Windows Local Privilege Escalation Cookbook

Table of Contents

• Windows Local Privilege Escalation Cookbook
  • Table of Contents
  • Disclaimer
  • Description (Keynote)
  • Definition
  • Useful Tools
  • Vulnerabilities
  • References

Disclaimer

This repository, "Windows Local Privilege Escalation Cookbook" is intended for educational purposes only. The author bears no responsibility for any illegal use of the information provided herein. Users are urged to use this knowledge ethically and lawfully. By accessing this repository, you agree to use its contents responsibly and in accordance with all applicable laws.

Description (Keynote)

This Cookbook was created with the main purpose of helping people understand local privilege escalation techniques on Windows environments. Moreover, it can be used for both attacking and defensive purposes.

:information_source: This Cookbook focuses only on misconfiguration vulnerabilities on Windows workstations/servers/machines.

:warning: Evasion techniques to bypass security protections, endpoints, or antivirus are not included in this cookbook. I created this PowerShell script, TurnOffAV.ps1, which permanently disables Windows Defender. Run this with local Administrator privileges.

The main structure of this Cookbook includes the following sections for any vulnerability:

• Description
• Lab Setup
• Enumeration
• Exploitation
• Mitigation
• (Useful) References

I hope to find this CookBook useful and learn new stuff 😉.

If you find any bugs, don’t hesitate to report them. Your feedback is valuable in improving the quality of this project!

Definition

Local Privilege Escalation, also known as LPE, refers to the process of elevating user privileges on a computing system or network beyond what is intended, granting unauthorized access to resources or capabilities typically restricted to higher privilege levels. This process occurs when attackers exploit weaknesses, vulnerabilities, or misconfigurations within the operating system, applications, or device drivers. By exploiting these flaws, attackers can bypass security controls and escalate their privileges, potentially gaining control over the system and accessing sensitive data.

Useful Tools

In the following table, some popular and useful tools for Windows local privilege escalation are presented:

Vulnerabilities

This Cookbook presents the following Windows vulnerabilities:

• AlwaysInstallElevated
• Answer files (Unattend files)
• Logon Autostart Execution (Registry Run Keys)
• Logon Autostart Execution (Startup Folder)
• Leaked Credentials (GitHub Repository)
• Leaked Credentials (Hardcoded Credentials)
• Leaked Credentials (PowerShell History)
• SeBackupPrivilege
• SeImpersonatePrivilege
• Stored Credentials (Runas)
• UAC Bypass
• Unquoted Service Path
• Weak Service Binary Permissions
• Weak Service Permissions
• Weak Registry Permissions

References

• Privilege Escalation Wikipedia
• SharpCollection GitHub by Flangvik
• Metasploit Official Website
• CrackMapExec GitHub by byt3bl33d3r
• NetExec GitHub by Pennyw0rth
• Evil-WinRM GitHub by Hackplayers
• Windows Privilege Escalation Youtube Playlist by Conda
• Windows Privilege Escalation by Bordergate
• Seatbelt GitHub by GhostPack
• Sysinternals Suite Microsoft
• Impacket GitHub by Forta
• dnSpy GitHub by dnSpyEx
• Java Decompiler Official Website
• CS-Situational-Awareness-BOF GitHub by TrustedSec
• HavocFramework GitHub by C5pider
• LPE Cookbook AutomatedLab Build Template