2020-07-15 15:43:14 +00:00
# Checklist - Local Windows Privilege Escalation
### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)\*\*\*\*
### [Vulnerable Kernel?](windows-local-privilege-escalation/#kernel-exploits)
* [ ] Search for kernel **exploits using scripts** \(_post/windows/gather/enum\_patches, post/multi/recon/local\_exploit\_suggester, sherlock, watson_ \)
* [ ] Use **Google to search** for kernel **exploits**
* [ ] Use **searchsploit to search** for kernel **exploits**
* [ ] Any [**vulnerable Driver** ](windows-local-privilege-escalation/#vulnerable-drivers )?
### [Logging/AV enumeration](windows-local-privilege-escalation/#enumeration)
* [ ] Check for **credentials** in[ **environment variables** ](windows-local-privilege-escalation/#environment)\*\*\*\*
* [ ] Check [**LAPS** ](windows-local-privilege-escalation/#laps )\*\*\*\*
* [ ] Check [**Audit** ](windows-local-privilege-escalation/#audit-settings )and [**WEF** ](windows-local-privilege-escalation/#wef )settings
* [ ] Check if any [**AV** ](windows-local-privilege-escalation/#av )\*\*\*\*
### \*\*\*\*[**User Privileges**](windows-local-privilege-escalation/#users-and-groups)
* [ ] Check [**current** user **privileges** ](windows-local-privilege-escalation/#users-and-groups )\*\*\*\*
* [ ] Check if you have [any of these tokens enabled ](windows-local-privilege-escalation/#token-manipulation ): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
* [ ] What is[ inside the Clipboard](windows-local-privilege-escalation/#get-the-content-of-the-clipboard)?
### [Network](windows-local-privilege-escalation/#network)
* [ ] Check **current** [network **information** ](windows-local-privilege-escalation/#network )\*\*\*\*
* [ ] Check **hidden local services** restricted to the outside
### Vulnerable [Software ](windows-local-privilege-escalation/#software)or [Processes](windows-local-privilege-escalation/#running-processes)?
* [ ] Is any **unknown software running** ?
* [ ] Is any software with **more privileges that it should have running** ?
* [ ] Search for **exploits for running processes** \(specially if running of versions\)
* [ ] Can you **read any** interesting **process memory** \(where passwords could be saved\)?
* [ ] Have **write permissions** over the **binaries been** executed by the **processes** ?
* [ ] Have **write permissions** over the **folder** of a binary been executed to perform a **DLL Hijacking** ?
* [ ] What is[ **running** on **startup** or is **scheduled** ](windows-local-privilege-escalation/#run-at-startup)? Can you **modify** the binary?
* [ ] Can you [**dump** the **memory** ](windows-local-privilege-escalation/#memory-password-mining ) ** **of any **process** to extract **passwords** ?
### [Services](windows-local-privilege-escalation/#services)
* [ ] [Can you **modify any service**? ](windows-local-privilege-escalation/#permissions )
* [ ] [Can you **modify** the **binary** that is **executed** by any **service**? ](windows-local-privilege-escalation/#modify-service-binary-path )
* [ ] [Can you **modify** the **registry** of any **service**? ](windows-local-privilege-escalation/#services-registry-permissions )
* [ ] [Can you take advantage of any **unquoted service** binary **path**? ](windows-local-privilege-escalation/#unquoted-service-paths )
### [DLL Hijacking](windows-local-privilege-escalation/#dll-hijacking)
* [ ] Can you **write in any folder inside PATH** ?
* [ ] Is there any known service binary that **tries to load any non-existant DLL** ?
* [ ] Can you **write** in any **binaries folder** ?
### [Credentials](windows-local-privilege-escalation/#credentials)
* [ ] [**Windows Vault** ](windows-local-privilege-escalation/#windows-vault ) credentials that you could use?
* [ ] Interesting [**DPAPI credentials** ](windows-local-privilege-escalation/#dpapi )?
* [ ] [**Wifi netoworks** ](windows-local-privilege-escalation/#wifi )?
* [ ] \*\*\*\*[**SSH keys in registry** ](windows-local-privilege-escalation/#ssh-keys-in-registry )?
* [ ] [**Credentials inside "known files"** ](windows-local-privilege-escalation/#credentials-inside-files )? Inside the Recycle Bin? At home?
* [ ] [**Registry with credentials** ](windows-local-privilege-escalation/#inside-the-registry )?
* [ ] Inside [**Browser data** ](windows-local-privilege-escalation/#browsers-history ) \(dbs, history, bookmarks....\)?
* [ ] [**AppCmd.exe** exists ](windows-local-privilege-escalation/#appcmd-exe )? Credentials?
* [ ] [**SCClient.exe** ](windows-local-privilege-escalation/#scclient-sccm )? DLL Side Loading?
* [ ] [**Cloud credentials** ](windows-local-privilege-escalation/#cloud-credentials )?
### [AlwaysInstallElevated](windows-local-privilege-escalation/#alwaysinstallelevated)
* [ ] Is this **enabled** ?
### [Is vulnerable WSUS?](windows-local-privilege-escalation/#wsus)
* [ ] Is it **vulnerable** ?
### [Write Permissions](windows-local-privilege-escalation/#write-permissions)
* [ ] Are you able to **write files that could grant you more privileges** ?
### Any [open handler of a privileged process or thread](windows-local-privilege-escalation/#leaked-handlers)?
* [ ] Maybe the compromised process is vulnerable.
### [UAC Bypass](windows-local-privilege-escalation/#check-uac)
* [ ] There are several ways to bypass the UAC
2020-08-17 08:33:42 +00:00
If you want to **know** about my **latest modifications** /**additions or you have any suggestion for HackTricks or PEASS**, **join the** [**PEASS & HackTricks telegram group here** ](https://t.me/peass )**.**
If you want to **share some tricks with the community** you can also submit **pull requests** to ** **[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ** **that will be reflected in this book.
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
2020-07-15 15:43:14 +00:00
