Checklist - Local Windows Privilege Escalation

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: if you want to see your company advertised in HackTricks or download HackTricks in PDF, check the SUBSCRIPTION PLANS! Get the official PEASS & HackTricks swag. Discover The PEASS Family, our collection of exclusive NFTs. Join the Discord group or the telegram group, or follow us on Twitter @carlospolopm. Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Try Hard Security Group (External Link): https://discord.gg/tryhardsecurity
Best tool to look for Windows local privilege escalation vectors: WinPEAS
System Info

- Obtain System information
- Search for kernel exploits using scripts
- Use Google to search for kernel exploits
- Use searchsploit to search for kernel exploits
- Interesting info in env vars?
- Passwords in PowerShell history?
- Interesting info in Internet settings?
- Drives?
- WSUS exploit?
- AlwaysInstallElevated?
Logging/AV enumeration

- Check Audit and WEF settings
- Check LAPS
- Check if WDigest is active
- LSA Protection?
- Credential Guard?
- Cached Credentials?
- Check if any AV is running
- AppLocker Policy?
- UAC
User Privileges

- Check current user privileges
- Are you a member of any privileged group?
- Check if you have any of these tokens enabled: SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege?
- Users Sessions?
- Check users' homes (access?)
- Check Password Policy
- What is inside the Clipboard?
Network

- Check current network information
- Check hidden local services restricted to the outside
Running Processes

- File and folder permissions of process binaries
- Memory Password mining
- Insecure GUI apps
- Steal credentials from interesting processes (firefox, chrome, etc.) via ProcDump.exe?
Services

- Can you modify any service?
- Can you modify the binary that is executed by any service?
- Can you modify the registry of any service?
- Can you take advantage of any unquoted service binary path?
Applications

- Write permissions on installed applications
- Startup Applications
- Vulnerable Drivers
DLL Hijacking

- Can you write in any folder inside PATH?
- Is there any known service binary that tries to load any non-existent DLL?
- Can you write in any binaries folder?
Network

- Enumerate the network (shares, interfaces, routes, neighbours, ...)
- Take a special look at network services listening on localhost (127.0.0.1)
Windows Credentials

- Winlogon credentials
- Windows Vault credentials that you could use?
- Interesting DPAPI credentials?
- Passwords of saved Wi-Fi networks?
- Interesting info in saved RDP Connections?
- Passwords in recently run commands?
- Remote Desktop Credentials Manager passwords?
- AppCmd.exe exists? Credentials?
- SCClient.exe? DLL Side Loading?
Files and Registry (Credentials)

- Putty: Creds and SSH host keys
- SSH keys in registry?
- Passwords in unattended files?
- Any SAM & SYSTEM backup?
- Cloud credentials?
- McAfee SiteList.xml file?
- Cached GPP Password?
- Password in IIS Web config file?
- Interesting info in web logs?
- Do you want to ask the user for credentials?
- Interesting files inside the Recycle Bin?
- Other registry keys containing credentials?
- Inside Browser data (dbs, history, bookmarks, ...)?
- Generic password search in files and registry
- Tools to automatically search for passwords
Leaked Handles

- Do you have access to any handle of a process run by administrator?

Pipe Client Impersonation

- Check if you can abuse it