Course Roadmap
This complete Windows Privilege Escalation course covers all core local escalation vectors together with modern defensive context. Practice each module in labs and verify every result with proof artifacts.
Module 1 — Windows Security Fundamentals
- Integrity levels, UAC, privileges vs rights
- Access tokens and impersonation model
- SIDs, groups, ACL/DACL/SACL basics
- Service accounts and trust boundaries
Module 2 — Enumeration Workflow
whoami /all
systeminfo
wmic qfe get Caption,Description,HotFixID,InstalledOn
Get-LocalUser; Get-LocalGroup; net localgroup administrators
Get-Service | ? {$_.Status -eq 'Running'}
Pair manual checks with winPEAS/Seatbelt/PowerUp and validate every finding manually.
Module 3 — Credential Access for PrivEsc
- Saved creds, unattended files, config leaks
- Registry secrets and LSA-protected context
- DPAPI awareness and operational boundaries
- Password reuse from app/service accounts
Module 4 — Service Misconfigurations
- Unquoted service paths
- Weak service permissions (change config/binpath)
- Writable service binaries
- Auto-start privilege abuse chains
Module 5 — Scheduled Tasks Abuse
- Writable script/binary targets executed as SYSTEM
- Task folder ACL weaknesses
- Task trigger abuse and reliability checks
Module 6 — Registry-based Escalation
- AlwaysInstallElevated
- AutoRun and startup execution opportunities
- Insecure COM registration patterns
Module 7 — Token Privilege Abuse
- SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege
- Potato-family concepts and constraints
- Juicy/Print/Sweet potato class operational checks
Module 8 — UAC Bypass Concepts
- Auto-elevated binaries and hijack points
- Environment/registry-based bypass ideas
- Patch-level and build-specific caveats
Module 9 — DLL Hijacking & Search Order
- Missing DLL opportunities in privileged context
- PATH and application dir search abuse
- Service-related DLL replacement scenarios
Module 10 — File/Folder ACL Abuse
- icacls triage for writable privileged paths
- Program Files and service folders
- Startup folders and privileged script locations
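As an added example (not part of the course materials or of any tool the course names), the following PowerShell script is a read-only local audit covering three of the checks listed above: unquoted service paths (Module 4), the AlwaysInstallElevated policy (Module 6) and write access held by non-administrators on service binaries and their folders (Module 10, done with Get-Acl rather than icacls). The function names, the trusted-principal list and the output layout are choices made for this example; the Win32_Service fields and the AlwaysInstallElevated registry locations are standard. It changes nothing on the host and produces a table with a remediation column.

```powershell
# Added example: read-only local audit for three misconfiguration classes named in
# Modules 4, 6 and 10. Nothing here modifies services, files or the registry.
# Function names, the trusted-principal list and the output shape are choices made
# for this example, not part of any tool the course references.

# Principals expected to hold write access on privileged paths; any other principal
# with write rights is reported. CREATOR OWNER is skipped because it is a placeholder
# SID replaced by the creator of each new object, not a fixed identity.
$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                       'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-ServiceExecutable {
    # Returns the executable portion of a service ImagePath, dropping any arguments.
    param([string]$ImagePath)
    if ($ImagePath -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($ImagePath -match '^\s*(.+?\.exe)') { return $Matches[1] }   # -match is case-insensitive
    return $null
}

function Test-UnquotedServicePath {
    # True when the executable path is unquoted and contains a space (Module 4 finding).
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath) -or $ImagePath -match '^\s*"') { return $false }
    $exe = Get-ServiceExecutable $ImagePath
    return ($null -ne $exe) -and $exe.Contains(' ')
}

function Get-UntrustedWriters {
    # Lists principals outside $TrustedPrincipals holding Write, Modify or FullControl
    # on a file or folder (Module 10 triage). Unreadable ACLs are skipped, not reported.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    $writers = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($TrustedPrincipals -contains $who) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0) { $who }
    }
    return @($writers | Sort-Object -Unique)
}

function Test-AlwaysInstallElevated {
    # The policy is only effective when both the machine and the user value are 1 (Module 6).
    $base = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $machine = (Get-ItemProperty -Path "HKLM:\$base" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $user    = (Get-ItemProperty -Path "HKCU:\$base" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    return ($machine -eq 1) -and ($user -eq 1)
}

function Invoke-LocalPrivEscAudit {
    # Walks every installed service and returns one object per finding.
    $findings = New-Object System.Collections.Generic.List[object]
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $image = $svc.PathName
        if (Test-UnquotedServicePath $image) {
            $findings.Add([pscustomobject]@{ Check = 'UnquotedServicePath'; Service = $svc.Name; Detail = $image
                Fix = 'Wrap the executable path in quotes (sc.exe config <name> binPath= "...")' })
        }
        $exe = Get-ServiceExecutable $image
        if (-not $exe) { continue }
        # Check both the binary itself and the folder that contains it.
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            $writers = Get-UntrustedWriters $target
            if ($writers.Count -gt 0) {
                $findings.Add([pscustomobject]@{ Check = 'WritableServicePath'; Service = $svc.Name
                    Detail = "$target writable by $($writers -join ', ')"
                    Fix = 'Remove write access for non-administrators (icacls <path> /remove:g <principal>)' })
            }
        }
    }
    if (Test-AlwaysInstallElevated) {
        $findings.Add([pscustomobject]@{ Check = 'AlwaysInstallElevated'; Service = '-'
            Detail = 'HKLM and HKCU AlwaysInstallElevated are both set to 1'
            Fix = 'Set both values to 0 or remove them via Group Policy' })
    }
    return $findings
}

Invoke-LocalPrivEscAudit | Format-Table -AutoSize -Wrap
```

Run it unelevated to see what an ordinary user could write to, and elevated for full coverage of ACLs the user cannot read. Every finding should still be confirmed by hand, as Module 2 advises for tool output, before it goes into a report.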
Module 11 — AV/EDR-Aware Execution Strategy
- Living-off-the-land preference
- PowerShell constrained language considerations
- Operational logging and detection minimization
Module 12 — AD-Adjacent Local PrivEsc
- Local admin to domain impact pathways
- Credential material for lateral movement readiness
- GPP leftovers, mapped drives, delegated creds
Module 13 — Patch & Exploit Triage
- Build number to exploit matrix mindset
- Kernel/local exploit risk decisions
- Safer alternatives before exploit usage
Module 14 — Persistence vs Assessment Ethics
- When not to persist
- Engagement-safe evidence collection
- Cleanup and rollback discipline
Module 15 — Reporting Like a Pro
- Exact reproduction steps
- Impact narrative in business language
- Mitigation with technical and policy controls
Hands-on Labs (Mandatory)
- 10 beginner labs (service/task basics)
- 10 intermediate labs (token/registry/UAC chains)
- 10 advanced labs (multi-step SYSTEM escalation + AD context)
Final Exam Blueprint
- Enumeration in 7 minutes
- Prioritized attack tree
- SYSTEM escalation with minimal noise
- Defender-ready remediation report
Conclusion
By mastering this course, you can consistently escalate from low-privileged Windows access to Administrator/SYSTEM with structured methodology and strong reporting quality.