00 Mindmap Windows Privilege Escalation.canvas
{
"nodes":[
{"type":"text","text":"Credentials from registry","id":"b78ee0e7ceb006ab","x":351,"y":-219,"width":489,"height":60},
{"type":"text","text":"Credentials from Unattended or sysprep files","id":"0f5723a076eaae4f","x":351,"y":-139,"width":489,"height":60},
{"type":"text","text":"Default passwords","id":"5302dd561a8236d7","x":351,"y":-695,"width":489,"height":60},
{"type":"text","text":"Reused passwords","id":"fd4c95347ab92034","x":351,"y":-615,"width":489,"height":60},
{"type":"text","text":"Credentials from configuration files","id":"076099c4c32fbe25","x":351,"y":-535,"width":489,"height":60},
{"type":"text","text":"Credentials from local database","id":"f84fcaa02799a4f6","x":351,"y":-455,"width":489,"height":60},
{"type":"text","text":"Credentials from Powershell History","id":"9c24df2395abe41a","x":351,"y":-375,"width":489,"height":60},
{"type":"text","text":"Credentials from cmdkey","id":"eb42d5086fc4f9a6","x":351,"y":-295,"width":489,"height":56},
{"type":"text","text":"Credential access\n[01 EoP - Looting for passwords](01%20EoP%20-%20Looting%20for%20passwords.md)","id":"7ddb51f340b8be2c","x":-113,"y":-355,"width":250,"height":60},
{"type":"text","text":"Credential from log files","id":"a9663ffe70ee368b","x":351,"y":-59,"width":489,"height":60},
{"type":"text","text":"user groups","id":"c6220802d7426bdc","x":351,"y":21,"width":489,"height":60},
{"type":"text","text":"Services running on localhost","id":"2c8455b8ffb76174","x":307,"y":187,"width":250,"height":71},
{"type":"text","text":"Kernel version","id":"a25b333fa7daf51a","x":307,"y":278,"width":250,"height":60},
{"type":"text","text":"Software versions","id":"c3f1ec57c7e90023","x":307,"y":358,"width":250,"height":60},
{"type":"text","text":"Service versions","id":"c9c20801f084214f","x":307,"y":438,"width":250,"height":60},
{"type":"text","text":"Exploits","id":"6f27ac9995f09067","x":-54,"y":328,"width":250,"height":60},
{"type":"text","text":"User privileges","id":"4956b7ac4008d08a","x":307,"y":629,"width":250,"height":60},
{"type":"text","text":"Misconfigurations","id":"38feeca0e4fd29de","x":-95,"y":959,"width":250,"height":60},
{"type":"text","text":"Windows Privilege Escalation","id":"aad5d31f0f41aecb","x":-469,"y":328,"width":250,"height":60},
{"type":"text","text":"Eventvwr","id":"af123cfcccfbbd8f","x":2064,"y":156,"width":250,"height":60},
{"type":"text","text":"iscsicpl.exe","id":"27b079fdf65709e2","x":2064,"y":325,"width":290,"height":60},
{"type":"text","text":"dcomcnfg.exe","id":"4329fa532f4c737d","x":2064,"y":405,"width":290,"height":60},
{"type":"text","text":"netplwiz.exe","id":"46a1c9098384bef8","x":2064,"y":245,"width":290,"height":60},
{"type":"text","text":"GUI based","id":"0bc6177fcd7c7605","x":1658,"y":485,"width":250,"height":60},
{"type":"text","text":"Terminal based","id":"fe536c202155ae18","x":1658,"y":111,"width":250,"height":60},
{"type":"text","text":"UAC bypass","id":"716e0d265b76cd47","x":1330,"y":290,"width":250,"height":60},
{"type":"text","text":"FODHelper","id":"5bb0086cbe514336","x":2064,"y":51,"width":250,"height":60},
{"type":"text","text":"Potato","id":"72a7b049a6c95e2d","x":1998,"y":877,"width":250,"height":60},
{"type":"text","text":"PrintSpoofer","id":"cb15a33dd19f7051","x":1998,"y":967,"width":250,"height":60},
{"type":"text","text":"RogueWinRM","id":"5e6db4782e6ef82d","x":1998,"y":1057,"width":250,"height":60},
{"type":"text","text":"eventvwr.exe","id":"2b196e1919b251d0","x":2064,"y":645,"width":290,"height":60},
{"type":"text","text":"perfmon.exe","id":"3451c7ac82a0e795","x":2064,"y":485,"width":290,"height":60},
{"type":"text","text":"compMgmtLauncher.exe","id":"4c154bbc07b6dbfd","x":2064,"y":565,"width":290,"height":60},
{"type":"text","text":"mmc devmgmt.msc","id":"04354e8b5c980ade","x":2064,"y":725,"width":290,"height":60},
{"type":"text","text":"SeImpersonatePrivilege","id":"95e2c9a8eebb0e50","x":1463,"y":928,"width":320,"height":60},
{"type":"text","text":"Unquoted Service Path","id":"6c093fddd840630b","x":687,"y":1349,"width":333,"height":60},
{"type":"text","text":"Change Service Binary Location","id":"0719354cb82742e5","x":687,"y":1429,"width":333,"height":60},
{"type":"text","text":"Overwrite Service Binary","id":"26ef825dc02041d6","x":687,"y":1509,"width":333,"height":60},
{"type":"text","text":"DLL Hijacking","id":"cfaf8b747ac03845","x":687,"y":1589,"width":333,"height":60},
{"type":"text","text":"Executable File Writable","id":"d5272c59e5be3225","x":687,"y":1735,"width":333,"height":60},
{"type":"text","text":"Dependency writable","id":"c9b212d6f3b1f8a3","x":687,"y":1815,"width":250,"height":60},
{"type":"text","text":"SAM Hive","id":"af9d8f06265c79f8","x":687,"y":1919,"width":250,"height":60},
{"type":"text","text":"SYSTEM Hive","id":"016bbef731befcb5","x":687,"y":2020,"width":250,"height":60},
{"type":"text","text":"Sensitive Files Readable","id":"2cc238db686f9323","x":346,"y":1966,"width":250,"height":60},
{"type":"text","text":"Scheduled tasks","id":"2a089154244f994f","x":346,"y":1785,"width":250,"height":60},
{"type":"text","text":"SeAssignPrimaryTokenPrivilege","id":"15141501165d1bb3","x":1463,"y":817,"width":320,"height":60},
{"type":"text","text":"SeBackupPrivilege","id":"31ec6a691f31dda2","x":1463,"y":1289,"width":250,"height":60},
{"type":"text","text":"Windows client","id":"366711f2b5b9b5ce","x":1783,"y":1257,"width":250,"height":60},
{"type":"text","text":"Domain Controller","id":"58f8b512220a61be","x":1783,"y":1349,"width":250,"height":60},
{"type":"text","text":"SAM + SYSTEM","id":"fa44a3fbb17ec5a0","x":2094,"y":1257,"width":250,"height":60},
{"type":"text","text":"ntds.dit","id":"de1ea014046600d9","x":2094,"y":1349,"width":250,"height":60},
{"type":"text","text":"Churrasco","id":"b7884c09d4a7873e","x":1998,"y":1147,"width":250,"height":60},
{"type":"text","text":"Services\n[20 EoP - Leveraging Windows Services](20%20EoP%20-%20Leveraging%20Windows%20Services.md)","id":"2315e805c1e53d91","x":346,"y":1479,"width":250,"height":60},
{"type":"text","text":"```cmd\nwhoami /priv\n```","id":"d786877728553b71","x":1020,"y":1147,"width":250,"height":60},
{"id":"06de0f837d66e239","type":"text","text":"1. Launch PowerShell/ISE with SeRestorePrivilege present in the token (check with `whoami /priv`). \n2. Enable the privilege with [Enable-SeRestorePrivilege](https://github.com/gtworek/PSBits/blob/master/Misc/EnableSeRestorePrivilege.ps1). \n3. Rename utilman.exe to utilman.old \n4. Rename cmd.exe to utilman.exe \n5. Lock the console and press Win+U - the accessibility shortcut now launches the renamed cmd.exe from the lock screen. \n6. Afterwards, restore the original utilman.exe: while the swap is in place, anyone with console access to the host gets the same shell.","x":2080,"y":1464,"width":420,"height":256},
{"id":"483acb34bc9e1af8","type":"text","text":"non GUI","x":1783,"y":1820,"width":250,"height":60},
{"id":"293b44daa49ad5bd","type":"text","text":"https://github.com/xct/SeRestoreAbuse","x":2078,"y":1820,"width":422,"height":60},
{"id":"3868cd248078fdc9","type":"text","text":"GUI","x":1783,"y":1562,"width":250,"height":60},
{"id":"06311376f8cf1feb","type":"text","text":"SeRestorePrivilege","x":1461,"y":1680,"width":250,"height":60},
{"type":"text","text":"RottenPotato","id":"87da1835e99293ab","x":2680,"y":637,"width":250,"height":60},
{"type":"text","text":"RottenPotatoNG","id":"893fa0bb5f67583b","x":2680,"y":717,"width":250,"height":60},
{"type":"text","text":"JuicyPotato","id":"e0f0f6d08a02ad12","x":2680,"y":797,"width":250,"height":60},
{"type":"text","text":"SweetPotato","id":"f7c579ceb1b6b298","x":2680,"y":877,"width":250,"height":60},
{"type":"text","text":"RemotePotato0","id":"bbcae9a8b0fa2404","x":2680,"y":957,"width":250,"height":60},
{"type":"text","text":"GodPotato","id":"a9dd9a7b5c230404","x":2680,"y":1037,"width":250,"height":60},
{"id":"138bdce8820e1b6c","type":"text","text":"Coerced Potato","x":2680,"y":1129,"width":250,"height":60},
{"id":"a456bf627d11a26a","type":"text","text":"[13 EoP - Impersonation Privileges](13%20EoP%20-%20Impersonation%20Privileges.md) - Token Impersonation","x":687,"y":1147,"width":257,"height":60},
{"id":"2a564c9fffccf4e5","type":"text","text":"SeCreateTokenPrivilege","x":1463,"y":1990,"width":250,"height":60},
{"type":"text","text":"SeDebugPrivilege","id":"0c49f358bc120769","x":1463,"y":2086,"width":250,"height":60},
{"type":"text","text":"SeLoadDriverPrivilege","id":"38f9abcc878048ab","x":1463,"y":2166,"width":250,"height":60},
{"id":"811f92004d330326","type":"text","text":"SeTakeOwnershipPrivilege","x":1463,"y":2260,"width":250,"height":60},
{"id":"c7196124c9848781","type":"text","text":"[16 EoP - Registry Escalation - AlwaysInstallElevated](16%20EoP%20-%20Registry%20Escalation%20-%20AlwaysInstallElevated.md) set in Windows Registry","x":346,"y":1650,"width":250,"height":85},
{"id":"85a85527aa1994e7","x":2680,"y":1207,"width":250,"height":60,"type":"text","text":"SigmaPotato"}
],
"edges":[
{"id":"6b14fbe0816370ea","fromNode":"aad5d31f0f41aecb","fromSide":"right","toNode":"7ddb51f340b8be2c","toSide":"left"},
{"id":"545dc08a71ef8a10","fromNode":"7ddb51f340b8be2c","fromSide":"right","toNode":"5302dd561a8236d7","toSide":"left"},
{"id":"b21750b54302fb9f","fromNode":"7ddb51f340b8be2c","fromSide":"right","toNode":"fd4c95347ab92034","toSide":"left"},
{"id":"1e16f278b9048bb4","fromNode":"7ddb51f340b8be2c","fromSide":"right","toNode":"076099c4c32fbe25","toSide":"left"},
{"id":"5a7061bc3380a019","fromNode":"7ddb51f340b8be2c","fromSide":"right","toNode":"f84fcaa02799a4f6","toSide":"left"},
{"id":"2f1d2e3bf15a1aea","fromNode":"7ddb51f340b8be2c","fromSide":"right","toNode":"9c24df2395abe41a","toSide":"left"},
{"id":"5d567d9515f2497b","fromNode":"7ddb51f340b8be2c","fromSide":"right","toNode":"eb42d5086fc4f9a6","toSide":"left"},
{"id":"6650ed989019a4f4","fromNode":"7ddb51f340b8be2c","fromSide":"right","toNode":"b78ee0e7ceb006ab","toSide":"left"},
{"id":"a34464095b7a2302","fromNode":"7ddb51f340b8be2c","fromSide":"right","toNode":"0f5723a076eaae4f","toSide":"left"},
{"id":"c8d45c9b232668f7","fromNode":"7ddb51f340b8be2c","fromSide":"right","toNode":"a9663ffe70ee368b","toSide":"left"},
{"id":"3f06113db90a04a9","fromNode":"7ddb51f340b8be2c","fromSide":"right","toNode":"c6220802d7426bdc","toSide":"left"},
{"id":"1362c405a6b72ed3","fromNode":"6f27ac9995f09067","fromSide":"right","toNode":"2c8455b8ffb76174","toSide":"left"},
{"id":"7988da7598dbad97","fromNode":"6f27ac9995f09067","fromSide":"right","toNode":"a25b333fa7daf51a","toSide":"left"},
{"id":"6dbf67af85ecf893","fromNode":"6f27ac9995f09067","fromSide":"right","toNode":"c3f1ec57c7e90023","toSide":"left"},
{"id":"f23bb94d2c02f3e3","fromNode":"6f27ac9995f09067","fromSide":"right","toNode":"c9c20801f084214f","toSide":"left"},
{"id":"205d7810d89be3ac","fromNode":"aad5d31f0f41aecb","fromSide":"right","toNode":"6f27ac9995f09067","toSide":"left"},
{"id":"c211d9808d944941","fromNode":"aad5d31f0f41aecb","fromSide":"right","toNode":"38feeca0e4fd29de","toSide":"left"},
{"id":"2be88759d08efb0e","fromNode":"38feeca0e4fd29de","fromSide":"right","toNode":"4956b7ac4008d08a","toSide":"left"},
{"id":"d3596bb6b04b54d4","fromNode":"38feeca0e4fd29de","fromSide":"right","toNode":"c7196124c9848781","toSide":"left"},
{"id":"d3e741c46de5ea44","fromNode":"38feeca0e4fd29de","fromSide":"right","toNode":"2a089154244f994f","toSide":"left"},
{"id":"86472d13d29fcbe1","fromNode":"38feeca0e4fd29de","fromSide":"right","toNode":"2cc238db686f9323","toSide":"left"},
{"id":"7571aafd7c74828f","fromNode":"2a089154244f994f","fromSide":"right","toNode":"d5272c59e5be3225","toSide":"left"},
{"id":"55469547fd0aa8f0","fromNode":"2a089154244f994f","fromSide":"right","toNode":"c9b212d6f3b1f8a3","toSide":"left"},
{"id":"5f83eaf67d7aa7a1","fromNode":"2cc238db686f9323","fromSide":"right","toNode":"af9d8f06265c79f8","toSide":"left"},
{"id":"8e4a0f16919f0843","fromNode":"2cc238db686f9323","fromSide":"right","toNode":"016bbef731befcb5","toSide":"left"},
{"id":"638f12ffd1b9e375","fromNode":"4956b7ac4008d08a","fromSide":"right","toNode":"716e0d265b76cd47","toSide":"left"},
{"id":"07aa9a15ce120f54","fromNode":"fe536c202155ae18","fromSide":"right","toNode":"5bb0086cbe514336","toSide":"left"},
{"id":"aa459817bc6ec933","fromNode":"fe536c202155ae18","fromSide":"right","toNode":"af123cfcccfbbd8f","toSide":"left"},
{"id":"049e2f527c353f66","fromNode":"4956b7ac4008d08a","fromSide":"right","toNode":"a456bf627d11a26a","toSide":"left"},
{"id":"d4c08fbccc6e86b6","fromNode":"d786877728553b71","fromSide":"right","toNode":"95e2c9a8eebb0e50","toSide":"left"},
{"id":"7d13eb9ef5cae18a","fromNode":"716e0d265b76cd47","fromSide":"right","toNode":"fe536c202155ae18","toSide":"left"},
{"id":"b881e92adde5c5ce","fromNode":"716e0d265b76cd47","fromSide":"right","toNode":"0bc6177fcd7c7605","toSide":"left"},
{"id":"9a35fc5417f7d720","fromNode":"95e2c9a8eebb0e50","fromSide":"right","toNode":"72a7b049a6c95e2d","toSide":"left"},
{"id":"df763b3b6059181f","fromNode":"95e2c9a8eebb0e50","fromSide":"right","toNode":"cb15a33dd19f7051","toSide":"left"},
{"id":"2a9cc709addfad08","fromNode":"d786877728553b71","fromSide":"right","toNode":"31ec6a691f31dda2","toSide":"left"},
{"id":"7dea89b358895048","fromNode":"72a7b049a6c95e2d","fromSide":"right","toNode":"a9dd9a7b5c230404","toSide":"left"},
{"id":"c6982044ceb24979","fromNode":"72a7b049a6c95e2d","fromSide":"right","toNode":"87da1835e99293ab","toSide":"left"},
{"id":"91f2a622998e76c7","fromNode":"72a7b049a6c95e2d","fromSide":"right","toNode":"e0f0f6d08a02ad12","toSide":"left"},
{"id":"58fc2c35ded59d70","fromNode":"72a7b049a6c95e2d","fromSide":"right","toNode":"bbcae9a8b0fa2404","toSide":"left"},
{"id":"60942cc3f4efdf32","fromNode":"72a7b049a6c95e2d","fromSide":"right","toNode":"f7c579ceb1b6b298","toSide":"left"},
{"id":"be5d21d8f3f5fa81","fromNode":"72a7b049a6c95e2d","fromSide":"right","toNode":"893fa0bb5f67583b","toSide":"left"},
{"id":"f1baeb77dd58891e","fromNode":"95e2c9a8eebb0e50","fromSide":"right","toNode":"5e6db4782e6ef82d","toSide":"left"},
{"id":"89f8bb46c7990405","fromNode":"31ec6a691f31dda2","fromSide":"right","toNode":"366711f2b5b9b5ce","toSide":"left"},
{"id":"633c664fbcbd8393","fromNode":"31ec6a691f31dda2","fromSide":"right","toNode":"58f8b512220a61be","toSide":"left"},
{"id":"d2032cd3a41597e7","fromNode":"366711f2b5b9b5ce","fromSide":"right","toNode":"fa44a3fbb17ec5a0","toSide":"left"},
{"id":"f0760c8c31788aca","fromNode":"58f8b512220a61be","fromSide":"right","toNode":"de1ea014046600d9","toSide":"left"},
{"id":"1b70fdfd2f92eb8d","fromNode":"0bc6177fcd7c7605","fromSide":"right","toNode":"46a1c9098384bef8","toSide":"left"},
{"id":"f633a1858348bb6e","fromNode":"0bc6177fcd7c7605","fromSide":"right","toNode":"27b079fdf65709e2","toSide":"left"},
{"id":"8a225e6119ef73cc","fromNode":"0bc6177fcd7c7605","fromSide":"right","toNode":"4329fa532f4c737d","toSide":"left"},
{"id":"c4674515fab7b733","fromNode":"0bc6177fcd7c7605","fromSide":"right","toNode":"3451c7ac82a0e795","toSide":"left"},
{"id":"6b79044098e48277","fromNode":"0bc6177fcd7c7605","fromSide":"right","toNode":"4c154bbc07b6dbfd","toSide":"left"},
{"id":"94e3776ed922d511","fromNode":"0bc6177fcd7c7605","fromSide":"right","toNode":"2b196e1919b251d0","toSide":"left"},
{"id":"3be64437bdad8a94","fromNode":"0bc6177fcd7c7605","fromSide":"right","toNode":"04354e8b5c980ade","toSide":"left"},
{"id":"88d3567d824b6ada","fromNode":"d786877728553b71","fromSide":"right","toNode":"15141501165d1bb3","toSide":"left"},
{"id":"96e6718a5561b697","fromNode":"15141501165d1bb3","fromSide":"right","toNode":"72a7b049a6c95e2d","toSide":"left"},
{"id":"c39aabc559e6baca","fromNode":"95e2c9a8eebb0e50","fromSide":"right","toNode":"b7884c09d4a7873e","toSide":"left"},
{"id":"7e4370fc02fd436d","fromNode":"38feeca0e4fd29de","fromSide":"right","toNode":"2315e805c1e53d91","toSide":"left"},
{"id":"fea03ae9ccc0dfc3","fromNode":"2315e805c1e53d91","fromSide":"right","toNode":"6c093fddd840630b","toSide":"left"},
{"id":"6735bc3996115aa2","fromNode":"2315e805c1e53d91","fromSide":"right","toNode":"0719354cb82742e5","toSide":"left"},
{"id":"0f1a4a46645f086d","fromNode":"2315e805c1e53d91","fromSide":"right","toNode":"26ef825dc02041d6","toSide":"left"},
{"id":"9e4c392b74127f4b","fromNode":"2315e805c1e53d91","fromSide":"right","toNode":"cfaf8b747ac03845","toSide":"left"},
{"id":"c682878a468196c2","fromNode":"d786877728553b71","fromSide":"right","toNode":"0c49f358bc120769","toSide":"left"},
{"id":"552cdb2de6c46555","fromNode":"d786877728553b71","fromSide":"right","toNode":"38f9abcc878048ab","toSide":"left"},
{"id":"ea44ba23f66591ab","fromNode":"d786877728553b71","fromSide":"right","toNode":"06311376f8cf1feb","toSide":"left"},
{"id":"6486674903df39d5","fromNode":"06311376f8cf1feb","fromSide":"right","toNode":"3868cd248078fdc9","toSide":"left"},
{"id":"af6c46f3c99ecb50","fromNode":"06311376f8cf1feb","fromSide":"right","toNode":"483acb34bc9e1af8","toSide":"left"},
{"id":"4be939aa57224410","fromNode":"483acb34bc9e1af8","fromSide":"right","toNode":"293b44daa49ad5bd","toSide":"left"},
{"id":"83f42162a9ef0fb8","fromNode":"3868cd248078fdc9","fromSide":"right","toNode":"06de0f837d66e239","toSide":"left"},
{"id":"f6869fa0dd985489","fromNode":"72a7b049a6c95e2d","fromSide":"right","toNode":"138bdce8820e1b6c","toSide":"left"},
{"id":"3113c4b9f21b08cc","fromNode":"a456bf627d11a26a","fromSide":"right","toNode":"d786877728553b71","toSide":"left"},
{"id":"443220948f592125","fromNode":"d786877728553b71","fromSide":"right","toNode":"2a564c9fffccf4e5","toSide":"left"},
{"id":"06b6adb321a3e025","fromNode":"d786877728553b71","fromSide":"right","toNode":"811f92004d330326","toSide":"left"},
{"id":"87f57bbc2090049c","fromNode":"72a7b049a6c95e2d","fromSide":"right","toNode":"85a85527aa1994e7","toSide":"left"}
]
}