Introduction
Beginners
- Getting Started
Guides
Cheat Sheets
Methodologies
Linux
- Checklist - Linux Priv Esc
Windows
- Checklist - Windows Priv Esc
Things to do/look at

Powered by GitBook

On this page

Best tool to look for Windows local privilege escalation vectors: WinPEAS
System Info
Logging/AV enumeration
User Privileges
Network
Running Processes
Services
Applications
DLL Hijacking
Network
Windows Credentials
Files and Registry (Credentials)
Leaked Handlers
Pipe Client Impersonation
And more...

Was this helpful?

Windows

Checklist - Windows Priv Esc

https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation

PreviousChecklist - Linux Priv Esc NextThings to do/look at

Last updated 4 months ago

Was this helpful?

Best tool to look for Windows local privilege escalation vectors:

Obtain
Search for kernel
Use Google to search for kernel exploits
Use searchsploit to search for kernel exploits
Interesting info in ?
Passwords in ?
Interesting info in ?
?
?
?

Check and settings
Check
Check if WDigest is active
?
?
?
Check if any
?
?

Check hidden local services restricted to the outside

Can you write in any folder inside PATH?
Is there any known service binary that tries to load any non-existant DLL?
Can you write in any binaries folder?

Enumerate the network(shares, interfaces, routes, neighbours...)
Take a special look to network services listing on local (127.0.0.1)

Have you access to any handler of a process run by administrator?

Check if you can abuse it

And more...

Check

Are you ?

Check if you have : SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege ?

?

Check (access?)

Check

What is?

Check current

Processes binaries

Write

Vulnerable

credentials

credentials that you could use?

Interesting ?

Passwords of saved ?

Interesting info in ?

Passwords in ?

passwords?

? Credentials?

? DLL Side Loading?

Putty: and

?

Passwords in ?

Any backup?

?

file?

?

Password in ?

Interesting info in ?

Do you want to to the user?

Interesting ?

Other ?

Inside (dbs, history, bookmarks....)?

in files and registry

to automatically search for passwords

System information

exploits using scripts

PowerShell history

Internet settings

WSUS exploit

AlwaysInstallElevated

Logging/AV enumeration

WEF

LAPS

LSA Protection

Credentials Guard

Cached Credentials

AppLocker Policy

UAC

User Privileges

current user privileges

member of any privileged group

any of these tokens enabled

Users Sessions

users homes

Password Policy

inside the Clipboard

network information

Running Processes

file and folders permissions

Memory Password mining

Insecure GUI apps

Can you modify any service?

Can you modify the binary that is executed by any service?

Can you modify the registry of any service?

Can you take advantage of any unquoted service binary path?

Applications

permissions on installed applications

Startup Applications

Windows Credentials

Windows Vault

DPAPI credentials

Wifi networks

saved RDP Connections

recently run commands

Remote Desktop Credentials Manager

AppCmd.exe exists

SCClient.exe

Files and Registry (Credentials)

SSH host keys

SSH keys in registry

unattended files

SAM & SYSTEM

Cloud credentials

McAfee SiteList.xml

Cached GPP Password

IIS Web config file

web logs

ask for credentials

files inside the Recycle Bin

registry containing credentials

Browser data

Generic password search

Leaked Handlers

Pipe Client Impersonation