Privilege Escalation Checklist

Automated Tools

System Information

Check Installed OS and architecture

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

Get Installed updates

systeminfo | find ": KB"

wmic qfe get Caption,Description,HotFixID,InstalledOn

List environment variables


List local and network drives

wmic logicaldisk get deviceid, volumename, description

View Domain Controllers

systeminfo | findstr /B /C:"Domain"


Get interface and network configuration

ipconfig /all

Print routing table

route print

List active connections

netstat -ano

Show Firewall state and configuration

netsh firewall show state
netsh firewall show config

List network drives

net share

View DNS cache

ipconfig /displaydns

Users and Groups

Get current user

net user %username%

List all users

net user
whoami /all

Get details about a specific user

net user <user>

View password policy

net accounts

Get local groups

net localgroup


Get running services

wmic service get Caption,StartName,State,pathname

List unquoted service binaries

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

World Writeable Folders


Privilege Escalation Specific

Unquoted service paths

If value returned is AlwaysInstallElevated REG_DWORD 0x1 A malicious MSI can be used to install with elevated permissions from a standard privileged account.

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

Check Sticky Notes for passwords


Search File System for passwords and files of interest

Search for passwords

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
findstr /si pass *.txt
findstr /si pass *.xml
findstr /si pass *.ini

#Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*

If current user can read Event Logs then get the latest PowerShell commands run on the system

Get-EventLog -LogName 'Windows PowerShell' -Newest 100 | Select-Object -Property * 

Recycle Bin

cd 'c:\$recycle.bin\<User SID>'
dir /A

Last updated