A cheat sheet to assist in efficient privilege escalation techniques across various systems.
Linux
#Sudo Rights
sudo -l
ls -salth /etc/sudoers
#SUID & SGID
find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
#Capabilities
/usr/sbin/getcap -r / 2>/dev/null
#Cron
crontab -u root -l
crontab -l
cat /etc/crontab
ls /etc/cron.*
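Listing the crontabs is only half the check: the job matters when the script it runs, or the directory that script lives in, is writable by you. The helper below is an added example, not part of the original cheat sheet. It parses a file in /etc/crontab format (the user field is present, so it also works on /etc/cron.d/* fragments), pulls the command out of each job line and reports the ones the current user could replace. The function names are ours; the sample crontab used to exercise it is constructed.

```bash
#!/usr/bin/env bash
# Added example: report cron jobs whose command the current user could tamper
# with. Input is a file in /etc/crontab format (user field present), so it
# also works on /etc/cron.d/* fragments. Helper names are ours, not a tool's.

# Print the command (first word of the command field) of every job line.
# Skips comments, blank lines and VAR=value assignments; handles @reboot-style
# entries (user in field 2, command in field 3) and normal 7+ field lines.
cron_commands() {
  awk '
    /^[[:space:]]*#/            { next }              # comment
    NF == 0                     { next }              # blank
    /^[A-Za-z_][A-Za-z0-9_]*=/  { next }              # SHELL=, PATH=, MAILTO=
    /^@/                        { if (NF >= 3) print $3; next }
    NF >= 7                     { print $7 }
  ' "$1"
}

# Read absolute paths on stdin; print those writable by us, or whose parent
# directory is writable (the script can be deleted and recreated there).
# Relative commands (cd, run-parts) are skipped: they resolve through the
# cron PATH and cannot be judged from the crontab alone.
writable_targets() {
  local p
  while IFS= read -r p; do
    case "$p" in /*) ;; *) continue ;; esac
    if [ -w "$p" ]; then
      printf '%s (file writable)\n' "$p"
    elif [ -w "$(dirname "$p")" ]; then
      printf '%s (directory writable)\n' "$p"
    fi
  done
}

# Usage: weak_cron_jobs /etc/crontab; for f in /etc/cron.d/*; do weak_cron_jobs "$f"; done
weak_cron_jobs() {
  cron_commands "$1" | writable_targets
}
```

Run it as the low-privileged user you have, since the -w tests are evaluated against that user; as root everything reports writable and the output is meaningless. Per-user crontabs from crontab -l lack the user column, so their command sits in field 6 and needs the awk adjusted.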
#Network
netstat -antup
netstat -tunlp
#File Mounts
cat /etc/fstab
#Root Process
ps aux |grep -i 'root' --color=auto
#Kernel
uname -a
cat /etc/*-release
cat /etc/issue
Always check
ls -lsaht /opt/
ls -lsaht /tmp/
ls -lsaht /var/tmp/
ls -lsaht /dev/shm/
ls -lsaht /var/lib/
ls -lsaht /var/db/
ls -lsaR /home/ # .ssh keys
ls -lsaht |grep -i '\.conf' --color=auto # .conf files in the current directory
Scripts and references
LinPEAS (automated enumeration of everything above and more)
GTFOBins (how to abuse a given binary when it is allowed via sudo, SUID or capabilities)
Windows
Unquoted Service Paths
# A service binary path that contains spaces and is not quoted is resolved one space at a time: for C:\Program Files\My App\svc.exe Windows tries C:\Program.exe, then C:\Program Files\My.exe, before reaching the real binary.
# If you can write to any of those parent directories, drop an executable there under that name and restart the service (or wait for a reboot); it runs as the service account, often SYSTEM.
# List auto-start services outside C:\Windows whose path is not quoted:
wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """
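The wmic one-liner tells you which services have unquoted paths; it does not tell you where a payload would have to land. The following is an added example, not part of the original cheat sheet: a bash helper you run in a POSIX shell over output captured from the Windows host (for example wmic service get name,pathname /format:csv) that derives, for each unquoted path, the exact file names Windows would try first. Whether those directories are writable still has to be checked on the host with accesschk or icacls. Function names and the sample CSV are ours.

```bash
#!/usr/bin/env bash
# Added example: given an unquoted service path, list the executables Windows
# would try before the real binary. Runs offline over captured wmic output;
# the write-permission check itself still needs accesschk/icacls on the host.
# Function names are ours, not a tool's.

# Print, in order, the paths CreateProcess tries for an unquoted path with
# spaces: each space-delimited prefix with ".exe" appended, stopping at the
# first token that ends in .exe (the intended binary; anything after it is
# arguments). A quoted path, or one without spaces, prints nothing.
hijack_candidates() {
  local path="$1" prefix="" word
  local -a words
  case "$path" in \"*) return 0 ;; esac          # quoted: taken literally
  IFS=' ' read -r -a words <<< "$path"
  for word in "${words[@]}"; do
    prefix="${prefix:+$prefix }$word"
    case "$(printf '%s' "$prefix" | tr 'A-Z' 'a-z')" in
      *.exe) return 0 ;;                           # reached the real binary
    esac
    printf '%s.exe\n' "$prefix"
  done
}

# Read CSV as produced by `wmic service get name,pathname /format:csv`
# (Node,Name,PathName columns, CRLF line ends, a leading blank line) and
# report each service with a hijackable path plus the drop locations.
# The CSV is unquoted, so a path containing a comma would be mis-split.
report_unquoted_services() {
  local node name pathname cands
  while IFS=, read -r node name pathname; do
    pathname="${pathname%$'\r'}"
    [ -n "$name" ] && [ "$name" != "Name" ] || continue
    cands=$(hijack_candidates "$pathname")
    [ -n "$cands" ] || continue
    printf '%s: %s\n' "$name" "$pathname"
    printf '%s\n' "$cands" | sed 's/^/    try: /'
  done
}

# Usage: report_unquoted_services < services.csv
```

The candidates closest to the drive root (C:\Program.exe) are rarely writable on a patched system; the interesting ones are deeper prefixes inside vendor directories, where installers sometimes leave BUILTIN\Users with write or create-file rights.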
Scheduled Tasks and Services
# Some tasks or services might be misconfigured to run files that low-privileged users can modify.
# You can use tools like schtasks or net start to list tasks and services, then check permissions on the associated files or folders.
Weak File/Folder Permissions
# Misconfigured permissions on files or folders can allow an attacker to modify, replace, or execute files with elevated permissions.
# Tools like accesschk (from Sysinternals) can help identify overly permissive settings.
# Recursively list everything under C:\ that the given group can write; repeat for "Users" and "Authenticated Users".
accesschk.exe -uws "Everyone" C:\
Stored Credentials
# Windows systems sometimes have credentials stored in various locations, like the registry, Group Policy Preferences, or in configuration files.
# Tools like Mimikatz can extract plaintext passwords and hashes from LSASS memory, but that needs local administrator (SeDebugPrivilege) or SYSTEM, so it serves lateral movement once you already hold local admin rather than the initial escalation.
Windows Credential Manager
# Windows Credential Manager:
# Stores user credentials for network shares, RDP and applications. List the entries via Control Panel or with cmdkey /list; the secrets themselves can be decrypted in that user's context, for example with Mimikatz's vault modules.
SAM
# SAM (Security Accounts Manager) File:
# Located at C:\Windows\System32\config\SAM, this file stores local account password hashes (NT hashes). The hashes are encrypted with a key derived from the SYSTEM hive, so SAM alone is not enough: you need C:\Windows\System32\config\SYSTEM as well.
# Both files are locked while the OS is running; with admin rights copy them via reg save or from a volume shadow copy, then extract offline with Mimikatz, pwdump or secretsdump. Mimikatz can also dump them live from the running system.
NTDS.dit
# NTDS.dit:
# Relevant on domain controllers only: the Active Directory database, including the password hashes of every domain account. Default location C:\Windows\NTDS\NTDS.dit; decrypting it also requires the DC's SYSTEM hive.
# The file is locked while AD DS runs. With Domain Admin rights it can be copied with ntdsutil or from a volume shadow copy, or the hashes can be pulled remotely over the replication protocol (DCSync) without touching the file.
Directories
# User Directories:
# Searching through a user's documents, desktop, and downloads might reveal saved passwords or authentication tokens.
# Common paths include C:\Users\[USERNAME]\Documents, C:\Users\[USERNAME]\Desktop, and C:\Users\[USERNAME]\Downloads.
Pagefile.sys and Hiberfil.sys
# Pagefile.sys and Hiberfil.sys:
# Pagefile.sys (memory paged out to disk) and Hiberfil.sys (the RAM image written on hibernation) can contain credentials and other secrets that were sitting in process memory.
# Both are locked while Windows runs and need admin rights, an offline disk or a shadow copy to read; carve them with strings or a memory forensics tool such as Volatility.