Windows Privilege Escalation

Privileges on the Windows operating system refer to the permissions of a specific account to perform system-related local operations.

Here's a nice checklist

Important Information

Below is important information on the Windows security model. This contains information about users, groups, security tokens, and access control.

Security Identifier (SID)

Security Identifier (SID): Each user, group, and process that runs in the security context of an account is identified by a unique SID, issued by an authority such as a Windows domain controller.

NOTE: Windows uses SIDs, not usernames, to identify principals for access control. The SID is stored in a security database; when a new account or group is created, a SID is created to go with it.

NOTE: SIDs are a fundamental building block of the Windows security model.

Security Identifier (SID) Architecture

A security identifier is a variable-length data structure stored in binary format; the familiar "S-1-5-..." form is its string representation.

A SID looks like:

S-1-5-21-1004336348-1177238915-682003330-512

The first values in the structure (the revision and the identifier authority) describe the SID structure itself.

The remaining values (the subauthorities) are arranged in a hierarchy, similar to a telephone number: the leading values identify the domain and the last value identifies the account or group within it.

The individual values of a SID are described in the following table:

Revision: Indicates the version of the SID structure that's used in a particular SID.

Identifier authority: Identifies the highest level of authority that can issue SIDs for a particular type of security principal. For example, the identifier authority value in the SID for the Everyone group is 1 (World Authority). The identifier authority value in the SID for a specific Windows Server account or group is 5 (NT Authority).

Subauthorities: Holds the most important information in a SID, which is contained in a series of one or more subauthority values. All values up to, but not including, the last value in the series collectively identify a domain in an enterprise. This part of the series is called the domain identifier. The last value in the series, which is called the relative identifier (RID), identifies a particular account or group relative to a domain.
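As an added example (not code from the original page), the following Python splits a SID string into the fields described above, names the RID where it is a well-known one, and encodes the SID in the binary layout Windows uses. The binary layout and the well-known RID table come from general Windows documentation, not from this page; the validation limits are assumptions.

```python
# Added example (not from the original page): split a SID string into the
# fields described above and encode it in the binary SID layout.
import struct
from dataclasses import dataclass

# Constructed lookup of a few well-known RIDs (general Windows documentation).
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins",
                   513: "Domain Users", 519: "Enterprise Admins"}


@dataclass(frozen=True)
class SID:
    revision: int
    identifier_authority: int
    subauthorities: tuple

    @property
    def domain_identifier(self) -> tuple:
        return self.subauthorities[:-1]   # all but the last value = domain

    @property
    def rid(self) -> int:
        return self.subauthorities[-1]    # last value = relative identifier

    def rid_name(self) -> str:
        return WELL_KNOWN_RIDS.get(self.rid, "unknown")

    def __str__(self) -> str:
        return "S-%d-%d-%s" % (self.revision, self.identifier_authority,
                               "-".join(str(s) for s in self.subauthorities))


def parse_sid(text: str) -> SID:
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("malformed SID: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = tuple(int(p) for p in parts[3:])
    # Only revision 1 is defined; authority is 48-bit, subauthorities are 32-bit,
    # and Windows allows at most 15 of them.
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15 or max(subs) >= 1 << 32:
        raise ValueError("unsupported SID: %r" % text)
    return SID(revision, authority, subs)


def to_binary(sid: SID) -> bytes:
    # Layout: revision (1 byte), subauthority count (1 byte), identifier
    # authority (6 bytes big-endian), then 4-byte little-endian subauthorities.
    header = struct.pack("<BB", sid.revision, len(sid.subauthorities))
    authority = sid.identifier_authority.to_bytes(6, "big")
    return header + authority + b"".join(struct.pack("<I", s) for s in sid.subauthorities)
```

Parsing the page's sample SID yields domain identifier (21, 1004336348, 1177238915, 682003330) and RID 512, which is why that SID denotes the domain's Domain Admins group.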

User Account Control (UAC):

User Account Control (UAC): UAC helps protect the system by requiring administrative approval or credentials for certain tasks, even when the user is logged in as an administrator.

Access Tokens:

Access Tokens: Access tokens are data structures associated with a user or process.

Each time a user logs in, Windows creates an access token for that user. The access token contains the user's SID, the user's rights (privileges), and the SIDs of any groups the user belongs to. Windows checks this token for every action the user performs on that computer. Here's a full list of its contents:

Access Token Impersonation:

Access Control Lists (ACLs)

Access Control Lists (ACLs): ACLs are used to specify the permissions associated with an object. They list the users or groups and their corresponding access rights.
