Windows Privilege Escalation

Topics

  1. Introduction to the Windows Shells

  2. Windows Permissions

  3. Reverse Shells in Windows

  4. SeImpersonatePrivilege Exploitation

  5. On Cross Compilation

  6. Windows Services

  7. Weak Service Permissions

  8. Unquoted Service Path

  9. DLL Hijacking

  10. Always Install Elevated

  11. Files with Sensitive Data

  12. Windows Hashes

  13. Stored Credentials and the Windows Vault

  14. Scheduled Task

  15. Critical Registry Paths

  16. Useful Tools

  17. AMSI Bypass

MS Windows and Privilege Escalation

Microsoft Windows OS

Microsoft Windows is a proprietary operating system developed by Microsoft Corporation. Unlike open-source operating systems such as Linux, the source code for Windows is not publicly accessible, and modifications to its core components are restricted to Microsoft. This closed-source model ensures that Microsoft maintains full control over its development, updates, and security measures.

Windows has been the dominant operating system for personal computers since its initial release in 1985. Its user-friendly graphical interface, compatibility with a wide range of hardware, and extensive software ecosystem have contributed to its widespread adoption. Windows is designed for a variety of devices, including desktops, laptops, tablets, and servers, offering versatility across different use cases.

One of the standout features of Windows is its integration with enterprise environments. It includes tools like Active Directory for centralized user and device management, Group Policy for configuration enforcement, and PowerShell for automation and scripting. These features make Windows particularly appealing to businesses and IT professionals.

Despite its advantages, Windows is sometimes criticized for its security vulnerabilities, given its popularity as a target for malware and cyberattacks. Microsoft addresses these concerns through regular updates, enhanced built-in security features like Windows Defender, and the implementation of secure boot mechanisms.

Microsoft DOS History
  • 1981 MS-DOS 1.0 was released August, 1981.

  • 1982 MS-DOS 1.25 was released August, 1982.

  • 1983 MS-DOS 2.0 was released March, 1983.

  • 1984 Microsoft introduces MS-DOS 3.0 for the IBM PC AT and MS-DOS 3.1 for networks.

  • 1986 MS-DOS 3.2 was released April, 1986.

  • 1987 MS-DOS 3.3 was released April, 1987.

  • 1988 MS-DOS 4.0 was released July, 1988.

  • 1988 MS-DOS 4.01 was released November, 1988.

  • 1991 MS-DOS 5.0 was released June, 1991.

  • 1993 MS-DOS 6.0 was released August, 1993.

  • 1993 MS-DOS 6.2 was released November, 1993.

  • 1994 MS-DOS 6.21 was released March, 1994.

  • 1994 MS-DOS 6.22 was released April, 1994.

Microsoft Windows History
  • 1985 Windows 1.0

  • 1990 Windows 3.0

  • 1993 Windows NT

  • 1995 Windows 95

  • 2001 Windows XP

  • 2006 Windows Vista

  • 2009 Windows 7

  • 2012 Windows 8

  • 2014 Windows 10

  • 2021 Windows 11

Privilege Escalation

Privilege escalation is a critical concept in cybersecurity that involves obtaining higher levels of access or privileges than those initially granted. It is often exploited by attackers to gain unauthorized control over a system, allowing them to perform actions that are typically restricted, such as accessing sensitive data, modifying system configurations, or executing arbitrary code.

Privilege escalation can be categorized into two main types:

  1. Vertical Privilege Escalation

     In vertical privilege escalation (or privilege elevation), an attacker gains access to higher-level permissions, such as escalating from a standard user account to an administrator or root account. This often provides the attacker full control over the system. Techniques to achieve this include exploiting unpatched vulnerabilities, abusing misconfigurations, or leveraging credential theft.

  2. Horizontal Privilege Escalation

     Horizontal privilege escalation involves gaining access to another user's account with similar privilege levels. For instance, an attacker might use stolen credentials or session hijacking techniques to impersonate another user, potentially accessing sensitive information or functions tied to that account.

Hardening OS

It is essential to harden systems by conducting regular audits against widely recognized checklists and frameworks, such as the CIS Benchmarks and STIGs, to ensure compliance with security best practices. This process should include the validation of system configurations, the implementation of least-privilege access controls, continuous vulnerability assessments, and the timely application of security patches. Additionally, organizations should adopt automated tools to streamline compliance checks and integrate threat detection mechanisms to identify and respond to potential risks proactively.
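Added example, not part of the course material: a read-only PowerShell audit in the spirit of the automated configuration checks recommended above. It inspects two of the misconfigurations listed in this course's topics (Always Install Elevated and unquoted service paths) and assumes an elevated PowerShell session on the lab VM; the function names are this example's own.

```powershell
# Added example (not from the course page): a minimal local audit of two
# privilege-escalation misconfigurations from this course's topic list.
# It only reads registry values and service definitions; it changes nothing.

function Test-AlwaysInstallElevated {
    # MSI packages run as SYSTEM only when BOTH the machine and the user
    # policy value are 1; a missing value or 0 keeps the safe default.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name AlwaysInstallElevated `
                -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [PSCustomObject]@{
            Check    = 'AlwaysInstallElevated'
            Location = $p
            Value    = $v
            Risky    = ($v -eq 1)
        }
    }
}

function Test-UnquotedServicePath {
    # An unquoted binary path with a space BEFORE the .exe is ambiguous to the
    # service control manager. A hit is only a real problem if a standard user
    # can write to one of the intermediate directories, so check those ACLs
    # before prioritizing the fix (quoting the path in the service config).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^"' -and
            (($_.PathName -split '\.exe')[0] -match '\s')
        } |
        ForEach-Object {
            [PSCustomObject]@{
                Check    = 'UnquotedServicePath'
                Location = $_.Name
                Value    = $_.PathName
                Risky    = $true
            }
        }
}

$findings = @(Test-AlwaysInstallElevated) + @(Test-UnquotedServicePath)
$findings | Where-Object Risky | Format-Table -AutoSize
```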

Windows Hardening - HackTricks

Hardening Security Frameworks:

Lab Environment

QuickEmu

Quickemu is a wrapper for the excellent QEMU that automatically "does the right thing" when creating virtual machines. No requirement for exhaustive configuration options. You decide what operating system you want to run and Quickemu takes care of the rest 🤖

Steps

Windows Setup

Using Quickemu

quickget windows 11
quickemu --vm windows-11.conf --display spice

Labs and Practices

Background Information

Concepts and Practice

Resources

Cheatsheet
