PrivEsc checklist

Automated Tools

Metasploit: multi/recon/local_exploit_suggester
Seatbelt: https://github.com/GhostPack/Seatbelt
Windows Exploit Suggester: https://github.com/AonCyberLabs/Windows-Exploit-Suggester
System Information

Check installed OS and architecture
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
Get-ComputerInfo -Property 'WindowsProductName', 'OsVersion', 'OsArchitecture'
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ReleaseId

Get installed updates
systeminfo | find ": KB"
wmic qfe get Caption,Description,HotFixID,InstalledOn
Get-WmiObject -Class Win32_QuickFixEngineering

List environment variables
set
Get-ChildItem Env: | ft Key,Value

List local and network drives
wmic logicaldisk get deviceid, volumename, description
Get-PSDrive -PSProvider FileSystem

View domain controllers
systeminfo | findstr /B /C:"Domain"
Network

Get interface and network configuration
ipconfig /all
Get-NetIPConfiguration | Select-Object -Property InterfaceAlias, IPv4Address

Print routing table
route print

List active connections
netstat -ano
Get-NetTCPConnection

Show firewall state and configuration (the netsh firewall context is deprecated; current Windows versions expose the same information under the netsh advfirewall context)
netsh firewall show state
netsh firewall show config

List network shares and mapped drives
net share
Get-SMBMapping

View DNS cache
ipconfig /displaydns
Users and Groups

Get current user, including group memberships and privileges
whoami
whoami /all
net user %username%

List all users
net user
Get-LocalUser | ft Name,Enabled,LastLogon,Description

Get details about a specific user
net user <user>

View password policy
net accounts

Get local groups
net localgroup
Services

Get running services
wmic service get Caption,StartName,State,pathname
net start

List unquoted service binaries (auto-start services outside C:\Windows whose path is not wrapped in quotes)
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

World Writeable Folders

Folders that are commonly writable by standard users on a default install; they matter when a service path or DLL search order passes through them.
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\Windows\tracing
C:\Windows\Temp
C:\Users\Public

Privilege Escalation Specific
Unquoted service paths

AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
If the value returned is AlwaysInstallElevated REG_DWORD 0x1, a malicious MSI can be installed with elevated permissions from a standard-privilege account. The policy only takes effect when the value is set to 1 under both HKLM and HKCU, so a finding in one hive alone is not exploitable.

Check Sticky Notes for passwords
C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

Search File System for passwords and files of interest

Search for passwords
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
findstr /si pass *.txt
findstr /si pass *.xml
findstr /si pass *.ini
# Find all those strings in config files
dir /s *pass* == *cred* == *vnc* == *.config*

If the current user can read event logs, get the latest PowerShell commands run on the system
Get-EventLog -LogName 'Windows PowerShell' -Newest 100 | Select-Object -Property *

Recycle Bin
cd 'c:\$recycle.bin\<User SID>'
dir /A
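The two misconfigurations from the Services and Privilege Escalation Specific sections above (unquoted service paths and AlwaysInstallElevated) can be audited together so a hardening review can fix them. This is an added read-only example, not part of the original checklist; it uses only the CIM service class and the registry keys already named on this page.

```powershell
# Added hardening audit (not part of the original checklist). Reports services
# started from an unquoted path containing a space, and the state of the
# AlwaysInstallElevated policy. Read-only: it lists findings for remediation.

function Get-UnquotedServicePath {
    # Win32_Service.PathName is the raw ImagePath, arguments included.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path -or $path.StartsWith('"')) { return }
        # Keep only the executable part; anything after ".exe" is arguments.
        $exe = $path -replace '(?i)(\.exe).*$', '$1'
        # Binaries under the Windows directory are skipped, as in the wmic filter above.
        if ($exe -match '^[A-Za-z]:\\Windows\\') { return }
        if ($exe -match '\s') {
            [pscustomobject]@{
                Name      = $_.Name
                StartMode = $_.StartMode
                RunsAs    = $_.StartName
                PathName  = $path   # fix: wrap this value in quotes in the service config
            }
        }
    }
}

function Test-AlwaysInstallElevated {
    # The policy is effective only when BOTH hives carry the value 1.
    $sub = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $values = @{}
    foreach ($hive in 'HKLM', 'HKCU') {
        $item = Get-ItemProperty -Path "${hive}:\$sub" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        # A missing key or value counts as 0 (policy not set).
        $values[$hive] = [int]($item.AlwaysInstallElevated)
    }
    [pscustomobject]@{
        HKLM    = $values['HKLM']
        HKCU    = $values['HKCU']
        Enabled = ($values['HKLM'] -eq 1 -and $values['HKCU'] -eq 1)
    }
}

'== Unquoted service paths (outside C:\Windows) =='
Get-UnquotedServicePath | Format-Table -AutoSize
'== AlwaysInstallElevated =='
Test-AlwaysInstallElevated | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so every service's ImagePath and the HKLM policy key are readable; an empty first table and Enabled = False in the second are the expected results on a hardened host.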