Windows privilege escalation techniques for penetration testing and CPTS preparation. This section covers systematic approaches to elevating privileges from a low-privileged user account to local administrator or system-level access.
- Situational Awareness - Network enumeration, security protections, system context
- Initial Enumeration - System info, processes, users, groups, and services enumeration
- Communication with Processes - Network services and named pipes analysis
- SeImpersonate & SeAssignPrimaryToken - Token impersonation attacks (Potato techniques)
- SeDebugPrivilege - LSASS memory dumping and SYSTEM privilege escalation
- SeTakeOwnershipPrivilege - File ownership takeover and ACL manipulation
- Windows Built-in Groups - Backup Operators, SeBackupPrivilege, and NTDS.dit extraction
- Event Log Readers - Event log analysis and credential extraction from command lines
- DnsAdmins - Arbitrary DLL loading by the DNS service (ServerLevelPluginDll) for SYSTEM-level code execution on a Domain Controller
- Hyper-V Administrators - VM cloning attacks and hard link exploitation
- Print Operators - SeLoadDriverPrivilege exploitation and Capcom.sys driver attacks
- Server Operators - Service control, binary path modification, and local administrator access
- UAC Bypass - User Account Control bypass via DLL hijacking and auto-elevating binaries
- Weak Permissions - File system ACLs, service permissions, unquoted paths, and registry exploitation
- Kernel Exploits - Historical and modern Windows kernel vulnerabilities for privilege escalation
- Vulnerable Services - Third-party application exploitation and service-based privilege escalation
- Credential Hunting - File system credential discovery, PowerShell history, and DPAPI decryption
- Other Files - Advanced credential hunting in StickyNotes, system files, and network shares
- Further Credential Theft - Browser credentials, password managers, LaZagne, SessionGopher, and registry-stored credentials
- Windows User Privileges - Token privileges and abuse techniques
- Windows Group Privileges - Dangerous group memberships and exploitation
- Attacking the OS - Kernel exploits, service misconfigurations
- Credential Theft - LSASS, registry, memory-based attacks
- Service Exploitation - Unquoted service paths, weak permissions
- Scheduled Task Abuse - Task scheduler misconfigurations
- AppLocker Bypass - Application whitelisting evasion
- AMSI Bypass - Antimalware Scan Interface evasion
- UAC Bypass - User Account Control circumvention
- DLL Hijacking - DLL search order exploitation
- Registry Exploitation - Registry-based privilege escalation
- File System - NTFS permissions and symbolic links
- Windows Subsystem - WSL and containerization issues
- End of Life Systems - Windows 7, Server 2008 specific techniques
- Legacy Service Exploitation - Deprecated service vulnerabilities
- Systematic enumeration - Comprehensive information gathering
- Attack vector identification - Spotting escalation opportunities
- Tool proficiency - PowerShell, WinPEAS, PrivescCheck
- Evasion techniques - Bypassing security controls
- Persistence methods - Maintaining elevated access
```powershell
# Automated enumeration
WinPEAS.exe
PrivescCheck.ps1
PowerUp.ps1
Seatbelt.exe

# Manual techniques
whoami /all
Get-Process
Get-Service
Get-ScheduledTask
```

The automated tools above are widely signatured; check the state of Defender and other protections before dropping them on disk, and fall back to the manual checks when they are blocked:

- Current user privileges (`whoami /priv`)
- Group memberships (`whoami /groups`)
- Running services (`Get-Service`)
- Network configuration (`ipconfig /all`)
- Installed software (`Get-WmiObject Win32_Product`; note that this class triggers a consistency check of every MSI package it enumerates, is slow, and can reconfigure packages as a side effect, so the Uninstall registry keys are the quieter source for the same list)
- Security protections (`Get-MpComputerStatus`)
- Scheduled tasks (`Get-ScheduledTask`)
- File/folder permissions (`icacls`)
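The checklist above, wired together as a single triage script. This is an added example, not code from the original notes or from WinPEAS/PrivescCheck/PowerUp; it only wraps the built-in commands already listed, flags the findings that map to the sections of this page, and reads installed software from the Uninstall registry keys instead of `Win32_Product`. The privilege and group tables are my own selection, and the `Test-WeakAcl` helper is a deliberately simple `icacls` parser that treats a hit as a lead rather than proof. Run it as the low-privileged user; nothing in it requires admin rights.

```powershell
# Added triage script (not from the original notes or any named tool).
# Assumptions: a PowerShell session as the low-privileged user, icacls and
# whoami on PATH, CIM available. The privilege/group tables are my own.
$me = (whoami).ToLower()

# --- 1. Token privileges (whoami /priv) -------------------------------------
$interestingPrivs = @{
    'SeImpersonatePrivilege'        = 'Potato-family token impersonation'
    'SeAssignPrimaryTokenPrivilege' = 'Potato-family token impersonation'
    'SeDebugPrivilege'              = 'LSASS access, inject into SYSTEM processes'
    'SeTakeOwnershipPrivilege'      = 'take ownership of files and registry keys'
    'SeBackupPrivilege'             = 'read SAM/SYSTEM/NTDS.dit regardless of ACLs'
    'SeRestorePrivilege'            = 'write any file, swap service binaries'
    'SeLoadDriverPrivilege'         = 'load a vulnerable signed driver'
}
# Rows look like "SeShutdownPrivilege  Shut down the system  Disabled".
# Disabled privileges still count: the token holder can normally enable them.
whoami /priv | Select-String '^(Se\w+Privilege)' | ForEach-Object {
    $name = $_.Matches[0].Groups[1].Value
    if ($interestingPrivs.ContainsKey($name)) { "[PRIV]  $name -> $($interestingPrivs[$name])" }
}

# --- 2. Dangerous built-in groups (whoami /groups) --------------------------
$interestingGroups = 'Administrators', 'Backup Operators', 'Event Log Readers', 'DnsAdmins',
                     'Hyper-V Administrators', 'Print Operators', 'Server Operators'
whoami /groups /fo csv | ConvertFrom-Csv | ForEach-Object {
    $short = $_.'Group Name' -replace '^.*\\', ''      # strip BUILTIN\ or DOMAIN\
    if ($interestingGroups -contains $short) { "[GROUP] $($_.'Group Name')" }
}

# --- 3. ACL helper: can we (or a broad principal) modify this path? ---------
$broad = @('everyone', 'builtin\users', 'nt authority\authenticated users', $me)
function Test-WeakAcl([string]$Path) {
    if ([string]::IsNullOrEmpty($Path) -or -not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($line in (icacls "$Path" 2>$null)) {
        $l = $line.ToLower()
        if ($l -match '\(deny\)') { continue }
        foreach ($p in $broad) {
            # (F)ull, (M)odify or (W)rite only; granular lists such as (RX,W)
            # are not parsed, so treat a hit as a lead, not a proof.
            if ($l.Contains($p) -and $l -match '\((f|m|w)\)') { return $true }
        }
    }
    return $false
}

# --- 4. Services: unquoted paths and writable binaries/directories ---------
function Get-ServiceBinaryPath([string]$PathName) {
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }   # quoted path
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }  # unquoted, up to .exe
    return ($PathName -split ' ')[0]
}
Get-CimInstance Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
    $bin = Get-ServiceBinaryPath $_.PathName
    if ($_.PathName -notmatch '^"' -and $bin -match ' ') {
        "[SVC]   $($_.Name): unquoted path with spaces -> $($_.PathName)"
    }
    if (Test-WeakAcl $bin) {
        "[SVC]   $($_.Name) (runs as $($_.StartName)): binary is writable -> $bin"
    }
    elseif (Test-WeakAcl (Split-Path $bin -Parent)) {
        "[SVC]   $($_.Name): binary directory writable (DLL hijack) -> $(Split-Path $bin -Parent)"
    }
}

# --- 5. Scheduled tasks whose executable we can overwrite -------------------
Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }                         # COM-handler actions
        $exe = [Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
        if (Test-WeakAcl $exe) { "[TASK]  $($task.TaskName) runs writable $exe as $($task.Principal.UserId)" }
    }
}

# --- 6. Defender state and installed software --------------------------------
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    "[AV]    Defender AV=$($mp.AntivirusEnabled) real-time=$($mp.RealTimeProtectionEnabled)"
} catch { "[AV]    Get-MpComputerStatus unavailable (no Defender, or access blocked)" }

# The Uninstall keys give the same list as Win32_Product without triggering
# an MSI consistency check of every package.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } | Sort-Object DisplayName |
    ForEach-Object { "[SW]    $($_.DisplayName) $($_.DisplayVersion)" }
```

Each tagged line points back at a section of this page: `[PRIV]` hits at the token-privilege sections, `[GROUP]` at the built-in group sections, `[SVC]` and `[TASK]` at Weak Permissions and Scheduled Task Abuse. Anything the script flags still has to be confirmed by hand (for example by actually writing a test file to the directory it reports), since the ACL check ignores granular rights and inherited deny entries further up the tree.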
This section provides comprehensive coverage of Windows privilege escalation techniques aligned with the CPTS certification requirements.