Skip to content

Commit e77fbe1

Browse files
carlospolopcarlospolop
authored
Merge pull request #2116 from HackTricks-wiki/research_update_src_windows-hardening_checklist-windows-privilege-escalation_20260411_024605
Research Update Enhanced src/windows-hardening/checklist-win...
2 parents b81c147 + 9b88349 commit e77fbe1

1 file changed

Lines changed: 10 additions & 1 deletion

File tree

src/windows-hardening/checklist-windows-privilege-escalation.md

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -29,10 +29,13 @@
2929
- [ ] Check if any [**AV**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/windows-av-bypass/README.md)
3030
- [ ] [**AppLocker Policy**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/README.md#applocker-policy)?
3131
- [ ] [**UAC**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control/README.md)
32+
- [ ] [**Admin Protection / UIAccess silent elevation**](windows-local-privilege-escalation/uiaccess-admin-protection-bypass.md)?
33+
- [ ] [**Secure Desktop accessibility registry propagation (RegPwn)**](windows-local-privilege-escalation/secure-desktop-accessibility-registry-propagation-regpwn.md)?
3234
- [ ] [**User Privileges**](windows-local-privilege-escalation/index.html#users-and-groups)
3335
- [ ] Check [**current** user **privileges**](windows-local-privilege-escalation/index.html#users-and-groups)
3436
- [ ] Are you [**member of any privileged group**](windows-local-privilege-escalation/index.html#privileged-groups)?
3537
- [ ] Check if you have [any of these tokens enabled](windows-local-privilege-escalation/index.html#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
38+
- [ ] Check if you have [**SeManageVolumePrivilege**](windows-local-privilege-escalation/semanagevolume-perform-volume-maintenance-tasks.md) to read raw volumes and bypass file ACLs
3639
- [ ] [**Users Sessions**](windows-local-privilege-escalation/index.html#logged-users-sessions)?
3740
- [ ] Check[ **users homes**](windows-local-privilege-escalation/index.html#home-folders) (access?)
3841
- [ ] Check [**Password Policy**](windows-local-privilege-escalation/index.html#password-policy)
@@ -93,6 +96,7 @@
9396
- [ ] [**SSH keys in registry**](windows-local-privilege-escalation/index.html#ssh-keys-in-registry)?
9497
- [ ] Passwords in [**unattended files**](windows-local-privilege-escalation/index.html#unattended-files)?
9598
- [ ] Any [**SAM & SYSTEM**](windows-local-privilege-escalation/index.html#sam-and-system-backups) backup?
99+
- [ ] If [**SeManageVolumePrivilege**](windows-local-privilege-escalation/semanagevolume-perform-volume-maintenance-tasks.md) is present, try raw-volume reads for `SAM`, `SYSTEM`, DPAPI material, and `MachineKeys`
96100
- [ ] [**Cloud credentials**](windows-local-privilege-escalation/index.html#cloud-credentials)?
97101
- [ ] [**McAfee SiteList.xml**](windows-local-privilege-escalation/index.html#mcafee-sitelist.xml) file?
98102
- [ ] [**Cached GPP Password**](windows-local-privilege-escalation/index.html#cached-gpp-pasword)?
@@ -113,7 +117,12 @@
113117

114118
- [ ] Check if you can abuse it
115119

116-
{{#include ../banners/hacktricks-training.md}}
117120

118121

122+
## References
123+
124+
- [Project Zero - Bypassing Administrator Protection by Abusing UI Access](https://projectzero.google/2026/02/windows-administrator-protection.html)
125+
- [MDSec - RIP RegPwn](https://www.mdsec.co.uk/2026/03/rip-regpwn/)
119126

127+
128+
{{#include ../banners/hacktricks-training.md}}

0 commit comments

Comments
 (0)