OpenSkillIndex← back to search

Hacktricks-skills leaked-handle-exploitation

Windows local privilege escalation via leaked handle exploitation. Use this skill whenever the user mentions Windows privilege escalation, handle enumeration, process handle leaks, inherited handles, or needs to escalate from a low-privileged process to SYSTEM/administrator. Also trigger when users ask about Windows security testing, handle-based attacks, or finding privilege escalation vectors in Windows environments.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation/SKILL.MD
source content

Leaked Handle Exploitation for Windows Privilege Escalation

This skill guides you through identifying and exploiting leaked Windows handles for local privilege escalation (LPE).

Understanding the Vulnerability

When a privileged process (e.g., running as SYSTEM) creates an unprivileged child process with 

bInheritHandles=TRUE
, the child inherits all open handles from the parent. If those handles have sufficient permissions, the unprivileged process can abuse them to escalate privileges.

Exploitable Handle Types

Process Handles - If an unprivileged process inherits a process handle with these permissions, it can execute arbitrary code:

  • PROCESS_ALL_ACCESS
  • PROCESS_CREATE_PROCESS
  • PROCESS_CREATE_THREAD
  • PROCESS_DUP_HANDLE
  • PROCESS_VM_WRITE

Thread Handles - Similar to process handles, exploitable permissions include:

  • THREAD_ALL_ACCESS
  • THREAD_DIRECT_IMPERSONATION
  • THREAD_SET_CONTEXT

File/Registry/Section Handles - Write-equivalent permissions on privileged files or registry keys can allow overwriting critical system resources.

Methodology

Step 1: Enumerate Handles

You need to find handles accessible to your current process. Choose a tool based on your access level:

With SeDebugPrivilege (Administrator):

  • Process Hacker: Right-click process → Handles → view all handles with permissions
  • Sysinternals Handles: 
    handle64.exe <process_name>
    or 
    handle64.exe /a
    for all processes

Without SeDebugPrivilege (User-level):

  • Users can still access their own process handles: 
    handle64.exe /a | findstr /r /i "process thread file key pid:"

Step 2: Identify Vulnerable Handles

Look for handles that:

  1. Belong to your current process (check PID)
  2. Reference privileged processes (SYSTEM, Administrator)
  3. Have exploitable permissions (see lists above)
  4. Are of type "Process", "Thread", "File", "Key", or "Section"

Step 3: Exploit the Handle

Technique A: Shellcode Injection

  • Use the inherited process handle to allocate memory in the privileged process
  • Write shellcode to that memory
  • Create a thread in the privileged process to execute it

Technique B: Token Impersonation

  • Use 
    UpdateProcThreadAttribute
    with 
    PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
  • Set the parent process to the privileged handle
  • Spawn a new process (e.g., 
    cmd.exe
    ) that inherits the elevated token

Tools

ToolPurposeLink
Process HackerGUI handle enumerationhttps://github.com/processhacker/processhacker
Sysinternals HandlesCLI handle enumerationhttps://docs.microsoft.com/en-us/sysinternals/downloads/handle
LeakedHandlesFinderAutomated detection & exploitationhttps://github.com/lab52io/LeakedHandlesFinder
ReHacks Leaky HandlesHandle leaking & exploitationhttps://github.com/abankalarm/ReHacks/tree/main/Leaky%20Handles

Common Vulnerable Patterns

Look for these code patterns in services or applications:

// VULNERABLE: Opens handle with inherit flag, then spawns child with inheritance
hProc = OpenProcess(PROCESS_ALL_ACCESS, TRUE, targetPid);  // TRUE = inheritable
CreateProcessAsUser(token, "child.exe", NULL, NULL, NULL, TRUE, ...);  // TRUE = inherit handles

The vulnerability occurs when:

  1. A privileged process opens handles with 
    bInheritHandle=TRUE
  2. It spawns a child process with 
    bInheritHandles=TRUE
  3. The child process is accessible to a lower-privileged user

Practical Workflow

  1. Gain initial access to a low-privileged user account
  2. Run handle enumeration with your current permissions
  3. Filter for process/thread handles pointing to SYSTEM/Admin processes
  4. Check permissions on each handle
  5. Test exploitation using one of the techniques above
  6. Verify escalation by checking token privileges or running 
    whoami /priv

Important Notes

  • SeDebugPrivilege is needed to enumerate ALL process handles, but you can still enumerate your own process handles without it
  • Handle exploitation is rare but high-impact - always check for it during Windows pentests
  • Modern Windows versions have improved handle isolation, but legacy services and custom applications remain vulnerable
  • Always test in a controlled environment before production use

References