In episode 2 of Tradecraft Security Weekly, Beau Bullock (@dafthack) discusses Windows privilege escalation techniques. There are many reasons why normal employees should not be local administrators of their own systems. Network administrators tend to lock down user permissions correctly, but privilege escalation vulnerabilities still arise through various software or system configuration issues. The tools and techniques discussed for discovering these vulnerabilities include PowerUp (by @harmj0y), Hot Potato (by foxglovesec), and manually finding exploits for missing MS patches with Searchsploit.
Command to check for installed patches (on the target Windows box):
C:\> wmic qfe get Caption,Description,HotFixID,InstalledOn
Searchsploit command to check for exploits in exploit-db (from Kali):
# searchsploit MS16 windows local
Commands to load the PowerUp script into PowerShell (on the target Windows box, with PowerUp.ps1 in the current directory):
C:\> powershell.exe -exec bypass
PS C:\> Import-Module .\PowerUp.ps1
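As an added example (not from the episode or from any of the tools it mentions), the following Python script parses the `wmic qfe` output shown above and reports which patches from a baseline list are absent, the defender-side version of the "which patches are missing" check. The sample output and the baseline KB numbers are constructed placeholders, not a real patch baseline.

```python
from typing import Dict, List

# Constructed sample of `wmic qfe get Caption,Description,HotFixID,InstalledOn`
# output. The KB numbers are illustrative only. Note the third row, where
# wmic printed an empty Caption cell; that is the case the parser must survive.
SAMPLE_WMIC_QFE = """\
Caption                                     Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=3116900  Update           KB3116900  12/1/2015
http://support.microsoft.com/?kbid=3124266  Security Update  KB3124266  1/13/2016
                                            Security Update  KB3139852  3/9/2016
"""

# Placeholder baseline: the hotfixes a policy says must be present.
REQUIRED_HOTFIXES = ["KB3124266", "KB3140745", "kb3116900"]


def parse_wmic_qfe(text: str) -> List[Dict[str, str]]:
    """Parse wmic's fixed-width table using the header's column offsets.

    Splitting rows on whitespace would mis-align fields whenever a cell is
    blank or contains a space ("Security Update"), so each column is sliced
    at the position where its name starts in the header line.
    """
    lines = [line.rstrip() for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    header, names = lines[0], lines[0].split()
    starts, pos = [], 0
    for name in names:
        pos = header.index(name, pos)
        starts.append(pos)
    bounds = list(zip(starts, starts[1:] + [None]))
    return [
        {name: row[s:e].strip() for name, (s, e) in zip(names, bounds)}
        for row in lines[1:]
    ]


def missing_hotfixes(text: str, required: List[str]) -> List[str]:
    """Return the baseline hotfixes (upper-cased KB ids) not present in the output."""
    installed = {row["HotFixID"].upper() for row in parse_wmic_qfe(text)}
    return sorted(kb.upper() for kb in required if kb.upper() not in installed)


if __name__ == "__main__":
    for kb in missing_hotfixes(SAMPLE_WMIC_QFE, REQUIRED_HOTFIXES):
        print("missing:", kb)
```

On a real host, feed the script the saved output of the wmic command instead of `SAMPLE_WMIC_QFE`, and replace the placeholder baseline with the KB list your patch policy requires.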