HackCert
Advanced 9 min read March 31, 2024

Advanced Windows Privilege Escalation Tactics

From unquoted service paths to UAC bypasses and token impersonation — the techniques that turn user shells into SYSTEM.

Aaliyah Zubair Malik
Red Team Operator
Overview

A foothold on a Windows host is rarely the end of the story — it is the beginning of a vertical climb from a low-integrity process to NT AUTHORITY\SYSTEM. Modern Windows ships with mitigations like UAC, AppLocker, WDAC, Credential Guard, and Hypervisor-Protected Code Integrity, yet operators continue to escalate reliably on patched, default-configured boxes. This article catalogs the techniques that actually work in 2026.

Core Concepts

Windows privilege boundaries are enforced by access tokens, integrity levels, and session isolation. A standard user runs at Medium integrity; UAC-elevated processes run at High; SYSTEM and protected processes run at System or Protected Process Light (PPL). The token contains the user's SID, group memberships, and a set of privileges — and several privileges grant equivalent or greater power than full admin.

The escalation surface falls into five buckets: misconfigurations (weak ACLs, writable services), stored credentials (DPAPI, registry, files), privilege abuse (SeImpersonate, SeBackup, SeDebug), kernel vulnerabilities (CVE-2024-38080 Hyper-V, CVE-2024-21338 AppLocker driver), and UAC bypasses for AAM (Admin Approval Mode) escalation.

Enumeration drives all five. Tools like winPEAS, SeatBelt, PrivescCheck, and PowerUp automate hundreds of checks; accesschk, icacls, and Get-Acl provide manual verification.

Service and Binary Misconfigurations

Windows services are a goldmine. The classic findings still appear on engagement after engagement:

  • Unquoted Service Paths — A service binary path like C:\Program Files\App\bin\svc.exe without quotes lets you plant C:\Program.exe if you can write to C:\. The Service Control Manager will execute it as SYSTEM.
  • Weak Service ACLs — sc.exe sdshow <svc> reveals the security descriptor. SERVICE_CHANGE_CONFIG lets you rewrite binPath=; SERVICE_ALL_ACCESS lets you do anything. Tools like accesschk -uwcqv "Authenticated Users" * find them quickly.
  • Writable Binary or DLL — If a service binary or any DLL it loads is writable by your user, replace it and restart the service. SYSTEM executes your code.
  • DLL Hijacking — Many service binaries call LoadLibrary on DLLs that don't exist in any of the searched directories. Process Monitor reveals NAME NOT FOUND results for SYSTEM processes; drop your DLL into a writable directory in the search path.
# Find service binaries writable by the current user (Write, Modify or FullControl)
Get-CimInstance Win32_Service | ForEach-Object {
  # Pull the executable path out of the command line, whether quoted or not
  $cmd = $_.PathName
  $p = if ($cmd -match '^"([^"]+)"') { $Matches[1] } elseif ($cmd -match '^(.+?\.exe)') { $Matches[1] } else { $null }
  if ($p -and (Test-Path -LiteralPath $p)) {
    # Only direct ACEs for the current user name are matched; group ACEs (Users, Everyone) are not expanded
    $hits = (Get-Acl -LiteralPath $p).Access | Where-Object {
      $_.AccessControlType -eq 'Allow' -and
      $_.IdentityReference -match [regex]::Escape($env:USERNAME) -and
      $_.FileSystemRights -match 'Write|Modify|FullControl'
    }
    if ($hits) { [pscustomobject]@{ Service = $_.Name; Path = $p; Rights = ($hits.FileSystemRights -join ', ') } }
  }
}
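
As an added audit example (not code from this article or from any tool it names), the following Python parses the SDDL string that sc.exe sdshow prints and flags Allow ACEs that hand service-takeover rights to principals other than Administrators and SYSTEM, and also checks a service command line for the unquoted-path-with-space condition described above; the sample descriptor, the trusted-SID set and the takeover-rights set are assumptions to tune per estate.

```python
import re

# Two-letter SDDL rights tokens (as printed by `sc.exe sdshow`) and the
# service access bits they expand to: service-specific, standard and generic rights.
SERVICE_RIGHTS = {
    "CC": 0x0001, "DC": 0x0002, "LC": 0x0004, "SW": 0x0008, "RP": 0x0010,
    "WP": 0x0020, "DT": 0x0040, "LO": 0x0080, "CR": 0x0100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}
# Rights that let the holder retarget or take over the service:
# DC = SERVICE_CHANGE_CONFIG (rewrite binPath), WD = WRITE_DAC, WO = WRITE_OWNER,
# GA/GW = generic all / generic write (GW maps onto SERVICE_CHANGE_CONFIG for services).
TAKEOVER = sum(SERVICE_RIGHTS[t] for t in ("DC", "WD", "WO", "GA", "GW"))
# Principals allowed to hold those rights (assumption: local Administrators and SYSTEM only)
TRUSTED_SIDS = {"BA", "SY", "S-1-5-18", "S-1-5-32-544"}
# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\((\w+);(\w*);([\w-]*);[^;]*;[^;]*;([^)]+)\)")

def parse_dacl(sddl):
    """Yield (ace_type, access_mask, sid) for each ACE in the DACL of an SDDL string."""
    dacl = sddl.partition("D:")[2].partition("S:")[0]   # keep the DACL, drop the SACL
    for ace_type, _flags, rights, sid in ACE_RE.findall(dacl):
        if rights.startswith("0x"):
            mask = int(rights, 16)                         # numeric mask form
        else:
            mask = 0
            for i in range(0, len(rights), 2):             # two-letter token form
                mask |= SERVICE_RIGHTS.get(rights[i:i + 2], 0)
        yield ace_type, mask, sid

def weak_service_aces(sddl):
    """Allow ACEs granting takeover rights to an untrusted principal, as (sid, rights_hex)."""
    return [(sid, hex(mask & TAKEOVER)) for ace_type, mask, sid in parse_dacl(sddl)
            if ace_type == "A" and sid not in TRUSTED_SIDS and mask & TAKEOVER]

def unquoted_path_with_space(path_name):
    """True when a service command line is unquoted and its executable path contains a space."""
    if not path_name or path_name.startswith('"'):
        return False
    exe = path_name.lower().split(".exe", 1)[0]   # heuristic: cut at the first .exe
    return " " in exe

# Constructed sample: default-looking ACEs plus one misconfigured ACE for Authenticated Users (AU)
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
```

Feed it the output of sc.exe sdshow collected across a fleet and every (sid, rights) pair it returns is a service that a non-admin principal can reconfigure.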

Token Impersonation and SeImpersonatePrivilege

Service accounts (IIS app pools, MSSQL NT Service\MSSQLSERVER, scheduled tasks) usually hold SeImpersonatePrivilege. With it, the Potato family of exploits chains an authentication coercion against a local NTLM listener to obtain a SYSTEM token:

  • RottenPotato (legacy) — uses DCOM/RPC marshaling tricks.
  • JuicyPotato / JuicyPotatoNG — works against Windows up to Server 2019.
  • PrintSpoofer — abuses the Print Spooler's named-pipe impersonation, works on Server 2019/2022.
  • GodPotato — leverages DCOM to escalate on Server 2019–2022 and Windows 11.
PrintSpoofer.exe -i -c "cmd.exe"

These techniques convert a webshell or SQL xp_cmdshell foothold into SYSTEM in one command. The defense is RestrictedAdmin-style guardrails — but few production servers deploy them.

Privilege Abuse Beyond SeImpersonate

Each Windows privilege is a sub-language for escalation:

  • SeBackupPrivilege — read any file, including SAM, SYSTEM, and SECURITY hives. Use reg save or diskshadow to extract them and run secretsdump.py offline.
  • SeRestorePrivilege — write to any file or registry key.
  • SeDebugPrivilege — open a handle to any process, including LSASS, enabling Mimikatz.
  • SeTakeOwnershipPrivilege — take ownership of any object; combined with SeRestore, grants total control.
  • SeLoadDriverPrivilege — load a signed but vulnerable driver (Capcom, RTCore, GIGABYTE) for ring-0 code execution.
  • SeManageVolumePrivilege — abusable to grant write to C:\ and then DLL-hijack a SYSTEM process.

whoami /priv enumerates them; whoami /all shows full group context.

UAC Bypasses and Integrity Climb

If you sit in a Medium-integrity shell as a member of the local Administrators group, UAC is the only thing between you and High integrity. Public bypasses still work on default-configured Windows 11 and Server 2022:

  • fodhelper.exe / computerdefaults.exe — auto-elevate, then read a writable HKCU registry key for the command to run.
  • sdclt.exe — similar registry-based hijack.
  • WSReset.exe — protected app that loads a writable COM object.
  • ICMLuaUtil COM — programmatically request elevation via a vulnerable COM interface.

These bypasses rely on auto-elevated binaries respecting user-writable inputs. Microsoft patches individual instances but the class persists. UACMe maintains a curated catalog of 70+ techniques.

Stored Credentials

Operators frequently find escalation without exploiting code at all:

  • Unattended install files — C:\Windows\Panther\Unattend.xml and sysprep.inf often contain base64-encoded local admin passwords.
  • Group Policy Preferences (cpassword) — pre-2014 GPP XML files in SYSVOL contain AES-encrypted passwords with a publicly known key.
  • Registry autologon — HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword stored in cleartext.
  • PowerShell history, CMD history, putty registry entries, and KeePass/KeePassXC databases in user profiles.
  • DPAPI vaults — browser passwords, RDP credentials, and Wi-Fi keys decrypted with the user's masterkey (or, if SYSTEM, with the DPAPI machine key).

SharpDPAPI, SeatBelt, and LaZagne automate the harvest.
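
An added hygiene check (not from this article or the tools above) for the first two credential sources: it parses an Unattend.xml body and reports password elements that Windows Setup has not overwritten with its *SENSITIVE*DATA*DELETED* marker, and walks a Group Policy Preferences XML for entries that still carry a cpassword attribute, reporting rather than decrypting. The XML samples and their base64 values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Windows Setup overwrites a consumed answer-file password with this marker;
# any other non-empty value is live residue that should be scrubbed from the image.
SCRUBBED = "*SENSITIVE*DATA*DELETED*"

def _local(tag):
    """Strip the XML namespace ({urn:...}Tag -> Tag)."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def unattend_password_findings(xml_text):
    """(tag, is_plaintext) for every Unattend.xml password element that is still populated."""
    out = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) in ("Password", "AdministratorPassword"):
            value = _child_text(elem, "Value")
            if value and value != SCRUBBED:
                out.append((_local(elem.tag), _child_text(elem, "PlainText").lower() == "true"))
    return out

def gpp_cpassword_findings(xml_text):
    """userName of every Group Policy Preferences entry that still carries a cpassword attribute."""
    return [props.get("userName", "?") for props in ET.fromstring(xml_text).iter()
            if props.get("cpassword")]

# Constructed samples (not real files; the base64 and cpassword values are placeholders)
UNATTEND_XML = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
    <AutoLogon><Username>Administrator</Username><Enabled>true</Enabled>
      <Password><Value>UGxhY2Vob2xkZXJWYWx1ZQ==</Value><PlainText>false</PlainText></Password>
    </AutoLogon>
    <UserAccounts><AdministratorPassword>
      <Value>*SENSITIVE*DATA*DELETED*</Value><PlainText>false</PlainText>
    </AdministratorPassword></UserAccounts>
  </component></settings>
</unattend>"""
GROUPS_XML = """<Groups>
  <User name="LocalAdmin"><Properties action="U" cpassword="cGxhY2Vob2xkZXI=" userName="LocalAdmin"/></User>
  <User name="Helpdesk"><Properties action="U" cpassword="" userName="Helpdesk"/></User>
</Groups>"""
```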

Kernel Exploits

When userland fails, the kernel delivers. Notable recent CVEs:

  • CVE-2024-38080 — Windows Hyper-V LPE, exploited in the wild July 2024.
  • CVE-2024-21338 — appid.sys IOCTL handler abused by Lazarus's FudModule rootkit to disable EDR.
  • CVE-2023-28252 — CLFS driver LPE, used by Nokoyawa ransomware affiliates.
  • PrintNightmare (CVE-2021-34527) — still exploitable in unpatched environments.

Bring-Your-Own-Vulnerable-Driver (BYOVD) remains the dominant kernel-escalation technique because it requires only SeLoadDriverPrivilege (or admin) and bypasses signature enforcement via Microsoft-signed-but-vulnerable drivers.

Real-world Examples

The Maui ransomware campaigns against US healthcare leveraged JuicyPotato-style impersonation after exploiting Exchange to gain IIS app-pool shells. APT29 (Cozy Bear) used the BYOVD technique with the aswArPot.sys driver to terminate Microsoft Defender during 2023 espionage operations. Vice Society combined PrintNightmare with weak service ACLs to escalate on hundreds of school district endpoints.

Best Practices & Mitigation

Defenders need both proactive hardening and detective coverage:

  1. LAPS for randomized local-admin passwords.
  2. Constrained Language Mode and PowerShell ScriptBlock Logging to surface enumeration.
  3. Microsoft Defender Attack Surface Reduction (ASR) rules — especially "Block credential stealing from LSASS" and "Block process creations from PSExec and WMI commands."
  4. Credential Guard to isolate LSASS secrets in a VBS enclave.
  5. WDAC / AppLocker to block unauthorized binaries — and to break BYOVD by blocklisting known vulnerable drivers via Microsoft's recommended driver block list.
  6. Audit service ACLs with accesschk regularly; require quoted paths.
  7. Disable Print Spooler on Domain Controllers and on servers that do not need it (kills PrintNightmare and PrintSpoofer).
  8. Set UseLogonCredential=0 in WDigest registry to prevent cleartext password caching.
  9. Sysmon + Sigma for telemetry on event IDs 1, 10, 11, and 13, covering process creation (1), ProcessAccess to LSASS (10), file creation (11), and registry value writes such as autorun keys (13).
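
As an added example of the detection side (written for this edit, not taken from Sysmon, Sigma or the article), the following Python runs three rules over constructed Sysmon-style records: a service worker process (IIS, MSSQL) with a SYSTEM child, which is the outcome of the Potato-style impersonation described earlier; an untrusted image opening LSASS with read/write access; and a write to a per-user shell-handler key of the kind the fodhelper/sdclt UAC bypass class consults. The parent-process set, the LSASS allowlist and the sample events are assumptions.

```python
import re

# Constructed Sysmon-style records (not real telemetry); field names follow the
# Sysmon schema for EID 1 (ProcessCreate), 10 (ProcessAccess) and 13 (RegistryEvent value set).
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Desktop\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\ms-settings\shell\open\command\(Default)"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

# Service-account worker processes that should never have a SYSTEM child (assumption: extend per estate)
WORKER_PARENTS = {"w3wp.exe", "sqlservr.exe"}
# Images allowed to open LSASS with read/write access (assumption: tune to the deployed AV/EDR)
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
# PROCESS_CREATE_THREAD | PROCESS_VM_READ | PROCESS_VM_WRITE
LSASS_SENSITIVE = 0x0002 | 0x0010 | 0x0020
# Per-user shell/COM handler keys consulted by auto-elevating binaries; HKCU shows up as HKU\<SID> in Sysmon
HIJACK_KEY = re.compile(r"^HKU\\[^\\]+\\Software\\Classes\\[^\\]+\\shell\\[^\\]+\\command", re.IGNORECASE)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Name of the matching escalation pattern, or None when the event is benign."""
    eid = ev["EventID"]
    if eid == 1 and _basename(ev["ParentImage"]) in WORKER_PARENTS \
            and ev["User"].upper() == r"NT AUTHORITY\SYSTEM":
        return "worker_process_spawned_system_child"      # Potato-style impersonation outcome
    if eid == 10 and _basename(ev["TargetImage"]) == "lsass.exe":
        granted = int(ev["GrantedAccess"], 16)
        if granted & LSASS_SENSITIVE and _basename(ev["SourceImage"]) not in LSASS_ALLOWLIST:
            return "lsass_access_from_untrusted_image"     # SeDebug-style credential access
    if eid == 13 and HIJACK_KEY.match(ev["TargetObject"]):
        return "user_shell_handler_write"                  # fodhelper/sdclt-class UAC bypass setup
    return None

def triage(events):
    """Indexes and rule names of the events that fired, in order."""
    hits = [(i, classify(ev)) for i, ev in enumerate(events)]
    return [(i, rule) for i, rule in hits if rule]
```

The same three conditions translate directly into Sigma selections on ParentImage/User, TargetImage/GrantedAccess/SourceImage, and TargetObject.
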

Key Takeaways

Windows privilege escalation is less about finding zero-days and more about understanding the seams between integrity levels, tokens, and trust. A disciplined operator with winPEAS, SharpUp, and a deep grasp of services and privileges will escalate on the majority of corporate workstations. Defenders win by collapsing the surface — minimizing privileges, randomizing local admins, enabling Credential Guard — and by deploying high-fidelity detections for the canonical impersonation, DCSync, and BYOVD primitives.

Ready to test your knowledge? Take the Windows Privilege Escalation MCQ Quiz on HackCert today!
