hacktricks/src/windows-hardening/checklist-windows-privilege-escalation.md

# 检查清单 - 本地 Windows 权限提升

{{#include ../banners/hacktricks-training.md}}

### **查找 Windows 本地权限提升向量的最佳工具：** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)

### [系统信息](windows-local-privilege-escalation/index.html#system-info)

- [ ] 获取 [**系统信息**](windows-local-privilege-escalation/index.html#system-info)
- [ ] 使用脚本搜索 **内核** [**漏洞**](windows-local-privilege-escalation/index.html#version-exploits)
- [ ] 使用 **Google 搜索** 内核 **漏洞**
- [ ] 使用 **searchsploit 搜索** 内核 **漏洞**
- [ ] [**环境变量**](windows-local-privilege-escalation/index.html#environment) 中有趣的信息？
- [ ] [**PowerShell 历史**](windows-local-privilege-escalation/index.html#powershell-history) 中的密码？
- [ ] [**Internet 设置**](windows-local-privilege-escalation/index.html#internet-settings) 中有趣的信息？
- [ ] [**驱动器**](windows-local-privilege-escalation/index.html#drives)？
- [ ] [**WSUS 漏洞**](windows-local-privilege-escalation/index.html#wsus)？
- [ ] [**AlwaysInstallElevated**](windows-local-privilege-escalation/index.html#alwaysinstallelevated)？

### [日志/AV 枚举](windows-local-privilege-escalation/index.html#enumeration)

- [ ] 检查 [**审计**](windows-local-privilege-escalation/index.html#audit-settings) 和 [**WEF**](windows-local-privilege-escalation/index.html#wef) 设置
- [ ] 检查 [**LAPS**](windows-local-privilege-escalation/index.html#laps)
- [ ] 检查 [**WDigest**](windows-local-privilege-escalation/index.html#wdigest) 是否处于活动状态
- [ ] [**LSA 保护**](windows-local-privilege-escalation/index.html#lsa-protection)？
- [ ] [**凭据保护**](windows-local-privilege-escalation/index.html#credentials-guard)[?](windows-local-privilege-escalation/index.html#cached-credentials)
- [ ] [**缓存凭据**](windows-local-privilege-escalation/index.html#cached-credentials)？
- [ ] 检查是否有任何 [**AV**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/windows-av-bypass/README.md)
- [ ] [**AppLocker 策略**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/README.md#applocker-policy)？
- [ ] [**UAC**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control/README.md)
- [ ] [**用户权限**](windows-local-privilege-escalation/index.html#users-and-groups)
- [ ] 检查 [**当前**] 用户 [**权限**](windows-local-privilege-escalation/index.html#users-and-groups)
- [ ] 你是 [**任何特权组的成员**](windows-local-privilege-escalation/index.html#privileged-groups)吗？
- [ ] 检查你是否启用了 [这些令牌](windows-local-privilege-escalation/index.html#token-manipulation)：**SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
- [ ] [**用户会话**](windows-local-privilege-escalation/index.html#logged-users-sessions)？
- [ ] 检查 [**用户主目录**](windows-local-privilege-escalation/index.html#home-folders)（访问？）
- [ ] 检查 [**密码策略**](windows-local-privilege-escalation/index.html#password-policy)
- [ ] [**剪贴板**](windows-local-privilege-escalation/index.html#get-the-content-of-the-clipboard) 中有什么？

### [网络](windows-local-privilege-escalation/index.html#network)

- [ ] 检查 **当前** [**网络** **信息**](windows-local-privilege-escalation/index.html#network)
- [ ] 检查 **隐藏的本地服务** 是否限制外部访问

### [运行中的进程](windows-local-privilege-escalation/index.html#running-processes)

- [ ] 进程二进制文件 [**文件和文件夹权限**](windows-local-privilege-escalation/index.html#file-and-folder-permissions)
- [ ] [**内存密码挖掘**](windows-local-privilege-escalation/index.html#memory-password-mining)
- [ ] [**不安全的 GUI 应用程序**](windows-local-privilege-escalation/index.html#insecure-gui-apps)
- [ ] 通过 `ProcDump.exe` 偷取 **有趣进程** 的凭据？（firefox, chrome 等 ...）

### [服务](windows-local-privilege-escalation/index.html#services)

- [ ] [你能 **修改任何服务** 吗？](windows-local-privilege-escalation/index.html#permissions)
- [ ] [你能 **修改** 任何 **服务** 执行的 **二进制文件** 吗？](windows-local-privilege-escalation/index.html#modify-service-binary-path)
- [ ] [你能 **修改** 任何 **服务** 的 **注册表** 吗？](windows-local-privilege-escalation/index.html#services-registry-modify-permissions)
- [ ] [你能利用任何 **未加引号的服务** 二进制 **路径** 吗？](windows-local-privilege-escalation/index.html#unquoted-service-paths)

### [**应用程序**](windows-local-privilege-escalation/index.html#applications)

- [ ] **写入** [**已安装应用程序的权限**](windows-local-privilege-escalation/index.html#write-permissions)
- [ ] [**启动应用程序**](windows-local-privilege-escalation/index.html#run-at-startup)
- [ ] **易受攻击的** [**驱动程序**](windows-local-privilege-escalation/index.html#drivers)

### [DLL 劫持](windows-local-privilege-escalation/index.html#path-dll-hijacking)

- [ ] 你能 **在 PATH 中的任何文件夹中写入** 吗？
- [ ] 是否有任何已知的服务二进制文件 **尝试加载任何不存在的 DLL**？
- [ ] 你能 **在任何二进制文件夹中写入** 吗？

### [网络](windows-local-privilege-escalation/index.html#network)

- [ ] 枚举网络（共享、接口、路由、邻居等...）
- [ ] 特别关注在本地主机（127.0.0.1）上监听的网络服务

### [Windows 凭据](windows-local-privilege-escalation/index.html#windows-credentials)

- [ ] [**Winlogon**](windows-local-privilege-escalation/index.html#winlogon-credentials) 凭据
- [ ] [**Windows Vault**](windows-local-privilege-escalation/index.html#credentials-manager-windows-vault) 中你可以使用的凭据？
- [ ] 有趣的 [**DPAPI 凭据**](windows-local-privilege-escalation/index.html#dpapi)？
- [ ] 保存的 [**Wifi 网络**](windows-local-privilege-escalation/index.html#wifi) 中的密码？
- [ ] [**保存的 RDP 连接**](windows-local-privilege-escalation/index.html#saved-rdp-connections) 中有趣的信息？
- [ ] [**最近运行的命令**](windows-local-privilege-escalation/index.html#recently-run-commands) 中的密码？
- [ ] [**远程桌面凭据管理器**](windows-local-privilege-escalation/index.html#remote-desktop-credential-manager) 密码？
- [ ] [**AppCmd.exe** 存在](windows-local-privilege-escalation/index.html#appcmd-exe)吗？凭据？
- [ ] [**SCClient.exe**](windows-local-privilege-escalation/index.html#scclient-sccm)？DLL 侧加载？

### [文件和注册表（凭据）](windows-local-privilege-escalation/index.html#files-and-registry-credentials)

- [ ] **Putty:** [**凭据**](windows-local-privilege-escalation/index.html#putty-creds) **和** [**SSH 主机密钥**](windows-local-privilege-escalation/index.html#putty-ssh-host-keys)
- [ ] [**注册表中的 SSH 密钥**](windows-local-privilege-escalation/index.html#ssh-keys-in-registry)？
- [ ] [**无人值守文件**](windows-local-privilege-escalation/index.html#unattended-files) 中的密码？
- [ ] 任何 [**SAM & SYSTEM**](windows-local-privilege-escalation/index.html#sam-and-system-backups) 备份？
- [ ] [**云凭据**](windows-local-privilege-escalation/index.html#cloud-credentials)？
- [ ] [**McAfee SiteList.xml**](windows-local-privilege-escalation/index.html#mcafee-sitelist.xml) 文件？
- [ ] [**缓存的 GPP 密码**](windows-local-privilege-escalation/index.html#cached-gpp-pasword)？
- [ ] [**IIS Web 配置文件**](windows-local-privilege-escalation/index.html#iis-web-config) 中的密码？
- [ ] [**Web 日志**](windows-local-privilege-escalation/index.html#logs) 中有趣的信息？
- [ ] 你想要 [**向用户请求凭据**](windows-local-privilege-escalation/index.html#ask-for-credentials) 吗？
- [ ] [**回收站**](windows-local-privilege-escalation/index.html#credentials-in-the-recyclebin) 中有趣的文件？
- [ ] 其他 [**包含凭据的注册表**](windows-local-privilege-escalation/index.html#inside-the-registry)？
- [ ] [**浏览器数据**](windows-local-privilege-escalation/index.html#browsers-history) 中（数据库、历史记录、书签等）？
- [ ] [**通用密码搜索**](windows-local-privilege-escalation/index.html#generic-password-search-in-files-and-registry) 在文件和注册表中
- [ ] [**工具**](windows-local-privilege-escalation/index.html#tools-that-search-for-passwords) 自动搜索密码

### [泄露的处理程序](windows-local-privilege-escalation/index.html#leaked-handlers)

- [ ] 你是否可以访问由管理员运行的任何进程的处理程序？

### [管道客户端冒充](windows-local-privilege-escalation/index.html#named-pipe-client-impersonation)

- [ ] 检查你是否可以利用它

{{#include ../banners/hacktricks-training.md}}