Windows Security

Overview

Windows systems are ubiquitous in enterprise environments, making Windows security knowledge essential for penetration testers and red teamers. This section covers privilege escalation techniques, Windows-specific vulnerabilities, privileged group exploitation, and system hardening strategies.

Privilege Escalation Techniques

Windows Privileges

• SeImpersonate Privilege - Exploit token impersonation for SYSTEM access
• SeBackup Privilege - Leverage backup rights for sensitive file access
• SeDebug Privilege - Abuse debugging privileges for process manipulation
• SeTakeOwnership Privilege - Take ownership of files and registry keys

Service Exploitation

• Service Hijacking - Hijack vulnerable Windows services
• Unquoted Service Path - Exploit improperly quoted service paths

Task Exploitation

• Scheduled Tasks - Abuse misconfigured scheduled tasks

Privileged Groups

Administrative Groups

• Event Log Readers - Exploit Event Log Readers group membership
• Print Operators - Abuse Print Operators group privileges
• Server Operators - Leverage Server Operators permissions
• Hyper-V Administrators - Exploit Hyper-V administrative access

Code Injection & Advanced Techniques

• DLL Injection - Code injection via Dynamic Link Libraries

Known Vulnerabilities

• PrintNightmare - Critical Windows Print Spooler vulnerability
• LLMNR and NBT-NS Poisoning - Credential capture via name resolution poisoning
• Bring Your Own Vulnerable Driver (BYOVD) - Kernel-level exploitation via vulnerable drivers

System Hardening

• Windows Hardening - Security best practices for Windows systems

Attack Methodology

Phase 1: Enumeration

• Identify system information (OS version, patches, architecture)
• Enumerate user privileges and group memberships
• Check running services and scheduled tasks
• Review installed software and versions

Phase 2: Privilege Identification

• Look for dangerous privileges (SeImpersonate, SeBackup, SeDebug)
• Identify misconfigured services and paths
• Check for vulnerable drivers
• Enumerate privileged group memberships

Phase 3: Exploitation

• Exploit identified privileges or misconfigurations
• Use appropriate exploit tools and techniques
• Leverage legitimate Windows functionality

Phase 4: Persistence

• Create scheduled tasks
• Modify services
• Registry autoruns
• WMI event subscriptions

Essential Tools

Related Resources

• Active Directory Attacks - Domain-level exploitation
• Network Protocol Attacks - SMB and RDP attacks
• Linux Security - Cross-platform privilege escalation