Click here to watch the full video on YouTube
Language: Italian
English subtitles available via YouTube captioning
This project explores four distinct Windows privilege escalation techniques, each documented with a full written report covering the complete attack lifecycle: prerequisites and environment setup, manual enumeration of the vulnerable condition, practical exploitation to achieve SYSTEM-level access, and mitigations and countermeasures to defend against it.
The entire infrastructure was built in a controlled virtual lab environment using VMware Workstation. The accompanying video demonstration focuses on the SeBackupPrivilege technique, walking through the entire process from enumeration to SYSTEM-level access via Pass-the-Hash. All four techniques are fully documented in the project report.
The four techniques analyzed are:
- AlwaysInstallElevated – Abusing the Windows Installer policy so that a malicious MSI package is installed by the Windows Installer service as NT AUTHORITY\SYSTEM, with no UAC prompt involved.
- SeImpersonatePrivilege – Leveraging the impersonation privilege with GodPotato to escalate from a standard user to NT AUTHORITY\SYSTEM.
- SeBackupPrivilege – Extracting SAM and SYSTEM registry hives to obtain NTLM hashes and performing Pass-the-Hash authentication. (video demonstration)
- Weak Service Permissions – Exploiting misconfigured service ACLs to redirect a service's binary path to a malicious payload.
| Machine | OS | Role |
|---|---|---|
| Attacker | Kali Linux | Payload generation, listeners, remote exploitation |
| Victim | Windows 11 Pro | Target system with misconfigured policies/services |
| Phase | Description |
|---|---|
| Vulnerability | The "Always install with elevated privileges" Group Policy is enabled in both Computer Configuration and User Configuration, allowing any user to run MSI packages with SYSTEM privileges |
| Enumeration | reg query on HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer and on the same key under HKCU shows AlwaysInstallElevated REG_DWORD 0x1 in both hives; the policy only takes effect when both values are set |
| Exploitation | A malicious MSI (reverse shell) is generated with msfvenom, transferred via Netcat, and installed silently with msiexec /quiet /qn /i, which yields a SYSTEM shell |
| Key Concepts | Windows Installer service (msiexec.exe) performing installs as SYSTEM, why no UAC consent prompt appears, Mandatory Integrity Control (MIC) levels (Low/Medium/High/System) |
| Phase | Description |
|---|---|
| Vulnerability | The SeImpersonatePrivilege right is assigned to a standard user via Local Security Policy, allowing token impersonation |
| Enumeration | whoami /priv over a remote Netcat shell confirms the privilege is enabled |
| Exploitation | GodPotato-NET4 coerces a SYSTEM-context DCOM authentication, impersonates the captured token, and spawns a reverse shell as NT AUTHORITY\SYSTEM. The GodPotato build (NET2/NET35/NET4) must match the .NET Framework runtime installed on the target |
| Key Concepts | Access tokens, impersonation levels, Potato family exploits, .NET Framework version detection |
| Phase | Description |
|---|---|
| Vulnerability | SeBackupPrivilege is granted to a standard user; a process that opens objects with backup semantics (reg.exe, robocopy /b) can then read any file regardless of its ACL, including the SAM and SYSTEM hives that a normal read cannot reach |
| Enumeration | Evil-WinRM session + SharpUp audit TokenPrivileges confirms the privilege as abusable. whoami /priv lists it as Disabled; that is the normal state of a freshly logged-on token and does not block the attack, because reg.exe enables the privilege itself before saving the hive |
| Exploitation | SAM and SYSTEM hives are exported via reg save, transferred to Kali, and processed with impacket-secretsdump to extract NTLM hashes. The Administrator hash is used for Pass-the-Hash authentication via Evil-WinRM |
| Key Concepts | Registry hives (SAM/SYSTEM), boot key / syskey, NTLM hashing, Pass-the-Hash, WinRM remoting |
| Phase | Description |
|---|---|
| Vulnerability | A custom Windows service has an overly permissive DACL: BUILTIN\Users holds DC (SERVICE_CHANGE_CONFIG), RP (SERVICE_START) and WP (SERVICE_STOP), which is enough to change the service's binary path and restart it |
| Enumeration | SharpUp audit ModifiableServices identifies the vulnerable service as modifiable by the current standard user |
| Exploitation | The service's binPath is redirected to a reverse shell payload (sys.exe) with sc config <service> binPath= <path>\sys.exe (sc requires the space after binPath=). When the service is started (running as LocalSystem), the payload executes with SYSTEM privileges; because the payload never registers with the Service Control Manager, the SCM terminates it after its start timeout, so the shell has to outlive that by running in a separate process |
| Key Concepts | Service ACLs (SDDL/DACL), Service Control Manager, binPath hijacking, AUTO_START persistence |
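The enumeration steps in the four tables above can be run as one read-only audit from the standard user's PowerShell session on the victim. The script below is an added example, not code from the project; it relies only on built-in tools (the registry provider, whoami.exe, sc.exe) and reports the same three conditions that the tables check by hand: the AlwaysInstallElevated policy, the token privileges that Potato-style and backup-based attacks abuse, and services whose DACL lets a low-privilege principal reconfigure them.

```powershell
# Added example (not the project's own code): read-only audit of the
# misconfigurations described above, from a standard user's PowerShell session.

function Test-AlwaysInstallElevated {
    # msiexec honours the policy only when BOTH the HKLM and HKCU values are 1.
    $key = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $result = [ordered]@{}
    foreach ($hive in 'HKLM', 'HKCU') {
        $value = 0   # a missing key or value means "not set"
        try {
            $path  = '{0}:\{1}' -f $hive, $key
            $value = (Get-ItemProperty -Path $path -Name AlwaysInstallElevated -ErrorAction Stop).AlwaysInstallElevated
        } catch { }
        $result[$hive] = $value
    }
    $result['Exploitable'] = ($result['HKLM'] -eq 1 -and $result['HKCU'] -eq 1)
    [pscustomobject]$result
}

function Get-AbusableTokenPrivilege {
    # whoami /priv lists every privilege held by the token, enabled or not.
    # "Disabled" is not a blocker: reg.exe and the Potato tools enable the
    # privilege themselves with AdjustTokenPrivileges before using it.
    $abusable = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege',
                'SeBackupPrivilege', 'SeRestorePrivilege', 'SeDebugPrivilege',
                'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege'
    whoami.exe /priv /fo csv | ConvertFrom-Csv |
        Where-Object { $abusable -contains $_.'Privilege Name' } |
        Select-Object -Property 'Privilege Name', 'State'
}

function Get-ModifiableService {
    # Parse each service DACL (sc sdshow) and flag ACEs that grant a low-privilege
    # principal a right that allows reconfiguring the service.
    # SDDL rights: DC = SERVICE_CHANGE_CONFIG, WD = WRITE_DAC, WO = WRITE_OWNER,
    #              GA/GW = generic all/write.
    # SDDL SIDs:   BU = Users, AU = Authenticated Users, WD = Everyone, IU = Interactive.
    $lowPriv   = 'BU', 'AU', 'WD', 'IU'
    $dangerous = 'DC', 'WD', 'WO', 'GA', 'GW'
    foreach ($svc in Get-Service) {
        $sddl = (sc.exe sdshow $svc.Name 2>$null | Where-Object { $_ -like 'D:*' }) -join ''
        if (-not $sddl) { continue }   # no READ_CONTROL on this service: cannot tell
        # An allow ACE looks like (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU); audit ACEs (AU;...) are skipped.
        foreach ($ace in [regex]::Matches($sddl, '\(A;[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)')) {
            $rights = [regex]::Matches($ace.Groups[1].Value, '..') | ForEach-Object Value  # two-letter tokens
            $sid    = $ace.Groups[2].Value
            $hits   = $rights | Where-Object { $dangerous -contains $_ }
            if ($lowPriv -contains $sid -and $hits) {
                [pscustomobject]@{ Service = $svc.Name; Principal = $sid; Rights = ($hits -join ',') }
            }
        }
    }
}

'--- AlwaysInstallElevated ---';                     Test-AlwaysInstallElevated | Format-List
'--- Token privileges worth abusing ---';            Get-AbusableTokenPrivilege | Format-Table -AutoSize
'--- Services reconfigurable by low-privilege SIDs ---'; Get-ModifiableService | Format-Table -AutoSize
```

The service check splits the SDDL rights string into two-letter tokens before matching, because a plain substring test for `DC` would also fire on the boundary between `SD` and `CR`. Principals that appear as full `S-1-5-21-...` SIDs (for example a specific low-privilege user granted rights directly) are not in the short-name list and would need to be added to `$lowPriv` by SID.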
```text
┌─────────────────────────────────────────────────────────────────┐
│                STANDARD USER (Medium Integrity)                 │
├─────────────┬───────────────┬──────────────┬────────────────────┤
│ AlwaysInst. │ SeImpersonate │ SeBackup     │ Weak Svc Perms     │
│ Elevated    │ Privilege     │ Privilege    │                    │
├─────────────┼───────────────┼──────────────┼────────────────────┤
│ msfvenom    │ GodPotato     │ reg save     │ sc config binPath  │
│ MSI payload │ token capture │ SAM+SYSTEM   │ → malicious exe    │
│ msiexec /qn │ → SYSTEM      │ secretsdump  │ sc start service   │
│             │ shell         │ Pass-the-Hash│                    │
├─────────────┴───────────────┴──────────────┴────────────────────┤
│             NT AUTHORITY\SYSTEM (System Integrity)              │
└─────────────────────────────────────────────────────────────────┘
```
| Technique | Primary Mitigation |
|---|---|
| AlwaysInstallElevated | Disable the policy in both Computer and User Configuration via gpedit.msc or GPO (equivalently, set both AlwaysInstallElevated values to 0). UAC settings do not close this path, because the Windows Installer service performs the install as SYSTEM without any consent prompt; keeping UAC at its maximum level is defense in depth only |
| SeImpersonatePrivilege | Assign the privilege only to the service accounts that need it (by default LOCAL SERVICE, NETWORK SERVICE and IIS application pool identities hold it), never to interactive users; where a service genuinely needs it, run it under a dedicated virtual or managed service account with the smallest set of rights |
| SeBackupPrivilege | Remove the privilege from non-administrative users (Administrators and Backup Operators are the only default holders); disable or restrict WinRM (TCP 5985/5986) if not needed; limit the value of a stolen local hash with unique per-host local administrator passwords (LAPS) and by denying network logon to local accounts |
| Weak Service Permissions | Fix the service DACL (sc sdset) so that non-admin principals keep at most query and start rights and never SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER; run services under least-privilege accounts (LocalService, NetworkService or a virtual service account) instead of LocalSystem |
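The mitigations in the table can be applied with built-in tooling from an elevated PowerShell session. The script below is an added example, not code from the project: it turns the policy off in both hives, removes a user-rights assignment with secedit (the Carbon module listed among the tools does the same with Revoke-CPrivilege), and rewrites a service DACL without the ACEs that grant rights to low-privilege principals. The service name VulnSvc and the account lowpriv are placeholders.

```powershell
# Added example (not the project's own code): remediation for the four
# conditions, run from an elevated PowerShell session. 'VulnSvc' and
# 'lowpriv' are placeholder names.
#Requires -RunAsAdministrator

function Disable-AlwaysInstallElevated {
    # Setting both values to 0 is enough locally. A GPO will re-apply the setting
    # at the next refresh, so fix the policy source as well. HKCU is per user:
    # this touches the current (admin) user's hive; the User Configuration policy
    # is what sets it for everyone else.
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = '{0}:\SOFTWARE\Policies\Microsoft\Windows\Installer' -f $hive
        if (Test-Path $path) {
            Set-ItemProperty -Path $path -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
    }
}

function Remove-UserRight {
    # Drop one account from a user-rights assignment using secedit export/import.
    # The right disappears from the user's token only at their next logon.
    param([string]$Privilege, [string]$Account)
    $inf = Join-Path $env:TEMP 'rights.inf'
    $db  = Join-Path $env:TEMP 'rights.sdb'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).
               Translate([System.Security.Principal.SecurityIdentifier]).Value
    $lines = Get-Content $inf | ForEach-Object {
        if ($_ -match "^$Privilege\s*=") {
            # Entries are comma-separated; SIDs are prefixed with '*', names are bare.
            $members = ($_ -split '=', 2)[1].Trim() -split ',' |
                       Where-Object { $_ -ne "*$sid" -and $_ -ne $Account }
            '{0} = {1}' -f $Privilege, ($members -join ',')
        } else { $_ }
    }
    Set-Content -Path $inf -Value $lines -Encoding Unicode   # secedit expects UTF-16
    secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

function Repair-ServiceDacl {
    # Remove every ACE for a low-privilege SDDL principal (BU, AU, WD, IU) from the
    # service DACL, keep the SACL untouched, and write the descriptor back.
    param([string]$Name)
    $current = (sc.exe sdshow $Name | Where-Object { $_ -like 'D:*' }) -join ''
    if (-not $current) { throw "Cannot read the security descriptor of service '$Name'" }
    $dacl, $sacl = $current -split '(?=S:)', 2          # split before the SACL marker
    $clean = [regex]::Replace($dacl, '\([^)]*;(BU|AU|WD|IU)\)', '')
    sc.exe sdset $Name ($clean + $sacl) | Out-Null
    sc.exe sdshow $Name                                  # show the result
}

Disable-AlwaysInstallElevated
Remove-UserRight -Privilege SeBackupPrivilege      -Account 'lowpriv'
Remove-UserRight -Privilege SeImpersonatePrivilege -Account 'lowpriv'
Repair-ServiceDacl -Name 'VulnSvc'
```

Repair-ServiceDacl removes the low-privilege ACEs entirely rather than trimming individual rights; if ordinary users legitimately need to start or query the service, add back an ACE with only RP/LC/RC rights. Changing the service's logon account (sc.exe config VulnSvc obj= "NT AUTHORITY\LocalService", again with the space after obj=) is the complementary step that limits what a hijacked binary would run as.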
Cross-cutting recommendations:
- Apply the principle of least privilege across all user accounts, services, and policies
- Enable audit logging for privilege use (Security 4672 at logon, 4673 for sensitive privilege use), service installation and configuration changes (System 7045, Security 4697, Sysmon event 13 on Services\*\ImagePath) and process creation with command lines (Security 4688 with command-line auditing, Sysmon event 1)
- Deploy EDR/SIEM solutions for real-time detection of anomalous privilege escalation patterns
- Regularly audit service configurations and user rights assignments
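The logging recommendations above only pay off if someone queries the events. As an added example that is not part of the project, the script below pulls the traces the four techniques leave in the local logs: privileged logons of ordinary users (4672), command lines typical of the exploitation steps (4688, which needs "Include command line in process creation events" enabled), and service ImagePath rewrites seen by Sysmon (event 13, assuming Sysmon is installed with its default channel name).

```powershell
# Added example (not the project's own code): local hunt for the events the
# four techniques generate. Assumes logon and process-creation auditing with
# command lines, and Sysmon on its default channel.

function ConvertTo-EventData {
    # Flatten an event's <EventData> into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
    $data
}

function Get-PrivEscIndicator {
    param([int]$Hours = 24)
    $since   = (Get-Date).AddHours(-$Hours)
    $watched = 'SeBackupPrivilege', 'SeImpersonatePrivilege', 'SeRestorePrivilege', 'SeDebugPrivilege'

    # 4672: special privileges assigned at logon. Routine for SYSTEM, service and
    # machine accounts; noteworthy for an ordinary user account.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d    = ConvertTo-EventData $_
            $held = $watched | Where-Object { $d.PrivilegeList -match $_ }
            if ($held -and $d.SubjectUserSid -ne 'S-1-5-18' -and $d.SubjectUserName -notmatch '\$$') {
                [pscustomobject]@{ Time = $_.TimeCreated; Indicator = 'Privileged logon'
                                   User = $d.SubjectUserName; Detail = ($held -join ',') }
            }
        }

    # 4688: process creation. Silent msiexec installs, sc config ... binPath= and
    # reg save of the SAM/SYSTEM hives are the command lines used in the four attacks.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d   = ConvertTo-EventData $_
            $cmd = $d.CommandLine
            if ($cmd -match 'msiexec(\.exe)?\s.*/(q|qn|quiet)\b' -or
                $cmd -match '\bsc(\.exe)?\s+config\b.*binpath' -or
                $cmd -match '\breg(\.exe)?\s+save\b.*\\(sam|system)\b') {
                [pscustomobject]@{ Time = $_.TimeCreated; Indicator = 'Suspicious command'
                                   User = $d.SubjectUserName; Detail = $cmd }
            }
        }

    # Sysmon 13: a registry value was set on a service ImagePath (binPath hijack).
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            if ($d.TargetObject -match '\\Services\\[^\\]+\\ImagePath$') {
                [pscustomobject]@{ Time = $_.TimeCreated; Indicator = 'Service ImagePath changed'
                                   User = $d.User; Detail = "$($d.Image) -> $($d.Details)" }
            }
        }
}

Get-PrivEscIndicator -Hours 24 | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The 4672 rule filters out SYSTEM and machine accounts because they always log in with a long privilege list; the interesting case is a human account whose token carries SeBackupPrivilege or SeImpersonatePrivilege, which is exactly the misconfiguration the two privilege-based techniques depend on. GodPotato itself leaves no dedicated event, so the command-line and privileged-logon rules are what catch that path.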
| Resource | Description | Format |
|---|---|---|
| Project Report | Full written report covering all four techniques with detailed explanations, screenshots, commands, and mitigations | PDF (60 pages) |
| Video Demonstration | Practical walkthrough of the SeBackupPrivilege technique | YouTube |
Note: The project report covers all four privilege escalation techniques in depth (prerequisites, enumeration, exploitation, mitigations). The video focuses on the SeBackupPrivilege technique as a practical demonstration.
- Kali Linux (attack platform)
- msfvenom (payload generation)
- Netcat (nc) (file transfer and reverse shells)
- GodPotato (SeImpersonatePrivilege exploitation)
- Evil-WinRM (WinRM remote shell)
- SharpUp (privilege escalation audit)
- Impacket (secretsdump for NTLM hash extraction)
- Carbon PowerShell Module (privilege assignment)
- VMware Workstation (virtualization platform)
- Windows 11 Pro (victim environment)
- Code and README: Released under the MIT License — free to use for educational and research purposes with attribution.
- Project Report (PDF): Released under Creative Commons BY-NC-ND 4.0 — you may share the document with attribution, but you may not modify it or use it for commercial purposes.
Created by Alberto Cirillo — 2026
