Checklist - Local Windows Privilege Escalation

https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits

Checklist - Local Windows Privilege Escalation

Best tool to look for Windows local privilege escalation vectors: WinPEAS​

​Vulnerable Kernel?​

• Search for kernel exploits using scripts (post/windows/gather/enum_patches, post/multi/recon/local_exploit_suggester, sherlock, watson )

• Use Google to search for kernel exploits

• Use searchsploit to search for kernel exploits

• Any vulnerable Driver?

​Logging/AV enumeration​

• Check for credentials in environment variables​

• Check LAPS​

• Check Audit and WEF settings

• Check if any AV​

​User Privileges​

• Check current user privileges​

• Check if you have any of these token enable: SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege ?

• What is inside the Clipboard?

​Network​

• Check current network information​

• Check hidden local services restricted to the outside

Vulnerable Software or Processes?

• Is any unknown software running?

• Is any software with more privileges that it should have running?

• Search for exploits for running processes (specially if running of versions)

• Can you read some interesting process memory (where passwords could be saved)?

• Have write permissions over the binaries executed by the processes?

• Have write permissions over the folder of a binary being executed to perform a DLL Hijacking?

• What is running on startup of is scheduled? Can you modify the binary?

• Can you dump the memory of any process to extract passwords?

​Services​

• ​Can you modify any service?​

• ​Can you modify the binary that is executed by any service?​

• ​Can you modify the registry of any service?​

• ​Can you take advantage of some unquoted service binary path?​

​DLL Hijacking​

• Can you write in any folder inside PATH?

• Is there any known service binary that tries to load any non-existant DLL?

• Can you write in some binaries folder?

​Credentials​

• ​Windows Vault credentials that you could use?

• Interesting DPAPI credentials?

• ​Wifi netoworks?

• ​Credentials inside "known files"? Inside the Recycle Bin? In home?

• ​Registry with credentials?

• Inside Browser data (dbs, history, bookmarks....)?

• ​AppCmd.exe exists? Credentials?

• ​SCClient.exe? DLL Side Loading?

• ​Cloud credentials?

​AlwaysInstallElevated​

• Is this enabled?

​Is vulnerable WSUS?​

• Is it vulnerable?

​Write Permissions​

• Are you able to write files that could grant you more privileges?

​UAC Bypass​

• There are several ways to bypass the UAC

​