Local Privilege Escalation

Basic Enumeration

Local Enumeration

Windows Services Exploitations

Service Binary Hijacking

This attack involves replacing a service's binary with a malicious version and then restarting the service so the replacement runs with the service's privileges.

Service Binary Hijacking

Service DLL Hijacking

This attack is similar to Service Binary Hijacking, but instead of replacing the binary, it involves overwriting a DLL that the binary loads.

Another method is to hijack the DLL search order: if the DLL is not found in an earlier location, Windows keeps searching the later ones, so a writable directory earlier in the order than the legitimate DLL can be abused. The default search order is:

1. The directory from which the application loaded.
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory.
5. The current directory.
6. The directories that are listed in the PATH environment variable.

Service DLL Hijacking

Unquoted Service Paths

This attack relies on how Windows resolves a service's executable path when the path contains spaces and is not enclosed in quotes.

Unquoted Service Paths

Scheduled Tasks

Windows Task Scheduler can execute automated tasks. These tasks can run binaries as well as scripts, and each scheduled task runs on behalf of a configured user account.

Scheduled Tasks

Token impersonation

Windows identifies users by generating an access token for each logged-on user. This token contains information about the user's identity and privileges. When a user starts a process, the process is assigned a primary token that specifies its permissions. A thread can additionally be assigned an impersonation token, which provides a different security context; in that case, the thread's actions are evaluated against the impersonation token instead of the process's primary token.

Token impersonation
