The idea is to "translate" Windows OS privileges to a path leading to:
- administrator,
- integrity and/or confidentiality threat,
- availability threat,
- just a mess.
Privileges are listed and explained at: https://docs.microsoft.com/en-us/windows/win32/secauthz/privilege-constants
If the goal can be achived multiple ways, the priority is
- Using built-in commands
- Using PowerShell (only if a working script exists)
- Using non-OS tools
- Using any other method
You can check your own privileges with whoami /priv. Disabled privileges are as good as enabled ones. The only important thing is if you have the privilege on the list or not.
Note 1: Whenever the attack path ends with a token creation, you can assume the next step is to create new process using such token and then take control over OS.
Note 2:
a. For calling NtQuerySystemInformation()/ZwQuerySystemInformation() directly, you can find required privileges here.
b. For NtSetSystemInformation()/ZwSetSystemInformation() required privileges are listed here here.
Feel free to contribute and/or discuss presented ideas.
| Privilege | Impact | Tool | Execution path | Remarks |
|---|---|---|---|---|
SeAssignPrimaryToken |
? | ? | ? | |
SeAudit |
Threat | 3rd party tool | Write events to the Security event log to fool auditing or to overwrite old events. | Writing own events is possible with AuthzReportSecurityEvent API. |
SeBackup |
Threat | Built-in commands | Read sensitve files with robocopy /b |
- May be more interesting if you can read %WINDIR%\MEMORY.DMP - SeBackupPrivilege (and robocopy) is not helpful when it comes to open files.- Robocopy requires both SeBackup and SeRestore to work with /b parameter. |
SeChangeNotify |
- | - | - | Privilege held by everyone. Revoking it may make the OS (Windows Server 2019) unbootable. |
SeCreateGlobal |
? | ? | ? | |
SeCreatePagefile |
? | ? | ? | |
SeCreatePermanent |
? | ? | ? | |
SeCreateSymbolicLink |
? | ? | ? | |
SeCreateToken |
Admin | 3rd party tool | Create arbitrary token including local admin rights with NtCreateToken. |
|
SeDebug |
Admin | PowerShell | Duplicate the lsass.exe token. |
Script to be found at FuzzySecurity |
SeDelegateSession-UserImpersonate |
? | ? | ? | Privilege name broken to make the column narrow. |
SeEnableDelegation |
? | ? | ? | |
SeImpersonate |
? | ? | ? | |
SeIncreaseBasePriority |
? | ? | ? | |
SeIncreaseQuota |
? | ? | ? | |
SeIncreaseWorkingSet |
? | ? | ? | |
SeLoadDriver |
? | ? | ? | |
SeLockMemory |
? | ? | ? | |
SeMachineAccount |
? | ? | ? | |
SeManageVolume |
Threat | 3rd party tool | Create large file and manipulate the valid data length with SetFileValidData(). Effectively the data from deleted files should be visible inside the file. |
- Files smaller than ~700B fit entirely within MFT entries and will not expose the content with such method. - It looks like the privilege allows to manipulate with mbr, which may lead to some availability issues. To be investigated. |
SeProfileSingleProcess |
? | ? | ? | |
SeRelabel |
Threat | 3rd party tool | Modification of system files by a legitimate administrator? | See: MIC documentation Integrity labels are infrequently used and work only on top of standard ACLs. Two main scenarios include: - protection against attacks using exploitable applications such as browsers, PDF readers etc. - protection of OS files. Attacks with SeRelabel must obey access rules defined by ACLs, which makes them significantly less useful in practice. |
SeRemoteShutdown |
Availability | Built-in commands | shutdown /s /f /m \\server1 /d P:5:19 |
The privilege is verified when shutdown/restart request comes from the network. 127.0.0.1 scenario to be investigated. |
SeReserveProcessor |
None | It looks like the privilege is no longer used and it appeared only in a couple of versions of winnt.h. You can see it listed i.e. in the source code published by Microsoft here. | ||
SeRestore |
Admin | PowerShell | 1. Launch PowerShell/ISE with the SeRestore privilege present. 2. Enable the privilege with Enable-SeRestorePrivilege). 3. Rename utilman.exe to utilman.old 4. Rename cmd.exe to utilman.exe 5. Lock the console and press Win+U |
Attack may be detected by Windows Defender if you touch replaced files later. Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. |
SeSecurity |
Threat | Built-in commands | - Clear Security event log: wevtutil cl Security- Shrink the Security log to 20MB to make events flushed soon: wevtutil sl Security /ms:0- Read Security event log to have knowledge about processes, access and actions of other users within the system. - Knowing what is logged to act under the radar. - Knowing what is logged to generate large number of events effectively purging old ones without leaving obvious evidence of cleaning. |
|
SeShutdown |
Availability | Built-in commands | shutdown.exe /s /f /t 1 |
May be more interesting on servers. |
SeSyncAgent |
None | The privilege is not used in the Windows OS. | ||
SeSystemEnvironment |
Unknown | 3rd party tool | The privilege permits to use NtSetSystemEnvironmentValue, NtModifyDriverEntry and some other syscalls to manipulate UEFI variables. |
- Firmware environment variables were commonly used on non-Intel platforms in the past, and now slowly return to UEFI world. - The area is highly undocumented. - The potential may be huge (i.e. breaking Secure Boot) but raising the impact level requires at least PoC. |
SeSystemProfile |
? | ? | ? | |
SeSystemtime |
? | ? | ? | |
SeTakeOwnership |
? | ? | ? | |
SeTcb |
Admin | 3rd party tool | Manipulate tokens to have local admin rights included. May require SeImpersonate. To be verified. |
|
SeTimeZone |
Mess | Built-in commands | Change the timezone. tzutil /s "Chatham Islands Standard Time" |
|
SeTrustedCredManAccess |
? | ? | ? | |
SeUndock |
None | The privilege is enabled when undocking, but never observed it checked to grant/deny access. In practice it means it is actually unused and cannot lead to any escalation. | ||
SeUnsolicitedInput |
None | The privilege is not used in the Windows OS. |
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent