https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation
Obtain System information
Search for kernel exploits using scripts
Use Google to search for kernel exploits
Use searchsploit to search for kernel exploits
Interesting info in env vars?
Passwords in PowerShell history?
Interesting info in Internet settings?
Drives?
WSUS exploit?
AlwaysInstallElevated?
Check Audit and WEF settings
Check LAPS
Check if WDigest is active
LSA Protection?
Credential Guard?
Cached Credentials?
Check for any AV
AppLocker Policy?
UAC?
Check current user privileges
Are you a member of any privileged group?
Check if you have any of these tokens enabled: SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege?
User sessions?
Check users' homes (access?)
Check Password Policy
What is inside the Clipboard?
Check current network information
Check hidden local services restricted to the outside
Process binaries: file and folder permissions
Memory Password mining
Insecure GUI apps
Can you modify any service?
Can you modify the binary that is executed by any service?
Can you modify the registry of any service?
Can you take advantage of any unquoted service binary path?
Write permissions on installed applications
Startup Applications
Vulnerable Drivers
Can you write in any folder inside PATH?
Is there any known service binary that tries to load any nonexistent DLL?
Can you write in any binaries folder?
Enumerate the network (shares, interfaces, routes, neighbours...)
Take a special look at network services listening on localhost (127.0.0.1)
Winlogon credentials
Windows Vault credentials that you could use?
Interesting DPAPI credentials?
Passwords of saved Wi-Fi networks?
Interesting info in saved RDP Connections?
Passwords in recently run commands?
Remote Desktop Credentials Manager passwords?
AppCmd.exe exists? Credentials?
SCClient.exe? DLL Side Loading?
PuTTY: Creds and SSH host keys
SSH keys in registry?
Passwords in unattended files?
Any SAM & SYSTEM backup?
Cloud credentials?
McAfee SiteList.xml file?
Cached GPP Password?
Password in IIS Web config file?
Interesting info in web logs?
Do you want to ask the user for credentials?
Interesting files inside the Recycle Bin?
Other registry containing credentials?
Inside Browser data (dbs, history, bookmarks, ...)?
Generic password search in files and registry
Tools to automatically search for passwords
Have you access to any handler of a process run by administrator?
Check if you can abuse it