Identify and perform privilege escalation and integrity-level elevation
-
AutoElevate executables
| Some core Windows executables are able to auto-elevate to a higher integrity level.
| (Get-Command calc.exe).Path
| sigcheck -m C:\WINDOWS\system32\calc.exe
-
Scheduled Tasks
| Vulnerable scheduled tasks will have a "Run as User" or "Task to Run"
-
Malicious DLL
| If an application tries to call a DLL that doesn't exist, an attacker can create a fake DLL to exploit it.
-
Vulnerable Services
| Services are actually DLLs run by svchost.exe at the system level. Most services are run out of system32; however, there are non-standard locations. If an attacker has delete/write permissions, the service can be compromised.