Windows PrivEsc Checklist
Windows privilege escalation methodology
Windows Privilege Escalation
Interactive Mind Map
graph TD
A[Initial Shell] --> B[whoami /all]
B --> C[Service Misconfigs]
C --> D[Unquoted Paths]
D --> E[AlwaysInstallElevated]
E --> F[Stored Credentials]
F --> G[Kernel Exploits]
G --> H[Token Impersonation]
C -->|Found| I[Replace Binary]
D -->|Found| J[Place Malicious EXE]
E -->|Found| K[MSI Installer]
Quick Reference
Enumeration
whoami /all # User privileges and groups
systeminfo # System info and hotfixes
net user # List users
net localgroup administrators # List local admins
Services
sc query # Query services
Get-Service # PowerShell list services
wmic service get name,pathname # List service binary paths
Unquoted Paths
wmic service get name,displayname,pathname | findstr /i /v "C:\Windows" # Find non-standard service paths
Always Install Elevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer # Check AlwaysInstallElevated registry key
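The two checks above (unquoted service paths and AlwaysInstallElevated) done in PowerShell, as an added audit example that is not part of the original checklist. It assumes PowerShell 5.1 or later with CIM available, and the function names are my own.

```powershell
# Added example (not from the original page): audit unquoted service paths
# and the AlwaysInstallElevated policy, reporting what a defender would fix.

function Get-UnquotedServicePath {
    # A path is only at risk if it is unquoted AND has a space before the
    # executable name, e.g.  C:\Program Files\My App\svc.exe -arg
    # Paths under C:\Windows are skipped, matching the findstr filter above.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' } |
        ForEach-Object {
            $path = $_.PathName.Trim()
            # Drop trailing arguments: keep everything up to the first ".exe".
            # (Paths without ".exe" are kept whole; review those by hand.)
            $exe = ($path -split '(?<=\.exe)', 2)[0]
            if ($exe -match '\s' -and $exe -notmatch '^[A-Za-z]:\\Windows\\') {
                [pscustomobject]@{
                    Name      = $_.Name
                    StartMode = $_.StartMode
                    RunAs     = $_.StartName
                    PathName  = $path
                    # Remediation: the same path with the executable quoted.
                    FixedPath = '"' + $exe + '"' + $path.Substring($exe.Length)
                }
            }
        }
}

function Test-AlwaysInstallElevated {
    # The policy only takes effect when BOTH the machine (HKLM) and the
    # user (HKCU) value are 1; checking HKLM alone can mislead either way.
    $key  = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hklm = (Get-ItemProperty "HKLM:\$key" -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $hkcu = (Get-ItemProperty "HKCU:\$key" -ErrorAction SilentlyContinue).AlwaysInstallElevated
    [pscustomobject]@{
        HKLM    = $hklm
        HKCU    = $hkcu
        Enabled = ($hklm -eq 1 -and $hkcu -eq 1)
    }
}

Get-UnquotedServicePath | Format-Table -AutoSize
Test-AlwaysInstallElevated
```

Services that run as LocalSystem with an Auto start mode are the ones to remediate first; setting the quoted FixedPath as the service's ImagePath closes the issue.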
Tools
winPEAS.exe # Run WinPEAS enumeration tool
Import-Module .\PowerUp.ps1; Invoke-AllChecks # Run PowerUp checks