Situational awareness is the first critical step in Windows privilege escalation. Before attempting any escalation techniques, we must understand:
- Network topology and dual-homed systems
- Security protections in place (AV, EDR, AppLocker)
- System context and current privileges
- Network connectivity and potential lateral movement paths
"We cannot function and react effectively without an understanding of our current surroundings"
```
# Complete network interface information
ipconfig /all
# Quick IP address overview
ipconfig
# DNS resolver cache (names this host resolved recently)
ipconfig /displaydns
```
Look for:
- Multiple network interfaces (dual-homed systems)
- DNS servers and domain information
- DHCP configuration
- IPv6 addresses and tunneling adapters

Example Output Analysis:
```
# Dual-homed system identified
IPv4 Address: 10.129.43.8     # External/DMZ network
IPv4 Address: 192.168.20.56   # Internal network
# Domain information
Primary Dns Suffix: .htb
DNS Suffix Search List: .htb
```

```
# View ARP cache for recent communications
arp -a
# Analyze per interface
arp -a -N [interface_ip]
```
Strategic Value:
- Recent communications - Shows hosts recently contacted
- Network discovery - Identifies active hosts on each network
- Lateral movement targets - Potential next hop systems
- Administrative patterns - RDP/WinRM connection evidence
```
# Complete routing information
route print
# IPv4 routes only
route print -4
# IPv6 routes only
route print -6
```
Analysis Points:
```
# Network segments accessible:
Network Destination   Netmask          Gateway        Interface
10.129.0.0            255.255.0.0      10.129.0.1     10.129.43.8     # External
192.168.20.0          255.255.255.0    192.168.20.1   192.168.20.56   # Internal
# Default routes - potential egress points
0.0.0.0               0.0.0.0          10.129.0.1                     # Primary route
0.0.0.0               0.0.0.0          192.168.20.1                   # Secondary route
```

```
# Active connections and listening ports (numeric)
netstat -an
# Processes and associated connections (requires an elevated prompt)
netstat -anb
# Per-protocol statistics
netstat -s
# Interface (Ethernet) statistics; Windows netstat has no -i switch
netstat -e
```

```powershell
# PowerShell network cmdlets
Get-NetIPConfiguration
Get-NetRoute
Get-NetAdapter
Get-NetTCPConnection -State Established
```

```powershell
# Comprehensive Defender status
Get-MpComputerStatus
# Key status indicators
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, BehaviorMonitorEnabled
# Threat detection settings
Get-MpPreference | Select-Object DisableRealtimeMonitoring, DisableBehaviorMonitoring
```
Critical Status Fields:
- AntivirusEnabled - AV engine status
- RealTimeProtectionEnabled - Live scanning
- BehaviorMonitorEnabled - Behavioral analysis
- OnAccessProtectionEnabled - File access monitoring
```powershell
# Current effective AppLocker rules
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
# Local AppLocker policy only
Get-AppLockerPolicy -Local
# Domain AppLocker policy (-Ldap is required with -Domain; placeholder shown)
Get-AppLockerPolicy -Domain -Ldap "LDAP://<DC-FQDN>/<GPO-DistinguishedName>"
# Test specific executable against policy
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path C:\Windows\System32\cmd.exe -User Everyone
```
AppLocker Rule Types:
- Executable Rules - Controls .exe, .com files
- Windows Installer Rules - Controls .msi, .msp files
- Script Rules - Controls .ps1, .bat, .cmd files
- Packaged App Rules - Controls Windows Store apps
- DLL Rules - Controls .dll files (rarely used)

```
# Look for path-based rules that can be bypassed
PathConditions: {%PROGRAMFILES%\*}   # May allow unsigned executables in Program Files
PathConditions: {%WINDIR%\*}         # May allow execution from Windows directory
```

```
# Running services (potential EDR); findstr ORs space-separated search strings, it has no \| alternation
net start | findstr /i "carbon crowd cylance defend fire malware secure"
# Process list for security tools
tasklist | findstr /i "carbon crowd cylance defend fire malware secure"
# Windows Firewall status
netsh advfirewall show allprofiles
```

```powershell
# PowerShell security service enumeration
Get-Service | Where-Object {$_.Name -match "Defend|Malware|Antivirus|Carbon|Crowd|Fire"}
# Check for common EDR processes
Get-Process | Where-Object {$_.ProcessName -match "cb|crowd|fire|defend|malware"}
```
```
# Current user information (user, groups and privileges)
whoami /all
# User privileges
whoami /priv
# Group memberships
whoami /groups
# Current user only
whoami
```

```powershell
# PowerShell user context
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Get-LocalUser | Where-Object {$_.Enabled -eq $true}
Get-LocalGroupMember -Group "Administrators"
```

```
# System details (findstr ORs space-separated search strings)
systeminfo | findstr /i "system os service hotfix"
# OS version
ver
# Environment variables
set
# Installed software (Win32_Product query: slow, and it triggers a consistency check of every MSI package)
wmic product get name,version
```

```powershell
# PowerShell system information
Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, TotalPhysicalMemory
Get-WmiObject -Class Win32_OperatingSystem
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
```
Situational Awareness Checklist:
- Multiple interfaces identified - Check for dual-homed systems
- Internal networks mapped - Document accessible network segments
- ARP cache analyzed - Note recent communication patterns
- Routing table reviewed - Understand network topology
- Active connections listed - Identify current network activity
- Windows Defender status - Determine AV/EDR protection level
- AppLocker rules assessed - Understand execution restrictions
- Firewall configuration - Check for outbound restrictions
- Security services identified - Note EDR/monitoring tools
- Admin privileges confirmed - Verify current access level
- User privileges enumerated - Document current user context
- Group memberships verified - Check for privileged groups
- System version identified - Note OS version and patch level
- Installed software cataloged - Identify potential attack vectors
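As an added example that is not part of the original page, the following PowerShell function runs the same network, Defender, AppLocker and firewall checks from the defender's side and returns one finding per gap, so an administrator can verify what an enumerating user would see. It assumes Windows 10 / Server 2016 or later with the NetTCPIP, NetSecurity, Defender and AppLocker modules present; the function name Get-SituationalPosture is chosen here.

```powershell
# Added example, not from the original page: defender-side audit of the checks above.
# Assumes Windows 10 / Server 2016+ with the NetTCPIP, NetSecurity, Defender and
# AppLocker modules; Get-SituationalPosture is our own name.
function Get-SituationalPosture {
    $findings = @()

    # 1. Dual-homed check: IPv4 addresses on more than one non-loopback interface (APIPA ignored)
    $addrs = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -notmatch 'Loopback' -and $_.IPAddress -notlike '169.254.*' }
    if (($addrs.InterfaceIndex | Sort-Object -Unique).Count -gt 1) {
        $pairs = $addrs | ForEach-Object { "$($_.InterfaceAlias)=$($_.IPAddress)" }
        $findings += "Dual-homed host: " + ($pairs -join ', ')
    }

    # 2. Defender: each protection flag listed on the page should be $true
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        foreach ($flag in 'AntivirusEnabled','RealTimeProtectionEnabled','BehaviorMonitorEnabled','OnAccessProtectionEnabled') {
            if (-not $mp.$flag) { $findings += "Defender: $flag is off" }
        }
    } catch {
        $findings += "Defender: status unavailable ($($_.Exception.Message))"
    }

    # 3. AppLocker: rules only apply when a collection is in Enabled mode AND AppIDSvc is running
    $policy   = Get-AppLockerPolicy -Effective
    $enforced = @($policy.RuleCollections | Where-Object { $_.EnforcementMode -eq 'Enabled' })
    if ($enforced.Count -eq 0) { $findings += "AppLocker: no rule collection is enforced (Enabled mode)" }
    $appid = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    if ($enforced.Count -gt 0 -and $appid.Status -ne 'Running') {
        $findings += "AppLocker: AppIDSvc is not running, so enforced collections are not applied"
    }

    # 4. Firewall: every profile enabled; flag profiles whose default outbound action is not Block
    foreach ($p in Get-NetFirewallProfile) {
        if ("$($p.Enabled)" -ne 'True') { $findings += "Firewall: profile $($p.Name) is disabled" }
        elseif ("$($p.DefaultOutboundAction)" -ne 'Block') { $findings += "Firewall: profile $($p.Name) permits all outbound by default" }
    }

    # 5. Local Administrators membership, to compare against the expected baseline
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    $findings += "Administrators: " + ($admins -join ', ')

    return $findings
}

Get-SituationalPosture
```

Run it from an elevated PowerShell session so Get-NetFirewallProfile and Get-LocalGroupMember return complete data; each returned string is one item to reconcile against the host's intended baseline.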
Lab Environment:
- Target: Windows system accessible via RDP
- Credentials: htb-student:HTB_@cademy_stdnt!
- Objective: Identify network configuration and security restrictions

Objective: Find the IP address of the other NIC attached to the target host
```
# Solution approach
ipconfig /all
# Look for multiple Ethernet adapters
# Identify IP addresses on different network segments
# Answer format: X.X.X.X (IP address of secondary interface)
```

Objective: Identify which executable (other than cmd.exe) is blocked by AppLocker
```powershell
# Solution approach
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
# Test common executables (powershell.exe lives under WindowsPowerShell\v1.0, not directly in System32)
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -User Everyone
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path C:\Windows\System32\cmd.exe -User Everyone
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path C:\Windows\System32\net.exe -User Everyone
# Look for PolicyDecision: Denied
```
Common Blocked Executables:
- powershell.exe - PowerShell interpreter
- cmd.exe - Command prompt (mentioned as blocked)
- net.exe - Network configuration utility
- wmic.exe - Windows Management Instrumentation tool

```
# Network discovery result
Interface 1: 10.129.43.8 (External/HTB network)
Interface 2: 192.168.20.56 (Internal network)
# AppLocker restriction result
powershell.exe: DENIED
cmd.exe: DENIED
net.exe: ALLOWED
```
Key Takeaways:
- Network topology understanding - Dual-homed systems provide lateral movement opportunities
- Security awareness - Early protection enumeration prevents detection
- Context establishment - Know your current privileges before escalation attempts
- Tool restrictions - AppLocker policies affect available attack vectors
- Systematic approach - Complete situational awareness before technical exploitation

This guide covers the essential first step in Windows privilege escalation: gathering comprehensive situational awareness to inform subsequent attack strategies.