Windows - Privilege Escalation

Content of this page has been moved to InternalAllTheThings/redteam/escalation/windows-privilege-escalation

• Tools
• Windows Version and Configuration
• User Enumeration
• Network Enumeration
• Antivirus Enumeration
• Default Writeable Folders
• EoP - Looting for passwords
  • SAM and SYSTEM files
  • HiveNightmare
  • LAPS Settings
  • Search for file contents
  • Search for a file with a certain filename
  • Search the registry for key names and passwords
  • Passwords in unattend.xml
  • Wifi passwords
  • Sticky Notes passwords
  • Passwords stored in services
  • Passwords stored in Key Manager
  • Powershell History
  • Powershell Transcript
  • Password in Alternate Data Stream
• EoP - Processes Enumeration and Tasks
• EoP - Incorrect permissions in services
• EoP - Windows Subsystem for Linux (WSL)
• EoP - Unquoted Service Paths
• EoP - $PATH Interception
• EoP - Named Pipes
• EoP - Kernel Exploitation
• EoP - Microsoft Windows Installer
  • AlwaysInstallElevated
  • CustomActions
• EoP - Insecure GUI apps
• EoP - Evaluating Vulnerable Drivers
• EoP - Printers
  • Universal Printer
  • Bring Your Own Vulnerability
• EoP - Runas
• EoP - Abusing Shadow Copies
• EoP - From local administrator to NT SYSTEM
• EoP - Living Off The Land Binaries and Scripts
• EoP - Impersonation Privileges
  • Restore A Service Account's Privileges
  • Meterpreter getsystem and alternatives
  • RottenPotato (Token Impersonation)
  • Juicy Potato (Abusing the golden privileges)
  • Rogue Potato (Fake OXID Resolver))
  • EFSPotato (MS-EFSR EfsRpcOpenFileRaw))
  • PrintSpoofer (Printer Bug)))
• EoP - Privileged File Write
  • DiagHub
  • UsoDLLLoader
  • WerTrigger
  • WerMgr
• EoP - Privileged File Delete
• EoP - Common Vulnerabilities and Exposures
  • MS08-067 (NetAPI)
  • MS10-015 (KiTrap0D)
  • MS11-080 (adf.sys)
  • MS15-051 (Client Copy Image)
  • MS16-032
  • MS17-010 (Eternal Blue)
  • CVE-2019-1388
• EoP - $PATH Interception
• References