Privilege Escalation Checklist

Automated Tools

• JAWS: https://github.com/411Hall/JAWS

• Metasploit: multi/recon/local_exploit_suggester

• PowerUp: https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

• Seatbelt: https://github.com/GhostPack/Seatbelt

• Watson: https://github.com/rasta-mouse/Watson

• Windows Exploit Suggester: https://github.com/AonCyberLabs/Windows-Exploit-Suggester

• WinPEAS: https://github.com/carlospolop/PEASS-ng/releases

System Information

Check Installed OS and architecture

CMD

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

PS

Get Installed updates

CMD

systeminfo | find ": KB"

wmic qfe get Caption,Description,HotFixID,InstalledOn

PS

List environment variables

CMD

set

PS

List local and network drives

CMD

wmic logicaldisk get deviceid, volumename, description

PS

View Domain Controllers

CMD

systeminfo | findstr /B /C:"Domain"

Network

Get interface and network configuration

CMD

ipconfig /all

PS

Print routing table

CMD

route print

List active connections

CMD

netstat -ano

PS

Show Firewall state and configuration

CMD

netsh firewall show state
netsh firewall show config

List network drives

CMD

net share

PS

View DNS cache

CMD

ipconfig /displaydns

Users and Groups

Get current user

CMD

whoami
net user %username%

List all users

CMD

net user
whoami /all

PS

Get details about a specific user

CMD

net user <user>

View password policy

CMD

net accounts

Get local groups

CMD

net localgroup

Services

Get running services

CMD

wmic service get Caption,StartName,State,pathname

CMD

List unquoted service binaries

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

World Writeable Folders

C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\Windows\tracing
C:\Windows\Temp
C:\Users\Public

Privilege Escalation Specific

Unquoted service paths

If value returned is AlwaysInstallElevated REG_DWORD 0x1 A malicious MSI can be used to install with elevated permissions from a standard privileged account.

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

Check Sticky Notes for passwords

C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

Search File System for passwords and files of interest

Search for passwords

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
findstr /si pass *.txt
findstr /si pass *.xml
findstr /si pass *.ini

#Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*

If current user can read Event Logs then get the latest PowerShell commands run on the system

Get-EventLog -LogName 'Windows PowerShell' -Newest 100 | Select-Object -Property * 

Recycle Bin

cd 'c:\$recycle.bin\<User SID>'
dir /A