Privilege Escalation Checklist

This checklist helps you avoid rabbit holes by systematically verifying prerequisites for various privilege escalation techniques. Before spending time on a potential vector, check if the necessary conditions are met.

Initial Enumeration Checklist

Identify current user and privileges (whoami /all)
Check operating system version (systeminfo)
Check installed patches (wmic qfe list brief)
Identify installed applications (wmic product get name,version,vendor)
Check for running services (net start or sc query)
Check network connections (netstat -ano)
Identify scheduled tasks (schtasks /query /fo LIST /v)

Privilege Abuse Prerequisites

Token Privileges

SeBackupPrivilege
- Current user has this privilege
- You can read sensitive files (SAM, SYSTEM)
- You have a way to transfer files off the system
SeRestorePrivilege
- Current user has this privilege
- You can write to system directories
- You know which files to modify for privilege escalation
SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege
- Current user has one of these privileges
- For "Potato" attacks: Windows version is susceptible
- For RogueWinRM: Not patched against this technique
SeTakeOwnershipPrivilege
- Current user has this privilege
- Target system file is not protected by additional mechanisms
SeLoadDriverPrivilege
- Current user has this privilege
- You have a malicious driver ready to load
- Driver signing enforcement can be bypassed
SeDebugPrivilege
- Current user has this privilege
- Target processes are running
- Memory protection mechanisms can be bypassed

Service Exploitation Prerequisites

Unquoted Service Paths
- Service path contains spaces but no quotes
- You have write permissions to one of the parent directories
- Service runs as SYSTEM or elevated account
- Service can be restarted or system can be rebooted
Weak Service Permissions
- You have permission to modify service configuration (sc qc <service>)
- Service runs as SYSTEM or elevated account
- Service can be restarted or system can be rebooted
Weak Service Binary Permissions
- You have write permission to the service executable
- Service runs as SYSTEM or elevated account
- Service can be restarted or system can be rebooted
DLL Hijacking
- Application/service loads DLLs without specifying full path
- You have write permissions to a directory in the search path
- Target application runs with elevated privileges
- You can restart the application or service

Registry Exploits Prerequisites

AlwaysInstallElevated
- Both registry keys are set to 1:
  HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
  HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
- You can create and execute a malicious MSI package
Autorun Programs
- You have write access to an autorun registry key
- You can create a malicious executable
- You can wait for or trigger a reboot or user login
Stored Credentials
- Registry contains saved credentials
- Credentials are for a high-privilege account

Credential Hunting Prerequisites

Stored Credentials
- Identified potential locations for credential storage
- You have read access to these locations
- Credentials are not encrypted or can be decrypted
Memory Dumping
- You have permission to create memory dumps
- Target process (e.g., LSASS) is running
- You have a way to extract credentials from the dump
Configuration Files
- You've identified potential configuration files
- Files contain credentials in plaintext or weak encoding

Kernel Exploits Prerequisites

Missing Patches
- You've identified missing patches (systeminfo)
- Kernel version is vulnerable to a known exploit
- You have a compiled exploit for this specific version
- Exploit is stable and won't crash the system
- System doesn't have mitigations (e.g., ASLR, DEP) that prevent the exploit

Misconfiguration Prerequisites

Weak File Permissions
- You've found writable system files
- These files are executed by high-privilege processes
- You can modify the file without triggering security alerts
Scheduled Tasks
- You've identified interesting scheduled tasks
- Task runs with high privileges
- You can modify the task or its target executable

Software-Specific Exploits

Installed Software Vulnerabilities
- You've identified vulnerable software versions
- Exploit is available for these specific versions
- Software runs with elevated privileges
- You can trigger the vulnerable functionality

Avoiding Common Rabbit Holes

Don't waste time on kernel exploits first
- They're riskier and can crash the system
- Exhaust other methods before attempting these
- Verify the exact OS version and patches before attempting
Don't try exploits without checking prerequisites
- Verify all checklist items before investing time in an exploit
- Test exploits in a similar environment if possible
Don't ignore the "low-hanging fruit"
- Always check basic misconfigurations first
- Look for stored credentials before complex exploits
- Check user privileges immediately (whoami /priv)
Don't forget to document attempts
- Keep track of what you've tried
- Note partial successes for later combination attacks
- Document why certain approaches failed

Time Management Tips

Set a time limit for each potential vector (15-30 minutes)
If a technique is taking too long, move on and come back later
Prioritize techniques based on:
- Reliability (less likely to crash the system)
- Simplicity (fewer steps means fewer potential failures)
- Prerequisites you've already confirmed

Remember: The goal is to find the easiest path to privilege escalation, not to try every possible technique.

PreviousKernel Exploits NextTools & Utilities

Last updated 6 months ago

hashtagInitial Enumeration Checklist

hashtagPrivilege Abuse Prerequisites

hashtagToken Privileges

hashtagService Exploitation Prerequisites

hashtagRegistry Exploits Prerequisites

hashtagCredential Hunting Prerequisites

hashtagKernel Exploits Prerequisites

hashtagMisconfiguration Prerequisites

hashtagSoftware-Specific Exploits

hashtagAvoiding Common Rabbit Holes

hashtagTime Management Tips