Privilege Escalation on Windows
Techniques for escalating to SYSTEM or Administrator on Windows through service misconfigurations and token manipulation.
Windows privilege escalation involves techniques that elevate an attacker from a standard user account to SYSTEM, Administrator, or other high-privilege contexts. These techniques target the complex permission model, service architecture, and legacy compatibility features unique to Windows environments.
Attackers enumerate escalation vectors using tools like WinPEAS, PowerUp, and Seatbelt. Primary vectors include unquoted service paths, where Windows resolves the executable location ambiguously; services running as SYSTEM whose binaries or directories have weak file permissions that allow binary replacement; the AlwaysInstallElevated MSI policy; DLL hijacking through search-order manipulation; token impersonation of higher-privilege processes; registry autorun entries with weak permissions; and scheduled tasks that run with elevated privileges. UAC bypass techniques use trusted Windows binaries to escalate without triggering a prompt. Potato-family techniques abuse service-account token impersonation to escalate to SYSTEM.
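The unquoted-service-path vector above rests on how CreateProcess interprets a command line that contains spaces but no quotes: it tries each space-delimited prefix as a candidate executable, appending .exe where the prefix has no extension, before reaching the intended binary. The following audit script is an added example written for this article; it is not CDA's code and not part of any tool named above. It reproduces that resolution rule offline over a constructed set of ImagePath values (the service names and paths are invented), flags services whose path yields more than one candidate, and produces the quoted ImagePath that closes the gap. On a live host you would feed it the PathName values from Win32_Service and then check write permissions on the directories named in each candidate list.

```python
"""Offline audit of Windows service ImagePath values for unquoted-path ambiguity."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ServicePathFinding:
    name: str
    image_path: str
    quoted: bool
    candidates: List[str] = field(default_factory=list)

    @property
    def risky(self) -> bool:
        # More than one candidate means the loader may try a path before the real binary,
        # so a writable directory along that path becomes a planting point.
        return not self.quoted and len(self.candidates) > 1


def candidate_paths(image_path: str) -> List[str]:
    """Return the executables CreateProcess would try, in order, for one ImagePath.

    A quoted path has exactly one candidate. An unquoted path is split at each space up
    to the first token carrying the .exe extension; every prefix is a candidate, and a
    prefix without an extension gets .exe appended, mirroring the documented behaviour.
    """
    text = image_path.strip()
    if text.startswith('"'):
        end = text.find('"', 1)
        return [text[1:end] if end != -1 else text[1:]]
    tokens = text.split(" ")
    exe_idx = next(
        (i for i, tok in enumerate(tokens) if tok.lower().endswith(".exe")),
        len(tokens) - 1,  # no .exe anywhere: treat the whole line as the path
    )
    candidates: List[str] = []
    for i in range(exe_idx + 1):
        prefix = " ".join(tokens[: i + 1])
        if not prefix.lower().endswith(".exe"):
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def quoted_image_path(image_path: str) -> str:
    """Return the hardened ImagePath: executable wrapped in quotes, arguments untouched."""
    text = image_path.strip()
    if text.startswith('"'):
        return text
    exe = candidate_paths(text)[-1]
    if not text.lower().startswith(exe.lower()):
        # candidate_paths appended .exe synthetically; quote the path as written instead
        exe = exe[: -len(".exe")]
    rest = text[len(exe):]
    return f'"{exe}"{rest}'


def audit_services(services: Dict[str, str]) -> List[ServicePathFinding]:
    """Evaluate every service name -> ImagePath pair and return one finding per service."""
    return [
        ServicePathFinding(name, path, path.strip().startswith('"'), candidate_paths(path))
        for name, path in services.items()
    ]


def risky_services(services: Dict[str, str]) -> List[str]:
    """Names of services whose ImagePath is unquoted and ambiguous."""
    return [f.name for f in audit_services(services) if f.risky]


# Constructed sample entries for demonstration; these are not from a real host.
SAMPLE_SERVICES: Dict[str, str] = {
    "SvcHostNet": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "VendorUpdater": r"C:\Program Files\Vendor Tools\updater.exe --daemon",
    "VendorAgent": r'"C:\Program Files\Vendor Tools\agent.exe" --service',
}


if __name__ == "__main__":
    for finding in audit_services(SAMPLE_SERVICES):
        status = "RISKY " if finding.risky else "ok    "
        print(f"{status}{finding.name}: {finding.image_path}")
        if finding.risky:
            for cand in finding.candidates[:-1]:
                print(f"        loader would try first: {cand}")
            print(f"        hardened ImagePath:     {quoted_image_path(finding.image_path)}")
```

Note that a space after the .exe token (the svchost line) is not ambiguous, because the first candidate is already the real binary; only spaces inside the directory or file name create extra candidates, which is why the script stops splitting at the first .exe token.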
Windows remains the dominant enterprise operating system. Privilege escalation on Windows frequently provides domain credential access because Windows caches authentication material in memory. A single escalation to local admin often cascades into domain-wide compromise through credential harvesting. Understanding Windows escalation is essential for offensive operators assessing risk and defenders hardening endpoints.
CDA covers Windows privilege escalation within VSD and IAT domains. Theater missions simulate realistic escalation scenarios where operators must chain multiple techniques. Our approach emphasizes understanding the Windows security architecture to identify novel escalation paths beyond known tool outputs.
Written by CDA Editorial