- The primary goal of Windows privesc is to further our access to a given system to a member of the `Local Administrators` group or the `NT AUTHORITY\SYSTEM` [LocalSystem](https://docs.microsoft.com/en-us/windows/win32/services/localsystem-account) account
- While privesc may be the ultimate goal of our pentest assessment if our client hires us for a "gold image" or "workstation breakout" type assessment, privesc is often just a vital step to continue lateral movement through a network towards our ultimate objective, such as a domain controller
- Potential reasons for privesc:
  - When testing a client's [gold image](https://www.techopedia.com/definition/29456/golden-image) Windows workstation and server build for flaws
  - To escalate privileges locally to gain access to some local resource, such as a db
  - To gain [NT AUTHORITY\System](https://docs.microsoft.com/en-us/windows/win32/services/localsystem-account) level access on a domain-joined machine to gain a foothold into the client's Active Directory environment
  - To obtain creds to move laterally or escalate privileges within the client's network
- While Windows presents a vast attack surface, below are some example privesc vectors:
  - Abusing Windows group privs
  - Abusing Windows user privs
  - Bypassing UAC
  - Abusing weak service/file perms
  - Leveraging unpatched kernel exploits
  - Cred theft
  - Traffic capture
- Typical reasons that privesc vectors are introduced and go unnoticed include personnel and budget
- Many organizations simply do not have the personnel to properly keep up with patching, vulnerability management, periodic internal assessments (self-assessments), continuous monitoring, and larger, more resource-intensive initiatives such as workstation upgrades, server upgrades, and file share audits