TCM Security: Windows Privilege Escalation

Author: TCM Security Research Team
Topic: Windows Privilege Escalation (Cloud-Focused)
Target Audience: Red Teamers, Blue Teamers, Cloud Security Engineers

Abstract

Privilege escalation remains a critical phase in the attack lifecycle, especially within cloud-hosted Windows environments. Tencent Cloud Machine (TCM) instances, while benefiting from cloud security groups and managed services, are still vulnerable to misconfigurations, weak credentials, and unpatched kernel vulnerabilities. This paper explores common Windows privilege escalation vectors from a TCM security perspective, provides practical enumeration techniques, and recommends cloud-specific hardening measures.

1. Introduction

In Tencent Cloud, Windows Server instances (2016, 2019, 2022) are commonly used for AD domain controllers, SQL Server, and application hosts. Once an initial foothold is achieved (e.g., via weak RDP credentials or a vulnerable web app), privilege escalation to SYSTEM or Administrator is often required to disable logging, extract cloud credentials, or move laterally.

    accesschk.exe -uwcqv "Authenticated Users" *

Cloud Risk: Often found in third-party monitoring agents installed by cloud marketplace images.

2.3 AlwaysInstallElevated

If both of the following registry values are set, any MSI package installs with SYSTEM privileges:

    HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated = 1
    HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated = 1

Check the HKLM value with reg query (repeat for HKCU):

    reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

2.4 Unpatched Kernel Exploits (e.g., PrintNightmare, ZeroLogon)

Cloud instances often lag behind on patching. TCM tenants relying on default Tencent Cloud images may miss critical updates.

    Invoke-RestMethod -Uri "http://metadata.tencentyun.com/latest/meta-data/cam/security-credentials/"

If the instance is assigned a CAM role, the returned temporary credentials (SecretId, SecretKey, Token) allow privilege escalation outside the instance to other Tencent Cloud resources (COS, CVM, VPC).

3. Enumeration Methodology (TCM Recommended)

A structured approach for Windows privilege escalation assessment:
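The AlwaysInstallElevated check described above requires both hives to agree before the misconfiguration is exploitable, and the raw reg query output leaves that judgement to the reader. The following PowerShell function is an added audit example written for this page; it is not code from the TCM paper. It reads the two registry values named in the text, treats a missing key or value as "Not Configured" (i.e. disabled), and reports a single Vulnerable flag together with the Group Policy setting that disables the behaviour. The function name Test-AlwaysInstallElevated and the output fields are this example's own choices.

```powershell
# Added audit example (not from the TCM paper): reports whether the
# AlwaysInstallElevated policy is enabled in BOTH hives, the condition
# under which any MSI package installs with SYSTEM privileges.
function Test-AlwaysInstallElevated {
    [CmdletBinding()]
    param()

    $subKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hives  = [ordered]@{
        HKLM = "Registry::HKEY_LOCAL_MACHINE\$subKey"
        HKCU = "Registry::HKEY_CURRENT_USER\$subKey"
    }

    $enabled = [ordered]@{}
    foreach ($hive in $hives.Keys) {
        # Get-ItemProperty fails silently if the key or value is absent; an absent
        # value means the policy is "Not Configured", which Windows treats as disabled.
        $item = Get-ItemProperty -Path $hives[$hive] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $enabled[$hive] = ($null -ne $item) -and ([int]$item.AlwaysInstallElevated -eq 1)
    }

    # Only the combination of both values is exploitable; one hive alone is not.
    $vulnerable = $enabled.HKLM -and $enabled.HKCU

    $remediation = if ($vulnerable) {
        'Disable "Always install with elevated privileges" under both Computer Configuration and ' +
        'User Configuration > Administrative Templates > Windows Components > Windows Installer, ' +
        'or set AlwaysInstallElevated to 0 in both hives.'
    } else {
        'None required'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        HKLM         = $enabled.HKLM
        HKCU         = $enabled.HKCU
        Vulnerable   = $vulnerable
        Remediation  = $remediation
    }
}

# Usage: run on the instance under review and capture the object for reporting.
Test-AlwaysInstallElevated | Format-List
```

Because the function returns an object rather than text, it can be run across a fleet of Tencent Cloud Windows instances with Invoke-Command and the results filtered on the Vulnerable property, which fits the structured assessment approach the methodology section calls for.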