# Checklist - Local Windows Privilege Escalation

### Best tool to look for Windows local privilege escalation vectors: [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS) <a href="#best-tool-to-look-for-windows-local-privilege-escalation-vectors-winpeas" id="best-tool-to-look-for-windows-local-privilege-escalation-vectors-winpeas"></a>

### [Vulnerable Kernel?](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits) <a href="#vulnerable-kernel" id="vulnerable-kernel"></a>

* Search for kernel **exploits using scripts** (*post/windows/gather/enum\_patches, post/multi/recon/local\_exploit\_suggester, sherlock, watson* )
* Use **Google to search** for kernel **exploits**
* Use **searchsploit to search** for kernel **exploits**
* Any [**vulnerable Driver**](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#vulnerable-drivers)?

### [Logging/AV enumeration](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#enumeration) <a href="#logging-av-enumeration" id="logging-av-enumeration"></a>

* Check for **credentials** in [**environment variables**](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#environment)
* Check [**LAPS**](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#laps)
* Check [**Audit**](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#audit-settings) and [**WEF**](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wef) settings
* Check if any [**AV**](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#av) is installed and running

### [User Privileges](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups) <a href="#user-privileges" id="user-privileges"></a>

* Check the [**current** user's **privileges**](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups)
* Check if you have [any of these token privileges enabled](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege**
* What is [inside the Clipboard](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#get-the-content-of-the-clipboard)?

### [Network](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#network) <a href="#network" id="network"></a>

* Check the **current** [network **information**](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#network)
* Check for **hidden local services** that listen only on localhost and are not reachable from outside

### Vulnerable [Software](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software) or [Processes](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes)? <a href="#vulnerable-software-or-processes" id="vulnerable-software-or-processes"></a>

* Is any **unknown software running**?
* Is any software running with **more privileges than it should have**?
* Search for **exploits for running processes** (especially if they are running old versions)
* Can you **read** some interesting **process memory** (where passwords could be stored)?
* Do you have **write permissions** over the **binaries** executed by the **processes**?
* Do you have **write permissions** over the **folder** of a binary being executed, to perform a **DLL Hijacking**?
* What is [**running** on **startup** or is **scheduled**](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup)? Can you **modify** the binary?
* Can you [**dump** the **memory**](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#memory-password-mining) of any **process** to extract **passwords**?

### [Services](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services) <a href="#services" id="services"></a>

* [Can you **modify any service**?](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#permissions)
* [Can you **modify** the **binary** that is **executed** by any **service**?](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#modify-service-binary-path)
* [Can you **modify** the **registry** of any **service**?](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services-registry-permissions)
* [Can you take advantage of some **unquoted service** binary **path**?](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#unquoted-service-paths)

### [DLL Hijacking](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking) <a href="#dll-hijacking" id="dll-hijacking"></a>

* Can you **write in any folder inside PATH**?
* Is there any known service binary that **tries to load a non-existent DLL**?
* Can you **write** in some **binaries folder**?
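The Services and DLL Hijacking items above are checked the same way from the defender's side: enumerate the service image paths and the machine `PATH`, and look for quoting problems or ACLs that let low-privileged principals write. The PowerShell below is an added hardening audit, not code from the original checklist or from WinPEAS; the list of "low-privileged" principals and the output field names are assumptions you should adapt to your environment.

```powershell
# Added audit example; not part of the original checklist or of WinPEAS.
# It reports three hardening findings on the local machine:
#   1. services whose ImagePath is unquoted and contains a space,
#   2. service binaries that low-privileged principals can write to,
#   3. machine PATH directories that low-privileged principals can write to
#      (or that do not exist, so anyone able to create them controls them).
# Run from an elevated PowerShell so that every ACL can be read.

# Assumption: these principals should never hold write access on a service
# binary or a PATH directory; extend the list for your environment.
$script:LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
$script:WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                      [System.Security.AccessControl.FileSystemRights]::Modify -bor
                      [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-LowPrivWriters {
    # Returns the low-privileged identities holding an Allow ACE with any
    # write right on the given file or directory; an empty result is clean.
    param([Parameter(Mandatory)][string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band [int]$script:WriteRights) -ne 0 -and
            $script:LowPrivPrincipals -contains $_.IdentityReference.Value
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Select-Object -Unique
}

function Get-ServiceExecutable {
    # Extracts the executable from a service ImagePath: the quoted part when
    # quoted, otherwise the text up to and including the first ".exe".
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $matches[1] }
    return $PathName.Trim()
}

function Find-ServiceFindings {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }
        $exe = Get-ServiceExecutable -PathName $_.PathName
        # Only a space inside the executable path itself (not in the
        # arguments) makes an unquoted path ambiguous to the service loader.
        $unquoted = (-not $_.PathName.StartsWith('"')) -and ($exe -match ' ')
        $exists   = Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue
        $writers  = if ($exists) { @(Get-LowPrivWriters -Path $exe) } else { @() }
        if ($unquoted -or $writers.Count -gt 0) {
            [pscustomobject]@{
                Service      = $_.Name
                RunsAs       = $_.StartName
                Executable   = $exe
                UnquotedPath = $unquoted
                WritableBy   = ($writers -join ', ')
            }
        }
    }
}

function Find-WritablePathDirs {
    $dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
            Where-Object { $_.Trim() }
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container -ErrorAction SilentlyContinue)) {
            [pscustomobject]@{ Directory = $dir; Status = 'Missing'; WritableBy = '' }
            continue
        }
        $writers = @(Get-LowPrivWriters -Path $dir)
        if ($writers.Count -gt 0) {
            [pscustomobject]@{ Directory = $dir; Status = 'Writable'; WritableBy = ($writers -join ', ') }
        }
    }
}

Find-ServiceFindings  | Format-Table -AutoSize
Find-WritablePathDirs | Format-Table -AutoSize
```

Every row is a finding to fix rather than a confirmed exploit: quote the service's `ImagePath`, remove write rights for the listed principals from the binary or directory, and drop missing or world-writable directories from the machine `PATH`. The ACL check deliberately looks only at explicit low-privileged principals; if your environment grants write access through custom groups, add them to the list.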

### [Credentials](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials) <a href="#credentials" id="credentials"></a>

* [**Windows Vault**](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#windows-vault) credentials that you could use?
* Interesting [**DPAPI credentials**](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi)?
* [**Wifi networks**](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wifi)?
* [**Credentials inside "known files"**](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files)? Inside the Recycle Bin? In the user's home folder?
* [**Registry with credentials**](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#inside-the-registry)?
* Inside [**Browser data**](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history) (databases, history, bookmarks...)?
* [**AppCmd.exe** exists](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe)? Credentials?
* [**SCClient.exe**](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#scclient-sccm)? DLL Side Loading?
* [Cloud credentials](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#cloud-credentials)?

### [AlwaysInstallElevated](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated) <a href="#alwaysinstallelevated" id="alwaysinstallelevated"></a>

* Is this **enabled**?

### [Is WSUS vulnerable?](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus) <a href="#is-vulnerable-wsus" id="is-vulnerable-wsus"></a>

* Is it **vulnerable**?
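Both the AlwaysInstallElevated item and the WSUS item reduce to reading a Group Policy setting from the registry and comparing it against a known-bad state. The PowerShell below is an added audit example covering both sections; it is not part of the original checklist. The registry paths are the documented policy locations; the output field names and the remediation text are assumptions of this example.

```powershell
# Added audit example; not part of the original checklist. Reports the
# AlwaysInstallElevated and WSUS policy state with a pass/fail and the fix.
# Run as an administrator so that both hives are readable.

function Get-RegistryValue {
    # Returns the named value from a registry key, or $null when the key or
    # value does not exist (which is the secure default for both checks).
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$Name)
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-AlwaysInstallElevated {
    # Windows Installer honours AlwaysInstallElevated only when the value is 1
    # under BOTH the machine and the user policy keys; either one alone is not
    # enough, so only the combined state is reported as vulnerable.
    $hklm = Get-RegistryValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'
    $hkcu = Get-RegistryValue 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'
    [pscustomobject]@{
        Check       = 'AlwaysInstallElevated'
        Vulnerable  = (($hklm -eq 1) -and ($hkcu -eq 1))
        Detail      = "HKLM=$hklm HKCU=$hkcu"
        Remediation = 'Set "Always install with elevated privileges" to Disabled in both the Computer and User Configuration Windows Installer policies'
    }
}

function Test-WsusOverHttp {
    # A client that is pointed at a WSUS server over plain HTTP (UseWUServer=1
    # and an http:// WUServer URL) trusts update metadata it receives without
    # transport protection; the fix is an https:// WSUS URL with a trusted
    # certificate, or removing the client-side policy.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $url = Get-RegistryValue $key 'WUServer'
    $use = Get-RegistryValue "$key\AU" 'UseWUServer'
    [pscustomobject]@{
        Check       = 'WSUS over HTTP'
        Vulnerable  = (($use -eq 1) -and ($url -match '^http://'))
        Detail      = "UseWUServer=$use WUServer=$url"
        Remediation = 'Point WUServer at an https:// URL or set UseWUServer to 0'
    }
}

$(Test-AlwaysInstallElevated; Test-WsusOverHttp) | Format-List
```

A `Vulnerable` of `False` with `Detail` showing empty values means the policy is simply not configured, which is the safe state for both settings; only the explicit combinations in the two functions are flagged.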

### [Write Permissions](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#write-permissions) <a href="#write-permissions" id="write-permissions"></a>

* Are you able to **write files that could grant you more privileges**?

### [UAC Bypass](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#check-uac) <a href="#uac-bypass" id="uac-bypass"></a>

* There are several ways to bypass the UAC