From 29e8bbd1e75432c830bf04cfa6d937f646c13cf3 Mon Sep 17 00:00:00 2001 From: sekre Date: Tue, 26 Nov 2024 19:33:54 +0100 Subject: [PATCH] Added SeManageVolumePrivilege to win abuse tokens Added information on how to abuse the SeManageVolumePrivilege token for priv-esc in Windows. --- .../privilege-escalation-abusing-tokens/README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens/README.md b/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens/README.md index 057cfb23e..59ea81c89 100644 --- a/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens/README.md +++ b/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens/README.md @@ -153,6 +153,15 @@ If you want to get a `NT SYSTEM` shell you could use: import-module psgetsys.ps1; [MyProcess]::CreateProcessFromParent(,) ``` +### SeManageVolumePrivilege + +The `SeManageVolumePrivilege` is a Windows user right that allows users to manage disk volumes, including creating and deleting them. While intended for administrators, if granted to non-admin users, it can be exploited for privilege escalation. + +It's possible to leverage this privilege to manipulate volumes, leading to full volume access. The [SeManageVolumeExploit](https://github.com/CsEnox/SeManageVolumeExploit) can be used to give full access to all users for C:\ + +Additionally, the process outlined in [this Medium article](https://medium.com/@raphaeltzy13/exploiting-semanagevolumeprivilege-with-dll-hijacking-windows-privilege-escalation-1a4f28372d37) describes using DLL hijacking in conjunction with `SeManageVolumePrivilege` to escalate privileges. +By placing a payload DLL `C:\Windows\System32\wbem\tzres.dll` and calling `systeminfo` the dll is executed. + ## Check privileges ```
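Review bot: the added `### SeManageVolumePrivilege` section has two formatting slips and one documentation gap. The sentence ending `give full access to all users for C:\` has no terminating period, and the line `+By placing a payload DLL ...` runs straight on from the Medium-article paragraph with no blank `+` line between them, unlike every other paragraph in the hunk; either separate it with a blank line or fold it into the preceding sentence, and write "the DLL is executed" to match "DLL hijacking" two lines above. On substance, the second paragraph says the privilege can be used to "manipulate volumes, leading to full volume access" but never explains why a right to create and delete volumes translates into write access to the files on `C:\`; one sentence on that would let a reader understand what to audit and why the first paragraph's point (that the right is meant for administrators only) is the mitigation. Finally, the README is in `windows-hardening/`, so consider closing the section with a line telling the reader how to verify who holds the right (the `## Check privileges` section that immediately follows is the natural place to cross-reference).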