Windows Privesc
Situational Awareness
Important information to gather shortly after landing on a host:
Username / host name
Group memberships
Existing users and groups
OS
Network information / Ports / Connections
Installed applications
Running processes
cmd
whoami
whoami /groups
systeminfo
ipconfig /all
route print # Display the full routing table
netstat -ano # Display all active connections and listening ports with the owning process ID
net user timothy
powershell
Get-LocalUser
Get-LocalGroup
Get-LocalGroupMember Administrators
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-Process
Get-ChildItem -Path C:\Directory -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\Users\james\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
Get-History
(Get-PSReadlineOption).HistorySavePath # Clear-History doesn't clear this file; it only clears the in-session history.
type C:\Users\james\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\Users\Public\Transcripts\transcript01.txt # Present only if PowerShell's Start-Transcript (or a transcription policy) wrote a log here.
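As an added example (not from the original page), a defender-side audit of the history and transcript files listed above: it reports every PSReadLine history file and transcript on the box and whether a broad local principal can read it, so exposed command history can be locked down. Assumptions: profiles live under C:\Users, and the transcript path is the page's example path, not a Windows default.

```powershell
# Added example, not from the original page: audit PSReadLine history and
# transcript files so a defender can see what another local account could read.
# Assumptions: profiles under C:\Users; $TranscriptRoot mirrors the page's
# example path and is not a Windows default.
function Test-WorldReadable {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # An Allow ACE with a read right for a broad principal means other local users can read the file
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -match 'Read' -and
        $_.IdentityReference -match 'Everyone|BUILTIN\\Users|Authenticated Users' })
}

function Get-PSHistoryExposure {
    param([string]$TranscriptRoot = 'C:\Users\Public\Transcripts')
    $relHist = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    $files = @()
    # One PSReadLine history file per profile; Clear-History never touches it
    foreach ($p in (Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue)) {
        $h = Join-Path $p.FullName $relHist
        if (Test-Path -LiteralPath $h) {
            $files += [pscustomobject]@{ Kind = 'history'; Owner = $p.Name; File = $h }
        }
    }
    # Transcripts written by Start-Transcript or a transcription policy
    if (Test-Path -LiteralPath $TranscriptRoot) {
        $files += Get-ChildItem -Path $TranscriptRoot -Filter '*.txt' -File -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Kind = 'transcript'; Owner = '-'; File = $_.FullName } }
    }
    foreach ($f in $files) {
        [pscustomobject]@{
            Kind      = $f.Kind
            Owner     = $f.Owner
            File      = $f.File
            Lines     = @(Get-Content -LiteralPath $f.File -ErrorAction SilentlyContinue).Count
            WorldRead = Test-WorldReadable -Path $f.File
        }
    }
}

# Show only files another local user can read. Remediation: tighten the ACL, or run
# Set-PSReadLineOption -HistorySaveStyle SaveNothing for accounts that type secrets.
Get-PSHistoryExposure | Where-Object WorldRead | Format-Table -AutoSize
```

Run it from an elevated session so every profile's history file is reachable; drop the final Where-Object to list all files regardless of ACL.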
PrivEsc Scripts
Using powerup.ps1
Copy and paste the entire powerup.ps1 file into a PowerShell session to load its functions, then run:
Invoke-AllChecks

Invoke-ServiceAbuse -Name 'SNMPTRAP'

WinPEAS