| name | privesc-windows |
| description | Use when escalating privileges on a Windows host — SeImpersonate Potato chains (GodPotato/PrintNotifyPotato), service & DLL hijacking, UAC bypass (fodhelper/ICMLuaUtil), kernel EoP + BYOVD (CVE-2025-29824), token-rights abuse, LSASS/SAM/DPAPI credential harvesting |
| metadata | {"type":"offensive","phase":"post-exploitation","tools":"winpeas, seatbelt, privesccheck, sharpup, godpotato, sigmapotato, printnotifypotato, fullpowers, edrsandblast, mimikatz, nanodump, pypykatz, impacket-secretsdump","mitre":"TA0004"} |
| kill_chain | {"phase":["exploit","actions"],"step":[4,7],"attck_tactics":["TA0004","TA0005","TA0006"],"attck_techniques":["T1134","T1134.001","T1134.002","T1543.003","T1574.001","T1574.009","T1574.010","T1548.002","T1068","T1211","T1003.001","T1003.002","T1555.004","T1053.005","T1547.001"]} |
| depends_on | ["network-attack","exploit-development"] |
| feeds_into | ["red-team-ops","advanced-redteam","active-directory-attack","edr-evasion"] |
| inputs | ["shell_access","os_fingerprint","service_account_context"] |
| outputs | ["elevated_access","system_token","credential_dump","finding_record"] |
| references | ["references/enumeration-triage.md","references/token-impersonation-potatoes.md","references/service-dll-hijacking.md","references/uac-bypass.md","references/kernel-byovd.md","references/credential-harvesting.md"] |
| scripts | ["scripts/win_privesc_triage.ps1","scripts/check_potato.py","scripts/service_hijack_audit.ps1","scripts/uac_bypass.ps1","scripts/byovd_loader.c"] |