# Windows Privilege Escalation

This section covers techniques, tools, and methods to escalate privileges on Windows systems during penetration testing. Windows privilege escalation is a critical component of the OSCP exam and real-world pentests.

## Key Areas Covered

* [Enumeration](/pentesting-notes/core-knowledge-areas/windows-privilege-escalation/enumeration.md) - Collecting system information to identify privilege escalation vectors
* [Credential Hunting](/pentesting-notes/core-knowledge-areas/windows-privilege-escalation/credential-hunting.md) - Finding stored passwords and credentials
* [Service Exploitation](/pentesting-notes/core-knowledge-areas/windows-privilege-escalation/service-exploitation.md) - Exploiting vulnerable services and misconfigurations
* [Token Impersonation](/pentesting-notes/core-knowledge-areas/windows-privilege-escalation/token-impersonation.md) - Leveraging Windows token privileges
* [Registry Exploits](/pentesting-notes/core-knowledge-areas/windows-privilege-escalation/registry-exploits.md) - Exploiting registry-based vulnerabilities
* [Scheduled Tasks](/pentesting-notes/core-knowledge-areas/windows-privilege-escalation/scheduled-tasks.md) - Exploiting scheduled tasks and jobs
* [Kernel Exploits](/pentesting-notes/core-knowledge-areas/windows-privilege-escalation/kernel-exploits.md) - Using Windows kernel vulnerabilities
* [UAC Bypass](https://github.com/kabaneridev/oscp-notes/blob/main/windows-privilege-escalation/uac-bypass.md) - Bypassing User Account Control
* [Windows Persistence](https://github.com/kabaneridev/oscp-notes/blob/main/windows-privilege-escalation/persistence.md) - Maintaining access to compromised systems
* [Windows Privilege Escalation Checklist](/pentesting-notes/core-knowledge-areas/windows-privilege-escalation/checklist.md) - Comprehensive checklist of attack vectors

## Automated Tools

* **PowerUp**: PowerShell script for Windows privilege escalation checks
* **WinPEAS**: Windows Privilege Escalation Awesome Script
* **BloodHound**: Active Directory reconnaissance tool
* **PowerView**: PowerShell tool for network/AD reconnaissance
* **SharpUp**: C# port of PowerUp

## External Resources

* [PayloadsAllTheThings - Windows Privilege Escalation](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)
* [HackTricks - Windows Local Privilege Escalation](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)
* [Absolomb's Windows Privilege Escalation Guide](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
* [Fuzzy Security Windows Privilege Escalation](https://fuzzysecurity.com/tutorials/16.html)

## Disclaimer

These techniques are documented for educational purposes and should only be used in legitimate, authorized penetration testing activities. Always ensure you have proper authorization before performing privilege escalation attempts.


