Chapter 16 Further Reading

Windows Exploitation and Privilege Escalation


Essential References

HackTricks - Windows Local Privilege Escalation https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation Comprehensive reference covering virtually every Windows privilege escalation technique with practical commands and examples. Regularly updated with new techniques.

PayloadsAllTheThings - Windows Privilege Escalation https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md Extensive cheat sheet for Windows privilege escalation organized by category. An excellent quick reference during engagements.

LOLBAS Project (Living Off The Land Binaries, Scripts, and Libraries) https://lolbas-project.github.io/ A catalog of Windows binaries, scripts, and libraries that can be abused for execution, persistence, and privilege escalation. The Windows equivalent of GTFOBins.


Tools Documentation

WinPEAS https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS Official repository with documentation for both the executable and batch versions.

PowerSploit / PowerUp https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc The PowerUp module documentation for automated Windows privilege escalation enumeration.

Seatbelt https://github.com/GhostPack/Seatbelt GhostPack's comprehensive security enumeration tool. Review the README for all available modules and their descriptions.

SharpUp https://github.com/GhostPack/SharpUp C# port of PowerUp for environments where PowerShell is restricted. Useful when script-based tools are blocked by AMSI or AppLocker.

Windows Exploit Suggester - Next Generation (wesng) https://github.com/bitsadmin/wesng Python-based tool for identifying missing patches and potential privilege escalation CVEs based on systeminfo output.


Potato Attack Family

JuicyPotato https://github.com/ohpe/juicy-potato The original "evolved" Potato attack for SeImpersonatePrivilege exploitation.

PrintSpoofer https://github.com/itm4n/PrintSpoofer A modern alternative to JuicyPotato that works on newer Windows versions. Itm4n's blog post explaining the technique is essential reading.

GodPotato https://github.com/BeichenDream/GodPotato The latest evolution in the Potato family, supporting Windows Server 2012 through 2022.

Itm4n's Blog: PrintSpoofer Technical Writeup https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/ Detailed technical explanation of how PrintSpoofer abuses named pipes and the Print Spooler to obtain SYSTEM-level privileges.


Books

Windows Internals Part 1 by Pavel Yosifovich, Alex Ionescu, Mark Russinovich, and David Solomon (Microsoft Press, 7th Edition) The definitive reference for understanding Windows internals: processes, threads, memory management, security, and more. Essential for understanding why privilege escalation techniques work.

Windows Security Internals by James Forshaw (No Starch Press, 2024) A deep dive into the Windows security model from the perspective of the security researcher. Covers access tokens, security descriptors, privileges, and UAC in exceptional detail.

Red Team Field Manual (RTFM) by Ben Clark Quick reference guide containing Windows commands, tools, and techniques commonly used during penetration testing.


CVE Deep Dives

PrintNightmare Analysis by Microsoft https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 Microsoft's official advisory and technical guidance for PrintNightmare.

HiveNightmare/SeriousSAM (CVE-2021-36934) https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934 Microsoft advisory with workaround guidance for the SAM/SYSTEM ACL vulnerability.

KrbRelayUp https://github.com/Dec0ne/KrbRelayUp Tool and documentation for the Kerberos relay-based local privilege escalation technique.


Defensive Resources

Microsoft Security Baselines https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-guard/introduction-to-device-guard Microsoft's recommended security configurations for Windows systems.

CIS Benchmarks for Windows https://www.cisecurity.org/benchmark/microsoft_windows_desktop https://www.cisecurity.org/benchmark/microsoft_windows_server Industry-standard hardening guides for Windows desktop and server operating systems.

LAPS (Local Administrator Password Solution) https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview Microsoft's solution for managing unique local administrator passwords across domain-joined systems.

Windows Event Log Reference for Security Monitoring https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/ Complete reference for security-relevant Windows Event IDs used for detecting privilege escalation attempts.


Practice Platforms

TryHackMe - Windows PrivEsc Room https://tryhackme.com/room/windowsprivesc20 Guided Windows privilege escalation practice with multiple techniques.

TryHackMe - Steel Mountain https://tryhackme.com/room/steelmountain A Windows machine requiring service exploitation for privilege escalation.

HackTheBox - Windows Machines https://www.hackthebox.com/ Regular releases of Windows machines with varying difficulty levels and privilege escalation challenges.

Offensive Security PG Practice https://www.offensive-security.com/labs/ OSCP-aligned practice machines with Windows privilege escalation scenarios.

Vulnerable Windows Lab by StefanScherer https://github.com/StefanScherer/adlab Scripts to build a vulnerable Windows AD lab for testing privilege escalation techniques.


Research and Conference Talks

"Potato Family" Research Timeline Review the evolution of Potato attacks from Hot Potato through GodPotato to understand how Windows privilege escalation research progresses and how defenders can anticipate new variants.

Itm4n's Security Blog https://itm4n.github.io/ Excellent blog covering Windows privilege escalation research, including detailed writeups of PrintSpoofer, FullPowers, and other techniques.

SpecterOps Blog https://posts.specterops.io/ Research posts covering Windows security, including Red Team techniques, defense evasion, and Active Directory security.