WINDOWS PRIVESC CHECKLIST

PRIMARY CATEGORY → CHECKLISTS   •   WINDOWS PRIVESC

Mindmap

Windows Privesc Mindmap

Zoom in

---

Non-Privileged

• Local Network Enumeration

e.g. Network Interfaces, ARP Table, Routing Table…

• Is the current system a domain-joined machine?

• Software running on any Network Interface

e.g. HTTP ↔ 8000 TCP Port ( 127.0.0.1:8080 )

See the point below

• Any HTTP Web Application or MSSQL Instance → Privesc to LOCAL SERVICE or NETWORK SERVICE → SeImpersonate and SeAssignPrimaryToken → LOCAL SYSTEM

e.g. A Webapp with an Upload Feature → Uploaded files not accesible externally ( e.g. C:\Windows\Tasks\Uploads ) → Current user with WRITE Privileges over the Uploads directory → Junction ( Windows Symlink ) creation pointing to the webroot → Uploaded resources accesible externally

See Media from HTB

• SeImpersonate and SeAssignPrimaryToken Privileges

From LOCAL SERVICE or NETWORK SERVICE to LOCAL SYSTEM

   RoguePotato ↔ RottenPotato ↔ JuicyPotato ↔ PrintSpoofer

• Other Sensitive Windows Privileges related to the Current Access Token

e.g. seDebug, seBackup, seLoadDriver, seTcb and so on

• Local and Domain Privileged Groups to which the Current User belongs

• Look for any valuable local user to target

e.g. A local user account named Alex which belongs to Backup Operators

• Vulnerable or Non-Vulnerable Software Installed

e.g. MRemoteNG

• Check Nested Group Membership

• Sensitive Environment Variables

• Windows Missing Patches and Updates

   Sherlock ↔ Windows Exploit Suggester

• Autologon

   Netexec ↔ Impacket’s REG.py ↔ Get-GPPAutologon

• Always Install Elevated

• Directory Content Checking → C: | Program Files | Program Files (x86) | Users

• Currently Logged-in Users

• Leaked Credentials on Local Users or Computer Description

• Powershell History File

• Look for Powershell Credential Objects

• Interesting Configuration Files

e.g. Resources containing juicy strings such as “pass|password|passwd” and so on

See also Other Interesting Files and Unattended Installation Files

• Windows Sticky Notes

• Credential Extraction from Browsers ( Chrome, Firefox… )

e.g. Cookies, Saved Logins…

• Windows Kernel Abuse

• Credentials stored in Windows Vault and Credential Manager

See DPAPI Abuse

• Look for system directories for which the current user has WRITE Permissions

Accesschk.exe

• Weak Service Permissions

• Coercion through a Shortcut File Upload if the current user has WRITE permissions over interesting and busy local folders or shares

• Monitor for new System Processes

• Credential Hunting in Network Traffic

• UAC Bypasses if needed

• Current User’s Clipboard Monitoring

• For any Microsoft Exchange Server deployed, see Sensitive Information Extraction from Microsoft Exchange Inbox

• Check for ADS in files

• List existing Scheduled Tasks

• Existing Named Pipes with wrong DACLs (e.g. Everyone → Write Permissions )

• If we land on a CITRIX Windows Restricted Environment, see CITRIX Breakout

• Credential Extraction Automated Tools Execution

• LPE Automated Tools Execution

---

Pillaging

• Windows Credential Dump - NTDS | SAM | SYSTEM | SECURITY | LSASS

   Impacket’s Secretsdump.py ↔ Mimikatz ↔ Netexec

• Credentials for all system users stored in Windows Vault and Credential Manager

See DPAPI Abuse

e.g. Browser Credentials

• NT Hash Cracking

   Impacket’s Secretsdump.py + ( Hashcat + John )

• If the victim has a Wireless Netword Card, see WiFi Credential Extraction

• Look for Sensitive Credentials again in the entire system

As we have access to the entire system ( Privileged Access )

e.g. Files with Sensitive Information, Unattended Installation Files, All PS History Files…

• Credential Extraction Automated Tools Execution

Credentials for all system users