Checklist - Local Windows Privilege Escalation
Best tool to look for Windows local privilege escalation vectors: WinPEAS****
System Info
- Obtain System information****
- Search for kernel exploits using scripts****
- Use Google to search for kernel exploits
- Use searchsploit to search for kernel exploits
- Interesting info in env vars?
- Passwords in PowerShell history?
- Interesting info in Internet settings?
- Drives?
- ****WSUS exploit?
- ****AlwaysInstallElevated?
Logging/AV enumeration
- Check Audit and WEF settings
- Check LAPS****
- Check if WDigest is active
- LSA Protection?
- ****Credentials Guard?
- Cached Credentials?
- Check if any AV****
- ****AppLocker Policy?
- UAC?
****User Privileges
- Check current user privileges****
- Are you member of any privileged group?
- Check if you have any of these tokens enabled: SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege ?
- Users Sessions?
- Check users homes (access?)
- Check Password Policy****
- What is inside the Clipboard?
Network
- Check current network information****
- Check hidden local services restricted to the outside
Running Processes
- Processes binaries file and folders permissions****
- ****Memory Password mining****
- ****Insecure GUI apps****
Services
- Can you modify any service?
- Can you modify the binary that is executed by any service?
- Can you modify the registry of any service?
- Can you take advantage of any unquoted service binary path?
****Applications****
- Write permissions on installed applications****
- ****Startup Applications****
- Vulnerable Drivers****
DLL Hijacking
- Can you write in any folder inside PATH?
- Is there any known service binary that tries to load any non-existant DLL?
- Can you write in any binaries folder?
Network
- Enumerate the network(shares, interfaces, routes, neighbours…)
- Take a special look to network services listing on local (127.0.0.1)
Windows Credentials
- ****Winlogon credentials
- Windows Vault credentials that you could use?
- Interesting DPAPI credentials?
- Passwords of saved Wifi networks?
- Interesting info in ****saved RDP Connections?
- Passwords in recently run commands?
- Remote Desktop Credentials Manager passwords?
- AppCmd.exe exists? Credentials?
- SCClient.exe? DLL Side Loading?
Files and Registry (Credentials)
- Putty: Creds and SSH host keys****
- ****SSH keys in registry?
- Passwords in unattended files?
- Any SAM & SYSTEM backup?
- Cloud credentials?
- ****McAfee SiteList.xml file?
- ****Cached GPP Password?
- Password in IIS Web config file?
- Interesting info in web logs?
- Do you want to ask for credentials to the user?
- Interesting files inside the Recycle Bin?
- Other registry containing credentials?
- Inside Browser data (dbs, history, bookmarks….)?
- ****Generic password search in files and registry
- ****Tools to automatically search for passwords
Leaked Handlers
- Have you access to any handler of a process run by administrator?
Pipe Client Impersonation
- Check if you can abuse it
And more…
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, ****join the 💬 **PEASS & HackTricks telegram group here, or follow me on Twitter** 🐦@carlospolopm.
If you want to share some tricks with the community you can also submit pull requests to ****https://github.com/carlospolop/hacktricks ****that will be reflected in this book.
Don’t forget to give ⭐ on the github to motivate me to continue developing this book.
Buy me a coffee here****