🛡️ Methodology Checklist

  • Current user and privileges: whoami /priv; whoami /groups
  • OS build number: systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
  • Local admins: net localgroup administrators
  • Installed software: wmic product get name,version
  • Running services: sc query state= all
  • Network listeners: netstat -ano
  • Scheduled tasks: schtasks /query /fo LIST /v
  • Run WinPEAS or PowerUp for automated enumeration

🎯 Operational Context

Use when: Windows foothold — systematic enumeration of system info, users, groups, processes, services, and installed software to identify privesc paths.

Think Dumber First: whoami /all; systeminfo; net localgroup administrators; tasklist /svc. These four commands give: current privileges, OS version (for CVEs), local admin group membership, and all running services with their service accounts. Run them all immediately.

Skip when: Already SYSTEM/Administrator — skip enumeration and go directly to post-exploitation objectives.


⚡ Tactical Cheatsheet

Command | Tactical Outcome
whoami /priv | Current token privileges — look for Se* privs
whoami /groups | Group memberships including domain groups
net user [USER] | Local user details, last login, group membership
net localgroup administrators | Members of local Administrators
query user | Logged-on users and session IDs
systeminfo | OS version, build, hotfixes, domain, architecture
wmic qfe | Installed hotfixes/patches — find missing KBs
tasklist /svc | Running processes and their associated services
netstat -ano | Active connections + listening ports + PIDs
ipconfig /all | NIC config, DNS servers, DHCP info
arp -a | ARP cache — adjacent hosts
route print | Routing table — network segments reachable
Get-MpComputerStatus | Windows Defender status (PowerShell)
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections | AppLocker policy
Get-Process | Where-Object {$_.Path -ne $null} | Select Name,Path | Sort-Object Name | Running processes with paths
dir /a C:\ | Root dir including hidden files
cmdkey /list | Saved credentials — targets for runas /savecred

🔬 Deep Dive & Workflow

Priority Enumeration Sequence

1. whoami /priv → SeImpersonate? SeDebugPrivilege? SeTakeOwnership?
2. whoami /groups → Administrators? Backup Operators? DnsAdmins?
3. systeminfo → OS build → patch level → known CVEs
4. wmic qfe → missing KBs → searchsploit "KB[number]"
5. cmdkey /list → saved creds → runas /savecred
6. netstat -ano → internal services → tunneling opportunities
7. tasklist /svc → AV process names → evasion planning
8. Get-MpComputerStatus → Defender status → AMSI bypass needed?

Build Number to OS Mapping

Build | OS Version
10240 | Windows 10 v1507
14393 | Windows 10 v1607 / Server 2016
17763 | Windows 10 v1809 / Server 2019
19041 | Windows 10 v2004 / Server 2019
20348 | Server 2022

# Get exact build
[System.Environment]::OSVersion.Version
# → Major.Minor.Build.Revision
 
# Or from systeminfo:
systeminfo | findstr /B /C:"OS Version" /C:"OS Name"

Token Privilege Targets

Privilege | Attack Path
SeImpersonatePrivilege | JuicyPotato (≤1809) or PrintSpoofer (≥1809)
SeAssignPrimaryTokenPrivilege | Same as SeImpersonate — Potato attacks
SeDebugPrivilege | Dump LSASS → Mimikatz → credentials
SeTakeOwnershipPrivilege | takeown + icacls → read/overwrite any file
SeBackupPrivilege | Read any file including NTDS.dit
SeRestorePrivilege | Write any file — overwrite system binaries
SeLoadDriverPrivilege | Load malicious kernel driver
SeCreateSymbolicLinkPrivilege | Symlink attacks on privileged file ops
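
An added triage helper (not part of the original cheatsheet) that turns captured output of steps 1 and 3 of the Priority Enumeration Sequence into a hardening-review summary: it parses `whoami /priv`, flags only the privileges listed in the Token Privilege Targets table, and resolves the build number from `systeminfo` with the Build Number to OS Mapping table. The sample output is constructed, and the parser assumes English-language Windows output.

```python
import re
# Privileges named in the Token Privilege Targets table above.
HIGH_RISK_PRIVS = {
    "SeImpersonatePrivilege": "token impersonation (Potato family)",
    "SeAssignPrimaryTokenPrivilege": "token impersonation (Potato family)",
    "SeDebugPrivilege": "LSASS access, credential dumping",
    "SeTakeOwnershipPrivilege": "take ownership of any file",
    "SeBackupPrivilege": "read any file",
    "SeRestorePrivilege": "write any file",
    "SeLoadDriverPrivilege": "kernel driver loading",
    "SeCreateSymbolicLinkPrivilege": "symlink abuse of privileged file ops",
}
# Build number to OS version, from the Build Number to OS Mapping table.
BUILD_MAP = {10240: "Windows 10 v1507", 14393: "Windows 10 v1607 / Server 2016",
             17763: "Windows 10 v1809 / Server 2019",
             19041: "Windows 10 v2004 / Server 2019", 20348: "Server 2022"}

def parse_whoami_priv(text):
    """Map privilege name -> state from `whoami /priv` output; header and '===='
    lines never start with 'Se'. Assumes English output (localized states differ)."""
    privs = {}
    for line in text.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs

def flag_privileges(privs):
    """(name, state, why) for each high-risk privilege present. Disabled
    privileges are still reported: the token holder can enable them."""
    return [(n, s, HIGH_RISK_PRIVS[n]) for n, s in privs.items()
            if n in HIGH_RISK_PRIVS]

def parse_build(systeminfo_text):
    """Build number from the 'OS Version:' line of systeminfo, e.g.
    'OS Version: 10.0.17763 N/A Build 17763' -> 17763; None if absent."""
    for line in systeminfo_text.splitlines():
        m = re.match(r"OS Version:.*Build (\d+)", line)
        if m:
            return int(m.group(1))
    return None

# Constructed sample output (not captured from a real host).
SAMPLE_PRIV = """Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""
SAMPLE_SYSINFO = "OS Name:   Microsoft Windows Server 2019 Standard\nOS Version:   10.0.17763 N/A Build 17763\n"
```

Run `flag_privileges(parse_whoami_priv(SAMPLE_PRIV))` and `BUILD_MAP.get(parse_build(SAMPLE_SYSINFO))` to get the flagged privileges and the OS version for the sample.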

AV/EDR Detection

# Check Windows Defender status
Get-MpComputerStatus | Select RealTimeProtectionEnabled, AntivirusEnabled
 
# List all security products (WMI)
Get-WmiObject -Class AntiVirusProduct -Namespace root\SecurityCenter2
 
# Common AV process names to look for in tasklist:
# MsMpEng.exe (Defender), cb.exe (CarbonBlack), bdagent.exe (BitDefender)
# ekrn.exe (ESET), avgnt.exe (Avira), SEPMaster.exe (Symantec)
 
# Check AppLocker
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
# If blocked: use LOLBAS (Living Off the Land Binaries)

Network Enumeration

# Listening services → tunnel candidates
netstat -ano | findstr LISTEN
 
# Established connections → active sessions
netstat -ano | findstr ESTABLISHED
 
# Match PID to process
tasklist | findstr [PID]
 
# DNS servers (may be DC)
ipconfig /all | findstr "DNS Server"
 
# Shares
net share
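
An added example (not from the original cheatsheet) that automates the "match PID to process" step above: it joins captured `netstat -ano` output to `tasklist /svc` so every listener is reported with its process, hosted services, and whether it is bound on all interfaces rather than loopback. Both sample outputs are constructed; the join handles UDP rows, which carry no State column, and PIDs absent from the task list.

```python
def parse_netstat(text):
    """Rows of `netstat -ano` as dicts; UDP rows have no State column, so PID is last."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        rows.append({"proto": f[0], "local": f[1], "remote": f[2],
                     "state": f[3] if f[0] == "TCP" else "", "pid": int(f[-1])})
    return rows

def parse_tasklist_svc(text):
    """{pid: (image, [services])} from `tasklist /svc`; 'N/A' means no service hosted."""
    procs = {}
    for line in text.splitlines():
        f = line.split(None, 2)  # image, pid, comma-separated services
        if len(f) != 3 or not f[1].isdigit():
            continue  # header and separator lines
        svcs = [] if f[2].strip() == "N/A" else [s.strip() for s in f[2].split(",")]
        procs[int(f[1])] = (f[0], svcs)
    return procs

def listening_exposure(netstat_text, tasklist_text):
    """Join each listener to its process and services. 'exposed' is True when the
    socket is bound on every interface (0.0.0.0 or [::]) rather than loopback."""
    procs = parse_tasklist_svc(tasklist_text)
    out = []
    for r in parse_netstat(netstat_text):
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            continue  # established/time-wait sockets are not listeners
        host, port = r["local"].rsplit(":", 1)
        image, svcs = procs.get(r["pid"], ("<unknown>", []))
        out.append({"proto": r["proto"], "port": int(port), "pid": r["pid"],
                    "image": image, "services": svcs,
                    "exposed": host in ("0.0.0.0", "[::]")})
    return out

# Constructed sample output (not captured from a real host).
NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5040         0.0.0.0:0              LISTENING       5212
  TCP    10.0.0.5:49712         10.0.0.9:445           ESTABLISHED     4
  UDP    0.0.0.0:123            *:*                                    1088
"""
TASKLIST = """Image Name                     PID Services
System                           4 N/A
svchost.exe                    900 RpcEptMapper, RpcSs
svchost.exe                   1088 W32Time
"""
```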

Installed Software Hunt

# 64-bit apps
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select DisplayName, DisplayVersion, InstallDate | Sort-Object DisplayName
 
# 32-bit apps on 64-bit OS
Get-ItemProperty HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select DisplayName, DisplayVersion | Sort-Object DisplayName
 
# Or via wmic
wmic product get name,version,vendor

🛠️ Troubleshooting & Edge Cases

Problem | Cause | Fix
systeminfo blocked | Restricted shell or policy | Try wmic computersystem get caption,model,systemtype; wmic os get version,caption,buildnumber
WinPEAS finds nothing useful | All low-hanging fruit patched | Check manually: AlwaysInstallElevated, DLL hijacking paths, scheduled tasks as SYSTEM, SeImpersonatePrivilege
net commands blocked | Restricted shell | Use WMI: wmic group list brief, wmic localgroup list brief
Process list shows unknown services | Possibly interesting custom service | Check sc qc [SERVICE_NAME] for binary path; icacls [BINARY_PATH] for write permission
Installed software enumeration incomplete | 32-bit vs 64-bit registry | Check both: HKLM\SOFTWARE\ and HKLM\SOFTWARE\WOW6432Node\

📝 Reporting Trigger

Finding Title: Windows System Enumeration Reveals Privilege Escalation Paths

Impact: Systematic Windows enumeration identifies unquoted service paths, weak service binary permissions, AlwaysInstallElevated policy, and other misconfigurations that enable privilege escalation from low-privileged user to SYSTEM.

Root Cause: Windows system not hardened against common privilege escalation vectors. Default Windows configurations not reviewed or remediated post-deployment.

Recommendation: Run PowerUp.ps1 and WinPEAS against all Windows systems during hardening review. Apply Windows security baselines. Implement automated misconfiguration detection in the vulnerability scanning program.