Privilege Escalation Checklist
Automated Tools
Metasploit (post module, run against an existing session):
post/multi/recon/local_exploit_suggester
Seatbelt: https://github.com/GhostPack/Seatbelt
Windows Exploit Suggester: https://github.com/AonCyberLabs/Windows-Exploit-Suggester
System Information
Check Installed OS and architecture
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
Get Installed updates
systeminfo | find ": KB"
wmic qfe get Caption,Description,HotFixID,InstalledOn
List environment variables
set
List local and network drives
wmic logicaldisk get deviceid, volumename, description
View domain membership (prints WORKGROUP when the host is not domain-joined)
systeminfo | findstr /B /C:"Domain"
Network
Get interface and network configuration
ipconfig /all
Print routing table
route print
List active connections
netstat -ano
Show Firewall state and configuration (the netsh firewall context is deprecated on Windows 7 and later; the equivalent there is netsh advfirewall show allprofiles)
netsh firewall show state
netsh firewall show config
List shares exposed by this host (mapped network drives are shown by net use)
net share
View DNS cache
ipconfig /displaydns
Users and Groups
Get current user, SID, group memberships and privileges
whoami
whoami /all
net user %username%
List all local users
net user
Get details about a specific user
net user <user>
View password policy
net accounts
Get local groups
net localgroup
Services
Get running services
wmic service get Caption,StartName,State,pathname
List auto-start services with unquoted binary paths outside C:\Windows (only paths that contain a space, with a writable directory somewhere before the real binary, are exploitable)
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
World Writeable Folders
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\Windows\tracing
C:\Windows\Temp
C:\Users\Public
Privilege Escalation Specific
Unquoted service paths (enumerate with the wmic one-liner under Services above, then confirm you can write to one of the intermediate directories)
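The following PowerShell script is an added example and not part of the original checklist. It covers two items above at once: it verifies the world-writable folders in the list rather than assuming them, and it turns the unquoted-service-path one-liner into a real check by deriving every intermediate path the Service Control Manager would try (C:\Program.exe, C:\Program Files\Some.exe, ...) and testing whether the current user can create a file in that directory. The function names are my own; writability is probed by creating and deleting a temporary file because reading ACLs alone misses deny entries and nested group membership.

```powershell
# Added example (not from the original checklist).
# Verifies write access to well-known directories and finds exploitable unquoted service paths.

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Path)
    # Probe with a real file create: ACL inspection misses deny ACEs and nested group
    # membership, an actual write does not. The probe file is removed again if possible.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ('~probe-' + [guid]::NewGuid().ToString('N'))
    try { [IO.File]::WriteAllText($probe, '') } catch { return $false }
    try { Remove-Item -LiteralPath $probe -Force -ErrorAction Stop }
    catch { Write-Warning "Created but could not delete probe file $probe" }
    return $true
}

function Get-UnquotedServicePath {
    # Auto-start services whose ImagePath is not wrapped in quotes
    Get-CimInstance Win32_Service |
      Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -and -not $_.PathName.StartsWith('"') } |
      ForEach-Object {
          $svc = $_
          # Drop arguments: keep everything up to and including the first ".exe"
          $m   = [regex]::Match($svc.PathName, '^(.*?\.exe)', 'IgnoreCase')
          $exe = if ($m.Success) { $m.Groups[1].Value } else { $svc.PathName }
          if ($exe -notmatch ' ') { return }   # no space, nothing to hijack
          # Every space before the real binary yields a candidate the SCM tries first
          $parts = $exe -split ' '
          for ($i = 1; $i -lt $parts.Count; $i++) {
              $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
              $dir       = Split-Path -Parent $candidate
              [pscustomobject]@{
                  Service     = $svc.Name
                  RunsAs      = $svc.StartName
                  ImagePath   = $svc.PathName
                  Candidate   = $candidate
                  DirWritable = Test-DirectoryWritable $dir
              }
          }
      }
}

# The well-known world-writable locations from the checklist, verified rather than assumed
$knownDirs = @(
    "$env:SystemRoot\System32\Microsoft\Crypto\RSA\MachineKeys",
    "$env:SystemRoot\System32\spool\drivers\color",
    "$env:SystemRoot\Tasks",
    "$env:SystemRoot\tracing",
    "$env:SystemRoot\Temp",
    "$env:SystemDrive\Users\Public"
)
$knownDirs |
  ForEach-Object { [pscustomobject]@{ Path = $_; Writable = Test-DirectoryWritable $_ } } |
  Format-Table -AutoSize

# Only candidates whose directory is writable are worth pursuing
Get-UnquotedServicePath | Where-Object DirWritable | Format-Table -AutoSize
```

A hit is only useful if the service runs as a more privileged account (RunsAs) and you can restart it or reboot the host, so check both before dropping a binary.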
AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
If both queries return AlwaysInstallElevated REG_DWORD 0x1, Windows Installer runs any MSI package as SYSTEM, so a malicious MSI gives elevated code execution from a standard user account. The policy only takes effect when it is set in both HKLM and HKCU; a missing key or a value of 0 in either hive means it is not exploitable.
Check Sticky Notes for passwords (plum.sqlite is a SQLite database; open it with any SQLite client and read the Note table)
C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
Search File System for passwords and files of interest
Search for passwords
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
findstr /si pass *.txt
findstr /si pass *.xml
findstr /si pass *.ini
#Find files whose names contain pass, cred or vnc, or that are .config files (a filename search, not a content search)
dir /s *pass* == *cred* == *vnc* == *.config*
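The following is an added PowerShell example, not part of the original checklist. It does the same hunt as the findstr and dir commands above in one pass but goes further: one regex over several text-based extensions, a size cap so binaries and huge logs are skipped, exclusion of noisy directories, and file:line output. The function name, the extension list and the regex are my own choices and can be extended.

```powershell
# Added example (not from the original checklist): recursive credential hunt.

function Find-CredentialStrings {
    param(
        # Roots worth searching first; add drive roots or application folders as needed
        [string[]]$Root = @("$env:SystemDrive\Users", "$env:SystemDrive\inetpub", "$env:ProgramData"),
        # Text-based extensions from the checklist plus a few that commonly carry secrets
        [string[]]$Include = @('*.txt', '*.ini', '*.xml', '*.config', '*.conf', '*.json',
                               '*.ps1', '*.bat', '*.cmd', '*.vnc', '*.rdp'),
        [int]$MaxBytes = 2MB
    )
    # Require a key=value / key: value shape so that prose mentioning "password" is skipped
    $pattern = '(?i)(password|passwd|pwd|secret|api[_-]?key|connectionstring)\s*[=:]\s*\S+'
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        Get-ChildItem -LiteralPath $r -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
          Where-Object { $_.Length -le $MaxBytes -and
                         $_.FullName -notmatch '\\(WinSxS|node_modules|\.git)\\' } |
          Select-String -Pattern $pattern -ErrorAction SilentlyContinue |
          ForEach-Object {
              [pscustomobject]@{
                  File  = $_.Path
                  Line  = $_.LineNumber
                  Match = $_.Line.Trim()
              }
          }
    }
}

function Find-InterestingFileName {
    # Filename hunt equivalent to: dir /s *pass* == *cred* == *vnc* == *.config*
    param([string[]]$Root = @("$env:SystemDrive\"))
    foreach ($r in $Root) {
        Get-ChildItem -LiteralPath $r -Recurse -File -ErrorAction SilentlyContinue `
            -Include '*pass*', '*cred*', '*vnc*', '*.config' |
          Select-Object FullName, Length, LastWriteTime
    }
}

Find-CredentialStrings | Format-Table -AutoSize -Wrap
Find-InterestingFileName | Format-Table -AutoSize
```

Run the content search on narrow roots first; a full-drive pass with -Recurse is slow and noisy, and the size cap is what keeps it from chewing through event logs and installers.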
If the current user can read event logs, check the classic 'Windows PowerShell' log. Note that by default it mostly records engine and provider start/stop events (400, 403, 600); it only contains command text where legacy pipeline logging was enabled. Full command text, when logged at all, is in script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational) and in each user's PSReadLine history file under %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine.
Get-EventLog -LogName 'Windows PowerShell' -Newest 100 | Select-Object -Property *
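The following PowerShell is an added example, not part of the original checklist. It collects past PowerShell activity from the two sources that actually hold command text: the PSReadLine history file of every profile the current user can read, and script block logging events (4104), which only exist where that logging is enabled. The function names and the keyword filter at the end are my own.

```powershell
# Added example (not from the original checklist): recover previously run PowerShell commands.

function Get-PSReadLineHistory {
    # Default history location: %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    # A wildcard over Users\* picks up other profiles if their folders are readable.
    Get-ChildItem "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -ErrorAction SilentlyContinue |
      ForEach-Object {
          $user = $_.FullName.Split('\')[2]   # C:\Users\<name>\... -> <name>
          Get-Content -LiteralPath $_.FullName -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ User = $user; Source = 'PSReadLine'; Time = $null; Command = $_ } }
      }
}

function Get-ScriptBlockLog {
    param([int]$MaxEvents = 100)
    # Event 4104: Properties[0..1] are chunk index/total, Properties[2] is the script text
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                     -MaxEvents $MaxEvents -ErrorAction Stop |
          ForEach-Object {
              [pscustomobject]@{
                  User    = $_.UserId
                  Source  = 'ScriptBlock'
                  Time    = $_.TimeCreated
                  Command = $_.Properties[2].Value
              }
          }
    } catch {
        # Either the log is empty (logging disabled) or not readable by this user
        Write-Warning "No 4104 events readable: $($_.Exception.Message)"
    }
}

$history = @(Get-PSReadLineHistory) + @(Get-ScriptBlockLog)

# Everything, newest script blocks first; history file lines have no timestamp
$history | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap

# Quick pass for lines that tend to carry credentials (assumed keyword list, extend as needed)
$history | Where-Object { $_.Command -match 'pass|cred|secure|token|key|ConvertTo-' } |
  Format-Table User, Source, Command -AutoSize -Wrap
```

The history file is plain text written by PSReadLine and is not cleared when the event log is, so it survives on hosts where nobody enabled script block logging.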
Recycle Bin (one folder per user SID; /A is needed because the entries are hidden and system, and cmd does not accept quoted paths with single quotes)
cd c:\$Recycle.Bin\<User SID>
dir /A
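The following PowerShell is an added example, not part of the original checklist. Listing a SID folder only shows $I and $R file pairs with random names; the $I files carry the metadata and the $R files the deleted content. The script parses every $I file the current user can read and maps each to its original path, size, deletion time and the $R payload beside it. The on-disk layout assumed here is: 8-byte version (1 on Vista through 8.1, 2 on Windows 10 and later), 8-byte original size, 8-byte FILETIME, then either a fixed 520-byte UTF-16 path (version 1) or a 4-byte character count followed by the UTF-16 path (version 2). The function name is my own.

```powershell
# Added example (not from the original checklist): decode $Recycle.Bin $I metadata files.

function Get-RecycleBinEntry {
    param([string]$Bin = "$env:SystemDrive\`$Recycle.Bin")
    Get-ChildItem -LiteralPath $Bin -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $sid = $_.Name
        # Resolve the SID to an account name where possible, keep the raw SID otherwise
        $owner = try { ([Security.Principal.SecurityIdentifier]$sid).Translate([Security.Principal.NTAccount]).Value } catch { $sid }
        Get-ChildItem -LiteralPath $_.FullName -File -Force -Filter '$I*' -ErrorAction SilentlyContinue | ForEach-Object {
            $iFile = $_
            try {
                $b       = [IO.File]::ReadAllBytes($iFile.FullName)
                $version = [BitConverter]::ToInt64($b, 0)
                $size    = [BitConverter]::ToInt64($b, 8)
                $deleted = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($b, 16))
                if ($version -eq 2) {
                    $chars = [BitConverter]::ToInt32($b, 24)            # count includes the terminating null
                    $path  = [Text.Encoding]::Unicode.GetString($b, 28, $chars * 2).TrimEnd([char]0)
                } else {
                    $path  = [Text.Encoding]::Unicode.GetString($b, 24, 520).TrimEnd([char]0)
                }
                # The payload sits next to the $I file with the same suffix and an $R prefix
                $rPath = Join-Path $iFile.DirectoryName ('$R' + $iFile.Name.Substring(2))
                [pscustomobject]@{
                    Owner         = $owner
                    OriginalPath  = $path
                    SizeBytes     = $size
                    DeletedUtc    = $deleted
                    Payload       = $rPath
                    PayloadExists = Test-Path -LiteralPath $rPath
                }
            } catch {
                Write-Warning "Could not parse $($iFile.FullName): $($_.Exception.Message)"
            }
        }
    }
}

Get-RecycleBinEntry | Sort-Object DeletedUtc -Descending | Format-Table -AutoSize -Wrap
```

Only folders of the current user, and of other users whose bin you happen to have read access to, will yield entries; an access-denied folder is skipped silently by the SilentlyContinue on the directory listing.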