CheatSheet

Windows Privilege Escalation

Enumeration and privilege escalation techniques for Windows.

Local Enumeration (Windows)

Local Users and Groups

Users

net users

Local Groups

net localgroup

Current User Group Membership

net user alex

Administrators Group Members

net localgroup administrators

Current User Privileges

whoami /priv

System

System Information

systeminfo

Patch Information

Get-CimInstance -Class win32_quickfixengineering | Where-Object { $_.Description -eq "Security Update" } | format-table -wrap
wmic qfe get Description,HotFixID,InstalledOn | findstr /i /c:"Security Update"

Network

Local Interfaces

ipconfig /all

Active Connections

netstat -aon

Applications

32-bit Applications

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname,installlocation | format-table -wrap
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" /s | findstr /i "DisplayName InstallLocation"

64-bit Applications

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname,installlocation | format-table -wrap
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s | findstr /i "DisplayName InstallLocation"

Software for Current User

reg query "HKCU\SOFTWARE"

Software System Wide

Get-ItemProperty "HKLM:\SOFTWARE\*" | select displayname,installlocation | format-table -wrap
reg query "HKLM\SOFTWARE"

Processes

Running Processes

Get-Process
tasklist

Services

List of All Running Services

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'} | Format-Table -Wrap

All Services

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Format-Table -Wrap
sc query state= all

Inactive Services

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -notlike 'Running'} | Format-Table -Wrap
sc query state= inactive

Scheduled Tasks

Listing Tasks with Paths

Get-ScheduledTask | Select-Object TaskName, @{Name='ExecutablePath'; Expression={$_.Actions.Execute}}
schtasks /query /fo LIST /v

PowerShell Command History

Check History

Get-History

Get Path to History File from PSReadline

(Get-PSReadlineOption).HistorySavePath

Checking Credential Manager

List Stored Credentials

cmdkey /list

Searching Registry for Credentials

Query Local Machine Registry

reg query HKLM /f password /t REG_SZ /s
for %k in (passw secret admin pwd) do reg query HKLM /f %k /t REG_SZ /s
foreach ($k in "passw","secret","admin","pwd") { reg query HKLM /f $k /t REG_SZ /s }

Query Current User Registry

reg query HKCU /f password /t REG_SZ /s

Query WinLogon Registry

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Query SNMP Registry

reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"

Query Putty Registry

reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

Interesting Files to Investigate

Files Containing Password (txt,config,ini,xml)

findstr /si /m "password" *.xml *.ini *.conf *.txt *.cnf *config

Directory Search (Any Files)

Get-ChildItem -Path . -File -Recurse -ErrorAction SilentlyContinue
dir /s /b /a:-d 2>nul

Directory Search (Hidden Files Only)

Get-ChildItem -Path . -File -Recurse -ErrorAction SilentlyContinue -Hidden -Exclude desktop.ini,NTUSER.DAT*,Desktop.ini,ntuser.pol
dir /s /b /a:h-d 2>nul

Directory Search (Text Files)

Get-ChildItem -Path . -Include *.txt -File -Recurse -ErrorAction SilentlyContinue
dir /s /b /a:-d *.txt 2>nul

Directory Search (Config Files)

Get-ChildItem -Path . -Include *.config -File -Recurse -ErrorAction SilentlyContinue
dir /s /b /a:-d *.config 2>nul

Directory Search (Microsoft Office Suite Files)

Get-ChildItem -Path . -Include *.xls,*.xlsx,*.xlsm,*.xltx,*.xltm,*.doc,*.docx,*.docm,*.dotm,*.ppt,*.pptx,*.pptm,*.potx,*.potm,*.accdb,*.pst,*.oft -File -Recurse -ErrorAction SilentlyContinue
(for %E in (xls xlsx xlsm xltx xltm doc docx docm dotm ppt pptx pptm potx potm accdb pst oft) do @dir /s /b /a:-d *.%E 2>nul)

Directory Search (PDF Files)

Get-ChildItem -Path . -Include *.pdf -File -Recurse -ErrorAction SilentlyContinue
dir /s /b /a:-d *.pdf 2>nul

Directory Search (xml Files)

Get-ChildItem -Path . -Include *.xml -File -Recurse -ErrorAction SilentlyContinue
dir /s /b /a:-d *.xml 2>nul

Directory Search (init Files)

Get-ChildItem -Path . -Include *.ini,*.init -File -Recurse -ErrorAction SilentlyContinue
(for %E in (ini init) do @dir /s /b /a:-d *.%E 2>nul)

Directory Search (All Potential Programming Files)

Get-ChildItem -Path . -Include *.c,*.cpp,*.cc,*.cxx,*.h,*.hpp,*.hh,*.hxx,*.ino,*.cs,*.java,*.py,*.pyw,*.pyi,*.pyx,*.pxd,*.js,*.mjs,*.cjs,*.ts,*.tsx,*.php,*.phtml,*.php3,*.php4,*.php5,*.phps,*.rb,*.erb,*.pl,*.pm,*.t,*.pod,*.go,*.rs,*.swift,*.kt,*.kts,*.scala,*.sc,*.r,*.R,*.Rmd,*.jl,*.d,*.m,*.mm,*.f,*.for,*.f90,*.f95,*.pas,*.pp,*.dpr,*.adb,*.ads,*.asm,*.s,*.a51,*.html,*.htm,*.xhtml,*.css,*.scss,*.sass,*.less,*.ejs,*.mustache,*.hbs,*.twig,*.jinja,*.njk,*.md,*.markdown,*.rst,*.adoc,*.bat,*.cmd,*.ps1,*.psm1,*.psd1,*.sh,*.bash,*.zsh,*.vbs,*.vba,*.wsf,*.wsc,*.m,*.hs,*.lhs,*.erl,*.hrl,*.ex,*.exs,*.ml,*.mli,*.lisp,*.cl,*.el,*.scm,*.rkt,*.clj,*.cljs,*.cljc,*.edn,*.pro,*.cbl,*.cob,*.cpy,*.fs,*.fsi,*.fsx,*.m,*.prolog,*.sql,*.psql,*.dbml,*.json,*.json5,*.yaml,*.yml,*.toml,*.ini,*.cfg,*.conf,*.env,*.properties,*.cmake,*.mak,*.gradle -File -Recurse -ErrorAction SilentlyContinue
(for %E in (c cpp cc cxx h hpp hh hxx ino cs java py pyw pyi pyx pxd js mjs cjs ts tsx php phtml php3 php4 php5 phps rb erb pl pm t pod go rs swift kt kts scala sc r R Rmd jl d m mm f for f90 f95 pas pp dpr adb ads asm s a51 html htm xhtml css scss sass less ejs mustache hbs twig jinja njk md markdown rst adoc bat cmd ps1 psm1 psd1 sh bash zsh vbs vba wsf wsc m hs lhs erl hrl ex exs ml mli lisp cl el scm rkt clj cljs cljc edn pro cbl cob cpy fs fsi fsx m prolog sql psql dbml json json5 yaml yml toml ini cfg conf env properties cmake mak gradle) do @dir /s /b /a:-d *.%E 2>nul)