Windows privilege escalation involves techniques that elevate an attacker from a standard user account to SYSTEM, Administrator, or other high-privilege contexts. These techniques target the complex permission model, service architecture, and legacy compatibility features unique to Windows environments.
Attackers enumerate escalation vectors with tools such as WinPEAS, PowerUp, and Seatbelt, but each finding still has to be checked by hand before it is actionable. Primary vectors include unquoted service paths, where Windows tries each space-delimited prefix of the path as an executable and an attacker who can write to one of those intermediate directories gets code run under the service account; services running as SYSTEM whose binary or its directory is writable by a low-privilege user, allowing binary replacement; the AlwaysInstallElevated policy, which makes msiexec install packages as SYSTEM when it is set to 1 in both HKLM and HKCU; DLL hijacking through search-order manipulation; token impersonation, typically through SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege; registry autorun entries with weak permissions; and scheduled tasks that run elevated but reference writable scripts or binaries. UAC bypass techniques use auto-elevating trusted Windows binaries to move from a medium-integrity to a high-integrity process without a prompt; they only apply to accounts that are already members of the local Administrators group. Potato family techniques abuse SeImpersonatePrivilege, which service accounts such as those used by IIS and SQL Server hold by default, by coercing a SYSTEM process into authenticating to an attacker-controlled listener and impersonating the resulting token.
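The following PowerShell script is an added example, not tooling from this page or from any of the tools named above. It checks three of the vectors listed: unquoted service paths whose intermediate directories the current user can write to, service binaries the current user can write to, and the AlwaysInstallElevated policy. It is read-only and runs as the low-privilege user being assessed. The writability test is a heuristic (it looks for an Allow ACE granting Write or Modify to the user or one of its groups and does not evaluate Deny ACEs), so every hit should be confirmed by hand.

```powershell
# Added example: read-only enumeration of three Windows escalation vectors.
# Heuristic ACL check: Allow ACEs only; Deny ACEs and inheritance order are ignored.

function Test-UserCanWrite {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $write  = [int][System.Security.AccessControl.FileSystemRights]::Write
    $modify = [int][System.Security.AccessControl.FileSystemRights]::Modify
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $aceSid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable or orphaned SID
        if ($sids -notcontains $aceSid) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $write) -or ($rights -band $modify)) { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    # Emits one row per intermediate path Windows would try before the real binary,
    # e.g. C:\Program.exe and "C:\Program Files\Foo.exe" for
    # C:\Program Files\Foo Bar\svc.exe, with whether its directory is writable.
    Get-CimInstance Win32_Service | ForEach-Object {
        $p = $_.PathName
        if ([string]::IsNullOrWhiteSpace($p) -or $p.StartsWith('"')) { return }
        $m = [regex]::Match($p, '^(.+?\.exe)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { $p }
        if ($exe -notmatch ' ') { return }                 # no space, nothing to hijack
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path -Path $candidate -Parent
            [pscustomobject]@{
                Service     = $_.Name
                RunsAs      = $_.StartName
                Path        = $p
                Candidate   = $candidate
                DirWritable = Test-UserCanWrite $dir
            }
        }
    }
}

function Get-WritableServiceBinary {
    # Strips quoting and arguments, then tests the binary itself for write access.
    Get-CimInstance Win32_Service | ForEach-Object {
        $m = [regex]::Match([string]$_.PathName, '^"?(.+?\.exe)', 'IgnoreCase')
        if (-not $m.Success) { return }
        $exe = $m.Groups[1].Value
        if (Test-UserCanWrite $exe) {
            [pscustomobject]@{ Service = $_.Name; RunsAs = $_.StartName; Binary = $exe }
        }
    }
}

function Test-AlwaysInstallElevated {
    # msiexec only honours the policy when the value is 1 under BOTH hives.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $set = foreach ($k in $keys) {
        (Get-ItemProperty -Path $k -Name AlwaysInstallElevated `
            -ErrorAction SilentlyContinue).AlwaysInstallElevated -eq 1
    }
    return -not ($set -contains $false)
}

'== Unquoted service paths with a writable intermediate directory =='
Get-UnquotedServicePath | Where-Object DirWritable | Format-Table -AutoSize
'== Service binaries writable by the current user =='
Get-WritableServiceBinary | Format-Table -AutoSize
"AlwaysInstallElevated set in both HKLM and HKCU: $(Test-AlwaysInstallElevated)"
```

A hit on an unquoted path or writable binary is only useful if the service runs as SYSTEM or another privileged account (the RunsAs column) and the attacker can restart it, wait for a reboot, or trigger a start; services the user cannot restart still become exploitable at the next boot, which is why defenders should treat every row as a finding rather than filtering on restart rights.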
Windows remains the dominant enterprise operating system. Privilege escalation on Windows frequently leads to domain credential access because LSASS holds authentication material (NTLM hashes, Kerberos tickets, and in some configurations cleartext passwords) in memory, and local administrator rights are sufficient to read it. A single escalation to local admin therefore often cascades into domain-wide compromise through credential harvesting and reuse. Understanding Windows escalation is essential for offensive operators assessing risk and for defenders hardening endpoints.
CDA covers Windows privilege escalation within VSD and IAT domains. Theater missions simulate realistic escalation scenarios where operators must chain multiple techniques. Our approach emphasizes understanding the Windows security architecture to identify novel escalation paths beyond known tool outputs.