BIPI

Windows Privilege Escalation Methodology: From Foothold to SYSTEM

Cybersecurity

A repeatable methodology for moving from a low-privileged Windows foothold to NT AUTHORITY\SYSTEM, covering enumeration, scoring, and exploitation with WinPEAS, PrivescCheck, Seatbelt, and SharpUp.

By Arjun Raghavan, Security & Systems Lead, BIPI · April 2, 2025 · 11 min read

#windows #privilege-escalation #red-team #pentest #winpeas

The methodology, not the trick

Most Windows privesc writeups jump to a CVE. In real engagements you almost never need a CVE. You need a methodology that turns a noisy host into a short list of writable services, misconfigured tasks, exposed tokens, and credentials sitting in plaintext on disk.

Phase 1: situational awareness

  • whoami /all, whoami /priv, whoami /groups to map current token rights
  • systeminfo, wmic qfe list to fingerprint patch level
  • net user, net localgroup administrators, query session for accounts
  • Seatbelt.exe -group=user collects browser data, RDP, WiFi, AWS keys

Phase 2: automated triage

  • WinPEAS (winPEASx64.exe) with -lolbas and -systeminfo for a baseline
  • PrivescCheck.ps1 -Extended -Report for HTML output with severity scoring
  • SharpUp.exe audit when AMSI is loud, since it is smaller and quieter
  • PowerUp.ps1 Invoke-AllChecks when PowerShell is allowed

Phase 3: the seven vectors

  1. Service abuse: weak DACLs, unquoted paths, writable binaries, DLL hijacks
  2. Scheduled tasks running as SYSTEM with writable scripts or binaries
  3. Token privileges: SeImpersonate, SeAssignPrimaryToken, SeBackup, SeDebug
  4. Stored credentials: cmdkey, Credential Manager, DPAPI vaults, Unattend.xml
  5. AlwaysInstallElevated registry keys allowing MSI install as SYSTEM
  6. Kernel and driver CVEs as a last resort, only on supported builds
  7. Active Directory misconfigurations: GenericAll, WriteDACL, RBCD, unconstrained delegation

Token rights are the fastest win

If whoami /priv shows SeImpersonatePrivilege enabled, you almost certainly own the box. Service accounts (IIS AppPool, MSSQLSERVER) ship with it. PrintSpoofer, GodPotato, and JuicyPotatoNG turn it into SYSTEM in seconds.

Credential looting before you escalate

  • C:\Windows\Panther\Unattend.xml, sysprep.inf for cleartext admin creds
  • cmdkey /list reveals stored runas targets, often domain admin
  • HKCU\Software\SimonTatham\PuTTY\Sessions for hardcoded session data
  • %APPDATA%\Microsoft\Credentials and Vaults for DPAPI blobs

Detection telemetry to expect

Event ID 4672 (special privileges assigned) fires on every SeImpersonate use. Event ID 7045 logs a new service install, the classic SYSTEM persistence tell. Sysmon Event 1 (process create) plus Event 10 (process access) catches LSASS reads. EDR also flags WinPEAS by hash, so rename or recompile.

Remediation that actually works

  • Enable LSA Protection (RunAsPPL) and Credential Guard on Win10 and later
  • Audit service ACLs with accesschk.exe -uwcqv "Authenticated Users" *
  • Strip SeImpersonate from app pools that do not need it, use gMSA
  • Deploy LAPS so local admin reuse does not bridge hosts
  • ASR rule "Block credential stealing from LSASS" via Defender
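A read-only PowerShell audit for two of the Phase 3 service-abuse conditions (unquoted service paths, and service binaries or their parent directory writable by broad groups), added here as an example; it is not the post's own code and is not a substitute for the accesschk.exe check above. It assumes that Everyone, Authenticated Users and BUILTIN\Users are the only principals that count as "broad".

```powershell
# Added example (not from the original post). Run elevated for complete ACL results.
# Assumption: these three SIDs (Everyone, Authenticated Users, BUILTIN\Users) are "broad".
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
# Rights that let a low-privileged user replace or plant a binary.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Test-BroadWrite {
    param([Parameter(Mandatory)][string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable identity, skip the ACE
        if ($BroadSids -contains $sid -and ([int]($ace.FileSystemRights -band $WriteMask) -ne 0)) { return $true }
    }
    return $false
}

function Get-ServicePathFindings {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $raw = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }
        # Separate the binary from its arguments: quoted paths are taken verbatim,
        # unquoted ones are cut at the first ".exe" (-match is case-insensitive).
        if ($raw -match '^"(?<bin>[^"]+)"') { $bin = $Matches.bin; $quoted = $true }
        elseif ($raw -match '^(?<bin>.+?\.exe)(\s|$)') { $bin = $Matches.bin; $quoted = $false }
        else { continue }
        # An unquoted path only matters when the binary path itself contains a space.
        $unquoted = (-not $quoted) -and ($bin -match '\s')
        $writable = @()
        if (Test-Path -LiteralPath $bin) {
            if (Test-BroadWrite $bin) { $writable += $bin }
            $dir = Split-Path -Parent $bin
            if ($dir -and (Test-BroadWrite $dir)) { $writable += $dir }
        }
        if ($unquoted -or $writable.Count -gt 0) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                StartMode = $svc.StartMode
                Unquoted  = $unquoted
                Writable  = ($writable -join '; ')
                PathName  = $raw
            }
        }
    }
}

# Services running as LocalSystem with a finding are the ones to fix first.
Get-ServicePathFindings | Sort-Object RunsAs | Format-Table -AutoSize
```

Findings where RunsAs is LocalSystem and Writable is non-empty map directly to vector 1 in the list above; an Unquoted hit is only exploitable if one of the intermediate directories is also writable, which the same Test-BroadWrite function can confirm per prefix.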

  • ~70%: hosts with SeImpersonate on a service account
  • ~40%: hosts with at least one unquoted service path
  • 1 in 3: engagements where WinPEAS alone found SYSTEM

If your methodology starts with a CVE search, you are already losing. Start with whoami /priv.

Wrap

Privilege escalation is a checklist, not a trick. Enumerate, score, loot creds, abuse tokens, and only then reach for a CVE. The defender wins the moment they remove SeImpersonate from IIS and turn on LSA Protection.
