\*\*[**AppLocker Policy**](windows-local-privilege-escalation/#applocker-policy)?
* [ ] [**UAC**](windows-local-privilege-escalation/#uac)?
### \*\*\*\*[**User Privileges**](windows-local-privilege-escalation/#users-and-groups)
* [ ] Check [**current** user **privileges**](windows-local-privilege-escalation/#users-and-groups)\*\*\*\*
* [ ] Are you [**member of any privileged group**](windows-local-privilege-escalation/#privileged-groups)?
* [ ] Check if you have [any of these tokens enabled](windows-local-privilege-escalation/#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
* [ ] [**Users Sessions**](windows-local-privilege-escalation/#logged-users-sessions)?
* [ ] Check[ **users homes**](windows-local-privilege-escalation/#home-folders) \(access?\)
* [ ] Check [**Password Policy**](windows-local-privilege-escalation/#password-policy)\*\*\*\*
* [ ] What is[ **inside the Clipboard**](windows-local-privilege-escalation/#get-the-content-of-the-clipboard)?
### [Network](windows-local-privilege-escalation/#network)
* [ ] Check **current** [**network** **information**](windows-local-privilege-escalation/#network)\*\*\*\*
* [ ] Check **hidden local services** restricted to the outside
### [Running Processes](windows-local-privilege-escalation/#running-processes)
* [ ] Processes binaries [**file and folders permissions**](windows-local-privilege-escalation/#file-and-folder-permissions)\*\*\*\*
* [ ] \*\*\*\*[**Memory Password mining**](windows-local-privilege-escalation/#memory-password-mining)\*\*\*\*
* [ ] \*\*\*\*[**Insecure GUI apps**](windows-local-privilege-escalation/#insecure-gui-apps)\*\*\*\*
### [Services](windows-local-privilege-escalation/#services)
* [ ] [Can you **modify any service**?](windows-local-privilege-escalation/#permissions)
* [ ] [Can you **modify** the **binary** that is **executed** by any **service**?](windows-local-privilege-escalation/#modify-service-binary-path)
* [ ] [Can you **modify** the **registry** of any **service**?](windows-local-privilege-escalation/#services-registry-permissions)
* [ ] [Can you take advantage of any **unquoted service** binary **path**?](windows-local-privilege-escalation/#unquoted-service-paths)
### \*\*\*\*[**Applications**](windows-local-privilege-escalation/#applications)\*\*\*\*
* [ ] **Write** [**permissions on installed applications**](windows-local-privilege-escalation/#write-permissions)\*\*\*\*
* [ ] \*\*\*\*[**Startup Applications**](windows-local-privilege-escalation/#run-at-startup)\*\*\*\*
* [ ] **Vulnerable** [**Drivers**](windows-local-privilege-escalation/#drivers)\*\*\*\*
### [DLL Hijacking](windows-local-privilege-escalation/#path-dll-hijacking)
* [ ] Can you **write in any folder inside PATH**?
* [ ] Is there any known service binary that **tries to load any non-existant DLL**?
* [ ] Can you **write** in any **binaries folder**?
### [Network](windows-local-privilege-escalation/#network)
* [ ] Enumerate the network\(shares, interfaces, routes, neighbours...\)
* [ ] Take a special look to network services listing on local \(127.0.0.1\)
### [Windows Credentials](windows-local-privilege-escalation/#windows-credentials)
* [ ] \*\*\*\*[**Winlogon** ](windows-local-privilege-escalation/#winlogon-credentials)credentials
* [ ] [**Windows Vault**](windows-local-privilege-escalation/#windows-vault) credentials that you could use?
* [ ] Interesting [**DPAPI credentials**](windows-local-privilege-escalation/#dpapi)?
* [ ] Passwords of saved [**Wifi networks**](windows-local-privilege-escalation/#wifi)?
* [ ] Interesting info in ****[**saved RDP Connections**](windows-local-privilege-escalation/#saved-rdp-connections)?
* [ ] Passwords in [**recently run commands**](windows-local-privilege-escalation/#recently-run-commands)?
* [ ] [**Remote Desktop Credentials Manager**](windows-local-privilege-escalation/#remote-desktop-credential-manager) passwords?
* [ ] [**AppCmd.exe** exists](windows-local-privilege-escalation/#appcmd-exe)? Credentials?
* [ ] [**SCClient.exe**](windows-local-privilege-escalation/#scclient-sccm)? DLL Side Loading?
### [Files and Registry \(Credentials\)](windows-local-privilege-escalation/#files-and-registry-credentials)
* [ ] **Putty:** [**Creds**](windows-local-privilege-escalation/#putty-creds) **and** [**SSH host keys**](windows-local-privilege-escalation/#putty-ssh-host-keys)\*\*\*\*
* [ ] \*\*\*\*[**SSH keys in registry**](windows-local-privilege-escalation/#ssh-keys-in-registry)?
* [ ] Passwords in [**unattended files**](windows-local-privilege-escalation/#unattended-files)?
* [ ] Any [**SAM & SYSTEM**](windows-local-privilege-escalation/#sam-and-system-backups) backup?
* [ ] [**Cloud credentials**](windows-local-privilege-escalation/#cloud-credentials)?
* [ ] \*\*\*\*[**McAfee SiteList.xml**](windows-local-privilege-escalation/#mcafee-sitelist-xml) file?
* [ ] \*\*\*\*[**Cached GPP Password**](windows-local-privilege-escalation/#cached-gpp-pasword)?
* [ ] Password in [**IIS Web config file**](windows-local-privilege-escalation/#iis-web-config)?
* [ ] Interesting info in [**web** **logs**](windows-local-privilege-escalation/#logs)?
* [ ] Do you want to [**ask for credentials**](windows-local-privilege-escalation/#ask-for-credentials) to the user?
* [ ] Interesting [**files inside the Recycle Bin**](windows-local-privilege-escalation/#credentials-in-the-recyclebin)?
* [ ] Other [**registry containing credentials**](windows-local-privilege-escalation/#inside-the-registry)?
* [ ] Inside [**Browser data**](windows-local-privilege-escalation/#browsers-history) \(dbs, history, bookmarks....\)?
* [ ] \*\*\*\*[**Generic password search**](windows-local-privilege-escalation/#generic-password-search-in-files-and-registry) in files and registry
* [ ] \*\*\*\*[**Tools**](windows-local-privilege-escalation/#tools-that-search-for-passwords) to automatically search for passwords
### [Leaked Handlers](windows-local-privilege-escalation/#leaked-handlers)
* [ ] Have you access to any handler of a process run by administrator?
### [Pipe Client Impersonation](windows-local-privilege-escalation/#named-pipe-client-impersonation)
* [ ] Check if you can abuse it
### And more...
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, ****join the [💬](https://emojipedia.org/speech-balloon/) ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%284%29.png)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*