Search for kernel exploits using scripts (post/windows/gather/enum_patches, post/multi/recon/local_exploit_suggester, sherlock, watson)
Use Google to search for kernel exploits
Use searchsploit to search for kernel exploits
Any vulnerable Driver?
Check current user privileges
Check if you have any of these tokens enabled: SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege?
What is inside the Clipboard?
Check current network information
Check for hidden local services that are restricted from the outside
Is any unknown software running?
Is any software running with more privileges than it should have?
Search for exploits for running processes (especially for the versions running)
Can you read any interesting process memory (where passwords could be saved)?
Do you have write permissions over the binaries executed by the processes?
Do you have write permissions over the folder of a binary being executed, to perform a DLL Hijacking?
What is running on startup or is scheduled? Can you modify the binary?
Can you dump the memory of any process to extract passwords?
Can you write in any folder inside PATH?
Is there any known service binary that tries to load any non-existent DLL?
Can you write in any binaries folder?
Windows Vault credentials that you could use?
Interesting DPAPI credentials?
Credentials inside "known files"? Inside the Recycle Bin? In the home folder?
Inside Browser data (dbs, history, bookmarks, ...)?
Does AppCmd.exe exist? Credentials?
SCClient.exe? DLL Side Loading?
Is this enabled?
Is it vulnerable?
Are you able to write files that could grant you more privileges?
There are several ways to bypass the UAC