Post

Local Windows Privilege Escalation Checklist

Local Windows Privilege Escalation Checklist

Posted
By Avinash Kattamanchi
2 min read
Local Windows Privilege Escalation Checklist

Checklist - Local Windows Privilege Escalation

Best tool to look for Windows local privilege escalation vectors: WinPEAS

System Info

  • Obtain System information
  • Search for kernel exploits using scripts
  • Use Google to search for kernel exploits
  • Use searchsploit to search for kernel exploits
  • Interesting info in env vars?
  • Passwords in PowerShell history?
  • Interesting info in Internet settings?
  • Drives?
  • WSUS exploit?
  • Third-party agent auto-updaters / IPC abuse
  • AlwaysInstallElevated?

Logging/AV enumeration

  • Check Audit and WEF settings
  • Check LAPS
  • Check if WDigest is active
  • LSA Protection?
  • Credentials Guard?
  • Cached Credentials?
  • Check if any AV
  • AppLocker Policy?
  • UAC
  • User Privileges
  • Check current user privileges
  • Are you member of any privileged group?
  • Check if you have any of these tokens enabled: SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege ?
  • Users Sessions?
  • Check users homes (access?)
  • Check Password Policy
  • What is inside the Clipboard?

Network

  • Check current network information
  • Check hidden local services restricted to the outside

Running Processes

  • Processes binaries file and folders permissions
  • Memory Password mining
  • Insecure GUI apps
  • Steal credentials with interesting processes via ProcDump.exe ? (firefox, chrome, etc …)

Services

  • Can you modify any service?
  • Can you modify the binary that is executed by any service?
  • Can you modify the registry of any service?
  • Can you take advantage of any unquoted service binary path?

    Applications

  • Write permissions on installed applications
  • Startup Applications
  • Vulnerable Drivers

DLL Hijacking

  • Can you write in any folder inside PATH?
  • Is there any known service binary that tries to load any non-existant DLL?
  • Can you write in any binaries folder?

Network

  • Enumerate the network (shares, interfaces, routes, neighbours, …)
  • Take a special look at network services listening on localhost (127.0.0.1)

Windows Credentials

  • Winlogon credentials
  • Windows Vault credentials that you could use?
  • Interesting DPAPI credentials?
  • Passwords of saved Wifi networks?
  • Interesting info in saved RDP Connections?
  • Passwords in recently run commands?
  • Remote Desktop Credentials Manager passwords?
  • AppCmd.exe exists? Credentials?
  • SCClient.exe? DLL Side Loading?

Files and Registry (Credentials)

  • Putty: Creds and SSH host keys
  • SSH keys in registry?
  • Passwords in unattended files?
  • Any SAM & SYSTEM backup?
  • Cloud credentials?
  • McAfee SiteList.xml file?
  • Cached GPP Password?
  • Password in IIS Web config file?
  • Interesting info in web logs?
  • Do you want to ask for credentials to the user?
  • Interesting files inside the Recycle Bin?
  • Other registry containing credentials?
  • Inside Browser data (dbs, history, bookmarks, …)?
  • Generic password searchin files and registry
  • Tools to automatically search for passwords

Leaked Handlers

  • Have you access to any handler of a process run by administrator?

Pipe Client Impersonation

  • Check if you can abuse it
Checklist
Pentest Checklist Windows Privilage-Escalation
This post is licensed under CC BY 4.0 by the author.