Checklist - Local Windows Privilege Escalation

{{#include ../banners/hacktricks-training.md}}

Best tool to look for Windows local privilege escalation vectors: WinPEAS

System Info

• [ ] Obtain System information
• [ ] Search for kernel exploits using scripts
• [ ] Use Google to search for kernel exploits
• [ ] Use searchsploit to search for kernel exploits
• [ ] Interesting info in env vars?
• [ ] Passwords in PowerShell history?
• [ ] Interesting info in Internet settings?
• [ ] Drives?
• [ ] WSUS exploit?
• [ ] Third-party agent auto-updaters / IPC abuse
• [ ] AlwaysInstallElevated?

Logging/AV enumeration

• [ ] Check Audit and WEF settings
• [ ] Check LAPS
• [ ] Check if WDigest is active
• [ ] LSA Protection?
• [ ] Credentials Guard?
• [ ] Cached Credentials?
• [ ] Check if any AV
• [ ] AppLocker Policy?
• [ ] UAC
• [ ] Admin Protection / UIAccess silent elevation?
• [ ] Secure Desktop accessibility registry propagation (RegPwn)?
• [ ] User Privileges
• [ ] Check current user privileges
• [ ] Are you member of any privileged group?
• [ ] Check if you have any of these tokens enabled: SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege ?
• [ ] Check if you have SeManageVolumePrivilege to read raw volumes and bypass file ACLs
• [ ] Users Sessions?
• [ ] Check users homes (access?)
• [ ] Check Password Policy
• [ ] What is inside the Clipboard?

Network

• [ ] Check current network information
• [ ] Check hidden local services restricted to the outside

Running Processes

• [ ] Processes binaries file and folders permissions
• [ ] Memory Password mining
• [ ] Insecure GUI apps
• [ ] Steal credentials with interesting processes via ProcDump.exe ? (firefox, chrome, etc ...)

Services

• [ ] Can you modify any service?
• [ ] Can you modify the binary that is executed by any service?
• [ ] Can you modify the registry of any service?
• [ ] Can you take advantage of any unquoted service binary path?
• [ ] Service Triggers: enumerate and trigger privileged services

Applications

• [ ] Write permissions on installed applications
• [ ] Startup Applications
• [ ] Vulnerable Drivers

DLL Hijacking

• [ ] Can you write in any folder inside PATH?
• [ ] Is there any known service binary that tries to load any non-existant DLL?
• [ ] Can you write in any binaries folder?

Network

• [ ] Enumerate the network (shares, interfaces, routes, neighbours, ...)
• [ ] Take a special look at network services listening on localhost (127.0.0.1)

Windows Credentials

• [ ] Winlogon credentials
• [ ] Windows Vault credentials that you could use?
• [ ] Interesting DPAPI credentials?
• [ ] Passwords of saved Wifi networks?
• [ ] Interesting info in saved RDP Connections?
• [ ] Passwords in recently run commands?
• [ ] Remote Desktop Credentials Manager passwords?
• [ ] AppCmd.exe exists? Credentials?
• [ ] SCClient.exe? DLL Side Loading?

Files and Registry (Credentials)

• [ ] Putty: Creds and SSH host keys
• [ ] SSH keys in registry?
• [ ] Passwords in unattended files?
• [ ] Any SAM & SYSTEM backup?
• [ ] If SeManageVolumePrivilege is present, try raw-volume reads for SAM, SYSTEM, DPAPI material, and MachineKeys
• [ ] Cloud credentials?
• [ ] McAfee SiteList.xml file?
• [ ] Cached GPP Password?
• [ ] Password in IIS Web config file?
• [ ] Interesting info in web logs?
• [ ] Do you want to ask for credentials to the user?
• [ ] Interesting files inside the Recycle Bin?
• [ ] Other registry containing credentials?
• [ ] Inside Browser data (dbs, history, bookmarks, ...)?
• [ ] Generic password search in files and registry
• [ ] Tools to automatically search for passwords

Leaked Handlers

• [ ] Have you access to any handler of a process run by administrator?

Pipe Client Impersonation

• [ ] Check if you can abuse it

References

• Project Zero - Bypassing Administrator Protection by Abusing UI Access
• MDSec - RIP RegPwn

{{#include ../banners/hacktricks-training.md}}