Tools

<aside>

GodPotato

SigmaPotato

PrintSpoofer

RunasCs.exe

accesschk.exe

icacls

wmic

</aside>

Privilege Escalation - Typical Attack Vectors

<aside>

Privileges

AlwaysInstallElevated

Unquoted Service Paths

DLL Hijacking

</aside>

Automated Enumeration

<aside>

PrivescCheck.ps1

powershell -ep bypass -c ". .\\PrivescCheck.ps1; Invoke-PrivescCheck"
powershell -ep bypass -c ". .\\PrivescCheck.ps1; Invoke-PrivescCheck -Format TXT,HTML"
powershell -ep bypass -c ". .\\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML"
powershell -ep bypass -c ". .\\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Audit -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML,CSV,XML"

# PowerShell로 리버스 쉘 얻은 경우: 화면 출력 없이 즉시 파일로 저장 (when the shell you have is a PowerShell session: send the report straight to a file instead of the console)
. .\\PrivescCheck.ps1
Invoke-PrivescCheck | Out-File report.txt

winPEAS


PowerUp.ps1


</aside>

Manual Enumeration

<aside>

Active Directory PowerShell Module

Directories

C:\\Users
# Check for any non-default directories
C:\\
# If there are web services running
C:\\inetpub

System and Domain information

hostname
systeminfo
systeminfo | findstr /B "OS"
systeminfo | findstr /B "Domain"
Get-CimInstance Win32_OperatingSystem

set
dir env:
Get-ChildItem Env:

User info

whoami
whoami /priv
whoami /groups

query user
quser

Session info

tasklist /v
net session

Network info

arp -A
ipconfig /all
route PRINT
netstat -ano

Process info

ps
Get-Process 

Services info

Get-CimInstance Win32_Service | select Name,StartName
Get-CimInstance Win32_Service | select Name,StartName,State,PathName
# Running services only
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

sc query state= all
sc query state= all | find "DHCP"
sc qc [service name]

# Unquoted service paths: first filter drops services under C:\\Windows, second drops paths that are already wrapped in quotes
wmic service get name,pathname | findstr /i /v "C:\\Windows\\\\" | findstr /i /v """

Net

net user
net user [username]
net user /domain
net user wook wookpass123 /add

net localgroup
net localgroup administrators
net localgroup /domain
net localgroup administrators wook /add
net localgroup "Remote Desktop Users" wook /add

net group
net group "Domain Admins" /domain

net share
net session
net use

net start
net start [service]
net stop [service]

PowerShell History

# CMD
type %userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt

# PowerShell
type $Env:userprofile\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt

Scheduled Tasks

schtasks /query
Get-ScheduledTask
schtasks /query /fo LIST /v

</aside>