Orodha ya Ukaguzi - Local Windows Privilege Escalation

Reading time: 7 minutes

Chombo bora cha kutafuta Windows local privilege escalation vectors: WinPEAS

Taarifa za Mfumo

• Pata Taarifa za Mfumo
• Tafuta kernel exploits using scripts
• Tumia Google kutafuta kernel exploits
• Tumia searchsploit kutafuta kernel exploits
• Je, kuna taarifa za kuvutia katika env vars?
• Je, kuna nywila katika PowerShell history?
• Je, kuna taarifa za kuvutia katika Internet settings?
• Drives?
• WSUS exploit?
• Third-party agent auto-updaters / IPC abuse
• AlwaysInstallElevated?

Uchunguzi wa Logging/AV

• Kagua Audit na WEF mipangilio
• Kagua LAPS
• Kagua kama WDigest iko imewezeshwa
• LSA Protection?
• Credentials Guard?
• Cached Credentials?
• Kagua kama kuna AV
• AppLocker Policy?
• UAC
• User Privileges
• Kagua current user privileges
• Je, wewe ni member of any privileged group?
• Kagua kama una any of these tokens enabled: SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege ?
• Users Sessions?
• Kagua users homes (ufikaji?)
• Kagua Password Policy
• Kuna nini katika Clipboard?

Mtandao

• Kagua taarifa za mtandao ya sasa
• Kagua huduma za ndani zilizofichika zinazotengwa kwa nje

Michakato Inayoendeshwa

• Idhini za [file and folders] za binaries za michakato (permissions) (windows-local-privilege-escalation/index.html#file-and-folder-permissions)
• Memory Password mining
• Insecure GUI apps
• Pora nywila kwa michakato yenye [vitu vya kuvutia] kwa kutumia ProcDump.exe ? (firefox, chrome, n.k.)

Services

• Je, unaweza kubadilisha service yoyote? (windows-local-privilege-escalation/index.html#permissions)
• Je, unaweza kubadilisha binary inayotekelezwa na service yoyote? (windows-local-privilege-escalation/index.html#modify-service-binary-path)
• Je, unaweza kubadilisha registry ya service yoyote? (windows-local-privilege-escalation/index.html#services-registry-modify-permissions)
• Je, unaweza kuchukua faida ya njia ya binary isiyo na nukuu ya service yoyote? (windows-local-privilege-escalation/index.html#unquoted-service-paths)

Programu

• [Write] ruhusa kwenye programu zilizosakinishwa (windows-local-privilege-escalation/index.html#write-permissions)
• Startup Applications
• Vulnerable Drivers

DLL Hijacking

• Je, unaweza kuandika katika folda yoyote ndani ya PATH?
• Je, kuna binary ya service inayojulikana ambayo inajaribu kupakia DLL isiyokuwepo?
• Je, unaweza kuandika katika folder za binaries yoyote?

Mtandao

• Fanya uorodheshaji wa mtandao (shares, interfaces, routes, neighbours, ...)
• Tazama kwa makini huduma za mtandao zinazolisikiliza localhost (127.0.0.1)

Windows Credentials

• Winlogon credentials
• Windows Vault credentials ambazo unaweza kutumia?
• Je, kuna DPAPI credentials za kuvutia?
• Nywila za Wifi networks?
• Taarifa za kuvutia katika saved RDP Connections?
• Nywila katika recently run commands?
• Remote Desktop Credentials Manager nywila?
• AppCmd.exe exists? Credentials?
• SCClient.exe? DLL Side Loading?

Files and Registry (Credentials)

• Putty: Creds and SSH host keys
• SSH keys in registry?
• Nywila katika unattended files?
• Kuna nakala za kuhifadhi za SAM & SYSTEM?
• Cloud credentials?
• McAfee SiteList.xml file?
• Cached GPP Password?
• Nywila katika IIS Web config file?
• Taarifa za kuvutia katika web logs?
• Unataka kuomba nywila kutoka kwa mtumiaji?
• Faili za kuvutia ndani ya Recycle Bin?
• Mengine registry containing credentials?
• Ndani ya Browser data (dbs, history, bookmarks, ...)?
• Generic password search katika files na registry
• Tools za kutafuta nywila moja kwa moja

Leaked Handlers

• Je, una ufikiaji wa handler yoyote ya mchakato unaoendeshwa na administrator?

Pipe Client Impersonation

• Kagua kama unaweza kuiboresha (abuse) hiyo