4.windows-privileges-overview

whoami /priv

Initial Enumeration:

OS/Version: Determine the OS version (e.g., Windows 10, Server 2016) and patch level for potential exploits.
Running Services: Identify services running as SYSTEM or administrator, as they may be vulnerable.
Environment Variables: Examine the PATH variable for writable directories and other useful information.
System Information (systeminfo): Check for recent patches, system boot time, and installed hotfixes.
Installed Programs (wmic/PowerShell): Identify vulnerable applications.
Network Connections (netstat): Find open ports and listening services, especially on localhost.
User/Group Information (whoami, net user, net localgroup): Identify privileged users and groups.
Password Policy (net accounts): Understand password complexity and lockout policies.
PowerShell is very useful: Many of the standard commands have more powerful PowerShell equivalents.

Communication with Processes:

Access Tokens: Understand how access tokens define the security context of processes.
Network Services (netstat): Identify vulnerable services listening on network ports.
Named Pipes (pipelist, accesschk): Enumerate and analyze named pipe permissions for potential vulnerabilities.
Loopback connections: Pay close attention to services listening on the loopback address.
SeImpersonatePrivilege: This is a key privilege to look for, and is used in many privilege escalation attacks.

Windows Privileges Overview:

Privileges vs. Access Rights: Understand the difference between privileges (system-wide actions) and access rights (object-specific permissions).
Windows Authorization Process: Recognize the role of SIDs, ACEs, and security descriptors.
Key Groups: Know the privileges associated with groups like Administrators, Backup Operators, and Hyper-V Administrators.
User Rights Assignment: Understand the importance of rights like SeDebugPrivilege, SeImpersonatePrivilege, and SeBackupPrivilege.
whoami /priv: Use this command to list the privileges assigned to the current user.
UAC: Be aware of User Account Control and its impact on privilege management.
Privileges can be disabled: Just because a user has a privilege, does not mean that it is currently active.
Event ID 4672: This event can be used to detect the assignment of special privileges.

Last updated 12 days ago

whoami /priv

Initial Enumeration:

OS/Version: Determine the OS version (e.g., Windows 10, Server 2016) and patch level for potential exploits.
Running Services: Identify services running as SYSTEM or administrator, as they may be vulnerable.
Environment Variables: Examine the PATH variable for writable directories and other useful information.
System Information (systeminfo): Check for recent patches, system boot time, and installed hotfixes.
Installed Programs (wmic/PowerShell): Identify vulnerable applications.
Network Connections (netstat): Find open ports and listening services, especially on localhost.
User/Group Information (whoami, net user, net localgroup): Identify privileged users and groups.
Password Policy (net accounts): Understand password complexity and lockout policies.
PowerShell is very useful: Many of the standard commands have more powerful PowerShell equivalents.

Communication with Processes:

Access Tokens: Understand how access tokens define the security context of processes.
Network Services (netstat): Identify vulnerable services listening on network ports.
Named Pipes (pipelist, accesschk): Enumerate and analyze named pipe permissions for potential vulnerabilities.
Loopback connections: Pay close attention to services listening on the loopback address.
SeImpersonatePrivilege: This is a key privilege to look for, and is used in many privilege escalation attacks.

Windows Privileges Overview:

Privileges vs. Access Rights: Understand the difference between privileges (system-wide actions) and access rights (object-specific permissions).
Windows Authorization Process: Recognize the role of SIDs, ACEs, and security descriptors.
Key Groups: Know the privileges associated with groups like Administrators, Backup Operators, and Hyper-V Administrators.
User Rights Assignment: Understand the importance of rights like SeDebugPrivilege, SeImpersonatePrivilege, and SeBackupPrivilege.
whoami /priv: Use this command to list the privileges assigned to the current user.
UAC: Be aware of User Account Control and its impact on privilege management.
Privileges can be disabled: Just because a user has a privilege, does not mean that it is currently active.
Event ID 4672: This event can be used to detect the assignment of special privileges.

Last updated 12 days ago