Windows Privilege Escalation
Overview
Techniques for escalating from a low-privileged user to SYSTEM or local Administrator on Windows: enumerate the host and its services, look for misconfigurations (unquoted service paths, AlwaysInstallElevated, stored credentials), and confirm them before exploiting.
Cheatsheet
Enumeration
whoami /all                      # Current user, SID, group memberships and privileges (watch for SeImpersonatePrivilege, SeBackupPrivilege, etc.)
systeminfo                       # OS version, build and installed hotfixes (for kernel/patch-level checks)
net user                         # List local users
net localgroup administrators    # List members of the local Administrators group
Services
sc query                                  # Query service state
Get-Service                               # PowerShell: list services (no binary paths)
wmic service get name,pathname            # List service names and binary paths (wmic is deprecated on recent Windows builds)
Get-CimInstance Win32_Service | Select-Object Name,PathName,StartMode,StartName   # PowerShell equivalent that also shows start mode and the account the service runs as
Unquoted Paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """   # Auto-start services outside C:\Windows whose path is not wrapped in quotes
An unquoted path is only exploitable if it contains a space (e.g. C:\Program Files\App Dir\svc.exe) and you can write to one of the directories Windows searches first (C:\Program.exe, C:\Program Files\App.exe), so check the ACLs on those directories and confirm the service runs as a privileged account and can be restarted (or that you can reboot).
Always Install Elevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated   # Machine policy
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated   # User policy
Both values must be 1; if either key is missing or 0, MSI packages are not installed with SYSTEM privileges and the technique does not apply.
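The two checks above, implemented as an added PowerShell example (this is not code from the original cheatsheet, and the function names Get-UnquotedServicePath, Test-DirWritable and Test-AlwaysInstallElevated are my own). It goes one step further than the one-liners: for each unquoted service path it lists the hijack locations Windows would try before the real binary and tests whether the current user can write there, and for AlwaysInstallElevated it enforces the rule that both the HKLM and HKCU values must be 1.

```powershell
# Added example, not part of the original page. Run from the low-privilege
# session you are assessing. Test-DirWritable creates and deletes a zero-byte
# probe file, so it leaves a trace in file-system auditing.

function Test-DirWritable([string]$Dir) {
    # Returns $true if the current user can create a file in $Dir.
    if (-not (Test-Path -LiteralPath $Dir)) { return $false }
    $probe = Join-Path $Dir ([guid]::NewGuid().ToString() + '.tmp')
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    # Services whose binary path is unquoted, contains a space and is not under
    # %SystemRoot%. For C:\Program Files\My App\svc.exe Windows tries
    # C:\Program.exe, then C:\Program Files\My.exe, before the real binary.
    Get-CimInstance Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path -or $path.StartsWith('"')) { return }     # missing or already quoted
        $m = [regex]::Match($path, '^(.*?\.exe)', 'IgnoreCase')   # drop service arguments
        if (-not $m.Success) { return }
        $exe = $m.Groups[1].Value
        if ($exe -notmatch ' ') { return }                        # no space: not exploitable
        if ($exe -like "$env:SystemRoot*") { return }             # skip C:\Windows

        $parts = $exe.Split(' ')
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
            $prefix = $parts[0..($i - 1)] -join ' '
            $dir = Split-Path -Path $prefix -Parent
            [pscustomobject]@{
                HijackPath = "$prefix.exe"
                Dir        = $dir
                Writable   = Test-DirWritable $dir
            }
        }
        [pscustomobject]@{
            Service    = $_.Name
            StartMode  = $_.StartMode
            RunAs      = $_.StartName
            Path       = $exe
            Candidates = $candidates
        }
    }
}

function Test-AlwaysInstallElevated {
    # Exploitable only when BOTH the machine and the user policy value are 1.
    $sub = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $result = @{}
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = Get-ItemProperty -Path "${hive}:\$sub" -ErrorAction SilentlyContinue
        $result[$hive] = if ($key -and $null -ne $key.AlwaysInstallElevated) { [int]$key.AlwaysInstallElevated } else { 0 }
    }
    [pscustomobject]@{
        HKLM        = $result['HKLM']
        HKCU        = $result['HKCU']
        Exploitable = ($result['HKLM'] -eq 1 -and $result['HKCU'] -eq 1)
    }
}

# Usage: AlwaysInstallElevated status, then only the services with a writable hijack directory.
Test-AlwaysInstallElevated
Get-UnquotedServicePath |
    Where-Object { $_.Candidates.Writable -contains $true } |
    Format-List Service, StartMode, RunAs, Path,
        @{ Name = 'WritableHijackPaths'; Expression = { ($_.Candidates | Where-Object Writable).HijackPath -join ', ' } }
```

A service that appears in the second listing still needs to run as LocalSystem (or another privileged account, see RunAs) and to be restartable by you, or the box rebootable, before it is worth dropping a binary at the hijack path.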
Tools
winPEAS.exe                                    # Run winPEAS enumeration (services, registry, credentials, paths)
Import-Module .\PowerUp.ps1; Invoke-AllChecks  # Run PowerUp misconfiguration checks
Common Pitfalls
- Checking only one AlwaysInstallElevated key: the HKLM and HKCU values must both be 1
- Missing service misconfigurations (unquoted paths with spaces, weak service or binary permissions) by not enumerating binary paths and start accounts
Exam Survival Tips
- Run winPEAS early, then verify its findings by hand
- Check for stored credentials (Credential Manager, autologon entries in the registry, unattend and config files)