Windows Privesc Checklist
Check for hidden files in PowerShell with ls -fo (an alias for Get-ChildItem -Force).
Check group membership with whoami /groups
If in the Print Operators group --> SeLoadDriverPrivilege
DnsAdmins group
Hyper-V Administrators group
Server Operators group
If in the 'Event Log Readers' group, then use
to view logs (can be used without creds). Can also use:
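The groups listed above are worth auditing on every host rather than only noticing them after the fact. The script below is an added example, not part of the original checklist: it reports every member of those built-in groups and tells you whether the current token already sits in one of them. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember); DnsAdmins is a domain group and will usually be reported as not present locally.

```powershell
# Added example (not from the checklist): audit membership of the high-risk built-in groups
# named above. Assumes Get-LocalGroupMember is available (Windows PowerShell 5.1+).
$riskyGroups = @(
    'Print Operators',          # grants SeLoadDriverPrivilege
    'Server Operators',
    'Hyper-V Administrators',
    'Event Log Readers',
    'DnsAdmins'                 # domain-only group, normally absent from the local SAM
)

function Get-RiskyGroupMembership {
    param([string[]]$Groups = $riskyGroups)
    foreach ($g in $Groups) {
        try {
            $members = Get-LocalGroupMember -Group $g -ErrorAction Stop
        } catch {
            # Group does not exist on this host (e.g. DnsAdmins on a workstation): report and skip
            [pscustomobject]@{ Group = $g; Member = '<not present locally>'; Source = '' }
            continue
        }
        if (-not $members) {
            [pscustomobject]@{ Group = $g; Member = '<empty>'; Source = '' }
        }
        foreach ($m in $members) {
            # PrincipalSource tells you whether the member is a local, domain or Microsoft account
            [pscustomobject]@{ Group = $g; Member = $m.Name; Source = $m.PrincipalSource }
        }
    }
}

function Test-CurrentUserRiskyGroups {
    # Same information whoami /groups gives, filtered to the groups above
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $names = $id.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
    }
    # Compare on the trailing name so both BUILTIN\X and DOMAIN\X forms match
    $names | Where-Object { ($_ -split '\\')[-1] -in $riskyGroups }
}

Get-RiskyGroupMembership | Format-Table -AutoSize
"Current user is a member of: $((Test-CurrentUserRiskyGroups) -join ', ')"
```

Any non-empty membership in these groups that is not documented is a finding; the fix is to remove the account and, for operational needs, grant a narrower right instead.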
To check for GPOs, use PowerView
Check for tokens with incognito:
To list: .\incognito.exe list_tokens -u
To impersonate: .\incognito.exe execute -c "domain\user" C:\Windows\system32\cmd.exe
To check environment variables: set. Check the PATH entries.
View named pipes:
Or in PowerShell:
To check the DACLs of all named pipes:
To check a particular pipe:
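A defender wants the same pipe DACL review in one pass, with only the risky ACEs surfaced. The script below is an added example, not from the original checklist: it enumerates pipes through the \\.\pipe\ pseudo-directory and flags any DACL entry that grants write-class rights to a broad principal. It assumes Windows PowerShell 5.1 or later; reading a pipe's ACL with Get-Acl on a \\.\pipe\<name> path is an assumption that holds for most pipes, and pipes that reject the query are reported under -Verbose rather than silently skipped.

```powershell
# Added example (not from the checklist): list named pipes and flag overly permissive DACLs.
# Assumptions: Windows PowerShell 5.1+; Get-Acl accepts \\.\pipe\<name> for most pipes.
$broadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Rights that let a caller alter the pipe object or its security, not just read from it
$writeRights = 'Write|FullControl|ChangePermissions|TakeOwnership'

function Get-NamedPipe {
    # Pipe names show up as file entries under the \\.\pipe\ pseudo-directory
    [System.IO.Directory]::GetFiles('\\.\pipe\') | ForEach-Object { $_.Substring('\\.\pipe\'.Length) }
}

function Get-WeakPipeDacl {
    [CmdletBinding()]
    param()
    foreach ($name in Get-NamedPipe) {
        try {
            $acl = Get-Acl -LiteralPath "\\.\pipe\$name" -ErrorAction Stop
        } catch {
            Write-Verbose "Could not read DACL of pipe '$name': $($_.Exception.Message)"
            continue
        }
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $who -in $broadPrincipals -and
                $ace.FileSystemRights.ToString() -match $writeRights) {
                [pscustomobject]@{ Pipe = $name; Principal = $who; Rights = $ace.FileSystemRights }
            }
        }
    }
}

"Total pipes: $((Get-NamedPipe).Count)"
Get-WeakPipeDacl -Verbose | Format-Table -AutoSize
```

Each flagged row identifies a pipe whose owning service should be checked: a server that must talk to unprivileged clients should still restrict the DACL to the principals that need it, and the fix belongs in the service's pipe security descriptor, not in the client.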
If in the AD Recycle Bin group, try:
If AppLocker is present, place the executable in C:\Windows\System32\spool\drivers\color
Use Mimikatz once Administrator access is gained. Multiple techniques are outlined in the Mimikatz page
SCF file:
To check running services: tasklist /svc
Check for Weak Permissions
Check for Vulnerable Services
Check for DLL Injection
AppLocker info:
If Citrix, try Citrix Breakout
To get installed applications (remove "select displayname" to display all properties):
32-bit:
64-bit:
Also check the Program Files directory and Downloads
To get running processes: Get-Process
For arp cache: arp -a
Network config: ipconfig /all
Routing table: route print
For active ports that are listening: netstat -ano
Look for loopback addresses (127.0.0.1 and ::1) that are not listening on the IP address (10.129.43.8) or on all interfaces (0.0.0.0, ::/0). The reason for this is that network sockets on localhost are often insecure because of the assumption that "they aren't accessible to the network."
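Picking those loopback-only listeners out of netstat -ano output by eye is error-prone, so here is an added example (not from the original checklist) that does the same triage with Get-NetTCPConnection and attaches the owning process to each port. It assumes Windows 8 / Server 2012 or later, where the NetTCPIP module is present; a port is reported only when every address it listens on is loopback, so a service that binds both 0.0.0.0 and 127.0.0.1 is not flagged.

```powershell
# Added example (not from the checklist): list TCP ports that listen only on loopback,
# the sockets the note above says to review. Assumes Get-NetTCPConnection is available.
function Get-LoopbackOnlyListener {
    $listeners = Get-NetTCPConnection -State Listen
    # Group by port so a service listening on both a wildcard and loopback is not flagged
    $listeners | Group-Object LocalPort | ForEach-Object {
        $addrs = $_.Group.LocalAddress | Sort-Object -Unique
        $nonLoopback = $addrs | Where-Object { $_ -notin @('127.0.0.1', '::1') }
        if (-not $nonLoopback) {
            # $PID is a reserved automatic variable, so use a different name
            $procId = $_.Group[0].OwningProcess
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port      = [int]$_.Name
                Addresses = ($addrs -join ', ')
                ProcessId = $procId
                Process   = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            }
        }
    }
}

Get-LoopbackOnlyListener | Sort-Object Port | Format-Table -AutoSize
```

For each row, confirm the listening service authenticates its callers; "only reachable locally" is not a control once any local user or compromised process can connect to it.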
PowerShell
To check whether Script Block Logging or PowerShell Transcription is turned on:
Clear-History does not delete the PSReadLine history file
Check that path as well.
To display it now:
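Both of the checks above come down to a handful of policy registry values plus the PSReadLine history path. The script below is an added example, not part of the original checklist: Get-PowerShellLoggingState reports Script Block Logging, Module Logging, Transcription and the PSReadLine history file in one object, and Enable-PowerShellLogging turns the first and last of those on for a standalone host. It assumes Windows PowerShell 5.1 or PowerShell 7 with PSReadLine loaded in an interactive session; the transcript directory C:\PSTranscripts is an assumed default you can override.

```powershell
# Added example (not from the checklist): read and set the PowerShell logging policies.
# Assumptions: Windows PowerShell 5.1+ / PowerShell 7; PSReadLine loaded for the history path.
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell',
    'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell'
)

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    foreach ($root in $policyRoots) {
        $item = Get-ItemProperty -Path (Join-Path $root $SubKey) -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null   # policy key absent means the feature is off by default
}

function Get-PowerShellLoggingState {
    $history = '<PSReadLine not loaded>'
    if (Get-Command Get-PSReadLineOption -ErrorAction SilentlyContinue) {
        $history = (Get-PSReadLineOption).HistorySavePath
    }
    [pscustomobject]@{
        ScriptBlockLogging    = (Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        ModuleLogging         = (Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging') -eq 1
        Transcription         = (Get-PolicyValue 'Transcription' 'EnableTranscripting') -eq 1
        TranscriptDirectory   = Get-PolicyValue 'Transcription' 'OutputDirectory'
        PSReadLineHistoryPath = $history
        HistoryFileExists     = [bool](Test-Path -LiteralPath $history -ErrorAction SilentlyContinue)
    }
}

# Local enablement for a standalone host (elevated prompt required); in a domain, prefer GPO.
function Enable-PowerShellLogging {
    param([string]$TranscriptDirectory = 'C:\PSTranscripts')   # assumed default
    $root = $policyRoots[0]
    New-Item -Path "$root\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$root\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
    New-Item -Path "$root\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$root\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path "$root\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path "$root\Transcription" -Name OutputDirectory -Value $TranscriptDirectory -Type String
}

Get-PowerShellLoggingState | Format-List
```

Script block logging writes to the Microsoft-Windows-PowerShell/Operational log (event ID 4104), so once enabled, forward that channel to your collector; the transcript directory should be writable by users but not readable back by them.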
Check for stored credentials
If stored credentials are present, commands can be run as other users:
Browser Credentials:
Use LaZagne for getting various credentials
To look for saved PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP credentials:
Cleartext passwords in the registry. Autologon:
PuTTY: for sessions:
For the keys and values of a session:
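The stores named in this section (Credential Manager, Winlogon autologon, PuTTY sessions) are easiest to clean up when you can inventory them in one report. The script below is an added example, not from the original checklist: it parses cmdkey /list, reads the Winlogon values and walks the saved PuTTY sessions, reporting whether a cleartext password is present without printing it. It assumes Windows PowerShell 5.1 or later and the stock PuTTY registry location under HKCU:\Software\SimonTatham\PuTTY.

```powershell
# Added example (not from the checklist): inventory credential stores for cleanup.
# Assumptions: Windows PowerShell 5.1+; PuTTY uses its default HKCU registry path.
function Get-StoredCredentialExposure {
    # 1. Credential Manager: cmdkey /list prints "Target: ..." lines for each saved entry
    $cmdkey = cmdkey /list 2>$null
    $targets = foreach ($line in $cmdkey) {
        if ($line -match '^\s*Target:\s*(.+)$') { $Matches[1].Trim() }
    }

    # 2. Winlogon autologon: a populated DefaultPassword is the cleartext finding
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    $autologon = [pscustomobject]@{
        AutoAdminLogon       = ($wl.AutoAdminLogon -eq '1')
        DefaultUserName      = $wl.DefaultUserName
        ClearTextPasswordSet = -not [string]::IsNullOrEmpty($wl.DefaultPassword)
    }

    # 3. PuTTY sessions: one subkey per session; names are URL-encoded in the registry
    $puttyRoot = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
    $sessions = @()
    if (Test-Path $puttyRoot) {
        $sessions = Get-ChildItem $puttyRoot | ForEach-Object {
            $s = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Session          = [uri]::UnescapeDataString($_.PSChildName)
                Host             = $s.HostName
                User             = $s.UserName
                ProxyPasswordSet = -not [string]::IsNullOrEmpty($s.ProxyPassword)
            }
        }
    }

    [pscustomobject]@{
        CredentialManagerTargets = @($targets)
        Autologon                = $autologon
        PuttySessions            = @($sessions)
    }
}

$report = Get-StoredCredentialExposure
"Credential Manager entries: $($report.CredentialManagerTargets -join ', ')"
$report.Autologon | Format-List
$report.PuttySessions | Format-Table -AutoSize
```

A true ClearTextPasswordSet under Winlogon should be removed; if unattended logon is genuinely required, the Sysinternals Autologon tool stores the password as an LSA secret instead of a readable registry string. Saved PuTTY proxy passwords and unneeded Credential Manager targets should likewise be deleted rather than left for the next person who reads the hive.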
Make an SCF (or similar) file, put it in frequently accessed shares and start Responder :)