Windows Privilege Escalation Techniques Guide

Understanding Windows privilege escalation—the process of gaining higher-level permissions on a system than initially granted—is fundamental for both offensive security professionals and defenders. In penetration testing and security assessments, identifying and exploiting these vulnerabilities is often the critical step that transforms a limited foothold into full domain compromise. This guide systematically explores the common misconfigurations and attack vectors you will encounter, moving from basic enumeration to advanced exploitation.

Foundational Enumeration and Automated Tools

Before attempting any escalation, you must thoroughly understand the system you are targeting. Manual enumeration involves checking user privileges with commands like whoami /priv, reviewing network configurations with ipconfig, and examining running processes. However, automated enumeration tools dramatically increase efficiency and reduce the chance of overlooking a vulnerability.

Two of the most essential PowerShell-based tools are WinPEAS (Windows Privilege Escalation Awesome Script) and PowerUp. WinPEAS is a comprehensive script that checks for dozens of potential privilege escalation vectors, from patch levels to specific service misconfigurations, and presents them in a color-coded, prioritized output. PowerUp focuses more narrowly on abuses related to Windows services, registry paths, and configuration files. It not only finds issues but can also be used to execute specific escalation methods directly. The core principle is to let these tools do the heavy lifting of identifying low-hanging fruit, allowing you to focus your efforts on the most promising avenues for attack.

Exploiting Service Misconfigurations

Misconfigured Windows services are a goldmine for privilege escalation. Three classic vulnerabilities in this category are unquoted service paths, DLL hijacking, and insecure service permissions.

An unquoted service path vulnerability occurs when the path to a service's executable is unquoted and contains spaces. Windows searches for the executable in a specific way: given a path like C:\Program Files\My App\service.exe, it will first attempt to run C:\Program.exe, then C:\Program Files\My.exe, before finding the correct file. If you have write permissions to a directory earlier in this search order (like C:\), you can place a malicious executable there, and it will be executed with the service's privileges when the service starts or the system reboots.

DLL hijacking (or DLL side-loading) exploits the Windows DLL search order. If an application running with elevated privileges tries to load a DLL (like missing.dll) from a directory where you have write access, you can place a malicious DLL with the same name there. When the application searches for the DLL, it will find and execute your code with the application's privileges. This often works with applications that load DLLs from the current working directory or from writable user directories.

Furthermore, if you can modify an existing service's binary path or its startup configuration (due to weak ACLs), you can simply point the service to run your malicious executable. Tools like PowerUp's Get-ModifiableService cmdlet automate the discovery of services with modifiable properties.

Abusing Built-in Windows Policies and Features

Windows includes several features and legacy settings that, when enabled, create severe escalation risks. The AlwaysInstallElevated policy is a prime example. This is a system-wide setting that allows any user to install Microsoft Windows Installer (.msi) packages with NT AUTHORITY\SYSTEM privileges. If enabled (which is rare in modern, secure environments), you can generate a malicious .msi file containing your payload using msfvenom and execute it to gain immediate system-level access. You can check for this policy by examining two specific registry keys: HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated and HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated.

Another common feature is the use of scheduled tasks. These are scripts or programs set to run at specific times or events, often with elevated privileges. If you can identify a task that runs as SYSTEM and you have the ability to overwrite the executable it points to, or if you can modify the task's action directly (via schtasks or the Task Scheduler API), you can achieve escalation. Similarly, registry autoruns (persistence locations like Run and RunOnce keys) can be targeted if they point to a writable location. Modifying these entries ensures your payload executes at user logon or system startup, potentially with higher privileges.

Advanced Token Manipulation and UAC Bypass

When simple misconfigurations aren't present, attackers turn to more advanced techniques that abuse core Windows security mechanisms. Token impersonation is a central concept here. Every process runs under a security token that defines its privileges. Tools like Potato exploits (e.g., Juicy Potato, PrintSpoofer, RoguePotato) leverage flaws in the Windows process interaction model to impersonate higher-privilege tokens, typically NT AUTHORITY\SYSTEM. They work by tricking Windows into authenticating to a local RPC server controlled by the attacker, which then captures and impersonates the incoming high-integrity token. The success of these exploits depends on specific Windows versions and enabled components, but they represent a powerful method for jumping from a medium-integrity service account to full system control.

User Account Control (UAC) is Microsoft's mechanism to prevent unauthorized changes by requiring administrative consent. UAC bypass techniques aim to execute code with high integrity without triggering the visible prompt. These techniques don't create a new administrator account; they run a single process elevated by exploiting trust in signed Microsoft binaries, misconfigured registry keys, or DLL hijacking paths within the UAC process flow. For example, the fodhelper.exe bypass works by writing a custom command to a specific registry key that fodhelper.exe (a trusted, auto-elevating binary) will then execute with high privileges. These bypasses are often version-specific and patched over time, making continuous research essential.

Common Pitfalls

1. Skipping Thorough Enumeration: Jumping straight to advanced exploits without comprehensive enumeration is the most common mistake. You might waste time on a complex token impersonation attack when an unquoted service path is readily available. Always use automated scripts like WinPEAS first to map the entire attack surface.
2. Ignoring Context and AV/EDR: Blindly running public exploit code or toolkits without modification will often trigger antivirus or endpoint detection software. You must understand the technique's underlying mechanics to adapt the attack, use obfuscation, or compile your own tools to evade detection during an assessment.
3. Failing to Understand Dependencies: Techniques like Potato exploits or specific UAC bypasses have strict dependencies on OS build numbers, installed components (like IIS), or system architecture. Attempting an exploit without verifying these prerequisites will lead to failure and potential system instability. Always correlate your enumeration data with exploit requirements.
4. Overlooking the Obvious Path to Persistence: Gaining SYSTEM privileges is only half the battle. A critical pitfall is not establishing a backdoor or alternative credential method before exiting your session. Always ensure you have a persistent method to regain your elevated access, such as creating a new service, scheduled task, or admin user.

Summary

• Privilege escalation hinges on identifying misconfigurations such as unquoted service paths, insecure file/directory permissions (enabling DLL hijacking), and dangerous policies like AlwaysInstallElevated.
• Automated enumeration with WinPEAS and PowerUp is a non-negotiable first step, providing a systematic overview of potential vulnerabilities on a target Windows system.
• Service and task abuse are highly reliable vectors; always check for modifiable services, scheduled tasks running as SYSTEM, and writable registry autoruns.
• Advanced techniques like token impersonation (Potato exploits) abuse Windows authentication protocols, while UAC bypasses leverage trusted processes to elevate without a prompt, though both are often version-specific.
• A successful tester avoids pitfalls by prioritizing thorough enumeration over speculation, adapting payloads to the environment, verifying exploit dependencies, and always securing persistence after escalation.