# Privilege Escalation Checklist This checklist helps you avoid rabbit holes by systematically verifying prerequisites for various privilege escalation techniques. Before spending time on a potential vector, check if the necessary conditions are met. ## Initial Enumeration Checklist * [ ] Identify current user and privileges (`whoami /all`) * [ ] Check operating system version (`systeminfo`) * [ ] Check installed patches (`wmic qfe list brief`) * [ ] Identify installed applications (`wmic product get name,version,vendor`) * [ ] Check for running services (`net start` or `sc query`) * [ ] Check network connections (`netstat -ano`) * [ ] Identify scheduled tasks (`schtasks /query /fo LIST /v`) ## Privilege Abuse Prerequisites ### Token Privileges * [ ] **SeBackupPrivilege** * Current user has this privilege * You can read sensitive files (SAM, SYSTEM) * You have a way to transfer files off the system * [ ] **SeRestorePrivilege** * Current user has this privilege * You can write to system directories * You know which files to modify for privilege escalation * [ ] **SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege** * Current user has one of these privileges * For "Potato" attacks: Windows version is susceptible * For RogueWinRM: Not patched against this technique * [ ] **SeTakeOwnershipPrivilege** * Current user has this privilege * Target system file is not protected by additional mechanisms * [ ] **SeLoadDriverPrivilege** * Current user has this privilege * You have a malicious driver ready to load * Driver signing enforcement can be bypassed * [ ] **SeDebugPrivilege** * Current user has this privilege * Target processes are running * Memory protection mechanisms can be bypassed ## Service Exploitation Prerequisites * [ ] **Unquoted Service Paths** * Service path contains spaces but no quotes * You have write permissions to one of the parent directories * Service runs as SYSTEM or elevated account * Service can be restarted or system can be rebooted * [ ] **Weak Service Permissions** * You have permission to modify service configuration (`sc qc `) * Service runs as SYSTEM or elevated account * Service can be restarted or system can be rebooted * [ ] **Weak Service Binary Permissions** * You have write permission to the service executable * Service runs as SYSTEM or elevated account * Service can be restarted or system can be rebooted * [ ] **DLL Hijacking** * Application/service loads DLLs without specifying full path * You have write permissions to a directory in the search path * Target application runs with elevated privileges * You can restart the application or service ## Registry Exploits Prerequisites * [ ] **AlwaysInstallElevated** * Both registry keys are set to 1: * HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated * HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated * You can create and execute a malicious MSI package * [ ] **Autorun Programs** * You have write access to an autorun registry key * You can create a malicious executable * You can wait for or trigger a reboot or user login * [ ] **Stored Credentials** * Registry contains saved credentials * Credentials are for a high-privilege account ## Credential Hunting Prerequisites * [ ] **Stored Credentials** * Identified potential locations for credential storage * You have read access to these locations * Credentials are not encrypted or can be decrypted * [ ] **Memory Dumping** * You have permission to create memory dumps * Target process (e.g., LSASS) is running * You have a way to extract credentials from the dump * [ ] **Configuration Files** * You've identified potential configuration files * Files contain credentials in plaintext or weak encoding ## Kernel Exploits Prerequisites * [ ] **Missing Patches** * You've identified missing patches (`systeminfo`) * Kernel version is vulnerable to a known exploit * You have a compiled exploit for this specific version * Exploit is stable and won't crash the system * System doesn't have mitigations (e.g., ASLR, DEP) that prevent the exploit ## Misconfiguration Prerequisites * [ ] **Weak File Permissions** * You've found writable system files * These files are executed by high-privilege processes * You can modify the file without triggering security alerts * [ ] **Scheduled Tasks** * You've identified interesting scheduled tasks * Task runs with high privileges * You can modify the task or its target executable ## Software-Specific Exploits * [ ] **Installed Software Vulnerabilities** * You've identified vulnerable software versions * Exploit is available for these specific versions * Software runs with elevated privileges * You can trigger the vulnerable functionality ## Avoiding Common Rabbit Holes 1. **Don't waste time on kernel exploits first** * They're riskier and can crash the system * Exhaust other methods before attempting these * Verify the exact OS version and patches before attempting 2. **Don't try exploits without checking prerequisites** * Verify all checklist items before investing time in an exploit * Test exploits in a similar environment if possible 3. **Don't ignore the "low-hanging fruit"** * Always check basic misconfigurations first * Look for stored credentials before complex exploits * Check user privileges immediately (`whoami /priv`) 4. **Don't forget to document attempts** * Keep track of what you've tried * Note partial successes for later combination attacks * Document why certain approaches failed ## Time Management Tips 1. Set a time limit for each potential vector (15-30 minutes) 2. If a technique is taking too long, move on and come back later 3. Prioritize techniques based on: * Reliability (less likely to crash the system) * Simplicity (fewer steps means fewer potential failures) * Prerequisites you've already confirmed Remember: The goal is to find the easiest path to privilege escalation, not to try every possible technique.