# Windows Privilege Escalation

## Topics <a href="#topics" id="topics"></a>

> 1. Introduction to the Windows Shells
> 2. Windows Permissions
> 3. Reverse Shells in Windows
> 4. SeImpersonatePrivilege Exploitation
> 5. On Cross Compilation
> 6. Windows Services
> 7. Weak Service Permissions
> 8. Unquoted Service Path
> 9. DLL Hijacking
> 10. Always Install Elevated
> 11. Files with Sensitive Data
> 12. Windows Hashes
> 13. Stored Credentials and the Windows Vault
> 14. Scheduled Task
> 15. Critical Registry Paths
> 16. Useful Tools
> 17. AMSI Bypass

## MS Windows and Privilege Escalation

<details>

<summary>Microsoft Windows OS</summary>

Microsoft Windows is a proprietary operating system developed by Microsoft Corporation. Unlike open-source operating systems such as Linux, the source code for Windows is not publicly accessible, and modifications to its core components are restricted to Microsoft. This closed-source model ensures that Microsoft maintains full control over its development, updates, and security measures.

Windows has been the dominant operating system for personal computers since its initial release in 1985. Its user-friendly graphical interface, compatibility with a wide range of hardware, and extensive software ecosystem have contributed to its widespread adoption. Windows is designed for a variety of devices, including desktops, laptops, tablets, and servers, offering versatility across different use cases.

One of the standout features of Windows is its integration with enterprise environments. It includes tools like Active Directory for centralized user and device management, Group Policy for configuration enforcement, and PowerShell for automation and scripting. These features make Windows particularly appealing to businesses and IT professionals.

Despite its advantages, Windows is sometimes criticized for its security vulnerabilities, given its popularity as a target for malware and cyberattacks. Microsoft addresses these concerns through regular updates, enhanced built-in security features like Windows Defender, and the implementation of secure boot mechanisms.

</details>

<details>

<summary>Microsoft DOS History</summary>

* 1981 MS-DOS 1.0 was released August, 1981.
* 1982 MS-DOS 1.25 was released August, 1982.
* 1983 MS-DOS 2.0 was released March, 1983.
* 1984 Microsoft introduces MS-DOS 3.0 for the IBM PC AT and MS-DOS 3.1 for networks.
* 1986 MS-DOS 3.2 was released April, 1986.
* 1987 MS-DOS 3.3 was released April, 1987.
* 1988 MS-DOS 4.0 was released July, 1988.
* 1988 MS-DOS 4.01 was released November, 1988.
* 1991 MS-DOS 5.0 was released June, 1991.
* 1993 MS-DOS 6.0 was released August, 1993.
* 1993 MS-DOS 6.2 was released November, 1993.
* 1994 MS-DOS 6.21 was released March, 1994.
* 1994 MS-DOS 6.22 was released April, 1994.

</details>

<details>

<summary>Microsoft Windows History</summary>

* 1985 Windows 1.0
* 1990 Windows 3.0
* 1993 Windows NT
* 1995 Windows 95
* 2001 Windows XP
* 2006 Windows Vista
* 2009 Windows 7
* 2012 Windows 8
* 2014 Windows 10
* 2021 Windows 11

</details>

### Privilege Escalation

Privilege escalation is a critical concept in cybersecurity that involves obtaining higher levels of access or privileges than those initially granted. It is often exploited by attackers to gain unauthorized control over a system, allowing them to perform actions that are typically restricted, such as accessing sensitive data, modifying system configurations, or executing arbitrary code.

Privilege escalation can be categorized into two main types:

1. **Vertical Privilege Escalation**\
   In vertical privilege escalation (or privilege elevation), an attacker gains access to higher-level permissions, such as escalating from a standard user account to an administrator or root account. This often provides the attacker full control over the system. Techniques to achieve this include exploiting unpatched vulnerabilities, abusing misconfigurations, or leveraging credential theft.
2. **Horizontal Privilege Escalation**\
   Horizontal privilege escalation involves gaining access to another user's account with similar privilege levels. For instance, an attacker might use stolen credentials or session hijacking techniques to impersonate another user, potentially accessing sensitive information or functions tied to that account.

### Hardening OS

It is essential to harden systems by conducting regular audits against market-recognized checklists and frameworks, such as the CIS and STIG benchmarks, to ensure compliance with security best practices. This process should include validating system configurations, implementing least-privilege access controls, running continuous vulnerability assessments, and applying security patches. Additionally, organizations should adopt automated tools to streamline compliance checks and integrate threat detection mechanisms so that potential risks are identified and handled proactively.

[Windows Hardening - HackTricks](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)

Hardening Security Frameworks:

* [CIS Benchmark](https://www.cisecurity.org/cis-benchmarks)
* [STIG Benchmark](https://www.google.com/search?q=stig+benchmark+windows\&oq=stig+benchmark+windows\&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIJCAEQABgTGIAEMgoIAhAAGBMYFhgeMgoIAxAAGBMYFhgeMgoIBBAAGBMYFhgeMgoIBRAAGBMYFhgeMgoIBhAAGBMYFhgeMgoIBxAAGBMYFhgeMgoICBAAGBMYFhgeMgoICRAAGBMYFhge0gEIMzg3OGowajSoAgCwAgA\&sourceid=chrome\&ie=UTF-8)

### Lab Environment <a href="#lab-environment" id="lab-environment"></a>

#### [QuickEmu](https://github.com/quickemu-project/quickemu) <a href="#quickemu" id="quickemu"></a>

{% embed url="https://github.com/quickemu-project/quickemu" %}
{% endembed %}

**Quickemu** is a wrapper for the excellent [QEMU](https://www.qemu.org/) that automatically *"does the right thing"* when creating virtual machines. No requirement for exhaustive configuration options. You decide what operating system you want to run and Quickemu takes care of the rest 🤖

#### Steps

* [**Installation**](https://github.com/quickemu-project/quickemu/wiki/01-Installation) 💾
* [**Create Linux virtual machines**](https://github.com/quickemu-project/quickemu/wiki/02-Create-Linux-virtual-machines) 🐧
* [**Create macOS virtual machines**](https://github.com/quickemu-project/quickemu/wiki/03-Create-macOS-virtual-machines) 🍏
* [**Create Windows virtual machines**](https://github.com/quickemu-project/quickemu/wiki/04-Create-Windows-virtual-machines) 🪟
* [**Advanced quickemu configuration**](https://github.com/quickemu-project/quickemu/wiki/05-Advanced-quickemu-configuration) 🔧

#### Windows Setup

Using Quickemu:

```bash
# Download the Windows 11 image and generate the VM configuration file
quickget windows 11
# Boot the VM from that configuration, using the SPICE display protocol
quickemu --vm windows-11.conf --display spice
```

## Labs and Practices

### Background Information <a href="#background-information" id="background-information"></a>

* Windows Fundamentals Module 🏠 [THM Room](https://tryhackme.com/module/windows-fundamentals)
* Intro To Offensive Security 🏠 [THM Room](https://tryhackme.com/room/introtooffensivesecurity)
* Pentesting Fundamentals 🏠 [THM Room](https://tryhackme.com/room/pentestingfundamentals)
* eJPTv2 Ine Full Course 🗒️ [eJPTv2 Notes](https://app.gitbook.com/o/s2H3MdEB0Qp2IbE58Gxw/s/PNcjhcAuvH4mlZKYrNu3/)

### Concepts and Practice <a href="#concepts-and-pratice" id="concepts-and-pratice"></a>

* Post Exploitation Basics 🏠 [THM Room](https://tryhackme.com/room/postexploit)
* Sudo Security Bypass 🏠 [THM Room](https://tryhackme.com/room/sudovulnsbypass)
* Windows Privilege Escalation 🗒️ [Hackersploit Article](https://hackersploit.org/windows-privilege-escalation-fundamentals/)
* Windows Privesc Arena 🏠 [THM Room](https://tryhackme.com/room/windowsprivescarena)
* Windows Privesc 🏠 [THM Room](https://tryhackme.com/room/windows10privesc)
* Bypass UAC 🏠 [THM Room](https://tryhackme.com/room/bypassinguac)
* Post-Exploitation Basics 🏠 [THM Room](https://tryhackme.com/r/room/postexploit)

## Resources

* [Windows Privilege Escalation - Hexdump (YT) - EN](https://www.youtube.com/playlist?list=PLJnLaWkc9xRh8hmNFWyzWMFgAHo8Lgr93) 🇬🇧
* [Windows Privilege Escalation for beginners - TCM (YT) - EN](https://www.youtube.com/watch?v=uTcrbNBcoxQ\&t=1s\&pp=ygUccHJpdmlsZWdlIGVzY2FsYXRpb24gd2luZG93cw%3D%3D) 🇬🇧
* [Windows Privilege Escalation - HackTricks Blog](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)
* [GTFOBins](https://gtfobins.github.io/)
* [Windows Privilege Escalation Methodology](https://github.com/LeonardoE95/yt-en/blob/main/src/2024-12-30-windows-privesc-cheatsheet-and-methodology/content/windows-privesc-methodology.txt) - [Cheatsheet](https://github.com/LeonardoE95/yt-en/blob/main/src/2024-12-30-windows-privesc-cheatsheet-and-methodology/content/windows-privesc-cheatsheet.txt) (Hexdump)

## Cheatsheet

* 🗒️ [My Cheatsheet](https://dev-angelist.gitbook.io/windows-privilege-escalation/cheatsheet)
* 🗒️ [Hexdump Cheatsheet](https://github.com/LeonardoE95/yt-en/blob/main/src/2024-12-30-windows-privesc-cheatsheet-and-methodology/content/windows-privesc-cheatsheet.txt)


