Windows Privilege Escalation: The Five Paths That Still Work
Cybersecurity
Local privilege escalation on Windows endpoints comes down to a small set of recurring patterns. We cover the ones that still hit on patched, modern hosts and the host-hardening that retires them.
By Arjun Raghavan, Security & Systems Lead, BIPI · November 24, 2024 · 8 min read
Local privilege escalation on a fully patched Windows 11 host is harder than it was, but five recurring patterns still produce SYSTEM on most enterprise endpoints we test. The kernel exploits get the headlines. The misconfigurations get the wins.
How attackers find this
winPEAS and PowerUp.ps1 are the standard enumeration tools, and both look for the same set of well-known misconfigurations. A pentester running winPEASx64.exe quiet on a beachhead host gets a color-coded report of every weakness within 30 seconds.
- Unquoted service paths: a service binary path that contains spaces and is not wrapped in quotes (C:\Program Files\Some App\service.exe) is resolved token by token, so an attacker who can drop C:\Program.exe or C:\Program Files\Some.exe hijacks the service the next time it starts. winPEAS flags these in red.
- Weak service ACLs: services where Authenticated Users have SERVICE_CHANGE_CONFIG let a low-priv user change the service binary path to cmd.exe and restart the service. sc qc and accesschk -uwcqv "Authenticated Users" * are the discovery commands.
- AlwaysInstallElevated: an MSI installed by a low-priv user runs as SYSTEM if both HKLM and HKCU AlwaysInstallElevated registry values are set to 1. msiexec /quiet /qn /i evil.msi gives SYSTEM in one command.
- DLL hijacking: a service or scheduled task that loads a DLL by name from a directory a low-priv user can write to. A Procmon filter of Result is NAME NOT FOUND and Path ends with .dll surfaces every candidate.
- Token impersonation via SeImpersonatePrivilege. Any account holding this privilege (most service accounts) can use Potato-family exploits (JuicyPotato, RoguePotato, GodPotato) to swap to SYSTEM.
The token impersonation path matters more than the others combined. IIS application pools, MSSQL service, Exchange transport agents, and many third-party services run with SeImpersonate. A web shell on an IIS box is one GodPotato away from SYSTEM by default.
What defenders see
Local privilege escalation produces specific Sysmon and Windows event signatures if you are looking for them.
- 4697 service installed events outside change windows are the unquoted-path and weak-ACL signature. Modifying an existing service's ImagePath also produces a Sysmon Event 13 (registry value set) on the service's key.
- 4688 process creation where the parent process is a service and the child is cmd.exe or powershell.exe is the post-exploitation pivot.
- Sysmon Event 1 with a CommandLine containing potato (juicypotato.exe, rotten, godpotato) is the trivial signature. More reliably, look for Event 1 with a parent process running as a service account and a child running as SYSTEM.
- AlwaysInstallElevated abuse leaves a 4688 with msiexec.exe and a child process running as NT AUTHORITY\SYSTEM where the parent runs as a normal user. This combination is a high-fidelity alert.
Hardening
Each path has a specific configuration fix. The collective fix is application whitelisting, which retires several paths at once.
- Audit all services with PowerShell: Get-WmiObject win32_service | Select Name, PathName, StartName. Quote any path containing spaces. Run accesschk -uwcqv "Authenticated Users" * across all services and tighten ACLs.
- Disable AlwaysInstallElevated everywhere via GPO: Administrative Templates > Windows Components > Windows Installer. Set Always install with elevated privileges to Disabled under both Computer Configuration and User Configuration, since the escalation needs both the HKLM and the HKCU value. There is no legitimate use for this setting in 2024.
- Remove SeImpersonatePrivilege from any service account that does not strictly need it. For accounts that must keep it (IIS, MSSQL), constrain them with virtual service accounts and ensure the service is on a fully patched OS where Potato variants are mitigated.
- Deploy AppLocker or WDAC in enforcement mode. A signed-binary-only policy blocks all of winPEAS, PowerUp, and the Potato family without per-tool signature updates. Start in Audit mode, walk to Enforce.
- Enable Sysmon with the Olaf Hartong or SwiftOnSecurity config and forward to a SIEM. Most local privesc detections require Sysmon; default Windows logging lacks the parent-process and command-line context that Sysmon Event 1 records for every process creation.
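The service audit and the AlwaysInstallElevated check from the first two hardening bullets, as an added example that is not the post's own code. It uses Get-CimInstance in place of Get-WmiObject, reports the intermediate paths Windows would try for each unquoted service path, and emits the sc.exe command that quotes it; it assumes local admin rights and PowerShell 5.1 or later.

```powershell
# Added example (not from the original post): audit one host for unquoted
# service paths and for the AlwaysInstallElevated registry values.

function Get-UnquotedServicePath {
    # Returns services whose binary path contains a space but no quotes,
    # plus the shorter paths CreateProcess tries before the real binary.
    Get-CimInstance Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path -or $path.StartsWith('"')) { return }   # quoted = safe
        # Split the binary from its arguments at the first ".exe" token.
        $m = [regex]::Match($path, '^(.*?\.exe)(.*)$', 'IgnoreCase')
        if (-not $m.Success) { return }
        $exe  = $m.Groups[1].Value
        $rest = $m.Groups[2].Value
        if ($exe -notmatch ' ') { return }
        # "C:\Program Files\Some App\service.exe" resolves via
        # C:\Program.exe, then C:\Program Files\Some.exe, then the binary.
        $parts = $exe -split ' '
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
            ($parts[0..($i - 1)] -join ' ') + '.exe'
        }
        [pscustomobject]@{
            Name       = $_.Name
            StartName  = $_.StartName
            PathName   = $path
            Hijackable = $candidates -join '; '
            # sc.exe needs the embedded quotes escaped as \" inside binPath=.
            Fix        = 'sc.exe config "{0}" binPath= "\"{1}\"{2}"' -f $_.Name, $exe, $rest
        }
    }
}

function Test-AlwaysInstallElevated {
    # The MSI-as-SYSTEM path only works when both hives set the value to 1.
    $sub  = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hklm = (Get-ItemProperty -Path "HKLM:\$sub" -Name AlwaysInstallElevated `
             -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $hkcu = (Get-ItemProperty -Path "HKCU:\$sub" -Name AlwaysInstallElevated `
             -ErrorAction SilentlyContinue).AlwaysInstallElevated
    [pscustomobject]@{ HKLM = $hklm; HKCU = $hkcu
                       Exploitable = (($hklm -eq 1) -and ($hkcu -eq 1)) }
}

Get-UnquotedServicePath | Format-List
Test-AlwaysInstallElevated
```

Review the Fix column before running any of the emitted sc.exe commands, since a service whose path the regex mis-split (for example a launcher without a .exe extension) would be reconfigured incorrectly.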
The pentest report that lists all five of these on the same host is the report that lists Domain Admin two pages later, because a service account with SeImpersonate on a workstation is often a domain account, and SYSTEM on that workstation reads the cached domain credentials. The hardening is per-host, but the consequence is enterprise-wide.