Chapter 16 Key Takeaways

Windows Exploitation and Privilege Escalation


1. Understand the Windows Security Model Before Attacking It

Access tokens, SIDs, ACLs, privileges, integrity levels, and UAC form a layered security model. Effective privilege escalation requires understanding how these layers interact. The command whoami /all is your single most important initial command---it reveals your complete security context.

2. Token Impersonation Is the Most Reliable Escalation Path

When you have a shell as a service account (IIS, MSSQL, etc.) with SeImpersonatePrivilege, Potato-family attacks provide near-guaranteed SYSTEM access. PrintSpoofer and GodPotato work on modern Windows versions and require minimal setup. Always check whoami /priv first.

3. Service Misconfigurations Are Pervasive in Enterprise Environments

Unquoted service paths, weak service permissions, and writable service binaries are consistently found in real-world engagements. These misconfigurations are low-risk to exploit (no kernel-level danger), reliable, and well-understood. They should be your second priority after token impersonation.

4. Credential Hunting Yields Results More Often Than You Expect

Stored credentials (cmdkey /list), AutoLogon passwords in the registry, PowerShell history, unattend.xml files, and SAM backup files are found in a surprising percentage of engagements. Always search for credentials before attempting more complex exploitation techniques.

5. Registry and DLL Hijacking Provide Stealthy Escalation

AlwaysInstallElevated, autorun registry keys, and DLL search order hijacking are lower-profile than service manipulation. They are particularly useful in red team engagements where stealth is paramount and you can wait for a natural trigger (reboot, service restart, user login).

6. Modern CVEs Change the Landscape Rapidly

PrintNightmare, HiveNightmare, KrbRelayUp, and other recent CVEs demonstrate that new privilege escalation vectors emerge regularly. Stay current with Microsoft security advisories and update your exploit assessment tools (wesng, WinPEAS) before each engagement.

7. Automated Tools Are Essential but Not Sufficient

WinPEAS, PowerUp, and Seatbelt each have strengths and gaps. Running all three provides comprehensive coverage. However, custom applications and non-standard configurations require manual analysis that no automated tool can fully replace.

8. UAC Is a Speed Bump, Not a Security Boundary

For an authenticated administrator, UAC bypass techniques (fodhelper, eventvwr, sdclt) are well-documented and reliable. Never treat UAC as a meaningful security control for determined attackers. Defense-in-depth beyond UAC is essential.

9. Privilege Escalation on Windows Has Organizational-Scale Consequences

The escalation from standard user to local administrator is just the beginning. Combined with techniques from Chapter 17 (Active Directory attacks), local administrator access on a single workstation can cascade to complete domain compromise, as demonstrated by the SolarWinds attack chain.

10. Defensive Measures Must Be Layered

No single defense prevents all Windows privilege escalation. Effective protection requires patching, least-privilege service configurations, credential protection (Credential Guard, LAPS), monitoring (event log analysis, EDR), and organizational practices (tiered administration, regular auditing).


Quick Reference: Windows Privilege Escalation Checklist

Check                  Command / Tool                Priority
---------------------  ----------------------------  --------
Privileges             whoami /priv                  First
Stored credentials     cmdkey /list                  First
Unquoted paths         wmic service get pathname     High
AlwaysInstallElevated  reg query HKLM\...\Installer  High
Full enumeration       WinPEAS / PowerUp             High
Patch level            systeminfo + wesng            Medium
DLL hijacking          Process Monitor               Medium
Registry autorun       reg query ...\Run             Medium
Credential files       Search common locations       Medium
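As an added defensive example (not the chapter's own code), the following PowerShell audit covers the two "High" checklist rows that are pure misconfigurations an administrator can fix outright: the unquoted service paths of takeaway 3 and the AlwaysInstallElevated policy of takeaway 5. The function names, output fields and the heuristic of skipping paths under the Windows directory are assumptions of this example, not part of the chapter.

```powershell
# Added hardening audit, not the chapter's own code. Reports services whose
# executable path is unquoted and contains a space, and an AlwaysInstallElevated
# policy that is enabled in both hives. Read-only; no elevation required.

function Find-UnquotedServicePath {
    # The Service Control Manager resolves an unquoted path containing spaces
    # by trying each prefix in turn (C:\Program.exe, C:\Program Files\Foo.exe, ...),
    # so a writable directory along that prefix chain becomes a planting point.
    # Paths under the Windows directory are skipped (assumption: not user-writable).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^\s*"' -and
            $_.PathName -match '^[^"]+\s.*?\.exe' -and
            $_.PathName -notmatch '^[A-Za-z]:\\Windows\\'
        } |
        ForEach-Object {
            [PSCustomObject]@{
                Finding = 'UnquotedServicePath'
                Name    = $_.Name
                Detail  = $_.PathName
                Fix     = 'Quote the executable portion of ImagePath; verify with sc qc <name>'
            }
        }
}

function Test-AlwaysInstallElevated {
    # The policy only takes effect when BOTH the machine and the user value are 1,
    # so a finding is raised only for that combination.
    $set = foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer"
        $val = Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        [int]($val.AlwaysInstallElevated -eq 1)   # 1 if set to 1, else 0 (missing key -> 0)
    }
    if (($set | Measure-Object -Sum).Sum -eq 2) {
        [PSCustomObject]@{
            Finding = 'AlwaysInstallElevated'
            Name    = 'HKLM + HKCU'
            Detail  = 'Both policy values are 1; every MSI installs as SYSTEM'
            Fix     = 'Set both values to 0 (or remove them) through Group Policy'
        }
    }
}

$findings = @(Find-UnquotedServicePath) + @(Test-AlwaysInstallElevated)
$findings | Format-Table -AutoSize
```

An empty table means neither misconfiguration is present; the remaining checklist rows (privileges, stored credentials, patch level) still need their own commands or tools.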