Checklist - Local Windows Privilege Escalation

Best tool to look for Windows local privilege escalation vectors: WinPEAS

  • Search for kernel exploits using scripts (post/windows/gather/enum_patches, post/multi/recon/local_exploit_suggester, sherlock, watson)

  • Use Google to search for kernel exploits

  • Use searchsploit to search for kernel exploits


Vulnerable Software or Processes?

  • Is any unknown software running?

  • Is any software running with more privileges than it should have?

  • Search for exploits for running processes (especially if they are running old versions)

  • Can you read any interesting process memory (where passwords could be saved)?

  • Do you have write permissions over the binaries executed by the processes?

  • Do you have write permissions over the folder of an executed binary, allowing DLL hijacking?

  • What is running on startup or is scheduled? Can you modify the binary?

  • Can you dump the memory of any process to extract passwords?


  • Can you write in any folder inside PATH?

  • Is there any known service binary that tries to load a non-existent DLL?

  • Can you write to any binary's folder?
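The items above about writable process binaries, writable startup/scheduled binaries and writable folders on PATH are the same question asked three times: can a low-privileged identity replace something that a higher-privileged context will execute? The script below is an added example, not code from this page or from PEASS/WinPEAS, that audits those three sources from the defender's side and reports the ACE that makes each finding weak. It assumes PowerShell 5.1 or later and that "weak" means an Allow ACE granting write-class rights to one of the broad groups listed at the top; it does not evaluate per-user ACEs or nested group membership, so a clean result is a partial answer, not proof.

```powershell
# Added example (not from the HackTricks page or PEASS): defender-side audit of
# three checklist items - binaries of running processes, binaries launched by
# scheduled tasks, and folders on PATH - for write access by broad identities.
# Assumptions: PowerShell 5.1+, run as the standard account being evaluated.

# Identities that stand in for "any standard user". A finding against one of
# these means a non-admin can modify the target. (Assumed list, not from the page.)
$weakIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any one of these rights lets the holder replace or alter the target.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData, AppendData, TakeOwnership, ChangePermissions'

function Test-WeakWriteAcl {
    # Returns a finding object for the first weak Allow ACE on $Path, or $null.
    param([string]$Path, [string]$Source)
    if (-not $Path) { return $null }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($weakIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeRights) -ne 0) {
            return [pscustomobject]@{
                Source   = $Source
                Path     = $Path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
    return $null
}

# 1. Binaries of running processes. Path is empty for processes this account
#    cannot open (protected or other users' processes); those are skipped.
$processBinaries = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |
    Select-Object -ExpandProperty Path -Unique

# 2. Binaries launched by scheduled tasks. Actions that name a bare command such
#    as "cmd.exe" with no path are dropped by Test-Path and not resolved here.
$taskBinaries = Get-ScheduledTask -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Actions } |
    Where-Object { $_.Execute } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Execute.Trim('"')) } |
    Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
    Select-Object -Unique

# 3. Folders on the current PATH (a writable one lets a standard user plant a
#    DLL or executable that a privileged process may resolve by name).
$pathFolders = ($env:Path -split ';') |
    Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
    Select-Object -Unique

# foreach over $null iterates zero times, so empty sources are safe here.
$findings = @(
    foreach ($p in $processBinaries) { Test-WeakWriteAcl -Path $p -Source 'process binary' }
    foreach ($p in $taskBinaries)    { Test-WeakWriteAcl -Path $p -Source 'scheduled task' }
    foreach ($p in $pathFolders)     { Test-WeakWriteAcl -Path $p -Source 'PATH folder' }
) | Where-Object { $_ }

if (-not $findings) {
    Write-Output 'No process binaries, scheduled-task binaries or PATH folders are writable by the broad identities checked.'
} else {
    # Remediation is the same for every row: remove the write-class ACE for the
    # broad group, or move the binary/folder under Program Files or System32,
    # where the inherited ACLs are already correct.
    $findings | Sort-Object Source, Path | Format-Table -AutoSize
}
```

Run it as the unprivileged account whose reach you want to measure; a row in the output is a hardening ticket (fix the ACL or relocate the file), and the same three sources are what WinPEAS enumerates in its process, scheduled-task and PATH sections.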

  • Is this enabled?

  • Is it vulnerable?

  • Are you able to write files that could grant you more privileges?

  • There are several ways to bypass UAC
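Whether the UAC items above matter at all depends on two things a defender can read directly: is the account a member of Administrators running with a filtered (medium-integrity) token, and are the UAC policy values at their defaults? If the account is not an Administrators member, UAC is not the boundary in play; if it is, the registry values below decide how much the prompt actually protects. The script is an added example, not from this page; it assumes PowerShell 5.1 or later and uses the documented UAC policy values under the Policies\System key (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop), reporting any that weaken the default configuration.

```powershell
# Added example (not from the HackTricks page): read-only check of the UAC
# settings and of the current token, from the defender's side.
# Assumptions: PowerShell 5.1+; values below are the standard UAC policy values.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $policy

function Get-UacValue {
    # Returns the named policy value, or the Windows default when it is absent.
    param([string]$Name, [int]$Default)
    $prop = $uac.PSObject.Properties[$Name]
    if ($prop) { [int]$prop.Value } else { $Default }
}

$enableLua  = Get-UacValue 'EnableLUA' 1                   # 1 = UAC on
$adminMode  = Get-UacValue 'ConsentPromptBehaviorAdmin' 5   # 0 = elevate silently, 5 = default
$secureDesk = Get-UacValue 'PromptOnSecureDesktop' 1        # 1 = prompt on isolated desktop

# Is this account an Administrators member (SID S-1-5-32-544), and is the
# current token already elevated? IsInRole is false for a UAC-filtered token.
$identity      = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal     = [Security.Principal.WindowsPrincipal]$identity
$isAdminMember = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
$isElevated    = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

$issues = @()
if ($enableLua -ne 1)  { $issues += 'EnableLUA is 0: UAC is disabled, every admin logon gets a full token.' }
if ($adminMode -eq 0)  { $issues += 'ConsentPromptBehaviorAdmin is 0: elevation happens without any prompt.' }
if ($secureDesk -ne 1) { $issues += 'PromptOnSecureDesktop is 0: the elevation prompt is not isolated from other user-session software.' }

[pscustomobject]@{
    AdminGroupMember           = $isAdminMember
    TokenElevated              = $isElevated
    EnableLUA                  = $enableLua
    ConsentPromptBehaviorAdmin = $adminMode
    PromptOnSecureDesktop      = $secureDesk
    Issues                     = if ($issues) { $issues -join ' ' } else { 'UAC defaults in place' }
}
```

Read the result as: AdminGroupMember true with TokenElevated false means UAC is the only thing separating this session from a full administrative token, so any listed issue should be reverted to the default through Group Policy rather than tolerated.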
