# Privilege Escalation Checklist ## Automated Tools * **JAWS:** * **Metasploit:** `multi/recon/local_exploit_suggester` * **PowerUp:** * **Seatbelt:** * **Watson:** * **Windows Exploit Suggester:** * **WinPEAS:** ## System Information Check Installed OS and architecture {% tabs %} {% tab title="CMD" %} ``` systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" ``` {% endtab %} {% tab title="PS" %} ``` Get-ComputerInfo -property 'WindowsProductName', 'OsVersion', 'OsArchitecture' Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ReleaseId ``` {% endtab %} {% endtabs %} Get Installed updates {% tabs %} {% tab title="CMD" %} ``` systeminfo | find ": KB" wmic qfe get Caption,Description,HotFixID,InstalledOn ``` {% endtab %} {% tab title="PS" %} ``` get-wmiobject -class win32_quickfixengineering ``` {% endtab %} {% endtabs %} List environment variables {% tabs %} {% tab title="CMD" %} ``` set ``` {% endtab %} {% tab title="PS" %} ``` Get-ChildItem Env: | ft Key,Value ``` {% endtab %} {% endtabs %} List local and network drives {% tabs %} {% tab title="CMD" %} ``` wmic logicaldisk get deviceid, volumename, description ``` {% endtab %} {% tab title="PS" %} ``` get-psdrive -psprovider filesystem ``` {% endtab %} {% endtabs %} View Domain Controllers {% tabs %} {% tab title="CMD" %} ``` systeminfo | findstr /B /C:"Domain" ``` {% endtab %} {% endtabs %} ## Network Get interface and network configuration {% tabs %} {% tab title="CMD" %} ``` ipconfig /all ``` {% endtab %} {% tab title="PS" %} ``` Get-NetIPConfiguration | Select-Object -Property InterfaceAlias, IPv4Address ``` {% endtab %} {% endtabs %} Print routing table {% tabs %} {% tab title="CMD" %} ``` route print ``` {% endtab %} {% endtabs %} List active connections {% tabs %} {% tab title="CMD" %} ``` netstat -ano ``` {% endtab %} {% tab title="PS" %} ``` Get-NetTCPConnection ``` {% endtab %} {% endtabs %} Show Firewall state and configuration {% tabs %} {% tab title="CMD" %} ``` netsh firewall show state netsh firewall show config ``` {% endtab %} {% endtabs %} List network drives {% tabs %} {% tab title="CMD" %} ``` net share ``` {% endtab %} {% tab title="PS" %} ``` Get-SMBMapping ``` {% endtab %} {% endtabs %} View DNS cache {% tabs %} {% tab title="CMD" %} ``` ipconfig /displaydns ``` {% endtab %} {% endtabs %} ## Users and Groups Get current user {% tabs %} {% tab title="CMD" %} ``` whoami net user %username% ``` {% endtab %} {% endtabs %} List all users {% tabs %} {% tab title="CMD" %} ``` net user whoami /all ``` {% endtab %} {% tab title="PS" %} ``` Get-LocalUser | ft Name,Enabled,LastLogon,Description ``` {% endtab %} {% endtabs %} Get details about a specific user {% tabs %} {% tab title="CMD" %} ``` net user ``` {% endtab %} {% endtabs %} View password policy {% tabs %} {% tab title="CMD" %} ``` net accounts ``` {% endtab %} {% endtabs %} Get local groups {% tabs %} {% tab title="CMD" %} ``` net localgroup ``` {% endtab %} {% endtabs %} ## Services Get running services {% tabs %} {% tab title="CMD" %} ``` wmic service get Caption,StartName,State,pathname ``` {% endtab %} {% tab title="CMD" %} ``` net start ``` {% endtab %} {% endtabs %} List unquoted service binaries ``` wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ ``` ## ## World Writeable Folders ``` C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys C:\Windows\System32\spool\drivers\color C:\Windows\Tasks C:\Windows\tracing C:\Windows\Temp C:\Users\Public ``` ## Privilege Escalation Specific Unquoted service paths If value returned is `AlwaysInstallElevated REG_DWORD 0x1` A malicious MSI can be used to install with elevated permissions from a standard privileged account. ``` reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated ``` ### Check Sticky Notes for passwords ``` C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite ``` ## Search File System for passwords and files of interest ### Search for passwords ``` findstr /si password *.txt findstr /si password *.xml findstr /si password *.ini findstr /si pass *.txt findstr /si pass *.xml findstr /si pass *.ini #Find all those strings in config files. dir /s *pass* == *cred* == *vnc* == *.config* ``` If current user can read Event Logs then get the latest PowerShell commands run on the system ``` Get-EventLog -LogName 'Windows PowerShell' -Newest 100 | Select-Object -Property * ``` ### Recycle Bin ``` cd 'c:\$recycle.bin\' dir /A ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/privilege-escalation/privilege-escalation-checklist.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.