Windows Privilege Escalation Checklist

Base Enumeration

Windows version systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Patch Information wmic qfe get Caption, Description, HotFixID, InstalledOn

Get OSArchitecture wmic OS get OSArchitecture

User Enumeration

Who is the current user whoami

Does the user hold any special privileges? whoami /priv

  • If SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege) is listed, look at the potato family of token-impersonation attacks; these privileges are typical of service accounts such as the IIS or SQL Server identities
  • If SeShutdownPrivilege is present you can reboot the host yourself, which matters for service-based vectors (unquoted service path, writable service binary) when the service has to be restarted and you have no permission to stop or start it

What groups is this user a part of? whoami /groups

Which user accounts exist? net user (local accounts); net user /domain (domain accounts, on a domain-joined host)

Which local groups exist? net localgroup

Who is in the local Administrators group? net localgroup Administrators

Variables

What environment variables are set? dir env: (PowerShell) or set (cmd); look for custom paths, credentials left in variables, and PATH entries that point at directories you can write to

Network capability

Which services have been started? net start

Which ports are listening, and which process (PID) owns each? netstat -ano

Firewall

Which profiles are on, and what is the default action? netsh advfirewall show allprofiles

Dump every rule netsh advfirewall firewall show rule name=all

The dump prints a "Direction:" field per rule; to filter inbound or outbound directly use PowerShell: Get-NetFirewallRule -Direction Inbound -Enabled True (or -Direction Outbound)

Transfer capability

Which file-transfer methods are available on the host? Check for each of:

  • certutil
  • FTP
  • TFTP
  • VBScript (cscript / wscript)
  • PowerShell
  • SMB
  • NFS

Hidden Directories

Are there any hidden directories? Get-ChildItem -Path "C:\" -Directory -Hidden -Recurse -ErrorAction SilentlyContinue

Was there a hidden .git directory? If so, the commit history may contain credentials that were later removed:
- cd .git
- git log
- git diff <older-commit> <newer-commit>, e.g. git diff 8b430c17c16e6c0515e49c4eafdd129f719fde74 967fa71c359fffcbeb7e2b72b27a321612e3ad11

App enumeration

List installed 64-bit applications Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

List installed 32-bit applications (on 64-bit Windows the Wow6432Node hive holds the 32-bit entries, not the 64-bit ones) Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Get processes via Powershell Get-Process

Get process paths Get-Process | Select-Object -ExpandProperty Path

Service Enumeration

Which services exist, and which account does each run as? wmic service get name,startname

Look for unquoted service paths Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

  • A PathName that contains spaces but is not wrapped in quotes is the candidate; it is only exploitable if you can write to one of the directories on that path (C:\Program Files\Some Dir\svc.exe gives C:\Program.exe and C:\Program Files\Some.exe as hijack locations) and can restart the service or reboot the host

Scheduled tasks

Any scheduled tasks worth a look (what runs, from where, and as which user)?

schtasks /query /fo LIST /v
schtasks /query /fo LIST /v | Select-String -Pattern "TaskName:"
schtasks /query /fo LIST /v | Select-String -Pattern "Task To Run:"

What are the permissions on the task's binary? icacls C:\Users\steve\Pictures\BackendCacheCleanup.exe

  • Look for (F), and also (M) or (W), granted to your user or to a group you belong to (BUILTIN\Users, Everyone, Authenticated Users); the task is only interesting if its "Run As User" is more privileged than you

Abusing Permissions

Get service name and path Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

Get permissions for a specific file icacls "C:\xampp\apache\bin\httpd.exe"

Refer to the table below: a service binary (or its directory) on which your user or one of your groups holds F, M or W can be replaced, and the service then runs your payload as its configured account.

Mask  Permissions
F     Full access
M     Modify access
RX    Read and execute access
R     Read-only access
W     Write-only access
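The following is an added example, not part of the original checklist, that automates the manual icacls check from the table above and applies it to every service binary, to the hijack locations created by unquoted service paths, and to every scheduled-task binary. It uses only built-in tools (Get-CimInstance, icacls.exe, schtasks.exe) and assumes an English-locale system, since it matches the account names icacls prints against the names in the current token.

```powershell
# Added example (not part of the original checklist): automate the
# "run icacls, look for (F)/(M)/(W)" check and apply it to service and task binaries.
# Built-in tools only; English account names assumed (icacls localizes them otherwise).

function Get-CurrentPrincipalNames {
    # Account names exactly as icacls prints them, for the current user and every
    # group in its token (BUILTIN\Users, Everyone, NT AUTHORITY\Authenticated Users, ...).
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $names = @($id.Name)
    foreach ($sid in $id.Groups) {
        try { $names += $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }
    return $names
}

function Get-WriteAccess {
    # icacls entries on $Path that give the current user (or one of its groups) a
    # write-capable mask: F, M, W from the table, or the specific-rights masks
    # WD (write data), AD (append data), DC (delete child) that amount to the same.
    param([Parameter(Mandatory)][string]$Path, [string[]]$Principals = (Get-CurrentPrincipalNames))
    $writeMasks = 'F', 'M', 'W', 'WD', 'AD', 'DC'
    $found = @()
    foreach ($line in (& icacls.exe $Path 2>$null)) {
        $entry = $line.Trim()
        # The first output line is "<path> IDENTITY:(flags)"; drop the path prefix.
        if ($entry.StartsWith($Path, [System.StringComparison]::OrdinalIgnoreCase)) {
            $entry = $entry.Substring($Path.Length).Trim()
        }
        if ($entry -match '^(?<who>[^:]+):(?<rights>\(.*\))$') {
            $who = $matches.who; $rights = $matches.rights
            # "(I)(OI)(CI)(RX,W)" -> I, OI, CI, RX, W
            $tokens = [regex]::Matches($rights, '\(([^)]*)\)') | ForEach-Object { $_.Groups[1].Value -split ',' }
            if (($Principals -contains $who) -and ($tokens | Where-Object { $_ -in $writeMasks })) {
                $found += "${who}:$rights"
            }
        }
    }
    return $found
}

function Get-ImagePath([string]$CommandLine) {
    # Binary from a service PathName or a "Task To Run" string: the part inside
    # the quotes if quoted, otherwise everything up to the first ".exe".
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cmd.StartsWith('"')) { return $cmd.Split('"')[1] }
    if ($cmd -match '^(?<exe>.+?\.exe)') { return $matches.exe }
    return $null
}

function Get-ServiceBinaryIssues {
    $principals = Get-CurrentPrincipalNames
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ImagePath $svc.PathName
        if (-not $exe) { continue }
        $acl = Get-WriteAccess -Path $exe -Principals $principals
        if ($acl) {
            [pscustomobject]@{ Kind = 'Service'; Name = $svc.Name; RunsAs = $svc.StartName
                               Target = $exe; Issue = 'writable binary'; Access = ($acl -join '; ') }
        }
        # Unquoted path with spaces: the service controller tries C:\Program.exe, then
        # C:\Program Files\Some.exe, ... before the real binary, so a writable directory
        # anywhere on that chain is a hijack point.
        if (-not $svc.PathName.Trim().StartsWith('"') -and $exe.Contains(' ')) {
            $parts = $exe.Split(' ')
            for ($i = 1; $i -lt $parts.Length; $i++) {
                $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
                $dir = Split-Path -Path $candidate -Parent
                $dacl = Get-WriteAccess -Path $dir -Principals $principals
                if ($dacl) {
                    [pscustomobject]@{ Kind = 'Service'; Name = $svc.Name; RunsAs = $svc.StartName
                                       Target = $candidate; Issue = 'unquoted path, writable directory'; Access = ($dacl -join '; ') }
                }
            }
        }
    }
}

function Get-ScheduledTaskBinaryIssues {
    $principals = Get-CurrentPrincipalNames
    # CSV is easier to parse than LIST; schtasks repeats the header row per task
    # folder, so drop rows whose TaskName is literally "TaskName".
    $tasks = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv | Where-Object { $_.TaskName -ne 'TaskName' }
    foreach ($t in $tasks) {
        $exe = Get-ImagePath $t.'Task To Run'
        if (-not $exe) { continue }   # COM handlers and similar entries
        $acl = Get-WriteAccess -Path $exe -Principals $principals
        if ($acl) {
            [pscustomobject]@{ Kind = 'Task'; Name = $t.TaskName; RunsAs = $t.'Run As User'
                               Target = $exe; Issue = 'writable binary'; Access = ($acl -join '; ') }
        }
    }
}

@(Get-ServiceBinaryIssues) + @(Get-ScheduledTaskBinaryIssues) | Format-Table -AutoSize -Wrap
```

Every finding still needs the second half of the check by hand: the RunsAs column must be a more privileged account than yours, and for services you need either the right to restart the service or SeShutdownPrivilege. The script shells out to icacls once per path, so on a host with hundreds of services it takes a minute or two.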

PowerShell History

Get the history save path (Get-PSReadlineOption).HistorySavePath

Then print it out type C:\Users\dave\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

The file is per user, so check the same relative path under every profile in C:\Users that you can read; Get-History shows only the current session.

Password search

Are there any password manager databases? Get-ChildItem -Path C:\ -Recurse -Include *.kdbx -File -ErrorAction SilentlyContinue

Look for documents and databases in user profiles that may hold passwords Get-ChildItem -Path C:\Users\ -Recurse -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.kdbx -File -ErrorAction SilentlyContinue

Same search across the whole drive Get-ChildItem -Path C:\ -Recurse -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -ErrorAction SilentlyContinue


Standard search

findstr /si password *.txt 
findstr /si password *.xml 
findstr /si password *.ini

# Find files whose names suggest credentials or configuration
dir /s *pass* == *cred* == *vnc* == *.config*

# Search the contents of every file below the current directory (/s recursive, /p skip binaries, /i case-insensitive, /n print line numbers)
findstr /spin "password" *.*
findstr /spin "password" *.     (*. matches files that have no extension)

In files

c:\sysprep.inf 
c:\sysprep\sysprep.xml 
c:\unattend.xml 
%WINDIR%\Panther\Unattend\Unattended.xml 
%WINDIR%\Panther\Unattended.xml

dir c:\*vnc.ini /s /b 
dir c:\*ultravnc.ini /s /b 
dir c:\ /s /b | findstr /si *vnc.ini

In registry

# VNC (Password is a REG_BINARY value obfuscated with a fixed DES key, trivially recoverable)
reg query "HKCU\Software\ORL\WinVNC3" /v Password
reg query "HKLM\SOFTWARE\RealVNC\WinVNC4" /v Password

# Windows autologin 
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 

# SNMP parameters (community strings are stored under Parameters\ValidCommunities)
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s

# Putty 
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" 

# Search for password in registry 
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
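The following is an added example, not part of the original checklist, that runs the file, unattend-file and registry searches from the "Password search", "Standard search", "In files" and "In registry" sections in one pass and returns objects instead of raw findstr and reg query text. The .ini file it writes to %TEMP% is constructed demo input so the file search can be tried without touching real data; the registry keys and value names are the ones listed above plus RealVNC's WinVNC4 key.

```powershell
# Added example (not part of the original checklist): one credential sweep over the
# file, unattend and registry locations from the sections above.

function Search-FilesForSecrets {
    # Equivalent of `findstr /si password *.txt *.xml *.ini`, but tighter: only
    # key=value / key: value assignments, with file and line number in the result.
    param(
        [string[]]$Roots = @($env:USERPROFILE, $env:ProgramData, 'C:\inetpub', 'C:\xampp'),
        [string[]]$Include = @('*.txt', '*.ini', '*.xml', '*.config', '*.conf', '*.json', '*.yml', '*.ps1', '*.bat', '*.cmd'),
        [string]$Pattern = '\b(pass(word|wd)?|pwd|secret|token|connectionstring)\b\s*[=:]\s*\S+'
    )
    Get-ChildItem -Path $Roots -Recurse -Include $Include -File -ErrorAction SilentlyContinue |
        Select-String -Pattern $Pattern -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Source = 'file'; Location = "$($_.Path):$($_.LineNumber)"; Match = $_.Line.Trim() }
        }
}

function Get-UnattendSecrets {
    # Sysprep / unattend answer files; <Password><Value> is plaintext or base64.
    $paths = 'C:\sysprep.inf', 'C:\sysprep\sysprep.xml', 'C:\unattend.xml',
             "$env:windir\Panther\Unattend.xml", "$env:windir\Panther\Unattended.xml",
             "$env:windir\Panther\Unattend\Unattend.xml", "$env:windir\Panther\Unattend\Unattended.xml",
             "$env:windir\System32\Sysprep\sysprep.xml"
    foreach ($p in ($paths | Where-Object { Test-Path $_ })) {
        Select-String -Path $p -Pattern '<Password>|<Value>|Password\s*=' -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Source = 'unattend'; Location = "$($_.Path):$($_.LineNumber)"; Match = $_.Line.Trim() }
            }
    }
}

function Get-RegistrySecrets {
    # Known locations first; the broad `reg query HKLM /f password /t REG_SZ /s`
    # sweep from the checklist remains the slow fallback.
    $known = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
           Values = 'AutoAdminLogon', 'DefaultDomainName', 'DefaultUserName', 'DefaultPassword' },
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities'; Values = $null },
        @{ Key = 'HKCU:\Software\ORL\WinVNC3'; Values = 'Password' },
        @{ Key = 'HKLM:\SOFTWARE\RealVNC\WinVNC4'; Values = 'Password' }
    )
    foreach ($k in $known) {
        if (-not (Test-Path $k.Key)) { continue }
        $props = Get-ItemProperty -Path $k.Key -ErrorAction SilentlyContinue
        # Values = $null means "every value in the key" (SNMP community strings are value names).
        $names = if ($k.Values) { $k.Values } else { $props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' } }
        foreach ($n in $names) {
            $v = $props.$n
            if ($null -ne $v -and "$v" -ne '') {
                [pscustomobject]@{ Source = 'registry'; Location = "$($k.Key)\$n"; Match = ($v -join ',') }
            }
        }
    }
    # PuTTY saved sessions: host, user and plaintext proxy credentials.
    Get-ChildItem -Path 'HKCU:\Software\SimonTatham\PuTTY\Sessions' -ErrorAction SilentlyContinue | ForEach-Object {
        $s = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ Source = 'putty'; Location = $_.PSChildName
                           Match = "$($s.UserName)@$($s.HostName) proxy=$($s.ProxyUsername):$($s.ProxyPassword)" }
    }
}

# Constructed demo input (not real data) so the file search has something to hit.
$demo = Join-Path $env:TEMP 'privesc-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
"[database]`nuser = app_svc`npassword = Winter2024!" | Set-Content -Path (Join-Path $demo 'app.ini')

@(Search-FilesForSecrets -Roots $demo) + @(Get-UnattendSecrets) + @(Get-RegistrySecrets) | Format-Table -AutoSize -Wrap
```

Run it with the default roots (drop the -Roots $demo argument) for a real sweep; the VNC values come back as comma-separated bytes and still need the fixed-key DES step to recover the plaintext.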

SAM

Known files that may hold credentials or copies of the SAM and SYSTEM hives (as reported in winPEAS output):

C:\Windows\Repair\SAM
C:\Windows\Repair\SYSTEM
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\SYSTEM

Both hives are needed together: SYSTEM holds the boot key that decrypts the hashes stored in SAM.