
Windows Privilege Escalation

Privilege Escalation cheatsheet — Post-exploitation privilege escalation techniques.

Overview

Windows Privilege Escalation is the process of elevating access from a limited user account to SYSTEM (or high-integrity) on a Windows system.

Windows privesc techniques target service permissions, registry misconfigurations, token privileges, stored credentials, kernel exploits, and DLL hijacking.

Category: Privilege Escalation (post-exploitation privilege escalation techniques).

Key Commands & Payloads

The following commands and payloads are commonly used when testing for or exploiting Windows Privilege Escalation:

whoami /priv
whoami /groups
Get-Service | Where-Object { $_.CanStop }
Get-CimInstance -ClassName Win32_Service
Get-Acl -Path HKLM:\SYSTEM\CurrentControlSet\Services\*
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer"
cmdkey /list
dir C:\Users\*\AppData\Local\Microsoft\Credentials\
wmic service get name,pathname | findstr /i /v "C:\Windows"
schtasks /query /fo LIST /v
Get-ChildItem -Path "C:\Program Files\*" -Recurse | Select-Object FullName
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ImagePath

Tools & Techniques

Recommended tools for Windows Privilege Escalation:

  • WinPEAS: automated Windows privilege escalation auditing
  • PowerUp: PowerShell-based privilege escalation checker
  • SharpUp: C# port of PowerUp
  • Seatbelt: C# security audit tool
  • JuicyPotato / PrintSpoofer / RoguePotato: token exploitation
  • Manual: check AlwaysInstallElevated, unquoted paths, weak service permissions, token privileges
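Added example, not part of the original cheatsheet: a Python script that audits the output of the reg query ImagePath command listed above for unquoted service paths containing spaces, the condition behind the manual check here and the "fix unquoted service paths" mitigation below. The sample registry output, service names and paths are constructed for the example; it only parses text and does not check directory ACLs.

```python
import re
# Constructed sample output of: reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ImagePath
# (made-up service names and paths; the blank lines reg query prints between keys are omitted)
SAMPLE_REG_OUTPUT = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleQuotedSvc
    ImagePath    REG_EXPAND_SZ    "C:\Program Files\Example Vendor\svc.exe" -run
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleUnquotedSvc
    ImagePath    REG_EXPAND_SZ    C:\Program Files\Example Vendor\Sub Dir\agent.exe -service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleDriver
    ImagePath    REG_EXPAND_SZ    \SystemRoot\System32\drivers\example.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvchost
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs
"""
KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\r\n]+)\s*$", re.I)
VALUE_RE = re.compile(r"^\s*ImagePath\s+REG_(?:EXPAND_)?SZ\s+(.*?)\s*$", re.I)
BINARY_RE = re.compile(r"^(.*?\.(?:exe|sys))(?=\s|$)", re.I)   # path up to the first .exe/.sys
WINDOWS_DIR_RE = re.compile(r"%systemroot%|\\systemroot|c:\\windows", re.I)

def parse_image_paths(reg_output):
    """Return [(service_name, image_path)] pairs parsed from the reg query output."""
    services, current = [], None
    for line in reg_output.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        value = VALUE_RE.match(line)
        if value and current:
            services.append((current, value.group(1)))
    return services

def is_unquoted_with_spaces(image_path):
    """True when the binary path is unquoted and contains a space, so the service control
    manager tries each space-delimited prefix before the real binary. Whether those
    prefix directories are writable is a separate ACL check not performed here."""
    value = image_path.strip()
    if value.startswith('"'):
        return False                      # quoted paths are resolved as written
    match = BINARY_RE.match(value)
    binary = match.group(1) if match else value.split(" ")[0]
    return " " in binary

def find_unquoted_service_paths(reg_output, skip_windows_dir=True):
    # skip_windows_dir mirrors the cheatsheet's findstr /i /v "C:\Windows" filter
    findings = []
    for name, path in parse_image_paths(reg_output):
        if skip_windows_dir and WINDOWS_DIR_RE.search(path):
            continue
        if is_unquoted_with_spaces(path):
            findings.append((name, path))
    return findings
```

Feed it the real reg query output saved to a file and quote every flagged ImagePath (sc config or the registry) to close the finding.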

Prevention & Mitigation

Security recommendations to prevent Windows Privilege Escalation:

  • Apply the principle of least privilege for all services
  • Use managed service accounts (gMSA) for services
  • Fix unquoted service paths
  • Secure registry permissions for service configuration
  • Disable unnecessary user privileges
  • Apply security patches regularly
  • Monitor for suspicious privilege use with Windows Event Logging
  • Use LAPS for local administrator password management
