accesschk.exe -uwcqv "Authenticated Users" * Cloud Risk: Often found in third-party monitoring agents installed by cloud marketplace images. 2.3 AlwaysInstallElevated If two registry keys are set, any MSI package installs with SYSTEM privileges.
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated=1 HKCU\... same reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2.4 Unpatched Kernel Exploits (e.g., PrintNightmare, ZeroLogon) Cloud instances often lag behind on patching. TCM tenants relying on default Tencent Cloud images may miss critical updates. tcm security windows privilege escalation
Author: TCM Security Research Team Topic: Windows Privilege Escalation (Cloud-Focused) Target Audience: Red Teamers, Blue Teamers, Cloud Security Engineers Abstract Privilege escalation remains a critical phase in the attack lifecycle, especially within cloud-hosted Windows environments. Tencent Cloud Machine (TCM) instances, while benefiting from cloud security groups and managed services, are still vulnerable to misconfigurations, weak credentials, and unpatched kernel vulnerabilities. This paper explores common Windows privilege escalation vectors from a TCM security perspective, provides practical enumeration techniques, and recommends cloud-specific hardening measures. 1. Introduction In Tencent Cloud, Windows Server instances (2016, 2019, 2022) are commonly used for AD domain controllers, SQL Server, and application hosts. Once an initial foothold is achieved (e.g., via weak RDP credentials or a vulnerable web app), privilege escalation to SYSTEM or Administrator is often required to disable logging, extract cloud credentials, or move laterally. accesschk
PrintNightmare (CVE-2021-34527) allows remote code execution and local privilege escalation via the Print Spooler service. 2.5 Cloud Metadata Credential Theft From a low-privileged shell on a TCM Windows instance, an attacker can query the instance metadata service: Tencent Cloud Machine (TCM) instances, while benefiting from