Windows Privilege Escalation is a crucial technique for ethical hackers and security professionals to learn as it allows them to elevate their privileges on a Windows system and gain access to sensitive information or execute unauthorized actions. This Cheatsheet is a comprehensive guide to Windows Privilege Escalation that outlines various techniques for exploiting weak service permissions, unquoted service paths, DLL hijacking, weak registry permissions, insecure service startup, weak file permissions, weak credentials, and AlwaysInstallElevated. By following this Cheatsheet, security professionals can better understand how to identify and exploit Windows Privilege Escalation vulnerabilities to secure their own systems or to conduct ethical hacking activities.
Note that this is not an exhaustive list and there may be other privileges available depending on the version of Windows and the specific configuration of the system.
## Security Management Privileges

| Privilege Name | Constant Name | Description |
|---|---|---|
| Assign Primary Token | SE_ASSIGNPRIMARYTOKEN_NAME | Allows a process to replace the token that represents a client with another token. |
| Backup | SE_BACKUP_NAME | Allows a user or process to bypass file and directory permissions to back up the system. |
| Restore | SE_RESTORE_NAME | Allows a user or process to bypass file and directory permissions to restore the system. |
| Security | SE_SECURITY_NAME | Allows a user or process to modify security settings of objects, such as files, directories, and registry keys. |
## System Privileges

| Privilege Name | Constant Name | Description |
|---|---|---|
| Change Notify | SE_CHANGE_NOTIFY_NAME | Allows a user or process to receive notifications when a file or directory is changed. |
| Debug | SE_DEBUG_NAME | Allows a user or process to debug another process. |
| Shutdown | SE_SHUTDOWN_NAME | Allows a user or process to shut down the system. |
| System Time | SE_SYSTEMTIME_NAME | Allows a user or process to modify the system time. |
| Take Ownership | SE_TAKE_OWNERSHIP_NAME | Allows a user or process to take ownership of files, directories, and other objects. |
## User Rights

| User Right | Constant Name | Description |
|---|---|---|
| Access Credential Manager | SeInteractiveLogonRight | Allows a user to manage credentials, such as usernames and passwords, stored on the computer. |
| Change the System Time | SeSystemtimePrivilege | Allows a user to modify the system time. |
| Log on as a batch job | SeBatchLogonRight | Allows a user to log on as a batch job, which is a set of instructions that are processed in sequence without requiring user interaction. |
| Log on as a service | SeServiceLogonRight | Allows a user to log on as a service, which is a program that runs in the background and provides a specific function to other programs or users. |
| Remote Desktop Services | SeRemoteInteractiveLogonRight | Allows a user to connect to the computer using Remote Desktop. |
| Restore Files and Directories | SeRestorePrivilege | Allows a user to restore files and directories, which is useful for recovering data that has been accidentally deleted or corrupted. |
| Shut down the system | SeShutdownPrivilege | Allows a user to shut down the system. |
| Take ownership of files or other objects | SeTakeOwnershipPrivilege | Allows a user to take ownership of files, directories, and other objects. |
## Process Management Privileges

| Privilege Name | Constant Name | Description |
|---|---|---|
| Create Process | SE_CREATE_PROCESS_NAME | Allows a user or process to create a new process. |
| Create Thread | SE_CREATE_THREAD_NAME | Allows a user or process to create a new thread within a process. |
| Debug Process | SE_DEBUG_NAME | Allows a user or process to debug another process. |
| Set Session ID | SE_ASSIGNPRIMARYTOKEN_NAME | Allows a user or process to set the session identifier (ID) for a process. |
| Terminate Process | SE_TERMINATE_NAME | Allows a user or process to terminate a process. |
## Network Privileges

| Privilege Name | Constant Name | Description |
|---|---|---|
| Access Network Connections | SE_NETWORK_NAME | Allows a user or process to access network-related information, such as the network address of a computer. |
| Impersonate a Client | SE_IMPERSONATE_NAME | Allows a user or process to impersonate another user, which means that the user or process can act as if it were the other user. This is useful for accessing network resources that are restricted to a particular user. |
| Manage auditing and security log | SE_AUDIT_NAME | Allows a user or process to manage the security log, which contains records of security-related events, such as logon attempts and file access attempts. |
## Miscellaneous Privileges

| Privilege Name | Constant Name | Description |
|---|---|---|
| Act as part of the operating system | SE_TCB_NAME | Allows a user or process to perform actions that are normally reserved for the operating system, such as installing device drivers and modifying system settings. |
| Allow log on locally | SeInteractiveLogonRight | Allows a user to log on locally to the computer. |
| Bypass traverse checking | SeChangeNotifyPrivilege | Allows a user or process to bypass checks that prevent the user or process from accessing files and directories that are located outside of the user's or process's scope. |
| Increase scheduling priority | SE_INC_BASE_PRIORITY_NAME | Allows a user or process to increase the scheduling priority of a process, which means that the process will be given more resources, such as CPU time, than other processes. |
| Load and unload device drivers | SE_LOAD_DRIVER_NAME | Allows a user or process to load and unload device drivers, which are programs that interact with hardware devices, such as printers and disk drives. |
| Lock pages in memory | SE_LOCK_MEMORY_NAME | Allows a user or process to lock pages in memory, which means that the pages cannot be paged out to the paging file. This is useful for programs that need to access data quickly and efficiently. |
| Profile system performance | SE_PROF_SINGLE_PROCESS_NAME | Allows a user or process to profile the performance of a single process, which means that the user or process can collect data about how much CPU time, memory, and other resources the process is using. |
## Security and User Rights Privileges

| Privilege Name | Constant Name | Description |
|---|---|---|
| Add workstations to domain | SeMachineAccountPrivilege | Allows a user or process to add computers to a domain. |
| Backup files and directories | SeBackupPrivilege | Allows a user or process to back up files and directories on the computer. |
| Change the system time | SeSystemtimePrivilege | Allows a user or process to change the system time on the computer. |
| Generate security audits | SeAuditPrivilege | Allows a user or process to generate security-related audit messages in the Security log. |
| Manage auditing and security log | SeSecurityPrivilege | Allows a user or process to manage the security log, which contains records of security-related events, such as logon attempts and file access attempts. |
| Modify firmware environment values | SeSystemEnvironmentPrivilege | Allows a user or process to modify the firmware environment variables on the computer, which are used to store configuration information for hardware devices. |
| Restore files and directories | SeRestorePrivilege | Allows a user or process to restore files and directories on the computer. |
| Take ownership of files or other objects | SeTakeOwnershipPrivilege | Allows a user or process to take ownership of files or other objects on the computer. This is useful for recovering access to files or directories that have been locked down or for troubleshooting permissions issues. |
## Service Privileges

| Privilege Name | Constant Name | Description |
|---|---|---|
| Create a token object | SeCreateTokenPrivilege | Allows a user or process to create a token object, which is an object that contains security-related information, such as the user's or process's identity and group memberships. This is useful for creating a new process with specific security settings. |
| Manage the backup and restore privileges | SeBackupPrivilege | Allows a user or process to manage the backup and restore privileges, which are used to back up and restore files and directories on the computer. |
| Query Service Status | SeQueryServiceStatusPrivilege | Allows a user or process to query the status of a service, which is a program that runs in the background and provides functionality to other programs. |
| Start a service | SeServiceLogonRight | Allows a user or process to start a service, which is a program that runs in the background and provides functionality to other programs. |
| Stop a service | SeServiceLogonRight | Allows a user or process to stop a service, which is a program that runs in the background and provides functionality to other programs. |
## Virtualization Privileges

| Privilege Name | Constant Name | Description |
|---|---|---|
| Create a virtual machine | SeCreateVirtualMachinePrivilege | Allows a user or process to create a virtual machine, which is a software emulation of a computer system. This is useful for running multiple operating systems or applications on a single computer or for creating test environments. |
| Modify firmware settings | SeSystemEnvironmentPrivilege | Allows a user or process to modify the computer's firmware settings, such as the boot order or startup configuration. This is useful for administrators who need to configure the computer's firmware or for troubleshooting issues related to the computer's startup process. |
## Remote Desktop Privileges

| Privilege Name | Constant Name | Description |
|---|---|---|
| Allow logon through Remote Desktop Services | SeRemoteInteractiveLogonRight | Allows a user to log on to a remote computer using Remote Desktop. This privilege is required for users who want to connect to a remote computer using Remote Desktop. |
| Deny logon through Remote Desktop Services | SeDenyRemoteInteractiveLogonRight | Denies a user the ability to log on to a remote computer using Remote Desktop. This privilege is useful for administrators who want to restrict Remote Desktop access to certain users or groups. |
## Backup and Restore Privileges

| Privilege Name | Constant Name | Description |
|---|---|---|
| Back up files and directories | SeBackupPrivilege | Allows a user or process to back up files and directories, which means that the user or process can create backups of files and directories even if they do not have explicit permissions to access them. This is useful for backup and disaster recovery purposes. |
| Restore files and directories | SeRestorePrivilege | Allows a user or process to restore files and directories, which means that the user or process can restore backups of files and directories to their original locations. This is useful for restoring data that has been lost or damaged. |
## Cryptography Privileges

| Privilege Name | Constant Name | Description |
|---|---|---|
| Create a pagefile | SeCreatePagefilePrivilege | Allows a user or process to create a pagefile, which is a file on disk that is used to store data that does not fit into physical memory. This is useful for improving system performance by providing additional virtual memory. |
| Manage volumes | SeManageVolumePrivilege | Allows a user or process to manage volumes, which are logical partitions on a disk. This is useful for managing disk space, creating new volumes, or troubleshooting issues related to disk management. |
## Exploiting Weak Service Permissions

| Technique | Description |
|---|---|
| Find weak service permissions using tools like accesschk.exe or sc.exe | Search for services with weak file or registry permissions |
| Modify the service binary or configuration file to include a backdoor | Replace the service binary or configuration file with a backdoored version |
| Start the service and gain elevated privileges | Start the vulnerable service to execute the backdoor with elevated privileges |
## Exploiting Unquoted Service Paths

| Technique | Description |
|---|---|
| Identify services with unquoted service paths using the `wmic service get name, displayname, pathname, startmode` command | Search for services with unquoted service paths |
| Create a malicious file with the same name as the vulnerable service and place it in the directory specified by the service path | Create a malicious file and place it in a directory that the vulnerable service searches for executable files |
| Start the vulnerable service to execute the malicious file with elevated privileges | Start the vulnerable service to execute the backdoor with elevated privileges |
## Exploiting DLL Hijacking

| Technique | Description |
|---|---|
| Identify vulnerable applications using tools like procmon.exe or dependencywalker.com | Search for applications that load DLLs with a predictable name from a directory that is writable by the attacker |
| Create a malicious DLL with the same name as the vulnerable DLL and place it in a directory that the application searches for DLLs | Create a malicious DLL and place it in a directory that the vulnerable application searches for DLLs |
| Start the vulnerable application to execute the malicious DLL with elevated privileges | Start the vulnerable application to execute the backdoor with elevated privileges |
## Exploiting Weak Registry Permissions

| Technique | Description |
|---|---|
| Find weak registry permissions using tools like accesschk.exe or regedit.exe | Search for registry keys with weak permissions |
| Modify a registry key to include a backdoor | Modify a vulnerable registry key to include a backdoor |
| Restart the system to gain elevated privileges | Restart the system to execute the backdoor with elevated privileges |
## Exploiting Insecure Service Startup

| Technique | Description |
|---|---|
| Find services that run with high privileges using tools like sc.exe, tasklist.exe, or Task Manager | Search for services that run with high privileges and can be stopped and started by non-administrative users |
| Stop the service and replace the binary or configuration file with a backdoored one | Stop the vulnerable service and replace the binary or configuration file with a backdoored version |
| Start the service to execute the backdoor with elevated privileges | Start the vulnerable service to execute the backdoor with elevated privileges |
## Exploiting Weak File Permissions

| Technique | Description |
|---|---|
| Find files with weak permissions using tools like accesschk.exe or cacls.exe | Search for files with weak permissions that are executed by an administrator |
| Modify the file to include a backdoor | Modify the vulnerable file to include a backdoor |
| Wait for an administrator to execute the file to gain elevated privileges | Wait for an administrator to execute the vulnerable file and run the backdoor with elevated privileges |
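The service- and file-related sections above (weak service permissions, unquoted service paths, weak registry permissions, insecure service startup and weak file permissions) all reduce to one question for the defender: can an ordinary user write to something a privileged service will later load or act on? The following PowerShell audit is an added example and not part of the original cheat sheet. For every service on the host it flags unquoted paths that contain spaces and the directories such a path exposes, service binaries and their directories that broad groups can write to, writable `HKLM\SYSTEM\CurrentControlSet\Services\<name>` keys, and service objects whose DACL lets broad groups change the configuration (the `sc.exe sdshow` output). Running the same `Test-BroadWritePath` check against an application's own directory is the corresponding DLL hijacking audit. The list of "broad" principals, the write masks and the function names are my assumptions; tune the principals to your environment.

```powershell
# Added audit script; not part of the original cheat sheet. Run from an elevated
# PowerShell prompt on the host being hardened. It only reads ACLs and service
# configuration and changes nothing.

# Principals whose write access counts as "weak". Assumption: adjust per environment.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# The same principals as SDDL aliases and SIDs, for the service DACL from sc.exe sdshow
$BroadSddl = @('WD', 'BU', 'AU', 'IU', 'S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')

# Rights that let a caller replace content or rewrite the ACL. Inherited ACEs sometimes
# carry raw generic bits: 0x40000000 = GENERIC_WRITE, 0x10000000 = GENERIC_ALL.
$FsWriteMask  = [int][System.Security.AccessControl.FileSystemRights]'WriteData, Delete, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000
$RegWriteMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000

function Test-BroadWriteAcl {
    param($Acl, [string]$RightsProperty, [int]$WriteMask)
    if ($null -eq $Acl) { return $false }
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # An inherit-only ACE does not apply to this object itself (e.g. Users' CreateFiles on C:\)
        if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }
        if (([int]$ace.$RightsProperty -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Test-BroadWritePath {
    param([string]$Path, [string]$RightsProperty, [int]$WriteMask)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Works for file system paths and for registry paths such as HKLM:\SYSTEM\...
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    return (Test-BroadWriteAcl $acl $RightsProperty $WriteMask)
}

function Test-BroadServiceControl {
    param([string]$Name)
    # sc.exe sdshow prints the service object's security descriptor as SDDL
    $sddl = (& sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join ''
    $dacl = ($sddl -split 'S:')[0]           # keep the DACL; the SACL only holds audit entries
    $risky = @('DC', 'WD', 'WO', 'GA', 'GW')  # change config, change DACL/owner, generic all/write
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value -split ';'   # ace_type;flags;rights;object;inherit_object;trustee
        if ($f[0] -ne 'A' -or $BroadSddl -notcontains $f[5]) { continue }
        for ($i = 0; $i + 1 -lt $f[2].Length; $i += 2) {   # rights are two-letter tokens
            if ($risky -contains $f[2].Substring($i, 2)) { return $true }
        }
    }
    return $false
}

$Report = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not $svc.PathName) { continue }
    $path = $svc.PathName.Trim()
    if ($path.StartsWith('"')) {
        $exe = $path.Split('"')[1]                       # quoted: the executable is inside the quotes
        $unquoted = $false
    } else {
        $m = [regex]::Match($path, '^.*?\.exe', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Value } else { ($path -split '\s')[0] }
        $unquoted = $exe.Contains(' ')                   # unquoted AND spaces: the classic finding
    }
    # For an unquoted path with spaces, Windows tries each space-delimited prefix first
    # (C:\Program.exe, C:\Program Files\Foo.exe, ...). The directories that would hold
    # those prefixes must not be writable by ordinary users.
    $spots = @()
    if ($unquoted) {
        $idx = $exe.IndexOf(' ')
        while ($idx -gt 0) {
            $spots += Split-Path -Path $exe.Substring(0, $idx) -Parent
            $idx = $exe.IndexOf(' ', $idx + 1)
        }
    }
    $writableSpots = @($spots | Sort-Object -Unique | Where-Object { Test-BroadWritePath $_ 'FileSystemRights' $FsWriteMask })
    [pscustomobject]@{
        Service         = $svc.Name
        StartName       = $svc.StartName
        Path            = $path
        UnquotedPath    = $unquoted
        WritableSpots   = ($writableSpots -join '; ')
        BinaryWritable  = Test-BroadWritePath $exe 'FileSystemRights' $FsWriteMask
        BinDirWritable  = Test-BroadWritePath (Split-Path -Path $exe -Parent) 'FileSystemRights' $FsWriteMask
        RegKeyWritable  = Test-BroadWritePath "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)" 'RegistryRights' $RegWriteMask
        ServiceWritable = Test-BroadServiceControl $svc.Name
    }
}

# Only the services with at least one finding
$Report | Where-Object { $_.UnquotedPath -or $_.BinaryWritable -or $_.BinDirWritable -or $_.RegKeyWritable -or $_.ServiceWritable } |
    Format-Table Service, StartName, UnquotedPath, WritableSpots, BinaryWritable, BinDirWritable, RegKeyWritable, ServiceWritable -AutoSize
```

Remediation follows directly from each column: an `UnquotedPath` finding is fixed by quoting the image path (from cmd.exe: `sc config <service> binPath= "\"C:\Program Files\Vendor\svc.exe\""`), a writable binary, directory or registry key by removing the broad group's write rights with `icacls` or the registry editor, and a `ServiceWritable` finding by resetting the service DACL with `sc sdset`. A `WritableSpots` entry that names `C:\` on a default install usually means a third-party installer loosened the root ACL, which is worth investigating on its own.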
## Exploiting Weak Credentials

| Technique | Description |
|---|---|
| Find weak credentials using tools like hashdump.exe, mimikatz.exe, or metasploit-framework | Search for weak or default credentials |
| Use the credentials to gain administrative access to the system | Use the obtained credentials to gain administrative access to the system |
## Exploiting Clear Text Passwords

| Technique | Description |
|---|---|
| Identify services, applications or scripts that store passwords in clear text | Search for clear text passwords in configuration files, scripts, or memory dumps using tools like grep or strings |
| Extract the clear text password | Extract the password from the configuration file, script, or memory dump using tools like awk, sed, or python |
| Use the obtained credentials to gain administrative access to the system | Use the obtained credentials to gain administrative access to the system |

Note: storing passwords in clear text is a significant security risk. Use secure password storage methods, such as encryption or hashing, to protect sensitive information.
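The defender's version of the first row above is a periodic scan of configuration and script files for password-like assignments, so they can be moved into a credential store before anyone else finds them. The script below is an added example and not part of the original page; it reports the file, line and key name but masks the value so the report itself does not become a credential dump. The search root, file extensions, pattern and function name are my assumptions.

```powershell
# Added example; not part of the original cheat sheet. Finds password-like
# assignments in text configuration files and reports them with the value masked.
# Assumptions: the root, extensions and pattern are placeholders to adapt.
$Root = 'C:\inetpub'
$Extensions = @('*.config', '*.xml', '*.ini', '*.json', '*.yml', '*.yaml', '*.ps1', '*.bat', '*.cmd', '*.txt')
# Matches  password=secret  pwd: "secret"  <password>secret</password>  (case-insensitive)
$Pattern = '\b(password|passwd|pwd)\b\s*(?:[=:]|>)\s*["'']?([^"''\s;,<]+)'

function Get-MaskedValue {
    param([string]$Value)
    # Keep two characters so an operator can tell a placeholder from a real secret
    $keep = [Math]::Min(2, $Value.Length)
    return $Value.Substring(0, $keep) + ('*' * ($Value.Length - $keep))
}

function Get-ClearTextPasswordHits {
    param([string]$Path, [string[]]$Include, [string]$Regex)
    Get-ChildItem -Path $Path -Recurse -Include $Include -File -ErrorAction SilentlyContinue |
        Select-String -Pattern $Regex |
        ForEach-Object {
            [pscustomobject]@{
                File   = $_.Path
                Line   = $_.LineNumber
                Key    = $_.Matches[0].Groups[1].Value
                Masked = Get-MaskedValue $_.Matches[0].Groups[2].Value
            }
        }
}

Get-ClearTextPasswordHits -Path $Root -Include $Extensions -Regex $Pattern | Format-Table -AutoSize
```

Hits on values such as `${env:DB_PASSWORD}` or `********` are placeholders and can be ignored; everything else should be moved into Windows Credential Manager, a managed service account, or a secrets manager, and the file's history checked for the same value.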
## Dangerous User Privileges

Some user privileges are dangerous because they can be used to escalate to a higher privilege. I will list some of them:

- SeImpersonatePrivilege: the holder can act as any other user, such as Administrator. The vulnerability could be exploited with JuicyPotato.
- SeAssignPrimaryTokenPrivilege: assign an access token to a new process. Can be exploited with JuicyPotato.
- SeBackupPrivilege: a user with this privilege is able to read files. That means the user can extract passwords/hashes from the registry, which could be used for a pass-the-hash attack.
- SeRestorePrivilege: this privilege lets a user modify service binaries and DLLs, and also modify registry settings.

JuicyPotato is "just another Windows Local Privilege Escalation from Service Account to System", so the requirement is that the account you have access to is a service account.
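The practical check that goes with this list, and with the privilege tables earlier on the page, is twofold: which of these privileges does a given token actually hold, and which accounts does local policy grant them to (service accounts with SeImpersonatePrivilege being the usual surprise). The script below is an added example, not part of the original cheat sheet. It parses `whoami /priv /fo csv` for the current token and the `[Privilege Rights]` section of a `secedit /export` for the policy view; the set of privileges it flags is the four named above plus others that are widely treated as equivalent to administrative access, and the function names are mine.

```powershell
# Added example; not part of the original cheat sheet. Two read-only checks:
# (1) which privileges the current token holds, flagging the dangerous ones, and
# (2) which accounts local policy grants those privileges to (needs an elevated prompt).

# The four privileges named in the text plus others commonly treated as admin-equivalent.
$DangerousPrivileges = @(
    'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
    'SeDebugPrivilege', 'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeTcbPrivilege', 'SeCreateTokenPrivilege'
)

function Get-TokenPrivilegeReport {
    # whoami /priv /fo csv prints a header row, then one row per privilege on the token
    foreach ($row in (whoami /priv /fo csv | ConvertFrom-Csv)) {
        [pscustomobject]@{
            Privilege = $row.'Privilege Name'
            State     = $row.State
            # A "Disabled" privilege is still held: the process can enable it itself,
            # so it is flagged regardless of State.
            Dangerous = ($DangerousPrivileges -contains $row.'Privilege Name')
        }
    }
}

function Resolve-Principal {
    param([string]$Name)
    # secedit writes SIDs prefixed with '*'; translate to account names where possible
    $sid = $Name.Trim().TrimStart('*')
    if ($sid -notlike 'S-1-*') { return $sid }
    try {
        return (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $sid }
}

function Get-PrivilegeAssignments {
    # Export only the User Rights Assignment area of local policy and parse it
    $cfg = Join-Path $env:TEMP 'user_rights_audit.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $assignments = @{}
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $list = $Matches[2]
            $assignments[$name] = @($list -split ',' | ForEach-Object { Resolve-Principal $_ })
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $assignments
}

Write-Host '== Privileges on the current token =='
Get-TokenPrivilegeReport | Sort-Object Dangerous -Descending | Format-Table -AutoSize

Write-Host '== Accounts granted dangerous privileges by local policy =='
$policy = Get-PrivilegeAssignments
foreach ($p in $DangerousPrivileges) {
    $who = if ($policy.ContainsKey($p)) { $policy[$p] -join ', ' } else { '(nobody)' }
    '{0,-32} {1}' -f $p, $who
}
```

Run the first half as the account you are assessing (an IIS application pool identity or a scheduled-task account, for instance) to see what its token carries; run the second half elevated to see the policy that produced it, and compare the result against the Microsoft defaults for the host role before removing anything, since several built-in service SIDs legitimately hold SeImpersonatePrivilege.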