Privilege Escalation Checklist

Automated Tools

• JAWS: https://github.com/411Hall/JAWS

• Metasploit: multi/recon/local_exploit_suggester

• PowerUp: https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

• Seatbelt: https://github.com/GhostPack/Seatbelt

• Watson: https://github.com/rasta-mouse/Watson

• Windows Exploit Suggester: https://github.com/AonCyberLabs/Windows-Exploit-Suggester

• WinPEAS: https://github.com/carlospolop/PEASS-ng/releases

System Information

Check Installed OS and architecture

CMD

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

PS

Get-ComputerInfo -property 'WindowsProductName', 'OsVersion', 'OsArchitecture'
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ReleaseId

Get Installed updates

CMD

systeminfo | find ": KB"

wmic qfe get Caption,Description,HotFixID,InstalledOn

PS

get-wmiobject -class win32_quickfixengineering

List environment variables

CMD

set

PS

Get-ChildItem Env: | ft Key,Value

List local and network drives

CMD

wmic logicaldisk get deviceid, volumename, description

PS

get-psdrive -psprovider filesystem

View Domain Controllers

CMD

systeminfo | findstr /B /C:"Domain"

Network

Get interface and network configuration

CMD

ipconfig /all

PS

Get-NetIPConfiguration | Select-Object -Property InterfaceAlias, IPv4Address

Print routing table

CMD

route print

List active connections

CMD

netstat -ano

PS

Get-NetTCPConnection

Show Firewall state and configuration

CMD

netsh firewall show state
netsh firewall show config

List network drives

CMD

net share

PS

Get-SMBMapping

View DNS cache

CMD

ipconfig /displaydns

Users and Groups

Get current user

CMD

whoami
net user %username%

List all users

CMD

net user
whoami /all

PS

Get-LocalUser | ft Name,Enabled,LastLogon,Description

Get details about a specific user

CMD

net user <user>

View password policy

CMD

net accounts

Get local groups

CMD

net localgroup

Services

Get running services

CMD

wmic service get Caption,StartName,State,pathname

CMD

net start

List unquoted service binaries

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

World Writeable Folders

C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\Windows\tracing
C:\Windows\Temp
C:\Users\Public

Privilege Escalation Specific

Unquoted service paths

If value returned is AlwaysInstallElevated REG_DWORD 0x1 A malicious MSI can be used to install with elevated permissions from a standard privileged account.

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

Check Sticky Notes for passwords

C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

Search File System for passwords and files of interest

Search for passwords

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
findstr /si pass *.txt
findstr /si pass *.xml
findstr /si pass *.ini

#Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*

If current user can read Event Logs then get the latest PowerShell commands run on the system

Get-EventLog -LogName 'Windows PowerShell' -Newest 100 | Select-Object -Property * 

Recycle Bin

cd 'c:\$recycle.bin\<User SID>'
dir /A