Privilege Escalation Checklist

Privilege Escalation is when someone gains more permissions on a system than they are supposed to have.

In simple terms:

👉 You start as a normal user…
👉 But you find a weakness…
👉 And you end up with admin/root control.

Below is a clear, practical privilege-escalation checklist you can use during security assessments, system hardening, or incident response.
It is divided into Windows and Linux and includes what to check, why it matters, and common tools.

1. ENUMERATION (Always the first step)

🔍 System Information

  • OS version & build
  • Kernel version (Linux)
  • Installed patches / missing updates
  • Virtualization or container environment

Commands

  • Windows: systeminfo, wmic qfe, winver
  • Linux: uname -a, lsb_release -a, cat /etc/os-release

2. USER & GROUP INFORMATION

👤 Check for:

  • Current user privileges
  • Sudoers misconfigurations
  • Users with admin/root permissions
  • Reused passwords

Commands

  • Windows: whoami /priv, net user, net localgroup Administrators
  • Linux: id, whoami, sudo -l, cat /etc/passwd
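
The sudoers review above is the one check in this section that is easy to automate. The script below is an added example, not part of the original checklist, and it runs against a constructed sudoers-format file rather than a real `/etc/sudoers`; on a host you would point `audit_sudoers` at `/etc/sudoers` and each file under `/etc/sudoers.d`. It flags three things a reviewer wants to see at a glance: `NOPASSWD` rules, rules that grant `ALL` commands to anyone other than root, and rules whose permitted command is itself a shell. Aliases, `Defaults` and `#include` lines are skipped rather than resolved (an assumption of this example).

```sh
#!/bin/sh
# Added example (not part of the original checklist): audit a sudoers-format
# file for rules that hand out root with no password prompt, unrestricted
# command lists, or a shell as the permitted command.
# Assumption: standard sudoers syntax, one rule per line; aliases, Defaults
# and #include lines are skipped rather than resolved.

audit_sudoers() {
    # $1 = path to a sudoers-format file (on a real host: /etc/sudoers and /etc/sudoers.d/*)
    grep -vE '^[[:space:]]*(#|Defaults|$)' "$1" | while IFS= read -r rule; do
        who=${rule%%[[:space:]]*}   # first field: user, %group, or User_Alias
        cmds=${rule##*[)]}           # everything after the (runas) spec; whole rule if absent
        if printf '%s' "$cmds" | grep -q 'NOPASSWD'; then
            printf 'NOPASSWD      %s\n' "$rule"
        elif [ "$who" != root ] && [ "$(printf '%s' "$cmds" | tr -d '[:space:]')" = ALL ]; then
            printf 'ALL-COMMANDS  %s\n' "$rule"
        elif printf '%s' "$cmds" | grep -qE '(^|[[:space:],])/bin/(ba)?sh([[:space:],]|$)'; then
            printf 'SHELL         %s\n' "$rule"
        fi
    done
}

write_sample_sudoers() {
    # Constructed sample for demonstration; not taken from any real system.
    cat > "$1" <<'EOF'
# constructed sample sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
backup  ALL=(root) /usr/bin/rsync
ops     ALL=(ALL) /bin/bash
alice   ALL=(root) /usr/bin/systemctl status nginx
EOF
}

# Stand-alone run: write the sample, audit it, clean up.
sample=$(mktemp)
write_sample_sudoers "$sample"
audit_sudoers "$sample"
rm -f "$sample"
```

Run as-is and it reports three rules: the `%admin` group with `ALL` (review who is in that group), the `deploy` user's `NOPASSWD` entry, and `ops` being allowed to run `/bin/bash`. The `backup` and `alice` rules, which name a single non-shell binary, pass. On Windows the equivalent review is the output of `whoami /priv` and `net localgroup Administrators` listed above; that is not covered by this script.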

3. RUNNING PROCESSES & SERVICES

🧩 Look for:

  • Weak service permissions
  • Services running as SYSTEM/root
  • Unquoted service paths
  • Writable directories used by services

Commands

  • Windows: tasklist /v, sc qc <service>, wmic service get name,pathname,startname
  • Linux: ps aux, systemctl list-units, crontab -l

4. FILESYSTEM & PERMISSIONS

🔑 Check:

  • Writable directories owned by root/admin
  • Config files with credentials
  • World-writable scripts used by privileged services

Commands

  • Windows: icacls
  • Linux: find / -type f -perm -4000 2>/dev/null (SUID binaries), find / -writable -type d 2>/dev/null
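
The two `find` commands above produce long lists on any real system, and the useful question is not "what is setuid?" but "what is setuid that should not be?". The script below is an added example, not part of the original checklist: it compares the setuid files under a path against an approved baseline (one absolute path per line, captured when the image was built) and separately lists world-writable directories that lack the sticky bit, which is the condition that lets one user replace another user's files. It builds and scans a constructed temporary tree owned by the current user so it runs without root; on a host you would scan `/` and keep the baseline in version control.

```sh
#!/bin/sh
# Added example (not part of the original checklist): compare the setuid
# binaries found under a path against an approved baseline, and list
# world-writable directories that lack the sticky bit. On a real host run
# with "/" and a baseline captured at build time; here a constructed tree is used.
# Assumption: the baseline file holds one absolute path per line.

audit_suid() {
    # $1 = directory to scan, $2 = baseline file. Prints setuid files not in the baseline.
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort | while IFS= read -r f; do
        grep -qxF -e "$f" "$2" || printf 'UNEXPECTED-SUID %s\n' "$f"
    done
}

audit_world_writable_dirs() {
    # $1 = directory to scan. World-writable without the sticky bit lets any user
    # replace another user's files there (the risk behind item 4 of the checklist).
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

build_sample_tree() {
    # Constructed sample tree owned by the current user, so chmod works without root.
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/shared" "$root/tmp"
    chmod 0755 "$root/bin"
    printf '#!/bin/sh\n' > "$root/bin/expected";   chmod 4755 "$root/bin/expected"
    printf '#!/bin/sh\n' > "$root/bin/unexpected"; chmod 4755 "$root/bin/unexpected"
    chmod 0777 "$root/shared"        # world-writable, no sticky bit: flagged
    chmod 1777 "$root/tmp"           # world-writable with sticky bit: accepted, like /tmp
    printf '%s\n' "$root/bin/expected" > "$root/baseline.txt"
    printf '%s\n' "$root"
}

# Stand-alone run over the constructed tree.
root=$(build_sample_tree)
audit_suid "$root" "$root/baseline.txt"
audit_world_writable_dirs "$root"
rm -rf "$root"
```

On the constructed tree the output is one `UNEXPECTED-SUID` line for `bin/unexpected` and one directory, `shared`; `bin/expected` is in the baseline and `tmp` carries the sticky bit, so neither is reported. A new line in this report after a deployment is exactly the kind of change worth an alert.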

5. SENSITIVE CREDENTIALS & TOKENS

🔐 Search for:

  • Hardcoded passwords
  • SSH keys
  • Saved credentials in files
  • Windows Credential Manager secrets
  • Browser saved logins

Windows Commands:

  • cmdkey /list
  • PowerShell history: Get-History for the current session, or the ConsoleHost_history.txt file for saved history

Linux Commands:

  • cat ~/.ssh/id_rsa
  • grep -Ri "password" /var/www/
  • history

6. SCHEDULED TASKS / CRON JOBS

🕒 Why?

Misconfigured jobs running as root/admin may call scripts you can modify.

Windows:

  • schtasks /query /fo LIST /v

Linux:

  • cat /etc/crontab
  • ls -al /etc/cron.*
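
Reading `/etc/crontab` tells you which scripts run as root; the follow-up check is whether anyone other than root can change those scripts. The script below is an added example, not part of the original checklist: it parses a system-crontab-format file (minute, hour, day, month, weekday, user, command), and for each absolute command path reports whether the file is writable by group or others, sits in a world-writable directory without the sticky bit, or is missing altogether. It works on a constructed temporary crontab and scripts; on a host you would run it over `/etc/crontab` and each file in `/etc/cron.d`. `@reboot`-style lines and commands resolved through `PATH` (such as `run-parts`) are skipped, which is an assumption of this example.

```sh
#!/bin/sh
# Added example (not part of the original checklist): audit a system-crontab-
# format file (min hour dom mon dow user command) for jobs whose script is
# writable by group/others, sits in a world-writable directory, or is missing.
# Assumption: five-field schedules only; @reboot-style lines and commands
# resolved via PATH (for example run-parts) are skipped.

audit_crontab() {
    # $1 = crontab file. On a real host: /etc/crontab plus each file in /etc/cron.d.
    grep -vE '^[[:space:]]*(#|[A-Za-z_]+=|$)' "$1" \
      | awk 'NF >= 7 { print $6, $7 }' \
      | while read -r user cmd; do
        case "$cmd" in /*) ;; *) continue ;; esac   # relative command: found via PATH, not checked here
        dir=$(dirname "$cmd")
        if [ ! -e "$cmd" ]; then
            printf 'MISSING          %s runs %s\n' "$user" "$cmd"
        elif [ -n "$(find "$cmd" -prune \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]; then
            printf 'WRITABLE-SCRIPT  %s runs %s\n' "$user" "$cmd"
        elif [ -n "$(find "$dir" -prune -perm -0002 ! -perm -1000 2>/dev/null)" ]; then
            printf 'WRITABLE-DIR     %s runs %s (in %s)\n' "$user" "$cmd" "$dir"
        fi
    done
}

build_sample_cron() {
    # Constructed sample: two scripts and a crontab under a temp dir. Prints the dir.
    root=$(mktemp -d)
    printf '#!/bin/sh\necho ok\n' > "$root/safe.sh";  chmod 0755 "$root/safe.sh"
    printf '#!/bin/sh\necho ok\n' > "$root/loose.sh"; chmod 0777 "$root/loose.sh"
    cat > "$root/crontab" <<EOF
SHELL=/bin/sh
# constructed sample crontab
0 2 * * *   root $root/safe.sh
*/5 * * * * root $root/loose.sh --quiet
30 4 * * 7  root $root/missing.sh
17 * * * *  root run-parts /etc/cron.hourly
EOF
    printf '%s\n' "$root"
}

# Stand-alone run over the constructed crontab.
root=$(build_sample_cron)
audit_crontab "$root/crontab"
rm -rf "$root"
```

The sample produces two findings: `loose.sh` is writable by everyone, and `missing.sh` does not exist, so whoever can create it decides what root runs at 04:30 on Sundays. `safe.sh` (mode 0755 in a private directory) is silent, and the `run-parts` line is skipped. The fix in both flagged cases is the same: root-owned, mode 0755 or tighter, in a root-owned directory.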

7. NETWORK & APPLICATION ENUMERATION

🕸 Identify:

  • Listening ports
  • Local services exposing admin interfaces
  • Weak authentication or misconfigurations

Commands

  • Windows: netstat -ano
  • Linux: ss -tulpn

8. EXPLOITABLE SOFTWARE & KERNEL VERSIONS

🎯 Check for:

  • Known kernel exploits
  • CVEs affecting installed software
  • Deprecated applications

Tools

  • Linux: linux-exploit-suggester, linpeas.sh
  • Windows: windows-privesc-check, WinPEAS.exe

9. PRIVILEGE ESCALATION PATHS TO TEST

🔥 Common Techniques

  • SUID exploitation (Linux)
  • DLL hijacking / service binary replacement (Windows)
  • Unquoted service paths
  • Abuse of sudo allowed commands
  • Token impersonation (Windows)
  • Cron jobs with weak permissions
  • Capabilities abuse (getcap -r /)
  • Docker/LXC escape
  • Weak registry permissions (Windows)

10. LOGS & EVIDENCE CHECK

📝 Look for:

  • Failed login attempts
  • Known exploitation patterns
  • Suspicious service modifications

Log sources

  • Windows: Event Viewer
  • Linux: /var/log/auth.log, /var/log/syslog
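
To make the "failed login attempts" item concrete, here is an added example, not part of the original checklist, of detection logic run over `auth.log`-style lines. It counts SSH password failures per source address, surfaces sources at or above a threshold, and lists sudo and su denials, which are the log traces of someone trying to become root and being stopped. The log lines are constructed for this example (RFC 5737 documentation addresses) and assume the Debian/Ubuntu format of sshd, sudo and su messages; on a host you would run the functions against `/var/log/auth.log`.

```sh
#!/bin/sh
# Added example (not part of the original checklist): run simple detection logic
# over auth.log-style lines: count SSH password failures per source address,
# surface sources above a threshold, and list sudo/su denials.
# Assumption: Debian/Ubuntu sshd, sudo and su log formats as in the constructed sample.

failed_logins_by_source() {
    # $1 = log file. Prints "<count> <source-ip>", most frequent first.
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

brute_force_sources() {
    # $1 = log file, $2 = threshold. Prints source addresses with at least $2 failures.
    failed_logins_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

privilege_denials() {
    # $1 = log file. sudo refusals and failed su attempts.
    grep -E 'sudo:.*(NOT in sudoers|incorrect password attempts)|su(\[[0-9]+\])?: FAILED SU' "$1"
}

write_sample_log() {
    # Constructed sample lines (RFC 5737 documentation addresses); not from a real host.
    cat > "$1" <<'EOF'
Mar  3 10:01:12 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:15 host sshd[1234]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:02:01 host sshd[1240]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar  3 10:03:44 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:04:02 host sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/service nginx restart
Mar  3 10:05:19 host sshd[1250]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:05:40 host sshd[1252]: Failed password for deploy from 198.51.100.7 port 40030 ssh2
Mar  3 10:06:00 host su[1260]: FAILED SU (to root) bob on pts/1
EOF
}

# Stand-alone run over the constructed log.
log=$(mktemp)
write_sample_log "$log"
echo "failures by source:";   failed_logins_by_source "$log"
echo "sources at or above 3:"; brute_force_sources "$log" 3
echo "denials:";              privilege_denials "$log"
rm -f "$log"
```

On the sample, `203.0.113.5` has three failures (two of them against root) and crosses the threshold, `198.51.100.7` has one and does not, and `privilege_denials` returns bob's refused sudo and his failed su. The successful `Accepted publickey` line is deliberately not counted; a pass over successful root logins from unexpected sources is the natural next check to add.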