In an AD environment, there are multiple scenarios which lead to privilege escalation. We had a look at the following:
- Hunting for local admin access on other machines
- Hunting for high privilege domain accounts (e.g. Domain Admins)
There are various ways of locally escalating privileges on a Windows system, including:
- Missing patches
- Automated deployment, AutoLogon passwords, passwords in files in cleartext
- AlwaysInstallElevated (any user can install an MSI package as SYSTEM)
- Misconfigured Services
- DLL hijacking
- ...
We can use the following tools for complete coverage:
- PowerUp: https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1
- BeRoot: https://github.com/AlessandroZ/BeRoot
- PrivEsc: https://github.com/enjoiz/Privesc
We can check for service misconfigurations with PowerUp.
Get services with unquoted paths and a space in their name:
Get-ServiceUnquoted -Verbose
Get services where the current user can write to the binary path or change the arguments passed to the binary:
Get-ModifiableServiceFile -Verbose
Get the services whose configuration the current user can modify:
Get-ModifiableService -Verbose
We can also run all checks:
Invoke-AllChecks
Run all BeRoot checks:
beRoot.exe
Run all PrivEsc checks:
Invoke-PrivEsc
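As an added audit example (not code from the page or from any of the tools above), the following PowerShell checks a host for two of the misconfigurations listed: service binaries registered with an unquoted path containing a space, and the AlwaysInstallElevated policy. It only reads WMI and the registry; the sample remediation in the comment uses the standard sc.exe syntax and a placeholder service name.

```powershell
# Constructed audit example: run from an elevated PowerShell prompt on the host to review.
# Reports, does not change anything.

function Get-UnquotedServicePath {
    # A service path is risky when it is not wrapped in quotes and the part up to
    # the executable contains a space, e.g.
    #   C:\Program Files\Vendor\Agent Service\agent.exe -arg
    # Paths under the Windows directory are skipped, as PowerUp also does.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^"' -and
            $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' -and
            ($_.PathName -split '\.exe')[0] -match ' '
        } |
        Select-Object Name, StartName, StartMode, PathName
}

function Test-AlwaysInstallElevated {
    # The policy only applies when BOTH the HKLM and HKCU values are set to 1,
    # so report each hive separately; $null means the value is not present.
    $hives = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    foreach ($h in $hives) {
        $value = (Get-ItemProperty -Path $h -Name AlwaysInstallElevated `
                     -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{ Hive = $h; AlwaysInstallElevated = $value }
    }
}

# Remediation for an unquoted path is to re-register it with embedded quotes, e.g.
#   sc.exe config <ServiceName> binPath= "\"C:\Program Files\Vendor\agent.exe\" -arg"
# Remediation for AlwaysInstallElevated is to set both values to 0 (or remove them) via GPO.
Get-UnquotedServicePath   | Format-Table -AutoSize
Test-AlwaysInstallElevated | Format-Table -AutoSize
```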