4.windows-privileges-overview

whoami /priv

Initial Enumeration:

  • OS/Version: Determine the OS version (e.g., Windows 10, Server 2016) and patch level for potential exploits.

  • Running Services: Identify services running as SYSTEM or administrator, as they may be vulnerable.

  • Environment Variables: Examine the PATH variable for writable directories and other useful information.

  • System Information (systeminfo): Check for recent patches, system boot time, and installed hotfixes.

  • Installed Programs (wmic/PowerShell): Identify vulnerable applications.

  • Network Connections (netstat): Find open ports and listening services, especially on localhost.

  • User/Group Information (whoami, net user, net localgroup): Identify privileged users and groups.

  • Password Policy (net accounts): Understand password complexity and lockout policies.

  • PowerShell is very useful: Many of the standard commands have more powerful PowerShell equivalents.

Communication with Processes:

  • Access Tokens: Understand how access tokens define the security context of processes.

  • Network Services (netstat): Identify vulnerable services listening on network ports.

  • Named Pipes (pipelist, accesschk): Enumerate and analyze named pipe permissions for potential vulnerabilities.

  • Loopback connections: Pay close attention to services listening on the loopback address.

  • SeImpersonatePrivilege: This is a key privilege to look for, and is used in many privilege escalation attacks.

Windows Privileges Overview:

  • Privileges vs. Access Rights: Understand the difference between privileges (system-wide actions) and access rights (object-specific permissions).

  • Windows Authorization Process: Recognize the role of SIDs, ACEs, and security descriptors.

  • Key Groups: Know the privileges associated with groups like Administrators, Backup Operators, and Hyper-V Administrators.

  • User Rights Assignment: Understand the importance of rights like SeDebugPrivilege, SeImpersonatePrivilege, and SeBackupPrivilege.

  • whoami /priv: Use this command to list the privileges assigned to the current user.

  • UAC: Be aware of User Account Control and its impact on privilege management.

  • Privileges can be disabled: Just because a user has a privilege, does not mean that it is currently active.

  • Event ID 4672: This event can be used to detect the assignment of special privileges.

Previous2.Windows User PrivilegesNext5.Seimpersonate-and-seassignprimarytoken

Last updated