SeSecurity: added an information about SACL

README.md

@@ -49,7 +49,7 @@ Feel free to contribute and/or discuss presented ideas.
 |`SeRemoteShutdown`| Availability | ***Built-in commands*** | `shutdown /s /f /m \\server1 /d P:5:19` | The privilege is verified when shutdown/restart request comes from the network. 127.0.0.1 scenario to be investigated. |
 |`SeReserveProcessor`| None | - | - | It looks like the privilege is no longer used and it appeared only in a couple of versions of winnt.h. You can see it listed i.e. in the source code published by Microsoft [here](https://code.msdn.microsoft.com/Effective-access-rights-dd5b13a8/sourcecode?fileId=58676&pathId=767997020). |
 |`SeRestore`| ***Admin*** | **PowerShell** | 1. Launch PowerShell/ISE with the SeRestore privilege present.<br>2. Enable the privilege with [Enable-SeRestorePrivilege](https://github.com/gtworek/PSBits/blob/master/Misc/EnableSeRestorePrivilege.ps1)).<br>3. Rename utilman.exe to utilman.old<br>4. Rename cmd.exe to utilman.exe<br>5. Lock the console and press Win+U| Attack may be detected by some AV software.<br> <br>Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege.<br> - see [PoC](https://github.com/daem0nc0re/PrivFu/tree/main/PrivilegedOperations/SeRestorePrivilegePoC) by [@daem0nc0re](https://twitter.com/daem0nc0re) |
-|`SeSecurity`| **Threat** | ***Built-in commands*** |- Clear Security event log: `wevtutil cl Security`<br> <br>- Shrink the Security log to 20MB to make events flushed soon: `wevtutil sl Security /ms:0`<br> <br>- Read Security event log to have knowledge about processes, access and actions of other users within the system.<br> <br>- Knowing what is logged to act under the radar.<br> <br>- Knowing what is logged to generate large number of events effectively purging old ones without leaving obvious evidence of cleaning. | See [PoC](https://github.com/daem0nc0re/PrivFu/tree/main/PrivilegedOperations/SeSecurityPrivilegePoC) by [@daem0nc0re](https://twitter.com/daem0nc0re) |
+|`SeSecurity`| **Threat** | ***Built-in commands*** |- Clear Security event log: `wevtutil cl Security`<br> <br>- Shrink the Security log to 20MB to make events flushed soon: `wevtutil sl Security /ms:0`<br> <br>- Read Security event log to have knowledge about processes, access and actions of other users within the system.<br> <br>- Knowing what is logged to act under the radar.<br> <br>- Knowing what is logged to generate large number of events effectively purging old ones without leaving obvious evidence of cleaning. <br> <br>- Viewing and changing object SACLs (in practice: auditing settings) | See [PoC](https://github.com/daem0nc0re/PrivFu/tree/main/PrivilegedOperations/SeSecurityPrivilegePoC) by [@daem0nc0re](https://twitter.com/daem0nc0re) |
 |`SeShutdown`| Availability | ***Built-in commands*** | `shutdown.exe /s /f /t 1` | Allows to call most of NtPowerInformation() levels. To be investigated. Allows to call NtRaiseHardError() causing immediate BSOD and memory dump, leading potentially to sensitive information disclosure - see [PoC](https://github.com/daem0nc0re/PrivFu/tree/main/PrivilegedOperations/SeShutdownPrivilegePoC) by [@daem0nc0re](https://twitter.com/daem0nc0re) |
 |`SeSyncAgent`| None | - | - | The privilege is not used in the Windows OS. |
 |`SeSystemEnvironment`| _Unknown_ | 3rd party tool | The privilege permits to use `NtSetSystemEnvironmentValue`, `NtModifyDriverEntry` and some other syscalls to manipulate UEFI variables. |The privilege is required to run sysprep.exe.<p>Additionally:<br>- Firmware environment variables were commonly used on non-Intel platforms in the past, and now slowly return to UEFI world. <br>- The area is highly undocumented.<br>- The potential may be huge (i.e. breaking Secure Boot) but raising the impact level requires at least PoC.<br> - see [PoC](https://github.com/daem0nc0re/PrivFu/tree/main/PrivilegedOperations/SeSystemEnvironmentPrivilegePoC) by [@daem0nc0re](https://twitter.com/daem0nc0re) |