Privilege Escalation Checklist

Automated Tools

JAWS: https://github.com/411Hall/JAWS
Metasploit: multi/recon/local_exploit_suggester
PowerUp: https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
Seatbelt: https://github.com/GhostPack/Seatbelt
Watson: https://github.com/rasta-mouse/Watson
Windows Exploit Suggester: https://github.com/AonCyberLabs/Windows-Exploit-Suggester
WinPEAS: https://github.com/carlospolop/PEASS-ng/releases

System Information

Check Installed OS and architecture

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

Get Installed updates

systeminfo | find ": KB"

wmic qfe get Caption,Description,HotFixID,InstalledOn

List environment variables

set

List local and network drives

wmic logicaldisk get deviceid, volumename, description

View Domain Controllers

systeminfo | findstr /B /C:"Domain"

Network

Get interface and network configuration

ipconfig /all

Print routing table

route print

List active connections

netstat -ano

Show Firewall state and configuration

netsh firewall show state
netsh firewall show config

List network drives

net share

View DNS cache

ipconfig /displaydns

Users and Groups

Get current user

whoami
net user %username%

List all users

net user
whoami /all

Get details about a specific user

net user <user>

View password policy

net accounts

Get local groups

net localgroup

Services

Get running services

wmic service get Caption,StartName,State,pathname

List unquoted service binaries

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

World Writeable Folders

C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\Windows\tracing
C:\Windows\Temp
C:\Users\Public

Privilege Escalation Specific

Unquoted service paths

If value returned is AlwaysInstallElevated REG_DWORD 0x1 A malicious MSI can be used to install with elevated permissions from a standard privileged account.

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

Check Sticky Notes for passwords

C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

Search File System for passwords and files of interest

Search for passwords

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
findstr /si pass *.txt
findstr /si pass *.xml
findstr /si pass *.ini

#Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*

If current user can read Event Logs then get the latest PowerShell commands run on the system

Get-EventLog -LogName 'Windows PowerShell' -Newest 100 | Select-Object -Property *

Recycle Bin

cd 'c:\$recycle.bin\<User SID>'
dir /A

Last updated 3 years ago

hashtagAutomated Tools

hashtagSystem Information

hashtagNetwork

hashtagUsers and Groups

hashtagServices

hashtag

hashtagWorld Writeable Folders

hashtagPrivilege Escalation Specific

hashtagCheck Sticky Notes for passwords

hashtagSearch File System for passwords and files of interest

hashtagSearch for passwords

hashtagRecycle Bin