Privilege Escalation — Windows/Windows Post-Exploitation Enumeration
Windows Post-Exploitation Enumeration
Systematic enumeration is the key to effective privilege escalation on Windows. Before exploiting anything, you must map the environment.
◆
User and System Context
enumeration windows privesc◆
Current Account Privileges
◆
Users and Groups
◆
Services and Processes
◆
Registry — Sensitive Keys
◆
Sensitive Files
◆
Network and Connections
◆
Automated Enumeration Tools
| Tool | Description | Command |
|---|---|---|
| WinPEAS | Comprehensive colored enumeration (Windows equivalent of LinPEAS) | .\winPEAS.exe |
| Seatbelt | Targeted security enumeration | .\Seatbelt.exe all |
| PowerUp | PowerShell privesc automation | Import-Module PowerUp.ps1; Invoke-AllChecks |
| SharpUp | C# version of PowerUp | .\SharpUp.exe audit |
◆
Flashcards
FLASHCARDS · 1/2
CARD #0001
_□×
UNSEEN
Which Windows privileges are the most exploitable for privilege escalation?
◆
Exercises
Exercise 1 — Build a Windows privesc checklist
- On a Windows VM, run
whoami /alland identify enabled privileges - Check for
SeImpersonatePrivilege(often present on IIS service accounts) - Run WinPEAS:
.\winPEAS.exeand review highlighted sections - Search for credentials in the registry:
reg query HKLM /f password /t REG_SZ /s - Check for Unattend.xml files:
dir /s /b C:\*unattend* 2>nul
◆
Open Questions
Question 1 — Why is enumeration the key in Windows privesc?
◆
Next Lesson
With enumeration complete, the next lesson exploits the most common Windows privilege escalation vector: Unquoted Service Paths.
Next: Unquoted Service Paths