Checklist - Windows Priv Esc

https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation


Last updated 4 months ago


Best tool to look for Windows local privilege escalation vectors: WinPEAS

System Info

  • System information
  • exploits using scripts
  • env vars
  • PowerShell history
  • Internet settings
  • Drives
  • WSUS exploit
  • AlwaysInstallElevated

Logging/AV enumeration

  • Audit
  • WEF
  • LAPS
  • LSA Protection
  • Credentials Guard
  • Cached Credentials
  • AV
  • AppLocker Policy
  • UAC

User Privileges

  • Check current user privileges
  • Are you member of any privileged group?
  • Check if you have any of these tokens enabled: SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege?
  • Users Sessions?
  • Check users homes (access?)
  • Check Password Policy
  • What is inside the Clipboard?

Network

  • Check current network information

Running Processes

  • Processes binaries file and folders permissions
  • Memory Password mining
  • Insecure GUI apps

Services

  • Can you modify any service?
  • Can you modify the binary that is executed by any service?
  • Can you modify the registry of any service?
  • Can you take advantage of any unquoted service binary path?

Applications

  • Write permissions on installed applications
  • Startup Applications
  • Vulnerable Drivers

DLL Hijacking

Network

Windows Credentials

  • Winlogon credentials
  • Windows Vault credentials that you could use?
  • Interesting DPAPI credentials?
  • Passwords of saved Wifi networks?
  • Interesting info in saved RDP Connections?
  • Passwords in recently run commands?
  • Remote Desktop Credentials Manager passwords?
  • AppCmd.exe exists? Credentials?
  • SCClient.exe? DLL Side Loading?

Files and Registry (Credentials)

  • Putty: Creds and SSH host keys
  • SSH keys in registry?
  • Passwords in unattended files?
  • Any SAM & SYSTEM backup?
  • Cloud credentials?
  • McAfee SiteList.xml file?
  • Cached GPP Password?
  • Password in IIS Web config file?
  • Interesting info in web logs?
  • Do you want to ask for credentials to the user?
  • Interesting files inside the Recycle Bin?
  • Other registry containing credentials?
  • Inside Browser data (dbs, history, bookmarks...)?
  • Generic password search in files and registry
  • Tools to automatically search for passwords

Leaked Handlers

Pipe Client Impersonation

And more...