Windows Privilege Escalation Cheatsheet: Your Ultimate Guide for Pentesters

Initial Reconnaissance for Windows Privilege Escalation

Enumerating System Information and User Privileges

The systeminfo command provides a wealth of details about the operating system, including version, build number, installed hotfixes, and system uptime. This is invaluable for identifying missing patches and potential kernel exploits.

systeminfo

Specifically look for the "OS Version," "OS Build," and "Hotfix(s)" sections.

Knowing your current user's privileges and local group memberships is fundamental. Are you a member of a privileged group, even if not an Administrator?

whoami /priv
whoami /groups
net user 
net localgroup administrators
net localgroup "Remote Desktop Users"
net localgroup "Backup Operators"

The whoami /priv command lists the privileges held by the current user. Look for interesting ones like SeDebugPrivilege, SeImpersonatePrivilege, or SeTakeOwnershipPrivilege. These often lead directly to privilege escalation. net user and net localgroup help map out the local users and their group memberships, revealing other potential targets or pathways.

Sometimes, sensitive information like passwords or API keys are stored in environment variables.

set

Identifying Running Processes and Services

The tasklist command shows all running processes. Use the /svc switch to see associated services, which might reveal services running with higher privileges.

tasklist /svc
tasklist /v /fo list

Look for processes running as SYSTEM or Administrator. Pay attention to their associated modules and paths. The /v (verbose) and /fo list (format output as list) switches give you more details.

The sc query command lets you query service configurations. You're particularly interested in services configured to run automatically or as SYSTEM.

sc query state= all | findstr "SERVICE_NAME DISPLAY_NAME STATE"

Once you identify a service of interest, query its specific configuration:

sc qc 

Look for the BINARY_PATH_NAME and SERVICE_START_NAME (the account the service runs as). This is crucial for identifying unquoted service paths or weak service permissions.

Checking Network Configuration and Shares

ipconfig /all

This reveals network adapters, IP addresses, DNS servers, and potentially domain information. Knowing the network layout is essential.

netstat -ano

Lists all active connections and listening ports, along with the PID of the process. This can reveal services listening locally or externally, or connections to other internal systems. Use tasklist | findstr to map PIDs to processes.

net share

Identifies shared folders on the system. Check permissions on these shares; sometimes sensitive files are exposed.

Key Takeaway: Thorough initial reconnaissance with native Windows commands is your foundational step. It helps paint a clear picture of the target system's vulnerabilities, guiding your Windows privilege escalation efforts effectively.

Common Windows Privilege Escalation Vectors

Unquoted Service Paths

Consider a service path: C:\Program Files\My Application\service.exe. If unquoted, Windows might try to execute C:\Program.exe, then C:\Program Files\My.exe, and so on, before reaching the intended executable. If you can place a malicious executable (e.g., Program.exe) in one of these intermediate directories with appropriate permissions, the service will execute it with its own privileges (often SYSTEM).

Use wmic to query services and filter for unquoted paths running automatically:

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

This command lists services configured to start automatically, excludes Windows system services, and filters for paths not enclosed in double quotes.

If you find a vulnerable service, check if you have write permissions to any of the intermediate directories (e.g., C:\ or C:\Program Files\). If so, compile a malicious executable (like a reverse shell) named to match the potential misinterpretation (e.g., Program.exe) and place it in the highest-level writable directory. Restart the service or wait for the next system reboot/service start.

Weak Service Permissions

If a low-privileged user has write permissions to a service's executable file or its configuration (e.g., the registry key for the service), they can replace the legitimate executable with a malicious one or reconfigure the service to run a different binary.

After finding services of interest with sc qc , check the permissions on the service executable's path using icacls:

icacls "C:\Program Files\VulnerableApp\service.exe"

Look for `(M)` (modify) or `(F)` (full control) permissions for your current user or a group you belong to. You can also check permissions on the service's registry key: HKLM\SYSTEM\CurrentControlSet\Services\.

If you have write access to the executable, replace it with your malicious payload. If you have write access to the service's registry key, you can change the ImagePath to point to your payload. Then, restart the service to execute your payload with the service's privileges.

AlwaysInstallElevated

Two specific registry keys, one in HKLM and one in HKCU, enable this. If both are set to 1, the MSI engine will install packages with elevated privileges, regardless of the user's actual permissions.

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

If both commands return a value of 0x1, this vector is exploitable.

Create a malicious MSI package (e.g., using `msfvenom` or `DarkSide-MSI`) that adds a new administrator user or executes a reverse shell. Then, install it:

msiexec /qn /i C:\Path\To\Malicious.msi

DLL Hijacking

An application attempts to load malicious.dll. If it searches in a user-writable directory (like its current working directory or a path in the `PATH` environment variable) before the system directories, you can place your own malicious.dll there. When the application starts, it loads your DLL, executing your code with the application's privileges.

Use tools like `Procmon` (Process Monitor) from Sysinternals to monitor applications for "NAME NOT FOUND" errors when trying to load DLLs. This indicates a missing DLL that could be hijacked. Look for applications running with elevated privileges.

Create a malicious DLL (e.g., a reverse shell) named after the missing DLL. Place it in the directory where the application is searching first and has write permissions. When the application starts, it will load your DLL.

Stored Credentials (Registry, Files)

The registry can hold plaintext passwords, hashes, or other sensitive data. Look for common keywords.

reg query HKLM /f password /t REG_SZ /s
reg query HKLM /f credential /t REG_SZ /s

These commands search the entire `HKLM` hive for entries containing "password" or "credential".

Files like unattend.xml or sysprep.xml (often found in C:\Windows\Panther, C:\Windows\System32\sysprep) can contain plaintext administrator passwords used during system setup.

dir /s C:\unattend.xml
dir /s C:\Windows\Panther\unattend.xml
dir /s C:\Windows\System32\sysprep\unattend.xml

Many applications store database credentials, API keys, or service account details in their configuration files (e.g., XML, INI, TXT). Search common application directories.

findstr /si password *.config *.xml *.ini *.txt

This command searches for "password" in common configuration file types recursively.

The `cmdkey` command can list cached credentials for network resources.

cmdkey /list

Key Takeaway: Many Windows privilege escalation vectors rely on misconfigurations rather than complex exploits. Focus on identifying weak permissions, unquoted paths, and cached credentials first, as these are often the easiest wins.

Kernel Exploits and Missing Patches for Windows Privilege Escalation

Microsoft regularly releases patches for vulnerabilities, including those in the kernel. If a system hasn't been updated, it might be susceptible to publicly known kernel exploits that can grant SYSTEM privileges.

You've already used `systeminfo` to list installed hotfixes. Now, you need to compare this list against known vulnerabilities for that specific Windows version.

Once you identify a potential CVE (Common Vulnerabilities and Exposures) through these tools, search Exploit-DB or similar databases for a matching exploit code. Often, these exploits are written in C/C++ and need to be compiled and executed on the target system. Remember to transfer and compile carefully.

Key Takeaway: Kernel exploits are powerful but require precision. Tools like Sherlock and Windows-Exploit-Suggester automate the discovery of missing patches, significantly reducing the manual effort in finding potential kernel-level Windows privilege escalation paths.

Post-Exploitation Tools and Techniques for Windows Privilege Escalation

PowerShell Scripts: PowerUp.ps1

powershell.exe -nop -ep bypass
. .\PowerUp.ps1
Invoke-AllChecks

This will run all checks and print out potential vulnerabilities. It's a fantastic starting point for automated enumeration.

Metasploit Framework

meterpreter > getsystem
meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"

The `incognito` module allows for token impersonation, which is another powerful Windows privilege escalation technique if you find a token for a highly privileged user.

Mimikatz

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit

Running Mimikatz often requires high integrity, so you'll typically use it after an initial privilege escalation. The output from `sekurlsa::logonpasswords` is gold for further attacks.

Key Takeaway: Specialized tools like PowerUp and Metasploit streamline the search for Windows privilege escalation vectors, while Mimikatz is indispensable for extracting credentials that can lead to further compromise.

Best Practices for Preventing Windows Privilege Escalation

By focusing on these best practices, organizations can significantly reduce their attack surface and make it much harder for attackers to achieve Windows privilege escalation.

Frequently Asked Questions

What is Windows Privilege Escalation?

Windows privilege escalation is the unauthorized act of gaining higher-level access to a Windows system than initially obtained. This typically involves moving from a standard user account to an Administrator or SYSTEM account, allowing for greater control and impact on the compromised machine.

What are the most common Windows privilege escalation techniques?

Some of the most common techniques include exploiting unquoted service paths, weak service permissions, misconfigured AlwaysInstallElevated registry settings, DLL hijacking, finding stored credentials in files or the registry, and leveraging missing security patches for known kernel vulnerabilities.

What tools are essential for Windows privilege escalation?

Essential tools for Windows privilege escalation include native Windows commands (like systeminfo, tasklist, sc, icacls), PowerShell scripts like PowerUp.ps1, the Metasploit Framework, and credential dumping tools such as Mimikatz.

How can I prevent Windows privilege escalation on my systems?

Preventing Windows privilege escalation involves adhering to the Principle of Least Privilege, maintaining a rigorous patch management schedule, enforcing strong file and registry permissions, implementing application whitelisting, keeping UAC enabled, and effectively monitoring system logs for suspicious activity.